Overview:
TitanHide is a driver intended to hide debuggers from certain processes.
The driver hooks various Nt* kernel functions (using inline hooks at the
moment) and modifies the return values of the original functions.
To hide a process you pass the driver a small structure containing the
ProcessID and the hiding option(s) to enable. The internal API is
designed so that new hooks can be added with little effort, which makes
adding features easy.
Features:
- ProcessDebugFlags (NtQueryInformationProcess)
- ProcessDebugPort (NtQueryInformationProcess)
- ProcessDebugObjectHandle (NtQueryInformationProcess)
- DebugObject (NtQueryObject)
- SystemKernelDebuggerInformation (NtQuerySystemInformation)
- NtClose (suppresses the STATUS_INVALID_HANDLE exception that closing an invalid handle raises under a debugger)
- ThreadHideFromDebugger (NtSetInformationThread)
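The features above are the user-mode anti-debug checks the driver intercepts. The following is an added example (not TitanHide's own code) that performs each of those checks from a process so you can verify the hiding works: run it under a debugger with the process hidden and every probe should still come back clean. The probes call ntdll directly so that the hooked Nt* functions are exercised; they only compile on Windows, while evaluate_probes() is portable and encodes what each raw result means. The information class numbers are the real NT values; the bogus handle value 0xDEADBEEF and all function and type names are this example's own.

```c
/* Added example, not part of TitanHide: the user-mode anti-debug probes that
 * the driver's hooks intercept. evaluate_probes() is portable and encodes the
 * meaning of each raw result; run_probes() is Windows-only and calls ntdll
 * directly so that each hooked Nt* function is actually exercised. */
#include <stdio.h>

typedef struct {
    unsigned long long debug_port;  /* ProcessDebugPort: 0 unless a debugger is attached (then -1) */
    unsigned long debug_flags;      /* ProcessDebugFlags: 0 when debugged, 1 (NoDebugInherit) when not */
    int debug_object_status;        /* NTSTATUS of ProcessDebugObjectHandle: >= 0 means a debug object exists */
    int close_raised;               /* NtClose on a bogus handle raised an exception (only under a debugger) */
    int kernel_debugger_enabled;    /* SystemKernelDebuggerInformation.KernelDebuggerEnabled */
} probe_results;

enum {
    HIT_DEBUG_PORT   = 1,
    HIT_DEBUG_FLAGS  = 2,
    HIT_DEBUG_OBJECT = 4,
    HIT_NTCLOSE      = 8,
    HIT_KERNEL_DEBUG = 16
};

/* Bitmask of the probes that indicate a debugger. A process hidden by the
 * driver should yield 0 even while a debugger is attached. */
unsigned evaluate_probes(const probe_results *r)
{
    unsigned hits = 0;
    if (r->debug_port != 0)          hits |= HIT_DEBUG_PORT;
    if (r->debug_flags == 0)         hits |= HIT_DEBUG_FLAGS;   /* counter-intuitive: 0 means debugged */
    if (r->debug_object_status >= 0) hits |= HIT_DEBUG_OBJECT;  /* undebugged returns STATUS_PORT_NOT_SET (0xC0000353) */
    if (r->close_raised)             hits |= HIT_NTCLOSE;
    if (r->kernel_debugger_enabled)  hits |= HIT_KERNEL_DEBUG;
    return hits;
}

/* Same evaluation from raw values, for callers without a struct at hand. */
unsigned evaluate_raw(unsigned long long port, unsigned long flags, int status,
                      int close_raised, int kernel_debugger_enabled)
{
    probe_results r;
    r.debug_port = port; r.debug_flags = flags; r.debug_object_status = status;
    r.close_raised = close_raised; r.kernel_debugger_enabled = kernel_debugger_enabled;
    return evaluate_probes(&r);
}

#ifdef _WIN32
#include <windows.h>

/* NT information class numbers; own names avoid clashes with winternl.h */
#define IC_ProcessDebugPort          7
#define IC_ProcessDebugObjectHandle  30
#define IC_ProcessDebugFlags         31
#define IC_SystemKernelDebuggerInfo  35
#define IC_ThreadHideFromDebugger    17

typedef LONG (WINAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
typedef LONG (WINAPI *NtSIT_t)(HANDLE, ULONG, PVOID, ULONG);

static int close_bogus_handle_raises(void)
{
#ifdef _MSC_VER
    /* 0xDEADBEEF is an arbitrary invalid handle; under a debugger NtClose raises STATUS_INVALID_HANDLE */
    __try { CloseHandle((HANDLE)(ULONG_PTR)0xDEADBEEF); }
    __except (EXCEPTION_EXECUTE_HANDLER) { return 1; }
#endif
    return 0;   /* MinGW has no __try, so this probe is skipped there */
}

int run_probes(probe_results *r)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQIP_t NtQIP = (NtQIP_t)GetProcAddress(ntdll, "NtQueryInformationProcess");
    NtQSI_t NtQSI = (NtQSI_t)GetProcAddress(ntdll, "NtQuerySystemInformation");
    NtSIT_t NtSIT = (NtSIT_t)GetProcAddress(ntdll, "NtSetInformationThread");
    ULONG_PTR port = 0; ULONG flags = 1; HANDLE dbgobj = NULL;
    struct { BOOLEAN KernelDebuggerEnabled; BOOLEAN KernelDebuggerNotPresent; } kd = { 0, 1 };
    if (!NtQIP || !NtQSI || !NtSIT) return 0;

    NtQIP(GetCurrentProcess(), IC_ProcessDebugPort, &port, sizeof port, NULL);
    NtQIP(GetCurrentProcess(), IC_ProcessDebugFlags, &flags, sizeof flags, NULL);
    r->debug_object_status = (int)NtQIP(GetCurrentProcess(), IC_ProcessDebugObjectHandle, &dbgobj, sizeof dbgobj, NULL);
    if (dbgobj) CloseHandle(dbgobj);
    NtQSI(IC_SystemKernelDebuggerInfo, &kd, sizeof kd, NULL);

    r->debug_port = port;
    r->debug_flags = flags;
    r->close_raised = close_bogus_handle_raises();
    r->kernel_debugger_enabled = kd.KernelDebuggerEnabled;

    /* Not a check but a countermeasure: detaches this thread from the debugger.
     * The driver's hook on NtSetInformationThread is meant to neutralize it. */
    NtSIT(GetCurrentThread(), IC_ThreadHideFromDebugger, NULL, 0);
    return 1;
}

int main(void)
{
    probe_results r = { 0 };
    if (!run_probes(&r)) { puts("could not resolve ntdll exports"); return 1; }
    printf("DebugPort=%llx DebugFlags=%lu DebugObjectStatus=%08x NtCloseRaised=%d KernelDebugger=%d -> hits=0x%x\n",
           r.debug_port, r.debug_flags, (unsigned)r.debug_object_status, r.close_raised,
           r.kernel_debugger_enabled, evaluate_probes(&r));
    return 0;
}
#endif
```

Build it with MSVC to get the NtClose probe (it needs __try/__except); attach a debugger, set the hide options for the process, and compare the hits value with and without the driver loaded.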
Test environments:
- Windows 7 x64 (SP1)
- Windows XP x86 (SP3)
- Windows XP x64 (SP1)
Installation:
1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'loader.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service
5) Start driver
6) Use 'TitanHideGUI.exe' to set hide options
NOTE: On x64 you have to disable PatchGuard (which bugchecks on the inline
hooks) and driver signature enforcement yourself. Google is your friend :)
Repository:
https://bitbucket.org/mrexodia/titanhide/
Downloads:
https://bitbucket.org/mrexodia/titanhide/downloads
Feel free to report bugs and/or request features.
Greetings,
Mr. eXoDia