Exetools  

Go Back   Exetools > General > Community Tools

Notices

Reply
 
Thread Tools Display Modes
  #31  
Old 02-09-2014, 04:03
besoeso's Avatar
besoeso besoeso is offline
Family
 
Join Date: May 2010
Posts: 154
Rept. Given: 414
Rept. Rcvd 100 Times in 39 Posts
Thanks Given: 242
Thanks Rcvd at 42 Times in 33 Posts
besoeso Reputation: 100-199 besoeso Reputation: 100-199
@Insid3Code

do you know codes for DeviceIoControl funtion???
Reply With Quote
  #32  
Old 02-09-2014, 04:11
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 858
Rept. Given: 497
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 92
Thanks Rcvd at 745 Times in 355 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Quote:
Originally Posted by besoeso View Post
@Insid3Code

do you know codes for DeviceIoControl funtion???
For TitanHide there are no such codes, you should take a look at TitanHideGUI: https://bitbucket.org/mrexodia/titanhide/src/d3168decc80020c36f6402cebf4a18bcbe34869a/TitanHideGUI/main.cpp?at=master

Greetings
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
  #33  
Old 02-09-2014, 04:15
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 858
Rept. Given: 497
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 92
Thanks Rcvd at 745 Times in 355 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Changelog V0008l:
- re-added NtClose, not working on Windows Server 2012, Windows 8 and Windows 8.1

Greetings,

Mr. eXoDia
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf

Last edited by mr.exodia; 10-28-2015 at 09:11.
Reply With Quote
The Following User Gave Reputation+1 to mr.exodia For This Useful Post:
Insid3Code (02-09-2014)
  #34  
Old 02-09-2014, 23:08
Insid3Code's Avatar
Insid3Code Insid3Code is offline
Family
 
Join Date: May 2013
Location: Algeria
Posts: 80
Rept. Given: 44
Rept. Rcvd 60 Times in 30 Posts
Thanks Given: 23
Thanks Rcvd at 99 Times in 53 Posts
Insid3Code Reputation: 60
Quote:
Originally Posted by besoeso View Post
@Insid3Code

do you know codes for DeviceIoControl funtion???
You mean IoControlCode passed as parameter or (GetLastError code) formatted messages to display ?

@Mr. eXoDia
another hardcoded offset:
Windows 8 SP0 X86
0x154 DebugPort
Windows 8 SP0 X64
0x2F8 DebugPort
Windows 8 SP1 X64
0x410 DebugPort
__________________
Computer Forensics
Reply With Quote
The Following User Gave Reputation+1 to Insid3Code For This Useful Post:
mr.exodia (02-09-2014)
  #35  
Old 02-09-2014, 23:32
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 858
Rept. Given: 497
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 92
Thanks Rcvd at 745 Times in 355 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@Insid3Code: Thanks a lot!

V0009 released:
- changed logging behavior
- added offsets for windows 8 and server 2012 (2012 not tested)

Greetings,

Mr. eXoDia
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf

Last edited by mr.exodia; 10-28-2015 at 09:11.
Reply With Quote
The Following 2 Users Gave Reputation+1 to mr.exodia For This Useful Post:
copyleft (02-10-2014), zeuscane (02-10-2014)
  #36  
Old 02-10-2014, 07:13
mcp mcp is offline
Friend
 
Join Date: Dec 2011
Posts: 73
Rept. Given: 4
Rept. Rcvd 12 Times in 11 Posts
Thanks Given: 7
Thanks Rcvd at 47 Times in 35 Posts
mcp Reputation: 12
@mr.exodia
If you want a more robust implementation, I would recommend that you let your driver determine the OS specific offset by itself, i.e. let it disassemble the kernel function PsGetProcessDebugPort. You could do that like this:
a) determine function boundaries, i.e. disassemble all instructions from start of the function until ret.
b) go backwards starting at ret until you find the first instruction that writes to eax/rax. The immediate in the source operand expression should be the offset you're looking for.
Reply With Quote
The Following User Gave Reputation+1 to mcp For This Useful Post:
mr.exodia (02-15-2014)
The Following User Says Thank You to mcp For This Useful Post:
b30wulf (08-17-2015)
  #37  
Old 02-15-2014, 18:31
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 858
Rept. Given: 497
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 92
Thanks Rcvd at 745 Times in 355 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
V0010 Released:
- dynamic retrieval of DebugPortOffset (thanks to mcp!)
- added some alternative code for NtClose (thanks to ahmadmansoor!)
- also updated the TitanHide plugin for x64_dbg

Greetings,

Mr. eXoDia
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf

Last edited by mr.exodia; 10-28-2015 at 09:13.
Reply With Quote
The Following 2 Users Gave Reputation+1 to mr.exodia For This Useful Post:
besoeso (02-15-2014), tonyweb (02-16-2014)
  #38  
Old 03-16-2014, 21:34
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 858
Rept. Given: 497
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 92
Thanks Rcvd at 745 Times in 355 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
TitanHide plugins:
- OllyDbg v1.10
- OllyDbg v2.01
- TitanEngine (x86 + x64)
- x64_dbg (x32 + x64)

Attached a full archive, latest versions can be downloaded from https://bitbucket.org/mrexodia/titanhide/downloads

Plugins features will not be extended, but I will fix any bugs you find.

Greetings,

Mr. eXoDia
Attached Files
File Type: rar TitanHide_plugins.rar (46.2 KB, 36 views)
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
The Following 4 Users Gave Reputation+1 to mr.exodia For This Useful Post:
chessgod101 (03-18-2014), kjms (03-17-2014), TQN (03-17-2014)
  #39  
Old 02-02-2015, 04:55
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 858
Rept. Given: 497
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 92
Thanks Rcvd at 745 Times in 355 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
V0012 Released:
- fixed weird BSOD with NtQueryInformationProcess
- better installation guide
- various code fixes

Source:
https://bitbucket.org/mrexodia/titanhide

Download:
https://bitbucket.org/mrexodia/titanhide/downloads

Greetings,

Mr. eXoDia
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
  #40  
Old 02-02-2015, 04:55
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 858
Rept. Given: 497
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 92
Thanks Rcvd at 745 Times in 355 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
V0012 Released:
- fixed weird BSOD with NtQueryInformationProcess
- better installation guide
- various code fixes

Source:
https://bitbucket.org/mrexodia/titanhide

Download:
https://bitbucket.org/mrexodia/titanhide/downloads

Greetings,

Mr. eXoDia
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
The Following 8 Users Gave Reputation+1 to mr.exodia For This Useful Post:
cjack (02-02-2015), computerline (02-04-2015), Conquest (02-02-2015), copyleft (02-02-2015), Insid3Code (02-03-2015), Mr.reCoder (02-02-2015), Storm Shadow (02-02-2015), uranus64 (02-02-2015)
  #41  
Old 03-22-2015, 03:46
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 858
Rept. Given: 497
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 92
Thanks Rcvd at 745 Times in 355 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Updated to V0013!

Changelog:
- MIT license
- crappy win10 support
- fixed some exploits kao found
- hopefully now the .sys works on win7 (target = win7 instead of win8.1)

Download:
https://bitbucket.org/mrexodia/titanhide/downloads
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
The Following User Gave Reputation+1 to mr.exodia For This Useful Post:
besoeso (03-22-2015)
The Following User Says Thank You to mr.exodia For This Useful Post:
niculaita (08-18-2015)
  #42  
Old 08-17-2015, 09:46
odovo
 
Posts: n/a
Quote:
Originally Posted by mr.exodia View Post
Updated to V0013!

Changelog:
- MIT license
- crappy win10 support
- fixed some exploits kao found
- hopefully now the .sys works on win7 (target = win7 instead of win8.1)

Download:
https://bitbucket.org/mrexodia/titanhide/downloads
very good work.
one little question is kaspersky reports. maybe vm or shell detected.
so use it in vmware.
Reply With Quote
  #43  
Old 08-17-2015, 10:08
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 858
Rept. Given: 497
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 92
Thanks Rcvd at 745 Times in 355 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
TitanHide technically is a rootkit, so kaspersky is doing a good job detecting it Using it in a VM is generally a good idea.
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
The Following 2 Users Say Thank You to mr.exodia For This Useful Post:
cracker[PYG] (06-05-2016), niculaita (06-05-2016)
  #44  
Old 06-04-2016, 19:27
overfl0ww overfl0ww is offline
Friend
 
Join Date: Jun 2016
Posts: 2
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 1
Thanks Rcvd at 1 Time in 1 Post
overfl0ww Reputation: 0
Found the solution to this problem while starting service :
"StartService FAILED 6:The handle is invalid."

We need to specify the KMDF version in the project , according to this
For exemple, in Windows 7, it's 1.9, so under Driver Model Settings, change the following
- KMDF Version Major = 1
- KMDF Version Minor = 9

And it's done
Reply With Quote
The Following User Says Thank You to overfl0ww For This Useful Post:
niculaita (06-05-2016)
  #45  
Old 06-05-2016, 23:35
cracker[PYG] cracker[PYG] is offline
Friend
 
Join Date: Aug 2005
Posts: 74
Rept. Given: 18
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 11
Thanks Rcvd at 7 Times in 5 Posts
cracker[PYG] Reputation: 1
X64dbg and TitanHide it very difficult to update the website to download, can you provide a cloud backup download, Thank you
Reply With Quote
Reply

Tags
driver, hiding, ssdt, titanhide, x64

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 08:51.


��ICP��05004977��
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX