TitanHide
Overview:
TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using inline hooks at the moment) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.

Features:
- ProcessDebugFlags (NtQueryInformationProcess)
- ProcessDebugPort (NtQueryInformationProcess)
- ProcessDebugObjectHandle (NtQueryInformationProcess)
- DebugObject (NtQueryObject)
- SystemKernelDebuggerInformation (NtQuerySystemInformation)
- NtClose (STATUS_INVALID_HANDLE exception)
- ThreadHideFromDebugger (NtSetInformationThread)

Test environments:
- Windows 7 x64 (SP1)
- Windows XP x86 (SP3)
- Windows XP x64 (SP1)

Installation:
1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'loader.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service
5) Start driver
6) Use 'TitanHideGUI.exe' to set hide options

NOTE: When on x64, you have to disable PatchGuard and driver signature enforcement yourself. Google is your friend :)

https://bitbucket.org/mrexodia/titanhide/

Downloads: https://bitbucket.org/mrexodia/titanhide/downloads

Feel free to report bugs and/or request features.

Greetings,
Mr. eXoDia

Last edited by mr.exodia; 10-28-2015 at 09:13.
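The installation steps above (copy the driver, remove any old service, register a new kernel-driver service, start it), scripted with sc.exe instead of loader.exe, as an added example that is not from the original post or the TitanHide project; it assumes the service is named TitanHide and that TitanHide.sys sits in the current directory.

```powershell
# Added example, not part of the original post or the TitanHide project.
# Assumptions: service name "TitanHide", TitanHide.sys in the current directory.
$ErrorActionPreference = 'Stop'
$svc = 'TitanHide'
$dst = Join-Path $env:SystemRoot 'System32\drivers\TitanHide.sys'

# Step 1: copy the driver binary into the drivers directory
Copy-Item -Path '.\TitanHide.sys' -Destination $dst -Force

# Step 3: delete the old service when present.
# sc.exe query exits with 0 when the service exists and 1060 when it does not;
# Get-Service is not used here because it does not list kernel drivers.
sc.exe query $svc | Out-Null
if ($LASTEXITCODE -eq 0) {
    sc.exe stop $svc | Out-Null      # harmless if the driver is not running
    sc.exe delete $svc | Out-Null
}

# Step 4: install a new kernel-driver service pointing at the copied file
# (the space after each "type=", "start=", "binPath=" is required by sc.exe)
sc.exe create $svc type= kernel start= demand binPath= $dst

# Step 5: start the driver and show its state
sc.exe start $svc
sc.exe query $svc
```

Run from an elevated PowerShell; the post's note about x64 still applies, so an unsigned build will not load until driver signature enforcement has been dealt with.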
Tags: driver, hiding, ssdt, titanhide, x64