TitanHide - Page 3

besoeso · #31 02-09-2014, 04:03

@Insid3Code

do you know codes for DeviceIoControl funtion???

mr.exodia · #32 02-09-2014, 04:11

Quote:

Originally Posted by besoeso

@Insid3Code

do you know codes for DeviceIoControl funtion???

For TitanHide there are no such codes, you should take a look at TitanHideGUI: https://bitbucket.org/mrexodia/titanhide/src/d3168decc80020c36f6402cebf4a18bcbe34869a/TitanHideGUI/main.cpp?at=master

Greetings

mr.exodia · #33 02-09-2014, 04:15

Changelog V0008l:
- re-added NtClose, not working on Windows Server 2012, Windows 8 and Windows 8.1

Greetings,

Mr. eXoDia

Insid3Code · #34 02-09-2014, 23:08

Quote:

Originally Posted by besoeso

@Insid3Code

do you know codes for DeviceIoControl funtion???

You mean IoControlCode passed as parameter or (GetLastError code) formatted messages to display ?

@Mr. eXoDia
another hardcoded offset:
Windows 8 SP0 X86
0x154 DebugPort
Windows 8 SP0 X64
0x2F8 DebugPort
Windows 8 SP1 X64
0x410 DebugPort

mr.exodia · #35 02-09-2014, 23:32

@Insid3Code: Thanks a lot!

V0009 released:
- changed logging behavior
- added offsets for windows 8 and server 2012 (2012 not tested)

Greetings,

Mr. eXoDia

mcp · #36 02-10-2014, 07:13

@mr.exodia
If you want a more robust implementation, I would recommend that you let your driver determine the OS specific offset by itself, i.e. let it disassemble the kernel function PsGetProcessDebugPort. You could do that like this:
a) determine function boundaries, i.e. disassemble all instructions from start of the function until ret.
b) go backwards starting at ret until you find the first instruction that writes to eax/rax. The immediate in the source operand expression should be the offset you're looking for.

mr.exodia · #37 02-15-2014, 18:31

V0010 Released:
- dynamic retrieval of DebugPortOffset (thanks to mcp!)
- added some alternative code for NtClose (thanks to ahmadmansoor!)
- also updated the TitanHide plugin for x64_dbg

Greetings,

Mr. eXoDia

mr.exodia · #38 03-16-2014, 21:34

TitanHide plugins:
- OllyDbg v1.10
- OllyDbg v2.01
- TitanEngine (x86 + x64)
- x64_dbg (x32 + x64)

Attached a full archive, latest versions can be downloaded from https://bitbucket.org/mrexodia/titanhide/downloads

Plugins features will not be extended, but I will fix any bugs you find.

Greetings,

Mr. eXoDia

mr.exodia · #39 02-02-2015, 04:55

V0012 Released:
- fixed weird BSOD with NtQueryInformationProcess
- better installation guide
- various code fixes

Source:
https://bitbucket.org/mrexodia/titanhide

Download:
https://bitbucket.org/mrexodia/titanhide/downloads

Greetings,

Mr. eXoDia

mr.exodia · #40 02-02-2015, 04:55

V0012 Released:
- fixed weird BSOD with NtQueryInformationProcess
- better installation guide
- various code fixes

Source:
https://bitbucket.org/mrexodia/titanhide

Download:
https://bitbucket.org/mrexodia/titanhide/downloads

Greetings,

Mr. eXoDia

mr.exodia · #41 03-22-2015, 03:46

Updated to V0013!

Changelog:
- MIT license
- crappy win10 support
- fixed some exploits kao found
- hopefully now the .sys works on win7 (target = win7 instead of win8.1)

Download:
https://bitbucket.org/mrexodia/titanhide/downloads

#42 08-17-2015, 09:46

Quote:

Originally Posted by mr.exodia

Updated to V0013!

Changelog:
- MIT license
- crappy win10 support
- fixed some exploits kao found
- hopefully now the .sys works on win7 (target = win7 instead of win8.1)

Download:
https://bitbucket.org/mrexodia/titanhide/downloads

very good work.
one little question is kaspersky reports. maybe vm or shell detected.
so use it in vmware.

mr.exodia · #43 08-17-2015, 10:08

TitanHide technically is a rootkit, so kaspersky is doing a good job detecting it

Using it in a VM is generally a good idea.

overfl0ww · #44 06-04-2016, 19:27

Found the solution to this problem while starting service :
"StartService FAILED 6:The handle is invalid."

We need to specify the KMDF version in the project , according to this
For exemple, in Windows 7, it's 1.9, so under Driver Model Settings, change the following
- KMDF Version Major = 1
- KMDF Version Minor = 9

And it's done

cracker[PYG] · #45 06-05-2016, 23:35

X64dbg and TitanHide it very difficult to update the website to download, can you provide a cloud backup download, Thank you

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

The Following User Gave Reputation+1 to mr.exodia For This Useful Post:
Insid3Code (02-09-2014)

The Following User Gave Reputation+1 to Insid3Code For This Useful Post:
mr.exodia (02-09-2014)

The Following 2 Users Gave Reputation+1 to mr.exodia For This Useful Post:
copyleft (02-10-2014), zeuscane (02-10-2014)

The Following User Gave Reputation+1 to mcp For This Useful Post:
mr.exodia (02-15-2014)

The Following User Says Thank You to mcp For This Useful Post:
b30wulf (08-17-2015)

The Following 2 Users Gave Reputation+1 to mr.exodia For This Useful Post:
besoeso (02-15-2014), tonyweb (02-16-2014)

The Following 4 Users Gave Reputation+1 to mr.exodia For This Useful Post:
chessgod101 (03-18-2014), kjms (03-17-2014), TQN (03-17-2014)

The Following 8 Users Gave Reputation+1 to mr.exodia For This Useful Post:
cjack (02-02-2015), computerline (02-04-2015), Conquest (02-02-2015), copyleft (02-02-2015), Insid3Code (02-03-2015), Mr.reCoder (02-02-2015), Storm Shadow (02-02-2015), uranus64 (02-02-2015)

The Following User Gave Reputation+1 to mr.exodia For This Useful Post:
besoeso (03-22-2015)

The Following User Says Thank You to mr.exodia For This Useful Post:
niculaita (08-18-2015)

The Following 2 Users Say Thank You to mr.exodia For This Useful Post:
cracker[PYG] (06-05-2016), niculaita (06-05-2016)

The Following User Says Thank You to overfl0ww For This Useful Post:
niculaita (06-05-2016)