Exetools  

Go Back   Exetools > General > Community Tools

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 01-26-2014, 22:59
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 713 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Cool TitanHide

Code:
Overview:

TitanHide is a driver intended to hide debuggers from certain processes.
The driver hooks various Nt* kernel functions (using inline hooks at the
moment) and modifies the return values of the original functions.
To hide a process, you must pass a simple structure with a ProcessID and
the hiding option(s) to enable to the driver. The internal API is
designed to add hooks with little effort, which means adding features
is really easy.

Features:

- ProcessDebugFlags (NtQueryInformationProcess)
- ProcessDebugPort (NtQueryInformationProcess)
- ProcessDebugObjectHandle (NtQueryInformationProcess)
- DebugObject (NtQueryObject)
- SystemKernelDebuggerInformation (NtQuerySystemInformation)
- NtClose (STATUS_INVALID_HANDLE exception)
- ThreadHideFromDebugger (NtSetInformationThread)

Test environments:

- Windows 7 x64 (SP1)
- Windows XP x86 (SP3)
- Windows XP x64 (SP1)

Installation:

1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'loader.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service
5) Start driver
6) Use 'TitanHideGUI.exe' to set hide options

NOTE: When on x64, you have to disable PatchGuard and driver signature
      enforcement yourself. Google is your friend :)
Repository:
https://bitbucket.org/mrexodia/titanhide/

Downloads:
https://bitbucket.org/mrexodia/titanhide/downloads

Feel free to report bugs and/or request features.

Greetings,

Mr. eXoDia
Attached Files
File Type: rar loader.rar (3.7 KB, 34 views)

Last edited by mr.exodia; 10-28-2015 at 09:13.
Reply With Quote
The Following 11 Users Gave Reputation+1 to mr.exodia For This Useful Post:
ahmadmansoor (01-27-2014), besoeso (01-27-2014), chessgod101 (01-31-2014), giv (01-29-2014), h8er (01-28-2014), Insid3Code (01-27-2014), orfei (01-27-2014), quygia128 (01-27-2014), TQN (01-27-2014), winndy (01-27-2014)
The Following 2 Users Say Thank You to mr.exodia For This Useful Post:
demon_da (04-08-2015), Indigo (07-19-2019)
  #2  
Old 01-27-2014, 05:04
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,047
Rept. Given: 514
Rept. Rcvd 374 Times in 142 Posts
Thanks Given: 375
Thanks Rcvd at 410 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
u r very fast man ......
I begin feel as the clock has stop here .
today I have install win 7.0 x64 on vmw.
Thanks for ur great work
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
The Following User Says Thank You to ahmadmansoor For This Useful Post:
Indigo (07-19-2019)
  #3  
Old 01-28-2014, 00:17
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 713 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Quote:
Originally Posted by ahmadmansoor View Post
u r very fast man ......
I begin feel as the clock has stop here .
today I have install win 7.0 x64 on vmw.
Thanks for ur great work
Hehe, you can join in if you like

Attached V0002, fixed some bugs with UNICODE_STRING (pointed out by deepzero)

Last edited by mr.exodia; 10-28-2015 at 09:11.
Reply With Quote
The Following 2 Users Gave Reputation+1 to mr.exodia For This Useful Post:
besoeso (01-28-2014), zeuscane (01-28-2014)
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #4  
Old 01-28-2014, 12:48
cxj98
 
Posts: n/a
how can i get your latest build x64dbg with compiled exe?
Reply With Quote
  #5  
Old 01-28-2014, 15:05
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 713 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Quote:
Originally Posted by cxj98 View Post
how can i get your latest build x64dbg with compiled exe?
Hi, it would be better to ask this in the 'x64_dbg' topic But I will upload a dev build (it's not stable though..)

Sigma is currently unavailable, so the dump window works, but still needs some improvements.

Greetings
Reply With Quote
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #6  
Old 01-29-2014, 02:27
ferrit.rce's Avatar
ferrit.rce ferrit.rce is offline
VIP
 
Join Date: Sep 2013
Location: Switzerland
Posts: 42
Rept. Given: 10
Rept. Rcvd 101 Times in 23 Posts
Thanks Given: 0
Thanks Rcvd at 5 Times in 4 Posts
ferrit.rce Reputation: 100-199 ferrit.rce Reputation: 100-199
Cool How works it together with patchguard? SSDT hooking is being wathed there...
Reply With Quote
The Following User Says Thank You to ferrit.rce For This Useful Post:
Indigo (07-19-2019)
  #7  
Old 01-29-2014, 02:28
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 713 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Hi,

It doesn't work with patchguard and no ssdt hooking aswell

Greetings
Reply With Quote
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #8  
Old 01-29-2014, 02:59
ferrit.rce's Avatar
ferrit.rce ferrit.rce is offline
VIP
 
Join Date: Sep 2013
Location: Switzerland
Posts: 42
Rept. Given: 10
Rept. Rcvd 101 Times in 23 Posts
Thanks Given: 0
Thanks Rcvd at 5 Times in 4 Posts
ferrit.rce Reputation: 100-199 ferrit.rce Reputation: 100-199
I thought you've found the holy grail and it works That was the reason why I've designed out the driver based protection from OllyExt. BTW I've made big steps to make my plugin multi-debugger capable. If you make a plugin framework for your debugger then I could make an X64DbgExt
Reply With Quote
The Following User Says Thank You to ferrit.rce For This Useful Post:
Indigo (07-19-2019)
  #9  
Old 01-29-2014, 03:05
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 713 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Quote:
Originally Posted by ferrit.rce View Post
I thought you've found the holy grail and it works That was the reason why I've designed out the driver based protection from OllyExt. BTW I've made big steps to make my plugin multi-debugger capable. If you make a plugin framework for your debugger then I could make an X64DbgExt
I figured out how to do SSDT hooking (still with PatchGuard & Driver signing disabled), but it is very unstable, because the addresses are relative. It requires a memory page withing 128MB range of ntoskrnl. This is sometimes possible, but not always unfortunately.

The debugger has a plugin framework, but I don't know if it is good enough to support your needs, could you maybe PM me what kind of stuff you need? I will work on that.

Greetings
Reply With Quote
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #10  
Old 01-31-2014, 04:07
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 713 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Hi everyone,

V0003 is out.

Changelog:
- SSDT hooks instead of inline hooks
- fixed the bug reported by Insid3Code
- many small fixes

Greetings,

Mr. eXoDia

Last edited by mr.exodia; 10-28-2015 at 09:11.
Reply With Quote
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #11  
Old 01-31-2014, 05:41
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 713 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
A new hotfix V0004:

- support for different kernel names
- added log file (always in C:\TitanHide.log)

When you find a bug, please include the log file + crash dumps...

Greetings,

Mr. eXoDia

Last edited by mr.exodia; 10-28-2015 at 09:11.
Reply With Quote
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #12  
Old 01-31-2014, 05:46
mcp mcp is offline
Friend
 
Join Date: Dec 2011
Posts: 73
Rept. Given: 4
Rept. Rcvd 12 Times in 11 Posts
Thanks Given: 7
Thanks Rcvd at 47 Times in 35 Posts
mcp Reputation: 12
Had a quick look at the source code. You have a potential infinite loop in this code in hider.cpp

Code:
//simple locking library
static bool locked=false;

static void lock()
{
    while(locked);
    locked=true;
}
if locked is true upon entry, then this is an infinite loop because locked is not declared volatile. An optimizing compiler will thus only fetch memory once, but not repeatedly in the loop.
The disassembly confirms this (see screenshot).
Attached Images
File Type: png ida.png (7.2 KB, 15 views)
Reply With Quote
The Following User Gave Reputation+1 to mcp For This Useful Post:
mr.exodia (01-31-2014)
The Following User Says Thank You to mcp For This Useful Post:
Indigo (07-19-2019)
  #13  
Old 01-31-2014, 05:53
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 713 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Quote:
Originally Posted by mcp View Post
Had a quick look at the source code. You have a potential infinite loop in this code in hider.cpp

Code:
//simple locking library
static bool locked=false;

static void lock()
{
    while(locked);
    locked=true;
}
if locked is true upon entry, then this is an infinite loop because locked is not declared volatile. An optimizing compiler will thus only fetch memory once, but not repeatedly in the loop.
The disassembly confirms this (see screenshot).
Yes, you're right Will be fixed in the next release.
Reply With Quote
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #14  
Old 02-03-2014, 05:05
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 713 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Released a fixed binary (V0005), thanks to mcp!

Last edited by mr.exodia; 10-28-2015 at 09:11.
Reply With Quote
The Following 2 Users Gave Reputation+1 to mr.exodia For This Useful Post:
ahmadmansoor (02-03-2014), DMichael (02-03-2014)
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #15  
Old 02-04-2014, 03:22
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 713 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Released V0006

Fixed the UNICODE_STRING issue (reported by Insid3Code, thanks!)

Tested on Win7x64 and WinXPx86 (SP3), no freezes, no BSOD (before I indeed got a BSOD on the WinXP machine)

Greetings,

Mr. eXoDia

Last edited by mr.exodia; 10-28-2015 at 09:11.
Reply With Quote
The Following User Gave Reputation+1 to mr.exodia For This Useful Post:
besoeso (02-04-2014)
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
Reply

Tags
driver, hiding, ssdt, titanhide, x64

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 20:36.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )