TitanHide

[mr.exodia]

Code:

Overview:

TitanHide is a driver intended to hide debuggers from certain processes.
The driver hooks various Nt* kernel functions (using inline hooks at the
moment) and modifies the return values of the original functions.
To hide a process, you must pass a simple structure with a ProcessID and
the hiding option(s) to enable to the driver. The internal API is
designed to add hooks with little effort, which means adding features
is really easy.

Features:

- ProcessDebugFlags (NtQueryInformationProcess)
- ProcessDebugPort (NtQueryInformationProcess)
- ProcessDebugObjectHandle (NtQueryInformationProcess)
- DebugObject (NtQueryObject)
- SystemKernelDebuggerInformation (NtQuerySystemInformation)
- NtClose (STATUS_INVALID_HANDLE exception)
- ThreadHideFromDebugger (NtSetInformationThread)

Test environments:

- Windows 7 x64 (SP1)
- Windows XP x86 (SP3)
- Windows XP x64 (SP1)

Installation:

1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'loader.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service
5) Start driver
6) Use 'TitanHideGUI.exe' to set hide options

NOTE: When on x64, you have to disable PatchGuard and driver signature
      enforcement yourself. Google is your friend :)

Repository:
https://bitbucket.org/mrexodia/titanhide/

Downloads:
https://bitbucket.org/mrexodia/titanhide/downloads

Feel free to report bugs and/or request features.

Greetings,

Mr. eXoDia

[ahmadmansoor]

u r very fast man ......
I begin feel as the clock has stop here .
today I have install win 7.0 x64 on vmw.
Thanks for ur great work

[mr.exodia]

Quote:

Originally Posted by ahmadmansoor

u r very fast man ......
I begin feel as the clock has stop here .
today I have install win 7.0 x64 on vmw.
Thanks for ur great work

Hehe, you can join in if you like

Attached V0002, fixed some bugs with UNICODE_STRING (pointed out by deepzero)

how can i get your latest build x64dbg with compiled exe?

[mr.exodia]

Quote:

Originally Posted by cxj98

how can i get your latest build x64dbg with compiled exe?

Hi, it would be better to ask this in the 'x64_dbg' topic But I will upload a dev build (it's not stable though..)

Sigma is currently unavailable, so the dump window works, but still needs some improvements.

Greetings

[ferrit.rce]

Cool How works it together with patchguard? SSDT hooking is being wathed there...

[mr.exodia]

Hi,

It doesn't work with patchguard and no ssdt hooking aswell

Greetings

[ferrit.rce]

I thought you've found the holy grail and it works That was the reason why I've designed out the driver based protection from OllyExt. BTW I've made big steps to make my plugin multi-debugger capable. If you make a plugin framework for your debugger then I could make an X64DbgExt

[mr.exodia]

Quote:

Originally Posted by ferrit.rce

I thought you've found the holy grail and it works That was the reason why I've designed out the driver based protection from OllyExt. BTW I've made big steps to make my plugin multi-debugger capable. If you make a plugin framework for your debugger then I could make an X64DbgExt

I figured out how to do SSDT hooking (still with PatchGuard & Driver signing disabled), but it is very unstable, because the addresses are relative. It requires a memory page withing 128MB range of ntoskrnl. This is sometimes possible, but not always unfortunately.

The debugger has a plugin framework, but I don't know if it is good enough to support your needs, could you maybe PM me what kind of stuff you need? I will work on that.

Greetings

[mr.exodia]

Hi everyone,

V0003 is out.

Changelog:
- SSDT hooks instead of inline hooks
- fixed the bug reported by Insid3Code
- many small fixes

Greetings,

Mr. eXoDia

[mr.exodia]

A new hotfix V0004:

- support for different kernel names
- added log file (always in C:\TitanHide.log)

When you find a bug, please include the log file + crash dumps...

Greetings,

Mr. eXoDia

[mcp]

Had a quick look at the source code. You have a potential infinite loop in this code in hider.cpp

Code:

//simple locking library
static bool locked=false;

static void lock()
{
    while(locked);
    locked=true;
}

if locked is true upon entry, then this is an infinite loop because locked is not declared volatile. An optimizing compiler will thus only fetch memory once, but not repeatedly in the loop.
The disassembly confirms this (see screenshot).

[mr.exodia]

Quote:

Originally Posted by mcp

Had a quick look at the source code. You have a potential infinite loop in this code in hider.cpp

Code:

//simple locking library
static bool locked=false;

static void lock()
{
    while(locked);
    locked=true;
}

if locked is true upon entry, then this is an infinite loop because locked is not declared volatile. An optimizing compiler will thus only fetch memory once, but not repeatedly in the loop.
The disassembly confirms this (see screenshot).

Yes, you're right Will be fixed in the next release.

[mr.exodia]

Released a fixed binary (V0005), thanks to mcp!

[mr.exodia]

Released V0006

Fixed the UNICODE_STRING issue (reported by Insid3Code, thanks!)

Tested on Win7x64 and WinXPx86 (SP3), no freezes, no BSOD (before I indeed got a BSOD on the WinXP machine)

Greetings,

Mr. eXoDia