IDA Stealth Plugin


D-Jester
August 13th, 2008, 14:21
IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques.

The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll actually implements most of the stealth techniques either by hooking system calls or by patching some flags in the remote process.

Installation

To install the plugin, copy both files to the plugins directory of your IDA installation. Make sure that the cfg subdirectory is writable, because that's where the plugin stores its configuration.

If you find bugs or want to suggest new stealth techniques just drop me a mail or create a new forum topic.

Changelog

07/24/2008 - v1.0 Beta 1

* Bugfix: Multiple minor bugfixes
* Added: Fake OS version
* Added: Disable NtTerminateThread/NtTerminateProcess

07/14/2008 - v1.0 Alpha 4

* Bugfix: Injection of stealth dll could fail in some cases (see N-InjectLib)

07/13/2008 - v1.0 Alpha 3

* Added: Multiple stealth techniques (OpenProcess, DBG_PRINTEXCEPTION, hardware breakpoint protection, hide IDA process and windows, to name but a few)
* Improved: Overall stealth: xADT as well as Extreme Debugger Detector 0.5 are unable to detect an attached debugger (except for RDTSC based tests and scanning the HDD for various tools)
* Bugfix: Plugin didn't correctly de-register from debug callback; crashed with newly created databases

07/06/2008 - v1.0 Alpha 2

* Bugfix: Injection of stealth dll failed if IMAGE_DIRECTORY_ENTRY_IAT of process was zero, so the plugin didn't work with most packed executables
* Bugfix: NtQueryInformationProcess didn't work (CheckRemoteDebuggerPresent was implicitly affected)

07/04/2008 - v1.0 Alpha

* First alpha release, some features still missing, needs testing, major bugs
* Known Bugs:
  o Problems when modifying import directory of packed executables (error 0xC000007B)

http://newgre.net/idastealth
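The Alpha 2 changelog entry above mentions injection failing when IMAGE_DIRECTORY_ENTRY_IAT was zero. The following is an added example, not code from the plugin or the post: a small PE header parser that reads the data directories and reports whether the IAT entry is zero, so an analyst can check a target before loading it; build_minimal_pe is an assumed helper that constructs header-only test images.

```python
import struct

# Data directory indices and optional header magics from winnt.h
IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_IAT = 1, 12
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def read_data_directories(pe: bytes):
    """Return (magic, [(rva, size), ...]) from a PE image's optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    count = min(struct.unpack_from("<I", pe, count_off)[0], 16)
    return magic, [struct.unpack_from("<II", pe, dirs_off + 8 * i) for i in range(count)]

def iat_directory_is_zero(pe: bytes) -> bool:
    """True when IMAGE_DIRECTORY_ENTRY_IAT is absent or both RVA and Size are 0."""
    _, dirs = read_data_directories(pe)
    if len(dirs) <= IMAGE_DIRECTORY_ENTRY_IAT:
        return True
    rva, size = dirs[IMAGE_DIRECTORY_ENTRY_IAT]
    return rva == 0 and size == 0

def build_minimal_pe(iat=(0, 0), import_dir=(0x2000, 0x28), pe32plus=False) -> bytes:
    """Constructed header-only PE32/PE32+ image for testing; not a loadable file."""
    magic, opt_size = (PE32PLUS_MAGIC, 240) if pe32plus else (PE32_MAGIC, 224)
    count_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT], dirs[IMAGE_DIRECTORY_ENTRY_IAT] = import_dir, iat
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, count_off, len(dirs))
    for i, (rva, size) in enumerate(dirs):
        struct.pack_into("<II", opt, dirs_off + 8 * i, rva, size)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew -> right after the DOS header
    machine = 0x8664 if pe32plus else 0x14C
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x102)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
```

To check a real file, pass open(path, "rb").read() to iat_directory_is_zero; a packed executable whose import table was rebuilt by the packer often reports True here.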

JMI
August 13th, 2008, 16:29
D-Jester:

I've updated the entry in the CRCETL for your tool, shown here:

<removed>

I have included the current release date, but you have not specified a version number with this release. Is it 1.0 Beta 1(1) or something else? You, of course, can make the edits directly in the CRCETL yourself if you wish.

Thanks for sharing your efforts with our readers.

Regards,

bedrock
August 14th, 2008, 06:40
Nice idea. As IDA also has a 64-bit debugger, is it possible to have your tool compiled as 64-bit too?

D-Jester
August 14th, 2008, 07:21
Quote:
Originally Posted by bedrock: Nice idea. As IDA also has a 64-bit debugger, is it possible to have your tool compiled as 64-bit too?


This tool is by Jan Newger; he says an x64 version isn't possible at this time.

http://newgre.net/node/55

Peace

JMI
August 14th, 2008, 16:20
He said the 64 bit wasn't possible because he doesn't have a copy of IDA 64 bit to play with yet.

Regards,

reverser
August 16th, 2008, 06:59
IDA64 is a 32-bit program, so one would need to hide the win64_remotex64.exe debug server instead of IDA itself. I don't think plugins would work here.

bedrock
August 18th, 2008, 14:39
Quote:
Originally Posted by reverser: IDA64 is a 32-bit program, so one would need to hide the win64_remotex64.exe debug server instead of IDA itself. I don't think plugins would work here.


I realise this, but in a 32-bit environment, does IDA not just execute win32_remote.exe under the covers? So would not compiling the plugin as a PE32+ image allow the dll to be loaded by win64_remotex64.exe?

TiGa
August 22nd, 2008, 00:15
The injected dll is 32-bit so it wouldn't work as-is on 64-bit processes.

The 32-bit dll is also injected when using the remote server locally so it could work that way too if the dll was recompiled and fixed for 64-bit.

TiGa

reverser
August 22nd, 2008, 18:10
win64_remotex64.exe is just a simple 64-bit debugger which talks with IDA (IDA's debugger plugin) over TCP. It doesn't have any plugins.

narfzort
September 4th, 2008, 15:05
FYI: full source code is available by this time

dELTA
September 19th, 2008, 16:05
Very nice with the source code, narfzort!

Oh, btw, there has been some confusion about the CRCETL entry for this tool (duplicate entries). The correct entry is the following, and nothing else:

http://www.woodmann.com/collaborative/tools/IDA_Stealth