Gunther
May 16th, 2014, 11:45
I just happened to notice that Mr.eXoDia also decided to release some of his tools here.
https://bitbucket.org/mrexodia/titanhide/src
TitanHide is a driver intended to hide debuggers from certain processes.
The driver hooks various Nt* kernel functions (using SSDT table hooks)
and modifies the return values of the original functions.
To hide a process, you must pass a simple structure with a ProcessID and
the hiding option(s) to enable, to the driver. The internal API is
designed to add hooks with little effort, which means adding features
is really easy.
Features:
- ProcessDebugFlags (NtQueryInformationProcess)
- ProcessDebugPort (NtQueryInformationProcess)
- ProcessDebugObjectHandle (NtQueryInformationProcess)
- DebugObject (NtQueryObject)
- SystemKernelDebuggerInformation (NtQuerySystemInformation)
- NtClose (STATUS_INVALID_HANDLE exception)
- ThreadHideFromDebugger (NtSetInformationThread)
- Protect DRx (HW BPs) (NtSetContextThread)
Test environments:
- Windows 7 x64 & x86 (SP1)
- Windows XP x86 (SP3)
- Windows XP x64 (SP1)
Installation:
1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'ServiceManager.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service (specify the full path to TitanHide.sys)
5) Start the service you just created
6) Use 'TitanHideGUI.exe' to set hide options for a PID
NOTE1: When on x64, you have to disable PatchGuard and driver signature
enforcement yourself. Google is your friend.
NOTE2: When using x64_dbg, you can use the TitanHide plugin (available
on the download page).
NOTE3: When using EsetNod32 AV, disable "Realtime File Protection" to
prevent a BSOD when starting TitanHide. You can re-enable it right afterwards.
I have not personally tried playing around with it, but I suppose it should be educational to some people.
BR,
[ Gunther ]
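As an added example that is not part of the post or of the TitanHide project, the following PowerShell audit checks a host for the footprint the installation steps above leave behind: the registered driver service, the signature status of the driver image, and whether driver signature enforcement was weakened as NOTE1 requires. It assumes an elevated Windows PowerShell 3.0+ session, and the service name 'TitanHide' is an assumption (the README leaves the name to whoever installs the service).

```powershell
# Added example, not code from the post or the TitanHide project: audit a host for
# the footprint the installation steps above leave behind. Assumes an elevated
# Windows PowerShell 3.0+ session. Assumption: the service was registered under
# the name 'TitanHide' (the README leaves the service name to the installer).
$driverName = 'TitanHide'
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\TitanHide.sys'
function Get-KernelDriverServices {
    # Win32_SystemDriver enumerates kernel-mode driver services, including
    # ones created by hand with a tool such as ServiceManager.exe.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Select-Object Name, State, StartMode, PathName
}
function Resolve-DriverPath {
    param([string]$PathName)
    # Normalise the path forms found in the service database (\??\, \SystemRoot\, relative).
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}
function Test-DriverSignature {
    param([string]$Path)
    # Authenticode status of the image. Inbox drivers signed only through a
    # catalog may report NotSigned on older Windows, so treat hits as triage input.
    if (-not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}
function Get-BootIntegritySettings {
    # NOTE1 requires weakening driver signature enforcement on x64; these BCD
    # options are the usual way that is done and should normally be off.
    $bcd = bcdedit /enum '{current}' 2>$null
    [pscustomobject]@{
        TestSigning       = [bool]($bcd -match '^\s*testsigning\s+Yes')
        NoIntegrityChecks = [bool]($bcd -match '^\s*nointegritychecks\s+Yes')
    }
}

# 1. Driver service and file present?
$svc = Get-KernelDriverServices |
    Where-Object { $_.Name -eq $driverName -or $_.PathName -match 'TitanHide\.sys' }
if ($svc) { $svc | Format-Table -AutoSize } else { "No $driverName service registered." }
"Driver file $driverPath -> $(Test-DriverSignature -Path $driverPath)"

# 2. Signature enforcement weakened?
Get-BootIntegritySettings

# 3. Every registered kernel driver whose image does not verify.
Get-KernelDriverServices | Where-Object { $_.PathName } | ForEach-Object {
    $p = Resolve-DriverPath -PathName $_.PathName
    [pscustomobject]@{ Name = $_.Name; State = $_.State; Signature = (Test-DriverSignature -Path $p); Path = $p }
} | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

The third step lists every kernel driver service whose image does not carry a valid signature, which is the broader condition a hand-installed, unsigned driver such as this one falls under; review that list rather than relying on the file name alone.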