mrexodia Posted January 26, 2014 (edited)

Overview:
TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using inline hooks at the moment) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.

Features:
- ProcessDebugFlags (NtQueryInformationProcess)
- ProcessDebugPort (NtQueryInformationProcess)
- ProcessDebugObjectHandle (NtQueryInformationProcess)
- DebugObject (NtQueryObject)
- SystemKernelDebuggerInformation (NtQuerySystemInformation)
- NtClose (STATUS_INVALID_HANDLE exception)
- ThreadHideFromDebugger (NtSetInformationThread)

Test environments:
- Windows 7 x64 (SP1)
- Windows XP x86 (SP3)
- Windows XP x64 (SP1)

Installation:
1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'loader.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service
5) Start driver
6) Use 'TitanHideGUI.exe' to set hide options

NOTE: When on x64, you have to disable PatchGuard and driver signature enforcement yourself. Google is your friend.

Repository: https://bitbucket.org/mrexodia/titanhide/
Downloads: https://bitbucket.org/mrexodia/titanhide/downloads

Feel free to report bugs and/or request features.

Greetings,
Mr. eXoDia

Attachments: TitanHide_0001.rar, loader.rar

Edited January 26, 2014 by Mr. eXoDia
deepzero Posted January 26, 2014

Cool! I can't get it to work, though. I put all binary files in one directory, started the loader and put "TitanHide.sys" as path and "TitanHide" as name. The service was added successfully, but when I try to start it with "start" I get Error starting service(2). OS is XP SP3 x86, full admin privileges.

d.

P.S. Any reason the source for the loader is not included?
mrexodia (Author) Posted January 26, 2014

Hi,

Did you try copying TitanHide.sys to the system32/drivers folder? You'll also need to specify the full path to the driver, and I think the path should not include spaces. I also tested it on XP x86 SP3, works fine here (on my normal Win7 there are issues though).

The reason the source is not included is that I lost it. It was an old thing that I used around 2012. There are plenty of tuts available on making such a loader though. This one for example: http://www.unknowncheats.me/forum/c-and-c/59147-writing-drivers-perform-kernel-level-ssdt-hooking.html

Greetings
LCF-AT Posted January 26, 2014

Hi eXoDia,

Nice idea, but it would be better to create a small example video so that nothing goes wrong etc. So I have tested it manually now and got a BSOD, yeahhh! My first one on my new PC! Also this loader CMD stuff you should avoid, and for this you could also create a little GUI so that you don't need to enter the paths etc. manually, you know, since Ctrl+V does not work in your CMD. Just create a video too where you show all steps + all features of the loader file = create / set up service + a usage example with the GUI and PID + unloading / deleting the service again etc. Would be nice if you could do this, so I don't want to do something wrong again and get another BSOD.

greetz
mrexodia (Author) Posted January 26, 2014

@LCF: A BSOD is something you shouldn't get at all, even when you load the driver incorrectly... What OS + Service Pack are you on?

Greetings

PS I'll create the video some time later..
LCF-AT Posted January 26, 2014

Hi again,

I also use XP SP3. First I tried to set up the driver and enter the path, and then I should enter a name and there I entered titanhide.sys, so I think here I had to enter any xy name, right? So after this I got a BSOD.

HKLM|SYSTEM|ControlSet001|Services|titanhide.sys
HKLM|SYSTEM|ControlSet002|Services|titanhide.sys
HKLM|SYSTEM|CurrentControlSet|Services|titanhide.sys
----------------------------------------------------
DisplayName: titanhide.sys
ErrorControl: (1)
ImagePath: \??\c:\winxp\system32\drivers\titanhide.sys
Start: (3)
Type: (1)
Security folder|Security any binary string

So that's the reason why a simple example video is always a good idea, to prevent doing something wrong like me now. Yes, just make a small video and then all should go better also for noobs like me.

greetz
deepzero Posted January 27, 2014 (edited)

@LCF: you don't need a video for this.

1) copy TitanHide.sys to c:\windows\system32\drivers
2) open loader.exe
3) type "ss"
4) path = c:\windows\system32\drivers\TitanHide.sys
5) name = TitanHide
6) type "start"
7) name = TitanHide
8) driver successfully loaded
9) launch test.exe and gui.exe
10) take note of the pid printed out by test.exe
11) enter it in the gui.exe textfield
12) check the desired options and hit "hide"

What did the bluescreen say?

edit: and remove any and all patches you did to the registry... they are not needed.

Edited January 27, 2014 by deepzero
mrexodia (Author) Posted January 27, 2014

@deepzero: what happened to the old reply? MSDN doesn't state that UNICODE_STRING buffers are terminated anywhere. I fixed the bugs in various places.

@LCF-AT: The GUI thing will be done once the real testing stage is over. Currently this loader works perfectly fine. You can paste in the console by the way: enable "QuickEdit Mode" (right-click on title -> Properties -> QuickEdit Mode), select the second option (save for all windows). You can use right-click to paste in the console window.

Attached V0002 (should not give more BSODs, because the UNICODE_STRING problem is solved).

Greetings

Attachment: TitanHide_0002.rar
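The UNICODE_STRING point above is worth seeing in code. The following is an added example, not code from TitanHide or from anyone in this thread: it mimics the Windows UNICODE_STRING layout (a Length and MaximumLength in bytes plus a UTF-16 Buffer that is not guaranteed to be NUL-terminated) and contrasts a comparison that assumes a terminator with one that honours Length. The struct name DEMO_UNICODE_STRING, the helper names and the sample buffer are all constructed for the demo; uint16_t stands in for WCHAR so it builds the same way on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Windows UNICODE_STRING layout. Length and
 * MaximumLength are BYTE counts; Buffer is UTF-16 and may have no terminator. */
typedef struct {
    uint16_t Length;        /* bytes in use, excluding any terminator */
    uint16_t MaximumLength; /* bytes allocated for Buffer */
    uint16_t *Buffer;
} DEMO_UNICODE_STRING;

/* Buggy: assumes Buffer is NUL-terminated and walks until it finds a NUL.
 * `scan_limit` only exists so this demo cannot fault; a kernel driver has no
 * such cap and reads into whatever memory follows the buffer. */
static int buggy_equals(const DEMO_UNICODE_STRING *s, const char *ascii, size_t scan_limit)
{
    size_t i = 0;
    for (;;) {
        if (i >= scan_limit)
            return 0;                      /* ran past the end of the allocation */
        uint16_t c = s->Buffer[i];
        if (c == 0 || ascii[i] == '\0')
            return c == 0 && ascii[i] == '\0';
        if (c != (uint16_t)(unsigned char)ascii[i])
            return 0;
        i++;
    }
}

/* Correct: trusts Length (converted from bytes to code units) and never reads past it. */
static int safe_equals(const DEMO_UNICODE_STRING *s, const char *ascii)
{
    size_t n = s->Length / sizeof(uint16_t);
    if (strlen(ascii) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (s->Buffer[i] != (uint16_t)(unsigned char)ascii[i])
            return 0;
    return 1;
}

/* Correct: bounded copy into a NUL-terminated narrow buffer (e.g. for a log line).
 * Non-ASCII code units become '?'. Returns the number of characters written. */
static size_t safe_to_ascii(const DEMO_UNICODE_STRING *s, char *out, size_t out_size)
{
    size_t n = s->Length / sizeof(uint16_t);
    if (out_size == 0)
        return 0;
    if (n > out_size - 1)
        n = out_size - 1;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = s->Buffer[i];
        out[i] = (c < 0x80) ? (char)c : '?';
    }
    out[n] = '\0';
    return n;
}

/* Constructed sample: "TitanHide" with NO terminator, immediately followed by
 * bytes that stand in for unrelated adjacent memory. */
static uint16_t demo_backing[] = {
    'T', 'i', 't', 'a', 'n', 'H', 'i', 'd', 'e',  /* Length covers only these 9 */
    'J', 'U', 'N', 'K'                            /* adjacent memory, not part of the string */
};

static DEMO_UNICODE_STRING demo_string(void)
{
    DEMO_UNICODE_STRING s;
    s.Length        = (uint16_t)(9 * sizeof(uint16_t));
    s.MaximumLength = (uint16_t)(9 * sizeof(uint16_t));
    s.Buffer        = demo_backing;
    return s;
}

int main(void)
{
    DEMO_UNICODE_STRING s = demo_string();
    char out[32];
    size_t total = sizeof demo_backing / sizeof demo_backing[0];
    printf("buggy_equals:  %d (reads into adjacent memory, mismatches)\n",
           buggy_equals(&s, "TitanHide", total));
    printf("safe_equals:   %d\n", safe_equals(&s, "TitanHide"));
    safe_to_ascii(&s, out, sizeof out);
    printf("safe_to_ascii: \"%s\"\n", out);
    return 0;
}
```

The buggy variant gives the wrong answer here, but the worse outcome is the one the thread saw: when the bytes after the buffer are unmapped, the unterminated walk is a kernel-mode page fault, i.e. a BSOD. Every consumer of a UNICODE_STRING in a driver should bound itself by Length, and anything that needs a C string should copy with an explicit limit as safe_to_ascii does.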
deepzero Posted January 27, 2014

> @deepzero: what happened to the old reply?

I don't know! I wanted to add some more information and somehow managed to delete that part. Didn't even notice.

Good to see it has all been fixed so fast!
besoeso Posted January 27, 2014

A guide for adding hooks would be good. I'm thinking about how to add a hook for the IoCtl function for any process and save the buffer to a log file.
mrexodia (Author) Posted January 27, 2014

> A guide for adding hooks would be good. I'm thinking about how to add a hook for the IoCtl function for any process and save the buffer to a log file.

That's not what this driver was designed for, but yes indeed, it could be used as a rootkit (only on x86 though).
mrexodia (Author) Posted January 27, 2014

You cannot install/use this driver without modifying your system on x64, that's why. Now please stay on topic.
LCF-AT Posted January 27, 2014

Hi again,

Ok thanks Deep, so I will test it now. No idea what the BSOD told me, it was just visible for one second and then the PC restarted. So which patches do I have to remove in the registry? You mean what I posted or anything else?

Ok eXoDia, so I will also test your new file. Feedback comes later after testing, and I hope that you are right and that I don't get any more BSODs.

greetz
LCF-AT Posted January 27, 2014

Me again,

Ok I have tested it now, but now I get another problem.

1.) I entered the TitanHide.sys path manually again, so Ctrl+V again does not work
2.) I entered the name TitanHide
3.) No BSOD anymore
4.) "TitanHide service has been created successfully" message etc.
5.) I left the CMD window open [yes or no?]
6.) I start TitanHideTest.exe and get a PID of 464 + info about the debug checks.....

ProcessDebugFlags: 0
ProcessDebugPort: 0
ProcessDebugObjectHandle: 0
NtQueryObject: 0
CheckSystemDebugger: 1
CheckNtClose: 0

...all 0, just CheckSystemDebugger is 1? Also this info list gets updated each second again and again... why?

7.) Now I start the new GUI and enter the PID of 464 and check ProcessDebugFlags alone or all others too etc. and press the Hide button, and now I get the info box....

Driver loaded?
Could not open TitanHide handle...

So what's the problem now again?

PS: Just make a video eXoDia from A-Z to prevent doing something wrong again. Thanks.

greetz
deepzero Posted January 27, 2014 (edited)

Did you follow all the steps?

> 6) type "start"
> 7) name = TitanHide

> 1.) I entered the TitanHide.sys path manually again, so Ctrl+V again does not work

right-click on the title bar -> edit -> paste

> 5.) I left the CMD window open [yes or no?]

yes.

> this info list gets updated each second again and again... why?

so you can see the effect the driver will have.

Edited January 27, 2014 by deepzero
Insid3Code Posted January 28, 2014

Hello,

Please check the attachment...

Attachment: TitanHide_report01.rar
kao Posted January 28, 2014

Oh boy.. Writing drivers is hard. It really is.

1) Both v1 and v2 drivers BSOD a few seconds after load on my i5-2500K (32-bit WinXP SP3). They do not crash in VMware (single-core CPU, XP SP2). My best guess: multi-core CPUs are not supported properly. Minidumps attached. If you wish, I could make a full dump, even though I really don't appreciate seeing a blue screen on my main machine.

2) For LCF-AT and others who prefer a GUI: you can use KmdManager to register/start/stop/delete the driver: http://blurredlogic.net/ebooks/Kernel_Driver_tut/KmdKit/tools/KmdManager/

Attachment: minidumps.zip
LCF-AT Posted January 28, 2014

Hi,

Oh, so you also get a BSOD.... and what now? About your KmdManager, Kao: so you mean I can use this GUI to reg / run / stop / unreg any .sys file, yes? Is there also any longer description of how to use all features of this tool, or a YouTube video etc.? Thanks again so far.

@Deep: So I see I forgot to enter the start line. Sorry, but this manual CMD entering is really no longer my thing since a long time, so I prefer simple GUIs instead. Ok, let's wait and see what eXoDia will do to fix this BSOD problem.

greetz
mrexodia (Author) Posted January 29, 2014

Hi,

After some talking with deepzero, I realized that the hooking model is completely unreliable. It is therefore not recommended to use this driver outside of a VM, because you eventually WILL get a BSOD. It has to do with exclusive memory access that needs to be obtained in order to place the hook (7 bytes on x86 and 12 on x64). I'm working on a way to do SSDT hooking on x64 and I will try to release a new hooking model quite soon.

Greetings
mrexodia (Author) Posted January 30, 2014

Hi everyone,

V0003 is out. Changelog:
- SSDT hooks instead of inline hooks
- fixed the bug reported by Insid3Code
- many small fixes

Greetings,
Mr. eXoDia

Attachment: TitanHide_0003.rar
mrexodia (Author) Posted January 30, 2014 (edited)

A new hotfix V0004:
- support for different kernel names
- added log file (always in C:\TitanHide.log)

When you find a bug, please include the log file + crash dumps...

Greetings,
Mr. eXoDia

Attachment: TitanHide_0004.rar

Edited January 30, 2014 by Mr. eXoDia
mrexodia (Author) Posted February 2, 2014

Another hotfix (potential deadlock), reported by mcp (thanks for that): http://forum.exetools.com/showpost.php?p=89675&postcount=12

Attached the latest build, also available on the downloads page.

Greetings,
Mr. eXoDia

PS I tested this driver on my main PC (Win7 x64) and it didn't give me any BSOD, so please start testing again if you stopped because of BSODs.

Attachment: TitanHide_0005.rar
kao Posted February 2, 2014

Complete system freeze when starting the driver (WinXP SP3, Intel i5-2500K). The only solution is to cut power to the box. No BSOD, no TitanHide.log created.
Mr.reCoder Posted February 3, 2014

Hi,

BSOD in Windows XP SP3 (original, no patches!) when starting the service! There is no log file on the C drive!!

BR.