TitanHide

Overview:

TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using inline hooks at the moment) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.

Features:

- ProcessDebugFlags (NtQueryInformationProcess)
- ProcessDebugPort (NtQueryInformationProcess)
- ProcessDebugObjectHandle (NtQueryInformationProcess)
- DebugObject (NtQueryObject)
- SystemKernelDebuggerInformation (NtQuerySystemInformation)
- NtClose (STATUS_INVALID_HANDLE exception)
- ThreadHideFromDebugger (NtSetInformationThread)

Test environments:

- Windows 7 x64 (SP1)
- Windows XP x86 (SP3)
- Windows XP x64 (SP1)

Installation:

1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'loader.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service
5) Start driver
6) Use 'TitanHideGUI.exe' to set hide options

NOTE: When on x64, you have to disable PatchGuard and driver signature enforcement yourself. Google is your friend
Repository:

https://bitbucket.org/mrexodia/titanhide/

Downloads:

https://bitbucket.org/mrexodia/titanhide/downloads

Feel free to report bugs and/or request features.

Greetings,

Mr. eXoDia

TitanHide_0001.rar

loader.rar

Edited by Mr. eXoDia
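As an added example that is not part of this post or of the TitanHide project: a PowerShell self-check that queries, for its own process, the NtQueryInformationProcess and NtQuerySystemInformation classes named in the feature list, so the effect of a hide option on a given PID can be watched the way the test program in this thread does. The NtClose and ThreadHideFromDebugger entries are not query-based and are not covered. The information-class numbers (ProcessDebugPort = 7, ProcessDebugObjectHandle = 30, ProcessDebugFlags = 31, SystemKernelDebuggerInformation = 35) and STATUS_PORT_NOT_SET (0xC0000353) are the public winternl/ntddk values; the NtDbg type name and the Get-DebugState function are mine.

```powershell
# Added example (not from the thread or the TitanHide project): sample the debug-related
# process/system fields for the current process through the public ntdll exports.
# Assumed constants: information classes 7, 30, 31, 35 and STATUS_PORT_NOT_SET = 0xC0000353.
if (-not ('NtDbg' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NtDbg {
    // Pointer-sized out parameter: ProcessDebugPort (DWORD_PTR) and ProcessDebugObjectHandle (HANDLE).
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        out IntPtr info, int infoLength, out int returnLength);
    // Same export bound with a 4-byte out parameter for the ULONG-sized ProcessDebugFlags class.
    [DllImport("ntdll.dll", EntryPoint = "NtQueryInformationProcess")]
    public static extern int NtQueryInformationProcessU32(IntPtr hProcess, int infoClass,
        out uint info, int infoLength, out int returnLength);
    // SYSTEM_KERNEL_DEBUGGER_INFORMATION is two BOOLEANs: KernelDebuggerEnabled, KernelDebuggerNotPresent.
    [DllImport("ntdll.dll")]
    public static extern int NtQuerySystemInformation(int infoClass,
        out ushort info, int infoLength, out int returnLength);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@
}

function Get-DebugState {
    $h   = [NtDbg]::GetCurrentProcess()
    $ret = 0
    $out = [ordered]@{}

    # ProcessDebugPort (7): non-zero while a user-mode debugger is attached.
    $port = [IntPtr]::Zero
    $st = [NtDbg]::NtQueryInformationProcess($h, 7, [ref]$port, [IntPtr]::Size, [ref]$ret)
    $out.ProcessDebugPort = if ($st -eq 0) { $port.ToInt64() } else { 'NTSTATUS 0x{0:X8}' -f $st }

    # ProcessDebugObjectHandle (30): a real handle on success, STATUS_PORT_NOT_SET when no debugger.
    $dbgObj = [IntPtr]::Zero
    $st = [NtDbg]::NtQueryInformationProcess($h, 30, [ref]$dbgObj, [IntPtr]::Size, [ref]$ret)
    if ($st -eq 0 -and $dbgObj -ne [IntPtr]::Zero) {
        [void][NtDbg]::CloseHandle($dbgObj)          # do not leak the returned debug object handle
        $out.ProcessDebugObjectHandle = 'present'
    } elseif (('{0:X8}' -f $st) -eq 'C0000353') {
        $out.ProcessDebugObjectHandle = 'none (STATUS_PORT_NOT_SET)'
    } else {
        $out.ProcessDebugObjectHandle = 'NTSTATUS 0x{0:X8}' -f $st
    }

    # ProcessDebugFlags (31): 0 while a debugger is attached, 1 otherwise.
    [uint32]$flags = 0
    $st = [NtDbg]::NtQueryInformationProcessU32($h, 31, [ref]$flags, 4, [ref]$ret)
    $out.ProcessDebugFlags = if ($st -eq 0) { $flags } else { 'NTSTATUS 0x{0:X8}' -f $st }

    # SystemKernelDebuggerInformation (35): low byte = Enabled, high byte = NotPresent.
    [uint16]$kd = 0
    $st = [NtDbg]::NtQuerySystemInformation(35, [ref]$kd, 2, [ref]$ret)
    if ($st -eq 0) {
        $out.KernelDebuggerEnabled    = [bool]($kd -band 0xFF)
        $out.KernelDebuggerNotPresent = [bool](($kd -shr 8) -band 0xFF)
    } else {
        $out.KernelDebuggerEnabled    = 'NTSTATUS 0x{0:X8}' -f $st
        $out.KernelDebuggerNotPresent = 'NTSTATUS 0x{0:X8}' -f $st
    }
    [pscustomobject]$out
}

# Re-sample once per second, like the thread's TitanHideTest.exe, so a change the driver
# makes for this PID shows up live. Ctrl+C stops it.
"PID: $PID"
while ($true) { Get-DebugState | Format-List; Start-Sleep -Seconds 1 }
```

Run it without a debugger attached, note the PID it prints, apply hide options to that PID from the GUI and watch the next sample. With a user-mode debugger attached, ProcessDebugPort becomes non-zero, ProcessDebugObjectHandle is present and ProcessDebugFlags reads 0; a hiding driver that rewrites these results makes the debugged process look exactly like the undebugged baseline, which is why comparing against a known-clean baseline is the only meaningful way to read these values.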

  • Replies 164
  • Views 215.6k

cool!

I can't get it to work, though.

I put all binary files in one directory, started the loader and put "TitanHide.sys" as path and "TitanHide" as name. The service was added successfully, but when I try to start it with "start" I get

Error starting service(2).

OS is XP SP3 x86, full admin privileges.

d.

p.s. any reason the source for the loader is not included? :)


  • Author

Hi,

Did you try copying TitanHide.sys to the system32/drivers folder? You'll also need to specify the full path to the driver and I think the path should not include spaces. I also tested it on XP x86 SP3, works fine here (on my normal win7 there are issues though).

The reason the source is not included is that I lost it :) It was an old thing that I used around 2012. There are plenty of tuts available on making such a loader though. This one for example: http://www.unknowncheats.me/forum/c-and-c/59147-writing-drivers-perform-kernel-level-ssdt-hooking.html

Greetings

Hi eXoDia,

nice idea, but it would be better to create a small example video so nothing goes wrong etc. So I have tested it manually now and got a BSOD, yeahhh! My first one on my new PC! Also this loader CMD stuff you should avoid, and for this you could also create a little GUI so that you don't need to enter the paths etc. manually, you know, since Strg+V does not work in your CMD.

Just create a video too where you show all steps + all features of the loader file = create / set up service + a usage example with the GUI and PID + unloading / deleting the service again etc.

Would be nice if you could do this so I don't do something wrong again and get another BSOD. :)

greetz


  • Author

@LCF: A BSOD is something you shouldn't get at all, even when you load the driver incorrectly... What OS + Service Pack are you on?

Greetings

PS I'll create the video some time later..

Hi again,

I also use XP SP3.

First I tried to set up the driver and entered the path, and then I should enter a name, and there I entered tianhide.sys :) so I think here I had to enter any xy name, right? So after this I got a BSOD.



HKLM|SYSTEM|ControlSet001|Services|titanhide.sys
HKLM|SYSTEM|ControlSet002|Services|titanhide.sys
HKLM|SYSTEM|CurrentControlSet|Services|titanhide.sys
----------------------------------------------------
DisplayName: titanhide.sys
ErrorConrtol: (1)
ImagePath: \??\c:\winxp\system32\drivers\titanhide.sys
Start: (3)
Type: (1) Security folder|Security any binary string

So that's the reason why a simple example video is always a good idea, to prevent doing something wrong as I did now. :) Yes, just make a small video and then all should go better, also for noobs like me. :)

greetz


@LCF:

you don't need a video for this. :)

1) copy TitanHide.sys to c:\windows\system32\drivers
2) open loader.exe
3) type "ss"
4) path = c:\windows\system32\drivers\TitanHide.sys
5) name = TitanHide
6) type "start"
7) name = TitanHide
8) driver successfully loaded

9) launch test.exe and gui.exe
10) take note of the pid printed out by test.exe
11) enter it in the gui.exe textfield
12) check the desired options and hit "hide"

What did the bluescreen say?

edit: and remove any and all patches you did to the registry...they are not needed.

Edited by deepzero
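Added example, not from the thread: the same install, start and removal steps done with the built-in sc.exe instead of loader.exe, from an elevated PowerShell prompt, with the sc.exe exit code surfaced so that a failure like the "Error starting service(2)" reported earlier is readable (2 is ERROR_FILE_NOT_FOUND: the service's ImagePath does not point at an existing file). The service name TitanHide and the driver path under %SystemRoot%\System32\drivers are the ones the thread uses; the Invoke-Sc helper and the Action parameter are mine.

```powershell
# Added example (not from the thread): install/start or stop/remove a kernel driver service
# with sc.exe, mirroring the loader.exe steps above. Run from an elevated PowerShell prompt.
# Assumed: service name 'TitanHide', driver already copied to %SystemRoot%\System32\drivers\TitanHide.sys.
param(
    [ValidateSet('install', 'remove')] [string]$Action = 'install',
    [string]$ServiceName = 'TitanHide',
    [string]$DriverPath  = (Join-Path $env:SystemRoot 'System32\drivers\TitanHide.sys')
)
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# Runs sc.exe and returns its output plus exit code. sc.exe exits with the Win32 error code on
# failure, e.g. 2 = ERROR_FILE_NOT_FOUND, 1060 = service does not exist, 1073 = already exists.
function Invoke-Sc {
    param([string[]]$ScArgs)
    $text = (& sc.exe @ScArgs 2>&1 | Out-String).Trim()
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $text }
}

switch ($Action) {
    'install' {
        # Step 1 of the original post: the binary must already be in the drivers folder,
        # otherwise 'sc start' fails with error 2 (file not found).
        if (-not (Test-Path -LiteralPath $DriverPath)) {
            throw "Driver not found at $DriverPath. Copy TitanHide.sys there first."
        }
        # Step 3: delete the old service when present. Kernel drivers are not listed by
        # Get-Service, so the SCM registry key is checked instead.
        if (Test-Path -LiteralPath $regKey) {
            Invoke-Sc @('stop', $ServiceName) | Out-Null
            $r = Invoke-Sc @('delete', $ServiceName)
            if ($r.ExitCode -ne 0) { throw "sc delete failed ($($r.ExitCode)): $($r.Output)" }
        }
        # Step 4: 'type= kernel' records Type (1) and 'start= demand' records Start (3), the
        # values seen in the registry dump posted earlier. sc.exe needs the space after each '='.
        $r = Invoke-Sc @('create', $ServiceName, 'type=', 'kernel', 'start=', 'demand', 'binPath=', $DriverPath)
        if ($r.ExitCode -ne 0) { throw "sc create failed ($($r.ExitCode)): $($r.Output)" }
        # Step 5: start the driver; a non-zero exit code here is the Win32 error to look up.
        $r = Invoke-Sc @('start', $ServiceName)
        if ($r.ExitCode -ne 0) { throw "sc start failed ($($r.ExitCode)): $($r.Output)" }
        # Show what the SCM recorded and the current state.
        Get-ItemProperty -LiteralPath $regKey | Select-Object ImagePath, Type, Start, ErrorControl
        (Invoke-Sc @('query', $ServiceName)).Output
    }
    'remove' {
        Invoke-Sc @('stop', $ServiceName) | Out-Null
        $r = Invoke-Sc @('delete', $ServiceName)
        if ($r.ExitCode -ne 0) { throw "sc delete failed ($($r.ExitCode)): $($r.Output)" }
        "Service $ServiceName removed."
    }
}
```

Save it as a script and run `.\install-driver.ps1` or `.\install-driver.ps1 -Action remove`. The registry read at the end is the check the thread's registry dump was reaching for: if ImagePath does not match the file you copied, the start error is explained before any guessing about the driver itself.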

  • Author

@deepzero: what happened to the old reply? MSDN doesn't state that UNICODE_STRING buffers are terminated anywhere. I fixed the bugs on various places.

@LCF-AT: The GUI thing will be done once the real testing stage is over. Currently this loader works perfectly fine :) You can paste in the console by the way, enable "QuickEdit Mode" (Right click on Title -> Properties -> QuickEdit Mode), select the second option (save for all windows). You can use right-click to paste in the console window.

Attached V0002 (should not give more BSODs, because the UNICODE_STRING problem is solved).

Greetings

TitanHide_0002.rar

@deepzero: what happened to the old reply?

I don't know! I wanted to add some more information and somehow managed to delete that part. Didn't even notice. :rudolph:

Good to see it has all been fixed so fast!

It would be good to have a guide for adding hooks.

I'm thinking about how to add hooking of the IoCtl function for any process and save the buffer to a log file.

  • Author

It would be good to have a guide for adding hooks.

I'm thinking about how to add hooking of the IoCtl function for any process and save the buffer to a log file.

That's not what this driver was designed for, but yes indeed, it could be used as a rootkit (only on x86 though).

Only for x86? I see TitanHide supports x64.

  • Author

You cannot install/use this driver without modifying your system on x64, that's why. Now please stay on topic.

Hi again,

ok thanks Deep, so I will test it now. :) No idea what the BSOD told me, it was just visible for one second and then the PC restarted. So which patches do I have to remove in the registry? You mean what I posted, or anything else?

Ok eXoDia, so I will also test your new file. :) Feedback comes later after testing, and I hope that you are right and that I get no more BSODs.

greetz


Me again,

ok I have tested it now, but now I get another problem.

1.) I entered the TitanHide.sys path manually again, so Strg+V does again not work :(
2.) I entered the name TitanHide
3.) No BSOD anymore :)
4.) TitanHide service has been created successfully message etc.
5.) I left the CMD window open [yes or no?]
6.) I start TitanHideTest.exe and get a PID of 464 + infos about the debugs.....

ProcessDebugFlags: 0
ProcessDebugPort: 0
ProcessDebugObjectHandle: 0
NtQueryObject: 0
CheckSystemDebugger: 1
CheckNtClose: 0

...all 0, just CheckSystemDebugger is 1? Also this info list gets updated each second again and again...why?

7.) Now I start the new GUI and enter the PID of 464 and check ProcessDebugFlags alone or all others too etc. and press the Hide button, and now I get the info box....

Driver loaded?
Could not open TitanHide handle...

So what's the problem now again?

PS: Just make a video eXoDia from A-Z to prevent doing something wrong again. Thanks.

greetz


did you follow all the steps?

6) type "start"
7) name = TitanHide

1.) I entered the TitanHide.sys path manually again, so Strg+V does again not work :(

right-click on the title bar -> edit -> paste

5.) I left the CMD window open [yes or no?]

yes.

this info list gets updated each second again and again...why?

so you can see the effect the driver will have.


Edited by deepzero

Hello,

Please, check the attachment...

TitanHide_report01.rar

Oh boy.. Writing drivers is hard. It really is. ;)

1) Both v1 and v2 drivers BSOD a few seconds after load on my i5-2500K (32bit WinXP SP3). They do not crash in VMWare (single-core CPU, XP SP2). My best guess: multi-core CPUs are not supported properly. Minidumps attached. If you wish, I could make a full dump, even though I really don't appreciate seeing a blue screen on my main machine.

2) For LCF-AT and others who prefer a GUI: you can use KmdManager to register/start/stop/delete the driver: http://blurredlogic.net/ebooks/Kernel_Driver_tut/KmdKit/tools/KmdManager/

minidumps.zip

Hi,

oh so you also get a BSOD....and what now?

About your KmdManager, Kao. So you mean I can use this GUI to reg / run / stop / unreg any .sys files only, yes? Is there also any longer description of how to use all features of this tool, or a YouTube video etc.? Thanks again so far.

@ Deep

So I see I forgot to enter the start line. :) Sorry, but this manual CMD entering is really no more my thing since a long time, so I prefer simple GUIs instead. Ok, let's wait and see what eXoDia will do to fix this BSOD problem.

greetz


  • Author

Hi,

After some talking with deepzero, I realized that the hooking model is completely unreliable. It is therefore not recommended to use this driver outside of a VM, because you eventually WILL get a BSOD.

It has to do with exclusive memory access that needs to be obtained in order to place the hook (7 bytes on x86 and 12 on x64). I'm working on a way to do SSDT hooking on x64 and I will try to release a new hooking model quite soon.

Greetings

  • Author

Hi everyone,

V0003 is out.

Changelog:

- SSDT hooks instead of inline hooks

- fixed the bug reported by Insid3Code

- many small fixes

Greetings,

Mr. eXoDia

TitanHide_0003.rar

  • Author

A new hotfix V0004:

- support for different kernel names

- added log file (always in C:\TitanHide.log)

When you find a bug, please include the log file + crash dumps...

Greetings,

Mr. eXoDia

TitanHide_0004.rar

Edited by Mr. eXoDia

  • Author

Another hotfix (potential deadlock), reported by mcp (thanks for that): http://forum.exetools.com/showpost.php?p=89675&postcount=12

Attached the latest build, also available on the downloads page.

Greetings,

Mr. eXoDia

PS I tested this driver on my main PC (Win7x64) and it didn't give me any BSOD, so please start testing again if you stopped because of BSOD.

TitanHide_0005.rar

Complete system freeze when starting the driver (WinXP SP3, Intel i5-2500K). The only solution is to cut power to the box: no BSOD, no TitanHide.log created.

Hi,

BSOD in Windows XP SP3 (original, no patches!) when starting the service! There is no log file on the C drive!!

BR.

