TitanHide

[mrexodia]

Overview:TitanHide is a driver intended to hide debuggers from certain processes.The driver hooks various Nt* kernel functions (using inline hooks at themoment) and modifies the return values of the original functions.To hide a process, you must pass a simple structure with a ProcessID andthe hiding option(s) to enable to the driver. The internal API isdesigned to add hooks with little effort, which means adding featuresis really easy.Features:- ProcessDebugFlags (NtQueryInformationProcess)- ProcessDebugPort (NtQueryInformationProcess)- ProcessDebugObjectHandle (NtQueryInformationProcess)- DebugObject (NtQueryObject)- SystemKernelDebuggerInformation (NtQuerySystemInformation)- NtClose (STATUS_INVALID_HANDLE exception)- ThreadHideFromDebugger (NtSetInformationThread)Test environments:- Windows 7 x64 (SP1)- Windows XP x86 (SP3)- Windows XP x64 (SP1)Installation:1) Copy TitanHide.sys to %systemroot%\system32\drivers2) Start 'loader.exe' (available on the download page)3) Delete the old service (when present)4) Install a new service5) Start driver6) Use 'TitanHideGUI.exe' to set hide optionsNOTE: When on x64, you have to disable PatchGuard and driver signature      enforcement yourself. Google is your friend 

Repository:

https://bitbucket.org/mrexodia/titanhide/

Downloads:

https://bitbucket.org/mrexodia/titanhide/downloads

Feel free to report bugs and/or request features.

Greetings,

Mr. eXoDia

TitanHide_0001.rar

loader.rar

Edited January 26, 2014 by Mr. eXoDia

[deepzero]

cool!

 

 

I cant get the it to work, though.

 

I put all binary files in on directory, started the loader and put "TitanHide.sys" as path and "TitanHide" as name. The service was added successfully, but when i try to start it with "start" i get

 

Error starting service(2).

 

os is xpsp3 x86, full admin privileges.

 

d.

 

p.s. any reason the source for the loader is not included?

[mrexodia]

Hi,

Did you try copying TitanHide.sys to the system32/drivers folder? You'll also need to specify the full path to the driver and I think the path should not include spaces. I also tested it on XP x86 SP3, works fine here (on my normal win7 there are issues though).

The reasons the source is not included is that I lost it It was an old thing that I used around 2012. There are plenty of tuts available on making such a loader though. This one for example: http://www.unknowncheats.me/forum/c-and-c/59147-writing-drivers-perform-kernel-level-ssdt-hooking.html

Greetings

[LCF-AT]

Hi eXoDia,

 

nice idea but it would be better to create a small exsample video to do nothing wrong etc.So I have test it manually now and got a BSOD yeahhh!My first one on my new PC!Also this loader CMD stuff you should prevent and for this you could also create a little GUI so that you don't need to enter the paths etc manually you know so strg+v does not work in your CMD.

 

Just create a video too where you show all steps + all features of the loader file = create / setup service + a using exsample with the GUI and PID + unloading / delete service again etc.

 

Would be nice if you could do this so I don't wanna do again something wrong and get a another BSOD.

 

greetz

[mrexodia]

@LCF: A BSOD is something you shouldn't get at all, even when you load the driver incorrectly... What OS + Servicepack are you on?

Greetings

PS I'll create the video some time later..

[LCF-AT]

Hi again,

 

I also use XP SP3.

First I tried to setup the driver and enter the path and then I should enter a name and there I did enter tianhide.sys so I think here I had to enter any xy name right?So after this I got a BSOD.

HKLM|SYSTEM|ControlSet001|Services|titanhide.sys

HKLM|SYSTEM|ControlSet002|Services|titanhide.sys

HKLM|SYSTEM|CurrentControlSet|Services|titanhide.sys

----------------------------------------------------

DisplayName:  titanhide.sys

ErrorConrtol: (1)

ImagePath:    \??\c:\winxp\system32\drivers\titanhide.sys

Start:        (3)

Type:         (1)
Security folder|Security any binary string

So thats the reason why a simple exsample video is always a good idea to prevent to do something wrong as me now. Yes just make a small video and then all should be going better also for noobs like me.

 

greetz

[deepzero]

@LCF:

 

you dont need a video for this.

 

 

1) copy TitanHide.sys to c:\windows\system32\drivers

2) open loader.exe

3) type "ss"

4) path = c:\windows\system32\drivers\TitanHide.sys

5) name = TitanHide

6) type "start"

7) name = TitanHide

8) driver successfully loaded

 

9) launch test.exe and gui.exe

10) take note of the pid printed out by test.exe

11) enter it in the gui.exe textfield

12) check the desired options and hit "hide"

 

 

What did the bluescreen say?

edit: and remove any and all patches you did to the registry...they are not needed.

Edited January 27, 2014 by deepzero

[mrexodia]

@deepzero: what happened to the old reply? MSDN doesn't state that UNICODE_STRING buffers are terminated anywhere. I fixed the bugs on various places.

@LCF-AT: The GUI thing will be done once the real testing stage is over. Currently this loader works perfectly fine You can paste in the console by the way, enable "QuickEdit Mode" (Right click on Title -> Properties -> QuickEdit Mode), select the second option (save for all windows). You can use right-click to paste in the console window.

Attached V0002 (should not give more BSODs, because the UNICODE_STRING problem is solved).

Greetings

TitanHide_0002.rar

[deepzero]

@deepzero: what happened to the old reply?

 

I dont know! I wanted to add some more information and somehow managed to delete that part. Didnt even notice.

Good to see it has all been fixed so fast!

[besoeso]

Will be good a guide for add hookers.

I thinking how add hooking for IoCtl funtion for any process and let save the buffer to log file.

[mrexodia]

Will be good a guide for add hookers.

I thinking how add hooking for IoCtl funtion for any process and let save the buffer to log file.

That's not what this driver was designed for, but yes indeed, it could be used as rootkit (only on x86 though).

[besoeso]

only for x86? i see TitanHide support x64.

[mrexodia]

you cannot install/use this driver without modifying your system on x64, thats why. Now please stay on topic

[LCF-AT]

Hi again,

 

ok thanks Deep so I will test it so now. No idea what the BSOD told me so it was just visible for one second and then the PC did restart.So what for patches I have to remove in registry?You mean this what I did post or anything else?

 

Ok eXoDia so I will also test your new file. Feeback comes later after testing and I hope that you are right and that I get no more any BSOD.

 

greetz

[LCF-AT]

Me again,

 

ok I have test it now but now I get a other problem.

 

1.) I entered the TitanHide.sys path manually again so strg+v does again not work

2.) I entered the name TitanHide

3.) No BSOD anymore

4.) TitanHide service has been created successfully message etc

5.) I let open the CMD window [yes or no?]

6.) I start TitanHideTest.exe and get a PID of 464 + infos about the Debugs.....

ProcessDebugFlags: 0

ProcessDebugPort: 0

ProcessDebugObjectHandle: 0

NtQueryObject: 0

CheckSystemDebugger: 1

CheckNtClose: 0

...all 0 just CheckSystemDebugger is 1?Also this info list get updated each second again and again...why?

 

7.) Now I start the new GUI and enter the PID of 464 and check ProcessDebugFlags alone or all other too etc and press Hide button and now I get the info box....

 

Driver loaded?

Could not open TitanHide handle...

 

So whats now the problem again?

 

PS: Just make a video eXoDia from A-Z to prevent to do again something wrong.Thanks.

 

greetz

[deepzero]

did you follow all the steps?

 

6) type "start"

7) name = TitanHide

 

 

1.) I entered the TitanHide.sys path manually again so strg+v does again not work

 

right-click onthe title bar -> edit -> paste

 

5.) I let open the CMD window [yes or no?]

 

yes.

 

this info list get updated each second again and again...why?

 

so you can see the effect the driver will have.

Edited January 27, 2014 by deepzero

[Insid3Code]

Hello,

Please, check the attachment...

TitanHide_report01.rar

[kao]

Oh boy.. Writing drivers is hard. It really is.

 

1) Both v1 and v2 drivers BSOD few seconds after load on my i5-2500K (32bit WinXP SP3). Do not crash in VMWare (single core cpu, XP SP2). My best guess - multi-core CPUs are not supported properly. Minidumps attached. If you wish, I could make full dump - even though I really don't appreciate seeing blue screen on my main machine.

2) For LCF-AT and others who prefer GUI - you can use KmdManager to register/start/stop/delete driver: http://blurredlogic.net/ebooks/Kernel_Driver_tut/KmdKit/tools/KmdManager/

 

minidumps.zip

[LCF-AT]

Hi,

 

oh so you get also a BSOD....and what now?

About your KmdManager Kao.So you mean I can use this GUI to reg / run / stop / unreg any .sys files only yes?Is there also any longer description how to use all features of this tool or youtube video etc?Thanks again so far.

 

@ Deep

 

So I see I forgot to enter the start line. Sorry but this manually CMD entering is really no more my thing since a long time so I do prefer simple GUIs instead.Ok lets wait what eXoDia will do also to fix this BSOD problem.

 

greetz

[mrexodia]

I,

After some talking with deepzero, I realized that the hooking model is completely unreliable. It is therefore not recommended to use this driver outside of a VM, because you eventually WILl get a BSOD.

It has to do with exclusive memory access that needs to be obtained in order to place the hook (7 bytes on x86 and 12 on x64). I'm working on a way to do SSDT hooking on x64 and I will try to release a new hooking model quite soon.

Greetings

[mrexodia]

Hi everyone,

V0003 is out.

Changelog:

- SSDT hooks instead of inline hooks

- fixed the bug reported by Insid3Code

- many small fixes

Greetings,

Mr. eXoDia

TitanHide_0003.rar

[mrexodia]

A new hotfix V0004:

- support for different kernel names

- added log file (always in C:\TitanHide.log)

When you find a bug, please include the log file + crash dumps...

Greetings,

Mr. eXoDia

TitanHide_0004.rar

Edited January 30, 2014 by Mr. eXoDia

[mrexodia]

Another hotfix (potential deadlock), reported by mcp (thanks for that): http://forum.exetools.com/showpost.php?p=89675&postcount=12

Attached the latest build, also available on the downloads page.

Greetings,

Mr. eXoDia

PS I tested this driver on my main PC (Win7x64) and it didn't give me any BSOD, so please start testing again if you stopped because of BSOD.

TitanHide_0005.rar

[kao]

Complete system freeze when starting driver (WinXP SP3, Intel i5-2500K). The only solution is cut power to the box - no BSOD, no TitanHide.log created.

[Mr.reCoder]

Hi,

BSOD in windows XP SP3 (original no patches!) when starting service! there is not log file in C drive!!

 

BR.