Tuts 4 You

TitanHide


mrexodia


Overview:

TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using inline hooks at the moment) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.

Features:

- ProcessDebugFlags (NtQueryInformationProcess)
- ProcessDebugPort (NtQueryInformationProcess)
- ProcessDebugObjectHandle (NtQueryInformationProcess)
- DebugObject (NtQueryObject)
- SystemKernelDebuggerInformation (NtQuerySystemInformation)
- NtClose (STATUS_INVALID_HANDLE exception)
- ThreadHideFromDebugger (NtSetInformationThread)

Test environments:

- Windows 7 x64 (SP1)
- Windows XP x86 (SP3)
- Windows XP x64 (SP1)

Installation:

1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'loader.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service
5) Start driver
6) Use 'TitanHideGUI.exe' to set hide options

NOTE: When on x64, you have to disable PatchGuard and driver signature enforcement yourself. Google is your friend
Repository:

https://bitbucket.org/mrexodia/titanhide/

Downloads:

https://bitbucket.org/mrexodia/titanhide/downloads

Feel free to report bugs and/or request features.

Greetings,

Mr. eXoDia

TitanHide_0001.rar

loader.rar

Edited by Mr. eXoDia
  • Like 18
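Added example, not code from TitanHide or its TitanHideTest.exe: a PowerShell script that queries, for one PID, the three NtQueryInformationProcess classes listed under Features, so you can see what a debugger-detection check observes before and after hiding. The class numbers, status code and value semantics are the documented Windows ones; the script and type names are my own.

```powershell
# Added example, not part of TitanHide: query the three NtQueryInformationProcess
# classes the driver hooks, for one PID, to see what a debugger check observes.
# Use a PowerShell of the same bitness as the target process where possible.
param([Parameter(Mandatory = $true)][int]$ProcessId)

if (-not ('DbgQuery' -as [type])) {   # Add-Type cannot redefine a type in one session
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class DbgQuery {
    public const int ProcessDebugPort         = 7;   // DWORD_PTR: -1 when debugged, 0 otherwise
    public const int ProcessDebugObjectHandle = 30;  // HANDLE on success, STATUS_PORT_NOT_SET without debugger
    public const int ProcessDebugFlags        = 31;  // ULONG: 0 when debugged, 1 otherwise
    public const int STATUS_PORT_NOT_SET = unchecked((int)0xC0000353);
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls, out IntPtr info, int len, out int ret);
    [DllImport("ntdll.dll", EntryPoint = "NtQueryInformationProcess")]
    public static extern int NtQueryInformationProcessU32(IntPtr h, int cls, out uint info, int len, out int ret);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@
}

$h = [DbgQuery]::OpenProcess([DbgQuery]::PROCESS_QUERY_INFORMATION, $false, $ProcessId)
if ($h -eq [IntPtr]::Zero) {
    throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
try {
    $ret = 0; $port = [IntPtr]::Zero; $dbgObj = [IntPtr]::Zero; $flags = [uint32]0
    $stPort  = [DbgQuery]::NtQueryInformationProcess($h, [DbgQuery]::ProcessDebugPort, [ref]$port, [IntPtr]::Size, [ref]$ret)
    $stObj   = [DbgQuery]::NtQueryInformationProcess($h, [DbgQuery]::ProcessDebugObjectHandle, [ref]$dbgObj, [IntPtr]::Size, [ref]$ret)
    if ($stObj -eq 0 -and $dbgObj -ne [IntPtr]::Zero) { [void][DbgQuery]::CloseHandle($dbgObj) }  # we own this handle
    $stFlags = [DbgQuery]::NtQueryInformationProcessU32($h, [DbgQuery]::ProcessDebugFlags, [ref]$flags, 4, [ref]$ret)
    # With the process hidden by TitanHide all three should look undebugged:
    # port 0, STATUS_PORT_NOT_SET for the debug object, and flags 1.
    [pscustomobject]@{
        ProcessId                = $ProcessId
        ProcessDebugPort         = ('status 0x{0:X8}, value {1}' -f $stPort, $port)
        ProcessDebugObjectHandle = ('status 0x{0:X8}' -f $stObj)
        ProcessDebugFlags        = ('status 0x{0:X8}, value {1}' -f $stFlags, $flags)
        DebuggerDetected         = ($port -ne [IntPtr]::Zero) -or ($stObj -eq 0) -or ($stFlags -eq 0 -and $flags -eq 0)
    }
} finally {
    [void][DbgQuery]::CloseHandle($h)
}
```

Run it once against a process attached to a debugger and once after hiding the same PID with the GUI; only the ProcessDebugPort, ProcessDebugObjectHandle and ProcessDebugFlags options are covered here, the NtQueryObject, NtClose and kernel-debugger checks are not.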

cool!

I can't get it to work, though.

I put all binary files in one directory, started the loader and put "TitanHide.sys" as path and "TitanHide" as name. The service was added successfully, but when I try to start it with "start" I get

Error starting service(2).

OS is XP SP3 x86, full admin privileges.

d.

p.s. any reason the source for the loader is not included? :)



Hi,

Did you try copying TitanHide.sys to the system32/drivers folder? You'll also need to specify the full path to the driver, and I think the path should not include spaces. I also tested it on XP x86 SP3; it works fine here (on my normal Win7 there are issues though).

The reason the source is not included is that I lost it :) It was an old thing that I used around 2012. There are plenty of tutorials available on making such a loader though, this one for example: http://www.unknowncheats.me/forum/c-and-c/59147-writing-drivers-perform-kernel-level-ssdt-hooking.html

Greetings


Hi eXoDia,

nice idea, but it would be better to create a small example video so nothing goes wrong etc. So I have tested it manually now and got a BSOD, yeahhh! My first one on my new PC! Also you should avoid this loader CMD stuff, and for this you could also create a little GUI so that you don't need to enter the paths etc. manually, you know, since Ctrl+V does not work in your CMD.

Just create a video too where you show all steps + all features of the loader file = create / setup service + a usage example with the GUI and PID + unloading / deleting the service again etc.

Would be nice if you could do this so I don't do something wrong again and get another BSOD. :)

greetz

  • Like 1

@LCF: A BSOD is something you shouldn't get at all, even when you load the driver incorrectly... What OS + service pack are you on?

Greetings

PS I'll create the video some time later..


Hi again,

I also use XP SP3.

First I tried to set up the driver and entered the path, and then I should enter a name and there I entered titanhide.sys :) so I think I had to enter any xy name there, right? So after this I got a BSOD.

HKLM|SYSTEM|ControlSet001|Services|titanhide.sys
HKLM|SYSTEM|ControlSet002|Services|titanhide.sys
HKLM|SYSTEM|CurrentControlSet|Services|titanhide.sys
----------------------------------------------------
DisplayName: titanhide.sys
ErrorConrtol: (1)
ImagePath: \??\c:\winxp\system32\drivers\titanhide.sys
Start: (3)
Type: (1) Security folder|Security any binary string

So that's the reason why a simple example video is always a good idea, to prevent doing something wrong as I did now. :) Yes, just make a small video and then all should go better, also for noobs like me. :)

greetz



@LCF:

you don't need a video for this. :)

1) copy TitanHide.sys to c:\windows\system32\drivers
2) open loader.exe
3) type "ss"
4) path = c:\windows\system32\drivers\TitanHide.sys
5) name = TitanHide
6) type "start"
7) name = TitanHide
8) driver successfully loaded

9) launch test.exe and gui.exe
10) take note of the pid printed out by test.exe
11) enter it in the gui.exe textfield
12) check the desired options and hit "hide"

What did the bluescreen say?

edit: and remove any and all patches you did to the registry...they are not needed.

Edited by deepzero
  • Like 1
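As an added example (not the project's loader.exe), the service part of the steps above done with the built-in sc.exe from an elevated PowerShell. The service name, Type and Start values match the registry entries quoted earlier in the thread; the driver file is assumed to be in the current directory, and the author's x64 note about PatchGuard and driver signature enforcement still applies.

```powershell
# Added example, not the TitanHide loader: register and start TitanHide.sys as a
# kernel-mode service with sc.exe. This writes the registry values quoted in the
# thread (Type 1 = kernel driver, Start 3 = demand start) under the service name,
# which is deliberately not the file name. Run from an elevated PowerShell.
$svc  = 'TitanHide'
$dest = Join-Path $env:SystemRoot 'System32\drivers\TitanHide.sys'
Copy-Item -Path '.\TitanHide.sys' -Destination $dest -Force

# "sc" alone is a PowerShell alias for Set-Content, so always call sc.exe.
# Remove a stale registration first (query exit code 1060 = service does not exist).
sc.exe query $svc | Out-Null
if ($LASTEXITCODE -eq 0) {
    sc.exe stop $svc | Out-Null      # exit code 1062 if it was not running; harmless
    sc.exe delete $svc | Out-Null
}

# sc.exe syntax requires the space after each "key=".
sc.exe create $svc type= kernel start= demand binPath= "$dest" DisplayName= $svc
if ($LASTEXITCODE -ne 0) { throw "sc create failed: exit code $LASTEXITCODE" }

sc.exe start $svc
# Exit code 2 here is ERROR_FILE_NOT_FOUND: the ImagePath does not point at the copied .sys.
if ($LASTEXITCODE -ne 0) { throw "sc start failed: exit code $LASTEXITCODE" }

# Show what was registered; compare with the ImagePath/Type/Start values in the thread.
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" |
    Select-Object ImagePath, Type, Start, ErrorControl
sc.exe query $svc

# To unload and unregister later:  sc.exe stop TitanHide ; sc.exe delete TitanHide
```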

@deepzero: what happened to the old reply? MSDN doesn't state that UNICODE_STRING buffers are terminated anywhere. I fixed the bugs in various places.

@LCF-AT: The GUI thing will be done once the real testing stage is over. Currently this loader works perfectly fine :) You can paste in the console by the way, enable "QuickEdit Mode" (Right click on Title -> Properties -> QuickEdit Mode), select the second option (save for all windows). You can use right-click to paste in the console window.

Attached V0002 (should not give more BSODs, because the UNICODE_STRING problem is solved).

Greetings

TitanHide_0002.rar


@deepzero: what happened to the old reply?

I don't know! I wanted to add some more information and somehow managed to delete that part. Didn't even notice. :rudolph:

Good to see it has all been fixed so fast!


A guide on how to add hooks would be good.

I'm thinking about how to add a hook for the IoCtl function for any process and save the buffer to a log file.

That's not what this driver was designed for, but yes indeed, it could be used as rootkit (only on x86 though).


Hi again,

ok thanks Deep, so I will test it now. :) No idea what the BSOD told me, it was just visible for one second and then the PC restarted. So what patches do I have to remove in the registry? You mean what I posted, or anything else?

Ok eXoDia, so I will also test your new file. :) Feedback comes later after testing, and I hope that you are right and that I don't get any more BSODs.

greetz


Me again,

ok I have tested it now, but now I get another problem.

1.) I entered the TitanHide.sys path manually again, since Ctrl+V again does not work :(
2.) I entered the name TitanHide
3.) No BSOD anymore :)
4.) TitanHide service has been created successfully message etc.
5.) I leave the CMD window open [yes or no?]
6.) I start TitanHideTest.exe and get a PID of 464 + info about the debug checks.....

ProcessDebugFlags: 0
ProcessDebugPort: 0
ProcessDebugObjectHandle: 0
NtQueryObject: 0
CheckSystemDebugger: 1
CheckNtClose: 0

...all 0, just CheckSystemDebugger is 1? Also this info list gets updated each second again and again...why?

7.) Now I start the new GUI and enter the PID of 464 and check ProcessDebugFlags alone or all others too etc. and press the Hide button, and now I get the info box....

Driver loaded?
Could not open TitanHide handle...

So what's the problem now again?

PS: Just make a video eXoDia from A-Z to prevent doing something wrong again. Thanks.

greetz


did you follow all the steps?

6) type "start"
7) name = TitanHide

1.) I entered the TitanHide.sys path manually again so strg+v does again not work :(

right-click on the title bar -> edit -> paste

5.) I let open the CMD window [yes or no?]

yes.

this info list get updated each second again and again...why?

so you can see the effect the driver will have.

Edited by deepzero

Oh boy.. Writing drivers is hard. It really is. ;)

1) Both v1 and v2 drivers BSOD a few seconds after load on my i5-2500K (32-bit WinXP SP3). They do not crash in VMware (single-core CPU, XP SP2). My best guess - multi-core CPUs are not supported properly. Minidumps attached. If you wish, I could make a full dump - even though I really don't appreciate seeing a blue screen on my main machine.

2) For LCF-AT and others who prefer a GUI - you can use KmdManager to register/start/stop/delete the driver: http://blurredlogic.net/ebooks/Kernel_Driver_tut/KmdKit/tools/KmdManager/

minidumps.zip

  • Like 2

Hi,

oh so you also get a BSOD....and what now?

About your KmdManager Kao. So you mean I can use this GUI to reg / run / stop / unreg any .sys files only, yes? Is there also any longer description of how to use all features of this tool, or a YouTube video etc.? Thanks again so far.

@ Deep

So I see I forgot to enter the start line. :) Sorry, but this manual CMD entering has really not been my thing for a long time, so I prefer simple GUIs instead. Ok, let's wait what eXoDia will do to fix this BSOD problem too.

greetz


Hi,

After some talking with deepzero, I realized that the hooking model is completely unreliable. It is therefore not recommended to use this driver outside of a VM, because you eventually WILL get a BSOD.

It has to do with exclusive memory access that needs to be obtained in order to place the hook (7 bytes on x86 and 12 on x64). I'm working on a way to do SSDT hooking on x64 and I will try to release a new hooking model quite soon.

Greetings

  • Like 4

A new hotfix V0004:

- support for different kernel names

- added log file (always in C:\TitanHide.log)

When you find a bug, please include the log file + crash dumps...

Greetings,

Mr. eXoDia

TitanHide_0004.rar

Edited by Mr. eXoDia
  • Like 1

Another hotfix (potential deadlock), reported by mcp (thanks for that): http://forum.exetools.com/showpost.php?p=89675&postcount=12

Attached the latest build, also available on the downloads page.

Greetings,

Mr. eXoDia

PS I tested this driver on my main PC (Win7x64) and it didn't give me any BSOD, so please start testing again if you stopped because of BSOD.

TitanHide_0005.rar


Complete system freeze when starting the driver (WinXP SP3, Intel i5-2500K). The only solution is to cut power to the box - no BSOD, no TitanHide.log created.

  • Like 1