Tuts 4 You
mrexodia

TitanHide


Insid3Code

Hello,

There is a conflict between UNICODE_STRING objects and RtlStringCbVPrintfA that leads to a BSOD.

    Log("[TITANHIDE] Device %wZ created successfully!\n", DeviceName);
    Log("[TITANHIDE] Symbolic link %wZ->%wZ created!\n", Win32Device, DeviceName);

I modified the source code as below:

From DeviceName to DeviceName.Buffer

From Win32Device to Win32Device.Buffer

From %wZ to %S

    Log("[TITANHIDE] Device %S created successfully!\n", DeviceName.Buffer);
    Log("[TITANHIDE] Symbolic link %S->%S created!\n", Win32Device.Buffer, DeviceName.Buffer);

I think it's better to recode the whole project with UNICODE support to avoid this kind of problem...

Just for fun :) I recompiled the attached driver (32/64-bit, tested on Windows XP SP3 x86 / Windows 7 SP1 x64).

TitanHide.rar

mrexodia

Complete system freeze when starting the driver (WinXP SP3, Intel i5-2500K). The only solution is to cut power to the box - no BSOD, no TitanHide.log created.

Sounds like there is still a problem with dead-locks. I will test the driver on a Dual Core XP SP3 and see if I can find something.

 

 

Hi,

BSOD in Windows XP SP3 (original, no patches!) when starting the service! There is no log file on the C drive!!

 

BR.

Ok, I will look at it. Could you please attach the crash dumps, because the information on the BSOD can be of big value. 

 

Hello,

There is a conflict between UNICODE_STRING objects and RtlStringCbVPrintfA that leads to a BSOD.

    Log("[TITANHIDE] Device %wZ created successfully!\n", DeviceName);
    Log("[TITANHIDE] Symbolic link %wZ->%wZ created!\n", Win32Device, DeviceName);

I modified the source code as below:

From DeviceName to DeviceName.Buffer

From Win32Device to Win32Device.Buffer

From %wZ to %S

    Log("[TITANHIDE] Device %S created successfully!\n", DeviceName.Buffer);
    Log("[TITANHIDE] Symbolic link %S->%S created!\n", Win32Device.Buffer, DeviceName.Buffer);

I think it's better to recode the whole project with UNICODE support to avoid this kind of problem...

Just for fun :) I recompiled the attached driver (32/64-bit, tested on Windows XP SP3 x86 / Windows 7 SP1 x64).

Hm, very strange... I tested this logging quite extensively on my PC, but maybe the "%Z" thing is not supported on Windows XP (I changed it to %Z on purpose though, because of the NULL-termination problems).

Just using UNICODE_STRING.Buffer is not really safe, because the buffers are not NULL-terminated, but I will look at using UNICODE/ASCII only.

EDIT: I'll go for something like this ('%.*ws'): http://alter.org.ua/docs/nt_kernel/kdprint_ustr/ testing now...

Greetings
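The NUL-termination problem discussed in this exchange, as an added example that is not part of the thread or of TitanHide's code: a UNICODE_STRING may describe only the first Length bytes of a larger buffer, so a reader that scans Buffer until a terminator (which is what passing .Buffer to %S does) can run past the end of the counted string. The struct below is a stand-in with the kernel's field meanings (WCHAR modelled as uint16_t so it compiles outside the WDK), the device name is a constructed sample, and ustr_to_ascii does explicitly what the '%.*ws' precision trick from the linked article does inside a format string: it honours Length instead of looking for a terminator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's UNICODE_STRING (same field meaning; WCHAR is a
   16-bit unit and both lengths are byte counts). Buffer is NOT required to
   be NUL-terminated: the string is exactly the first Length bytes. */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;        /* bytes in use, terminator not included */
    uint16_t MaximumLength; /* bytes allocated behind Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING;

/* Length-aware conversion: copies exactly Length/sizeof(WCHAR) characters
   into a NUL-terminated narrow buffer (non-ASCII units become '?'), which is
   what the "%.*ws" precision trick achieves inside a format string.
   Returns the character count, or -1 if `out` is too small. */
int ustr_to_ascii(const UNICODE_STRING *us, char *out, size_t outsize) {
    size_t n = us->Length / sizeof(WCHAR);
    if (outsize == 0 || n > outsize - 1) return -1;
    for (size_t i = 0; i < n; i++) {
        WCHAR c = us->Buffer[i];
        out[i] = (c < 0x80) ? (char)c : '?';
    }
    out[n] = '\0';
    return (int)n;
}

/* What a terminator-scanning reader such as "%S" with .Buffer does: it keeps
   going until it meets a 16-bit NUL, however far beyond Length that is.
   hard_limit only stops this demo from walking off the constructed buffer. */
size_t naive_buffer_len(const UNICODE_STRING *us, size_t hard_limit) {
    size_t i = 0;
    while (i < hard_limit && us->Buffer[i] != 0) i++;
    return i;
}

/* Constructed sample: one backing buffer holding "\Device\Example" and a
   counted string that refers to only its first 7 characters, "\Device". */
static WCHAR g_backing[] = { '\\','D','e','v','i','c','e',
                             '\\','E','x','a','m','p','l','e', 0 };

UNICODE_STRING make_device_prefix(void) {
    UNICODE_STRING us;
    us.Buffer        = g_backing;
    us.Length        = (uint16_t)(7 * sizeof(WCHAR));
    us.MaximumLength = (uint16_t)sizeof g_backing;
    return us;
}

int main(void) {
    UNICODE_STRING us = make_device_prefix();
    char text[64];
    int n = ustr_to_ascii(&us, text, sizeof text);
    printf("Length-aware : \"%s\" (%d chars)\n", text, n);
    printf("scan to NUL  : %zu chars consumed, Length allows %zu\n",
           naive_buffer_len(&us, sizeof g_backing / sizeof g_backing[0]),
           (size_t)(us.Length / sizeof(WCHAR)));
    return 0;
}
```

The Length-aware path prints "\Device"; the terminator-scanning path consumes the whole backing buffer. In a real driver the bytes past Length are not guaranteed to contain a NUL at all, which is where the BSOD in the first post comes from.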

deepzero

Just using UNICODE_STRING.Buffer is not really safe, because the buffers are not NULL-terminated, but I will look at using UNICODE/ASCII only.

 

if you initialize them from static strings, it's fine, because UNICODE_STRING will not create a copy, it will simply assign the pointer to the struct and fill in the length. But yeah, it's better not to rely on that, as it's tricky to track which string has really been initialized from a static string, with no modifications since.

 

 

i have not looked at the latest code yet, but i saw that you still unhook and rehook the apis when you call the original one. It's better to store the pointer to the original function in a global variable and call that as a function pointer. you should be happy that everything went smoothly once the patches are in place, and not touch them again, until the driver is unloaded. :)

mrexodia

Released V0006

Fixed the UNICODE_STRING issue (reported by Insid3Code, thanks!)

Tested on Win7x64 and WinXPx86 (SP3), no freezes, no BSOD (before I indeed got a BSOD on the WinXP machine)

@deepzero: The problem with the hooks is that I call the original APIs various times and it becomes tricky with all this pointer stuff (I tried it, but since unhooking is just swapping a DWORD now, I don't think it's much of a problem). It is possible to start keeping track of pointers, but I don't see the value of it really...

Greetings

TitanHide_0006.rar

kao

Finally it works as expected. Thanks! :)

mrexodia

Finally it works as expected. Thanks! :)

Glad to hear it works and thanks for testing!

Do you maybe have any suggestions about anti-debug tricks to add?

Greetings

Insid3Code

 

Do you maybe have any suggestions about anti-debug tricks to add?

 

Modify some values in EPROCESS structure...

for example handling "ActiveProcessLinks" to hide running process...

 

Attached driver sample designed for/and tested on Windows XP SP3 X86

Please read "readme.txt"...

main.rar

LCF-AT

Hi,

ok I have tested it today again and now I get "Creating service titanhide Error creating service" :( What's now the problem? So it would be nice if you could create a tiny extra simple loader GUI [choose & buttons etc] so I don't wanna enter each time paths etc. What about the other features you can choose in the loader? Open handle IO / write IO etc, so how to use this or what to enter there etc, so I don't see a full description readme file in your package. Maybe you can update this too so I don't wanna do something wrong or delete something what should be not deleted etc, you know what I mean, so I am also no big fan of MSDOS anymore. :)

PS: Tested your latest version driver.

greetz


besoeso

yes, for example, it would be good to add NtDeviceIoControlFile or DeviceIoControl for handle IO.


 


A greeting.


mrexodia

@Insid3Code: Thanks for the suggestion! I will look at this structure.

@LCF-AT: I think you have the service still installed, once you have it installed, you can use the 'start' command to start it. You could also try the command in cmd: "net start TitanHide".

Here is a service manager GUI I coded for you in some minutes. This is the final version.

https://bitbucket.org/mrexodia/servicemanager/

EDIT, @besoeso: No, it is not needed to add this, because there is a GUI for driver interaction.

Greetings,

Mr. eXoDia

ServiceManager_0001.rar

Insid3Code

For the "servicemanager" tool it's better to set the execution level from "asInvoker" to "requireAdministrator" to allow driver installation...

Manifest.xml

    <requestedPrivileges>
      <requestedExecutionLevel
        level="requireAdministrator"
        uiAccess="false"/>
    </requestedPrivileges>

main.cpp

    #include <commctrl.h>
    InitCommonControls();

it is not required in current source code...


mrexodia

@Insid3Code: I'll add the manifest, thanks for the hint :)

And the call to InitCommonControls is needed, because when the comctl32.dll library is not loaded, the program will not launch (on Windows XP) when it includes a manifest (I compile with a different compiler than MSVC)

Greetings

Insid3Code

 

And the call to InitCommonControls is needed, because when the comctl32.dll library is not loaded, the program will not launch when it includes a manifest (I compile with a different compiler than MSVC)

 

Yeah, Correct...

 

I tested this now (MSVC) Windows XP SP3:

1- Manifest included without InitCommonControls: Failed to launch.

2- Manifest NOT included InitCommonControls not used: Launched.

3- Manifest included InitCommonControls used: Launched.

 

On Windows 7 SP1 X64 the application (64/32bit) launched with all scenarios...

 

I'll add the manifest, thanks for the hint

 

 I replaced only "asInvoker" with "requireAdministrator" into the same manifest.xml file to invoke UAC...

 

Regards!

LCF-AT

Hi eXoDia,

coolio and thanks for creating the service GUI helper with simple buttons, so now all is working very well. :) So now I could test your driver a little and it's already working good so far, nice work. I did test it with some protections + Olly 1 / 2.

- Why is NtClose disabled to choose?

I checked what you hooked with titanhide...

    NtQueryInformationProcess
    NtQueryObject
    NtQuerySystemInformation
    NtSetInformationThread

....so now you could also add more hooks & patches to these...

    NtClose
    NtCreateProcess
    NtCreateProcessEx
    NtDuplicateObject
    NtOpenProcess
    NtOpenThread
    NtYieldExecution

....same as StrongOD hooks more.

Also I think it would be a good idea to create later a better all-in-one tool GUI where you can set up the driver one time, then save it in an ini file etc., and where it loads the driver automatically if you start the tool. Also an added process window in your tool would be nice, so that you only double-click the process you want to hide etc.

Just keep going. :)

greetz


mrexodia

Hey,

It's easy to hook these apis, but I don't understand the purpose of most hooks :D

NtClose is disabled, because I need to find a new way of hooking this API, it will probably be the first feature I add.

And creating GUIs kinda sucks :D I plan to create an API (dll) though.

Greetings

LCF-AT

Ho,

so I also have no idea how the driver does work or hook etc. :) Also I have not much fun to study the whole driver coding stuff etc and I am still looking for any simple basic description "what happens where etc", you know, without having tons of coder knowledge, but I did not find something like a cooking recipe example of "how to cook spaghetti bolognese in three steps" etc. :)

Maybe you can explain this in a little simple example to know what it does etc, just so that I can imagine what the way is. So at the moment I think that you hook the export tables of dlls of process xy and catch the access + debug process stopping + patching return values into structs etc, no idea how a driver does handle this.

Ah so I think you can do the other hooks / patches too later.

What! GUIs are very welcome for me. Don't mess with GUIs. ;) Ok, for me it's better to work quickly with GUIs instead of using CMD or something. A dll is also a good alternative, but don't throw away the GUI stuff later and keep updating this too, ok.

greetz


mrexodia

Hey,

Coding a GUI is more something for later when everything works good enough :) I will probably make a good GUI later.

This is a (simplified) schematic of how TitanHide hooks various APIs, like NtQueryInformationProcess:

image.png

This is all in kernel mode, which means nothing is changed inside the hooked process (which is user mode, the PID is only used for checking if the API return must be faked).

Greetings
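Added example, not code from TitanHide or from this thread: a user-mode model in C of the decision the schematic above describes. The hook calls through to the original routine via a saved function pointer (deepzero's suggestion earlier in the thread), then overwrites the answer only for PIDs that were registered as hidden and only for the classes the thread names, ProcessDebugPort (7) and ProcessDebugObjectHandle (0x1e), both real PROCESSINFOCLASS values. original_query is a constructed stand-in that always reports a debugger, and the hidden-PID table is constructed too. One detail goes beyond the page: for 0x1e the model also returns STATUS_PORT_NOT_SET, which is the status NtQueryInformationProcess gives for a process that is not being debugged, so a caller that checks the status as well as the buffer is satisfied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real NTSTATUS values and PROCESSINFOCLASS numbers used by this model. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_PORT_NOT_SET         ((NTSTATUS)0xC0000353)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define STATUS_INVALID_INFO_CLASS   ((NTSTATUS)0xC0000003)
enum { ProcessDebugPort = 7, ProcessDebugObjectHandle = 0x1e };

typedef NTSTATUS (*QueryFn)(uint32_t pid, uint32_t cls, void *buf,
                            uint32_t len, uint32_t *retlen);

/* Constructed table of PIDs whose debugger should be hidden (the page does
   not show how the real driver keeps this state). */
static uint32_t g_hidden[16];
static size_t   g_hidden_count;

bool hide_pid(uint32_t pid) {
    if (g_hidden_count == sizeof g_hidden / sizeof g_hidden[0]) return false;
    g_hidden[g_hidden_count++] = pid;
    return true;
}

bool is_hidden(uint32_t pid) {
    for (size_t i = 0; i < g_hidden_count; i++)
        if (g_hidden[i] == pid) return true;
    return false;
}

/* Constructed stand-in for the unhooked NtQueryInformationProcess: it
   simulates a process that IS under a debugger, so both classes report a
   live debug port / debug object handle. */
NTSTATUS original_query(uint32_t pid, uint32_t cls, void *buf,
                        uint32_t len, uint32_t *retlen) {
    uintptr_t value;
    (void)pid;
    switch (cls) {
    case ProcessDebugPort:         value = (uintptr_t)-1;     break;
    case ProcessDebugObjectHandle: value = (uintptr_t)0x1234; break;
    default:                       return STATUS_INVALID_INFO_CLASS;
    }
    if (buf == NULL || len < sizeof value) return STATUS_INFO_LENGTH_MISMATCH;
    memcpy(buf, &value, sizeof value);
    if (retlen) *retlen = (uint32_t)sizeof value;
    return STATUS_SUCCESS;
}

/* Original saved once in a global and called through the pointer, instead
   of unhooking and rehooking around every call. */
static QueryFn g_original_query = original_query;

/* The hook: let the real call run first, then fake the result only for
   hidden PIDs and only when the original actually filled the buffer. */
NTSTATUS hooked_query(uint32_t pid, uint32_t cls, void *buf,
                      uint32_t len, uint32_t *retlen) {
    NTSTATUS st = g_original_query(pid, cls, buf, len, retlen);
    if (st != STATUS_SUCCESS || !is_hidden(pid) || buf == NULL)
        return st;                               /* everyone else: untouched */

    if (cls == ProcessDebugPort) {
        memset(buf, 0, sizeof(uintptr_t));       /* "no debug port" */
    } else if (cls == ProcessDebugObjectHandle) {
        memset(buf, 0, sizeof(uintptr_t));       /* the 0x1e buffer patch from the thread */
        st = STATUS_PORT_NOT_SET;                /* status an undebugged process gets */
    }
    return st;
}

int main(void) {
    uintptr_t v = 1;
    uint32_t got = 0;
    hide_pid(1234);                              /* constructed PID */
    NTSTATUS st = hooked_query(1234, ProcessDebugObjectHandle, &v, sizeof v, &got);
    printf("hidden pid -> status 0x%08X, handle %#lx\n", (unsigned)st, (unsigned long)v);
    st = hooked_query(5678, ProcessDebugObjectHandle, &v, sizeof v, &got);
    printf("other pid  -> status 0x%08X, handle %#lx\n", (unsigned)st, (unsigned long)v);
    return 0;
}
```

The point of calling the original first is that error paths (bad buffer length, unknown class) stay exactly as the kernel reports them; the hook only rewrites answers it knows the original produced successfully, which is also why a non-hidden PID sees the real handle.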

mrexodia

Changelog V0008:

- re-added NtClose, not working on Windows Server 2012, Windows 8 and Windows 8.1

Greetings,

Mr. eXoDia

TitanHide_0008.rar

LCF-AT

Coolio and thanks for the update, so NtClose [DEADC0DE] works. :) So the only problem that I now see is with NtQueryInformationProcess if the InfoClass = 1E value. So if this is called then you get the handle into the buffer, which is XY. So if this is not 00 in the buffer after the API then you get detected by VMProtect = TitanHide failed to run / bypass VMProtect. So I can patch this manually to 00, then your TitanHide does successfully run VMP in Olly 1. :) So you can also test it with a small script too (dbh, ZwQueryInformationProcess | 7 patch, ZwClose patch if dead, ZwQueryInformationProcess | 1E = ProcessDebugObjectHandle patch) = runs in Olly. The only problem is now that if you close / exit the unpackme then the whole unload process does fail etc, but this does not happen with your driver if I patch the buffer to 00, so the unload process does work normally. Just an info of course, if you need to know this maybe.

PS: Also thanks again for posting the description image of the hook way. :)

greetz


mrexodia

@LCF-AT: could you please make a video on how to get VMProtect running, also send the unpackme you're using, I couldn't get it working

V0009 released:

- changed logging behavior

- added offsets for windows 8 and server 2012 (2012 not tested), thanks to Insid3Code!

Greetings,

Mr. eXoDia

TitanHide_0009.rar

LCF-AT

Ok listen, so I found the possible reason.

So you only need to patch the returned buffer to 00 of ZwQueryInformationProcess | 1E (to get VMP to run) if the IsDebuggerPresent byte in the PEB was NOT patched to 00. So your tool does not patch this, so it keeps 01 in the PEB = detected, VMP does not run. So if you keep IDP in the PEB 01 and you then patch the buffer of ZwQueryInformationProcess | 1E to 00, then VMP does run normally.

So all in all what you could do is to add the option to patch the IsDebuggerPresent byte in the PEB, so then you don't need to check for 1E of the ZwQIP API. So on that way your tool does work to run VMP too in Olly 1 without plugins.

Also you can get the VMP targets to run in a clean Olly without hide plugins, but then you have an unload problem etc, which you do not have if you use your tool.

PS: Just check my UnpackMes from my "VMProtect Ultra Unpacker 1.0 Tutorial" package which you can test. Just test this out or send a reply if you still need a video etc.

https://forum.tuts4you.com/topic/30733-vmprotect-ultra-unpacker-10/

greetz


mrexodia

Okay,
 
So if I understand you correctly, VMProtect runs under the following circumstances:

  • ZwQueryInformationProcess(hProcess, ProcessDebugObjectHandle (0x1e), Buffer, 4, 0) -> Set Buffer to 0, this has PEB->BeingDebugged=1 (sounds like a huge bug in VMProtect implementation to me, but whatever).
  • PEB->BeingDebugged=0, ??? Obviously VMProtect runs using this setting when normally starting the EXE.

 

I will try the unpackmes in the topic you gave, because yesterday I tried the latest VMProtect Ultimate executable, which might have extra checks.

 

Greetings

mrexodia

@LCF-AT: Please make a small sample video of how you did bypass VMP if you can, because I tried all possibilities already...

Greetings

LCF-AT

Hi eXoDia,

ok I made a longer video where you can see all steps for clean Olly 1 and SND 2.3 and TitanHide too. All three tested in the video to get VMP running in all. All in all it's the best to use TitanHide for this, so you just need to add the IDP PEB patch and then all is working without any trouble. I added also some text infos, so just watch / read & test and release later a new version + IDP PEB patch.

greetz


AntiDebug VMProtect TitanHide.rar
