TitanHide


  • Author

Thanks a lot LCF-AT! I forgot to remove the entry bp, that's why it failed on my side...

This means that TitanHide runs the following protectors (with addition of a few simple PEB patches):

- WinLicense x64/x32

- Enigma x64/x32

- Themida x64/x32

- VMProtect x64/x32

Greetings,

Mr. eXoDia

vmprotect_hidden.rar


Most Popular Posts

  • Stuttered

    TitanHide has been updated to support the latest VMProtect v3.9.4 changes. The service name is now used as the device name, as well, so the check for \\.\TitanHide will fail if you name the servi

  • I, After some talking with deepzero, I realized that the hooking model is completely unreliable. It is therefore not recommended to use this driver outside of a VM, because you eventually WILL get

  • Hi eXoDia, ok I made a longer video where you can see all steps for clean Olly 1 and SND 2.3 and TitanHide too. All three tested in the video to get VMP in all run. All in all it's the best to use Ti


  • Author

V0010 Released:

- dynamic retrieval of DebugPortOffset (thanks to mcp!)

- added some alternative code for NtClose (thanks to ahmadmansoor!)

- also updated the TitanHide plugin for x64_dbg

Greetings,

Mr. eXoDia

TitanHide_0010.rar

TitanHide_plugin_0002.rar

  • 2 weeks later...

What is error 193?


 


image.png


 


I use Disable PatchGuard/Driver Signing, v3 - update on 21/01/2012 by Fyyre, but I am not sure it is working correctly. How can it be checked?


Win 7 x64


Edited by ChVL

Hello,


You must put the full path with the driver filename:


Path: c:\windows\system32\drivers\TitanHide.sys


Edited by Insid3Code

  • Author

You should also use the ServiceManager, there you get actual error messages.

Greetings

Insid3Code,

Mr. eXoDia

Thank you. Sorry, I'm lost...

 

    I have tested the driver several times.
1. My Win 7 SP1 x64 crashed to BSOD: after 9 min, 6 min, 10 min, 7 min starting the driver.
2. IDA does not see this driver and again displays a message: "A debugger has been found..."

    (In IDA loaded target packed Themida WinLicense).

  • Author

Hm, really strange... does it happen on a VM too? I kept the driver running for days on my computer (7x64 sp1) and it didn't BSOD me. Could you provide a crashdump please? Are you also certain you use the latest version?

Greetings

Mr. eXoDia


 


I do not use a VM. I have multiple OSes and from time to time I restore them from an image.


Version TitanHide_0010 was downloaded from the link in your post #52.


File .dmp: http://rghost.ru/52709580


 


Sincerely,


ChVL


  • Author

@ChVL: how did you create the dump file? My visual studio tells me it's not supported :s

Was there any log created in the C:\ drive?

Greetings

Mr. eXoDia





 





This file is in the directory: C:\windows\minidump.

.dmp files can be opened with the attached program. To view it, please put my .dmp file in your directory C:\windows\minidump.

Unfortunately, no log was created in C:\.

 


Sincerely,


ChVL



BlueScreenView.rar

Edited by ChVL

  • Author

@ChVL: Using TitanHide on x64 without removing PatchGuard is not possible. It seems like you have (test)signed the driver, but since I don't want it to be used as a rootkit directly I did not add PatchGuard circumvention. Check this page for a solution: http://fyyre.ivory-tower.de/


 


Attached a PDF of the crash dump (I forgot that the dump was kernel-mode, so I kinda failed).


 


Greetings,


 


Mr. eXoDia


minidump.pdf

Mr. eXoDia

 

Thanks a lot!
The driver worked for more than 4 hours without a BSOD. Sorry, I did some experiments and forgot to return to the initial state. However, unfortunately IDA does not see the driver ...

 

Sincerely,

ChVL

  • Author

@ChVL: IDA is not supposed to see the driver :) TitanHideGUI will however hide a process from the tricks you select. PEB is not included in the list, because it should not be part of the driver IMO. Just manually patch the PEB and the TitanHideGUI for the rest.

Try using x64_dbg (see my signature) and the TitanHide plugin. Then use the command 'titanhide 1' to hide all kernel options and also the PEB. If this works with Themida the driver is doing its job correctly.

Greetings

Mr. eXoDia

 

OK. I understood.

Yes, I am already familiar with x64_dbg and got 100% result when unpacking Armadillo.
I'll try and Themida...

 

Sincerely,

ChVL

Mr. eXoDia


 


Is it right in this screenshot?


 


image.png


 


Run from cmd: x64_dbg.exe /"titanhide 1"


I again got the message: "A debugger has been found..." (Target packed Themida WinLicense).


 


Sincerely,


ChVL

Edited by ChVL

  • Author

Hi,

The plugin is installed correctly, but use 'titanhide 1' in the debugger command bar (press ctrl+enter or look in the view menu).

Greetings

Mr. eXoDia

 

I had to guess myself.
Many thanks for your tools. Everything works fine. Now I have a problem with the target. Check the logs, please. If it is not too much trouble, tell me which way to dig.

 

Sincerely,

ChVL

Logs.rar

  • Author

@ChVL: It's just a first chance exception. Try running with shift+f9.

Greetings

Hi, yes, I've tried.
But the next step (only F9 or Ctrl+F9 or Shift+F9) goes to the last chance exception.
The first and last are at the same address.

  • Author

@ChVL: Sorry, I cannot see from here what the problem could be :) Can you maybe PM the target?

Greetings

  • 2 weeks later...
  • Author

TitanHide plugins:

- OllyDbg v1.10

- OllyDbg v2.01

- TitanEngine (x86 + x64)

- x64_dbg (x32 + x64)

Attached a full archive, latest versions can be downloaded from https://bitbucket.org/mrexodia/titanhide/downloads

Greetings,

Mr. eXoDia

EDIT: And no, I will not extend the plugin with features, if you find a bug, I will fix it though.

TitanHide_plugins.rar

Edited by Mr. eXoDia

  • 2 weeks later...

Note: If you have Eset Nod32 Antivirus, loading TitanHide.sys leads to a BSOD. We don't know exactly why but might come up with a fix sometime.


 


Edit: As a workaround, deactivating the "Realtime file protection" option in Eset solves the problem and TitanHide starts fine. After TH has started, you can re-enable the protection.


Edited by cypher

New version v0011 added https://bitbucket.org/mrexodia/titanhide/downloads/TitanHide_0011.rar


 


Changes:


- Protect DRx (HW BPs) (NtSetContextThread)


 


For instance, this allows using HW BPs with targets that use NtSetContextThread to defeat HW BPs.


For use with TitanScript, copy TitanHide.dll to your plugins/x86/ folder, install the TitanHide.sys driver and start it.


Edited by cypher

  • 4 weeks later...

Hi ,


 


Tools Setup  PcGuard   Virtual Machine Debugger  Protections  Launch.exe  PID code Random Numbers


 


post-63487-0-52973100-1397938784.png


  • Author

I'll not fix that in TitanHide.

Greetings
