Thanks a lot LCF-AT! I forgot to remove the entry bp, that's why it failed on my side...

This means that TitanHide runs the following protectors (with addition of a few simple PEB patches):

- WinLicense x64/x32

- Enigma x64/x32

- Themida x64/x32

- VMProtect x64/x32

Greetings,

Mr. eXoDia

vmprotect_hidden.rar

V0010 Released:

- dynamic retrieval of DebugPortOffset (thanks to mcp!)

- added some alternative code for NtClose (thanks to ahmadmansoor!)

- also updated the TitanHide plugin for x64_dbg

Greetings,

Mr. eXoDia

TitanHide_0010.rar

TitanHide_plugin_0002.rar

What is error 193?

 

 

I use Disable PatchGuard/Driver Signing, v3 - update on 21/01/2012 by Fyyre, but not sure it is working correctly. How it can be checked?

Win 7 x64

Edited February 26, 201411 yr by ChVL

Hello,

You must put full path with driver filename:

Path: c:\windows\system32\drivers\TitanHide.sys

Edited February 26, 201411 yr by Insid3Code

You should also use the ServiceManager, there you get actual error messages.

Greetings

Insid3Code,

Mr. eXoDia

Thank you. Sorry, I'm lost...

 

    I have tested the driver several times.
1. My Win 7 SP1 x64 crashed to BSOD: after 9 min, 6 min, 10 min, 7 min starting the driver.
2. IDA does not see this driver and again displays a message: "A debugger has been found..."

    (In IDA loaded target packed Themida WinLicense).

Hm, really strange... does it happen on a vm too? I kept the driver running for days on my computer (7x64 sp1) and it didnt bsod me. Could you provide a crashdump please? Are you also certain you use the latest version?

Greetings

Mr. eXoDia

 

I do not use the VM. I have multiple OS and from time to time to restore them from the image.

Version TitanHide_0010 is loaded on the link from your post #52.

File .dmp: http://rghost.ru/52709580

 

Sincerely,

ChVL

@ChVL: how did you create the dump file? My visual studio tells me it's not supported :s

Was there any log created in the C:\ drive?

Greetings

Mr. eXoDia

 

This file is in the directory: C:\windows\minidump.

.dmp files can be opened by program see attach. To view, please put my .dmp file in your directory C:\windows\minidump.

Unfortunately for C:\ log has not been created.

 

Sincerely,

ChVL

BlueScreenView.rar

Edited March 1, 201411 yr by ChVL

@ChVL: Using TitanHide on x64 without removing PatchGuard is not possible. It seems like you have (test)signed the driver, but since I don't want it to be used as rootkit directly I did not add PatchGuard circumvention. Check this page for a solution: http://fyyre.ivory-tower.de/

 

Attached a PDF of the crash dump (I forgot that the dump was kernel-mode, so I kinda failed).

 

Greetings,

 

Mr. eXoDia

minidump.pdf

Mr. eXoDia

 

Thanks a lot!
Driver worked for more than 4 hours without a BSOD. Sorry, I did some experiments and forgot to return the initial state.However, unfortunately the IDA does not see driver ...

 

Sincerely,

ChVL

@ChVL: IDA is not supposed to see the driver TitanHideGUI will however hide a process from the tricks you select. PEB is not included in the list, because it should not be part of the driver IMO. Just manually patch the PEB and the TitanHideGUI for the rest.

Try using x64_dbg (see my signature) and the TitanHide plugin. Then use the command 'titanhide 1' to hide all kernel options and also the PEB. If this works with Themida the driver is doing it's job correctly.

Greetings

Mr. eXoDia

 

OK. I understood.

Yes, I am already familiar with x64_dbg and got 100% result when unpacking Armadillo.
I'll try and Themida...
 

Sincerely,

ChVL

Mr. eXoDia

 

In this screenshot it right?

 

 

Run from cmd: x64_dbg.exe /"titanhide 1"

I got again displays a message: "A debugger has been found..." (Target packed Themida WinLicense).

 

Sincerely,

ChVL

Edited March 3, 201411 yr by ChVL

Hi,

Plugin is installed good, but use the 'titanhide 1' in the debugger command bar (press ctrl+enter or look in the view menu)

Greetings

Mr. eXoDia

 

I had to guess myself.
Many thanks for your tools. Everything works fine.Now I have a problem with Target. Check the logs, please. If you will not complicate, then tell me which way to dig.

 

Sincerely,

ChVL

Logs.rar

@ChVL: Its just a first chance exception. Try running with shift+f9.

Greetings

Hi,Yes, I've tried.
But the next step (only F9 or Ctrl+F9 or Shift+F9) goes to last chance exception.
The first and last are the same address.

@ChVL: Sorry, I cannot see from here what the problem could be Can you maybe PM the target?

Greetings

TitanHide plugins:

- OllyDbg v1.10

- OllyDbg v2.01

- TitanEngine (x86 + x64)

- x64_dbg (x32 + x64)

Attached a full archive, latest versions can be downloaded from https://bitbucket.org/mrexodia/titanhide/downloads

Greetings,

Mr. eXoDia

EDIT: And no, I will not extend the plugin with features, if you find a bug, I will fix it though.

TitanHide_plugins.rar

Edited March 16, 201411 yr by Mr. eXoDia

Note: If you are having Eset Nod32 Antivirus, loading of TitanHide.sys leads to a BSOD. We dont know exactly why but might come up with a fix somewhen

 

Edit: As a workaround, deactivating the "Realtime file protection" option in Eset solves the problem and TitanHide starts fine. After TH started, you can reenable the protection

Edited March 25, 201411 yr by cypher

New version v0011 added https://bitbucket.org/mrexodia/titanhide/downloads/TitanHide_0011.rar

 

Changes:

- Protect DRx (HW BPs) (NtSetContextThread)

 

For instance, this allows to use HW BPs with targets using NtSetContextThread to defeat HW BPs

For use with TitanScript, copy TitanHide.dll to your plugins/x86/ folder and install the TitanHide.sys driver+start it

Edited March 26, 201411 yr by cypher

Hi ,

 

Tools Setup  PcGuard   Vurtial Machıne Debugger  Protections  Launch.exe  PID code Rndom Numbers

 

I'll not fix that in TitanHide.

Greetings