February 13, 2014 Author: Thanks a lot LCF-AT! I forgot to remove the entry BP, that's why it failed on my side... This means that TitanHide runs the following protectors (with the addition of a few simple PEB patches):
- WinLicense x64/x32
- Enigma x64/x32
- Themida x64/x32
- VMProtect x64/x32
Greetings, Mr. eXoDia [attachment: vmprotect_hidden.rar]
February 15, 2014 Author: V0010 released:
- dynamic retrieval of DebugPortOffset (thanks to mcp!)
- added some alternative code for NtClose (thanks to ahmadmansoor!)
- also updated the TitanHide plugin for x64_dbg
Greetings, Mr. eXoDia [attachments: TitanHide_0010.rar, TitanHide_plugin_0002.rar]
February 26, 2014 What is error 193? I use Disable PatchGuard/Driver Signing, v3 (update on 21/01/2012 by Fyyre), but I'm not sure it is working correctly. How can it be checked? Win 7 x64. Edited February 26, 2014 by ChVL
February 26, 2014 Hello, you must put the full path with the driver filename: Path: c:\windows\system32\drivers\TitanHide.sys Edited February 26, 2014 by Insid3Code
February 26, 2014 Author: You should also use the ServiceManager; there you get actual error messages. Greetings
February 27, 2014 Insid3Code, Mr. eXoDia, thank you. Sorry, I'm lost... I have tested the driver several times. 1. My Win 7 SP1 x64 crashed to a BSOD 9 min, 6 min, 10 min and 7 min after starting the driver. 2. IDA does not see this driver and again displays the message: "A debugger has been found..." (the target loaded in IDA is packed with Themida WinLicense).
February 27, 2014 Author: Hm, really strange... does it happen on a VM too? I kept the driver running for days on my computer (7 x64 SP1) and it didn't BSOD me. Could you provide a crash dump please? Are you also certain you use the latest version? Greetings
February 27, 2014 Mr. eXoDia, I do not use a VM. I have multiple OSes and from time to time restore them from an image. Version TitanHide_0010 is loaded from the link in your post #52. File .dmp: http://rghost.ru/52709580 Sincerely, ChVL
February 28, 2014 Author: @ChVL: how did you create the dump file? My Visual Studio tells me it's not supported :s Was there any log created on the C:\ drive? Greetings
March 1, 2014 Mr. eXoDia, this file is in the directory C:\windows\minidump. .dmp files can be opened with the program in the attachment. To view, please put my .dmp file in your directory C:\windows\minidump. Unfortunately no log has been created in C:\. Sincerely, ChVL [attachment: BlueScreenView.rar] Edited March 1, 2014 by ChVL
March 1, 2014 Author: @ChVL: Using TitanHide on x64 without removing PatchGuard is not possible. It seems like you have (test-)signed the driver, but since I don't want it to be used as a rootkit directly I did not add PatchGuard circumvention. Check this page for a solution: http://fyyre.ivory-tower.de/ Attached a PDF of the crash dump (I forgot that the dump was kernel-mode, so I kinda failed). Greetings, Mr. eXoDia [attachment: minidump.pdf]
March 2, 2014 Mr. eXoDia, thanks a lot! The driver worked for more than 4 hours without a BSOD. Sorry, I did some experiments and forgot to return to the initial state. However, unfortunately IDA does not see the driver... Sincerely, ChVL
March 2, 2014 Author: @ChVL: IDA is not supposed to see the driver. TitanHideGUI will however hide a process from the tricks you select. PEB is not included in the list, because it should not be part of the driver IMO. Just manually patch the PEB and use TitanHideGUI for the rest. Try using x64_dbg (see my signature) and the TitanHide plugin. Then use the command 'titanhide 1' to hide all kernel options and also the PEB. If this works with Themida the driver is doing its job correctly. Greetings
March 2, 2014 Mr. eXoDia, OK. I understood. Yes, I am already familiar with x64_dbg and got a 100% result when unpacking Armadillo. I'll try Themida too... Sincerely, ChVL
March 3, 2014 Mr. eXoDia, is it right in this screenshot? Run from cmd: x64_dbg.exe /"titanhide 1" I again get the message: "A debugger has been found..." (target packed with Themida WinLicense). Sincerely, ChVL Edited March 3, 2014 by ChVL
March 3, 2014 Author: Hi, the plugin is installed fine, but use 'titanhide 1' in the debugger command bar (press Ctrl+Enter or look in the View menu). Greetings
March 4, 2014 Mr. eXoDia, I had to guess myself. Many thanks for your tools. Everything works fine. Now I have a problem with the target. Check the logs, please. If it is not too much trouble, tell me which way to dig. Sincerely, ChVL [attachment: Logs.rar]
March 4, 2014 Author: @ChVL: It's just a first-chance exception. Try running with Shift+F9. Greetings
March 4, 2014 Hi, yes, I've tried. But the next step (whether F9, Ctrl+F9 or Shift+F9) goes to a last-chance exception. The first and last are at the same address.
March 4, 2014 Author: @ChVL: Sorry, I cannot see from here what the problem could be. Can you maybe PM the target? Greetings
March 16, 2014 Author: TitanHide plugins:
- OllyDbg v1.10
- OllyDbg v2.01
- TitanEngine (x86 + x64)
- x64_dbg (x32 + x64)
Attached a full archive; latest versions can be downloaded from https://bitbucket.org/mrexodia/titanhide/downloads Greetings, Mr. eXoDia EDIT: And no, I will not extend the plugin with features; if you find a bug, I will fix it though. [attachment: TitanHide_plugins.rar] Edited March 16, 2014 by Mr. eXoDia
March 25, 2014 Note: If you have Eset Nod32 Antivirus, loading TitanHide.sys leads to a BSOD. We don't know exactly why but might come up with a fix at some point. Edit: As a workaround, deactivating the "Realtime file protection" option in Eset solves the problem and TitanHide starts fine. After TH has started, you can re-enable the protection. Edited March 25, 2014 by cypher
March 25, 2014 New version v0011 added: https://bitbucket.org/mrexodia/titanhide/downloads/TitanHide_0011.rar Changes:
- Protect DRx (HW BPs) (NtSetContextThread). For instance, this allows using HW BPs with targets that use NtSetContextThread to defeat HW BPs.
For use with TitanScript, copy TitanHide.dll to your plugins/x86/ folder, install the TitanHide.sys driver and start it. Edited March 26, 2014 by cypher
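The "Protect DRx" change above describes filtering a thread-context write so that a debuggee cannot clear the debugger's hardware breakpoints while the rest of the context is still applied. The block below is an added example that models that filter in portable C; it is not TitanHide's own code and does not touch the Windows kernel. The `thread_ctx` structure, the `apply_context` filter and the breakpoint address 0x401234 are constructed for the example; the DR7 local-enable bit positions (bit 2*n for slot n) are the real x86 layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Reduced model of a thread context: only the instruction pointer and the
 * x86 debug registers matter here (constructed for this example; the real
 * Windows CONTEXT structure has many more fields). */
typedef struct {
    uint64_t rip;
    uint64_t dr[4];   /* DR0..DR3: hardware breakpoint addresses */
    uint64_t dr6;     /* debug status register */
    uint64_t dr7;     /* debug control: bit 2*n is the local-enable bit of DRn */
} thread_ctx;

/* Arm a hardware breakpoint in slot 0..3: store the address and set the
 * slot's local-enable bit in DR7. */
void hwbp_set(thread_ctx *ctx, int slot, uint64_t addr) {
    ctx->dr[slot] = addr;
    ctx->dr7 |= (uint64_t)1 << (2 * slot);
}

/* True if some enabled slot still points at addr. */
bool hwbp_armed(const thread_ctx *ctx, uint64_t addr) {
    for (int slot = 0; slot < 4; slot++) {
        bool enabled = (ctx->dr7 >> (2 * slot)) & 1;
        if (enabled && ctx->dr[slot] == addr)
            return true;
    }
    return false;
}

/* Model of the SetContextThread filter: apply the requested context, but
 * when protect_drx is set keep the debug registers the debugger owns.
 * Returns true when a debug-register change was discarded. */
bool apply_context(thread_ctx *current, const thread_ctx *requested, bool protect_drx) {
    thread_ctx before = *current;
    *current = *requested;               /* rip and everything else are applied */
    if (!protect_drx)
        return false;
    bool drx_differ = memcmp(before.dr, requested->dr, sizeof before.dr) != 0
                   || before.dr6 != requested->dr6
                   || before.dr7 != requested->dr7;
    memcpy(current->dr, before.dr, sizeof before.dr);
    current->dr6 = before.dr6;
    current->dr7 = before.dr7;
    return drx_differ;
}

/* Scenario from the post: the debugger arms a breakpoint, then the debuggee
 * writes a context with every debug register cleared. Returns whether the
 * breakpoint survived and the non-DRx part of the write still took effect. */
bool scenario(bool protect_drx) {
    thread_ctx ctx = {0};
    ctx.rip = 0x401000;                   /* constructed addresses */
    hwbp_set(&ctx, 0, 0x401234);

    thread_ctx wipe = ctx;
    memset(wipe.dr, 0, sizeof wipe.dr);
    wipe.dr6 = 0;
    wipe.dr7 = 0;
    wipe.rip = 0x401100;                  /* the rip change must still land */

    apply_context(&ctx, &wipe, protect_drx);
    return hwbp_armed(&ctx, 0x401234) && ctx.rip == 0x401100;
}
```

With protection on, `scenario(true)` keeps the breakpoint armed while the new `rip` is applied; with protection off, `scenario(false)` shows the breakpoint being wiped, which is exactly what the unfiltered call lets a target do.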
April 20, 2014 Hi, Tools Setup PcGuard Virtual Machine Debugger Protections Launch.exe PID code Random Numbers