mrexodia (Author) Posted February 13, 2014
Thanks a lot LCF-AT! I forgot to remove the entry BP, that's why it failed on my side... This means that TitanHide runs the following protectors (with the addition of a few simple PEB patches):
- WinLicense x64/x32
- Enigma x64/x32
- Themida x64/x32
- VMProtect x64/x32
Greetings, Mr. eXoDia
Attachment: vmprotect_hidden.rar

mrexodia (Author) Posted February 15, 2014
V0010 Released:
- dynamic retrieval of DebugPortOffset (thanks to mcp!)
- added some alternative code for NtClose (thanks to ahmadmansoor!)
- also updated the TitanHide plugin for x64_dbg
Greetings, Mr. eXoDia
Attachments: TitanHide_0010.rar, TitanHide_plugin_0002.rar

ChVL Posted February 26, 2014 (edited)
What is error 193? I use Disable PatchGuard/Driver Signing, v3 - update on 21/01/2012 by Fyyre, but I am not sure it is working correctly. How can it be checked? Win 7 x64
Edited February 26, 2014 by ChVL

Insid3Code Posted February 26, 2014 (edited)
Hello, you must put the full path with the driver filename:
Path: c:\windows\system32\drivers\TitanHide.sys
Edited February 26, 2014 by Insid3Code

mrexodia (Author) Posted February 26, 2014
You should also use the ServiceManager; there you get actual error messages.
Greetings
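The two replies above amount to "use the full driver path and read the real error code". The script below is an added example, not part of the thread or of TitanHide itself: it registers the driver as a kernel service with a full path, starts it, and turns the numeric code that sc.exe leaves in $LASTEXITCODE (sc.exe exits with the Win32 error code on failure) into its text, so a bare "error 193" becomes readable. The service name and driver path are assumptions; adjust them to your install. It must run from an elevated PowerShell.

```powershell
# Added example (not from the thread): load a kernel driver service the way the
# posts above describe and decode the Win32 error code on failure.
$ServiceName = 'TitanHide'                                   # assumed service name
$DriverPath  = 'C:\Windows\System32\drivers\TitanHide.sys'   # assumed full path

function Get-Win32ErrorText([int]$Code) {
    # .NET resolves the code in the same table the Service Control Manager uses.
    (New-Object System.ComponentModel.Win32Exception($Code)).Message
}

if (-not (Test-Path -LiteralPath $DriverPath)) {
    throw "Driver not found at $DriverPath (binPath must be the full path to the .sys file)"
}

# Show whether the boot configuration allows unsigned/test-signed drivers at all.
& bcdedit.exe /enum '{current}' | Select-String -Pattern 'testsigning|nointegritychecks'

# sc.exe requires the space after 'type=' and 'binPath='. Note that Get-Service
# does not list kernel drivers, so sc.exe and Win32_SystemDriver are used instead.
& sc.exe create $ServiceName type= kernel start= demand binPath= $DriverPath | Out-Null
if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 1073) {      # 1073 = ERROR_SERVICE_EXISTS
    throw "sc create failed: $LASTEXITCODE ($(Get-Win32ErrorText $LASTEXITCODE))"
}

& sc.exe start $ServiceName | Out-Null
if ($LASTEXITCODE -ne 0) {
    # Typical codes: 193 = ERROR_BAD_EXE_FORMAT (not a valid driver image for this OS),
    # 577 = ERROR_INVALID_IMAGE_HASH (signature rejected), 2 = ERROR_FILE_NOT_FOUND.
    throw "sc start failed: $LASTEXITCODE ($(Get-Win32ErrorText $LASTEXITCODE))"
}

# Confirm the driver is actually running in the kernel.
Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'" |
    Select-Object Name, State, PathName, Started
```

When the start fails, the thrown message carries both the number and its meaning, which is the information the ServiceManager GUI shows and the raw "error 193" does not.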
ChVL Posted February 27, 2014
Insid3Code, Mr. eXoDia, thank you. Sorry, I'm lost... I have tested the driver several times.
1. My Win 7 SP1 x64 crashed to a BSOD after 9 min, 6 min, 10 min, 7 min of starting the driver.
2. IDA does not see this driver and again displays the message: "A debugger has been found..." (the target loaded in IDA is packed with Themida WinLicense).

mrexodia (Author) Posted February 27, 2014
Hm, really strange... does it happen on a VM too? I kept the driver running for days on my computer (7 x64 SP1) and it didn't BSOD me. Could you provide a crash dump please? Are you also certain you use the latest version?
Greetings

ChVL Posted February 27, 2014
Mr. eXoDia, I do not use a VM. I have multiple OSes and from time to time restore them from the image. Version TitanHide_0010 is loaded from the link in your post #52.
File .dmp: http://rghost.ru/52709580
Sincerely, ChVL

mrexodia (Author) Posted February 28, 2014
@ChVL: how did you create the dump file? My Visual Studio tells me it's not supported :s Was there any log created in the C:\ drive?
Greetings

ChVL Posted March 1, 2014 (edited)
Mr. eXoDia, this file is in the directory C:\windows\minidump. The .dmp files can be opened by the program in the attachment. To view, please put my .dmp file in your directory C:\windows\minidump. Unfortunately no log has been created in C:\.
Sincerely, ChVL
Attachment: BlueScreenView.rar
Edited March 1, 2014 by ChVL

mrexodia (Author) Posted March 1, 2014
@ChVL: Using TitanHide on x64 without removing PatchGuard is not possible. It seems like you have (test)signed the driver, but since I don't want it to be used as a rootkit directly I did not add PatchGuard circumvention. Check this page for a solution: http://fyyre.ivory-tower.de/ Attached a PDF of the crash dump (I forgot that the dump was kernel-mode, so I kinda failed).
Greetings, Mr. eXoDia
Attachment: minidump.pdf

ChVL Posted March 2, 2014
Mr. eXoDia, thanks a lot! The driver worked for more than 4 hours without a BSOD. Sorry, I did some experiments and forgot to return to the initial state. However, unfortunately IDA does not see the driver...
Sincerely, ChVL

mrexodia (Author) Posted March 2, 2014
@ChVL: IDA is not supposed to see the driver. TitanHideGUI will however hide a process from the tricks you select. PEB is not included in the list, because it should not be part of the driver IMO. Just manually patch the PEB and use the TitanHideGUI for the rest. Try using x64_dbg (see my signature) and the TitanHide plugin. Then use the command 'titanhide 1' to hide all kernel options and also the PEB. If this works with Themida the driver is doing its job correctly.
Greetings
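The post above separates two layers: the PEB flag that is patched by hand, and the kernel-side debug-port checks that the driver answers. The probe below is an added example, not code from the thread or from TitanHide; it runs the documented user-mode checks (IsDebuggerPresent reads PEB.BeingDebugged; CheckRemoteDebuggerPresent and NtQueryInformationProcess with the ProcessDebugPort, ProcessDebugObjectHandle and ProcessDebugFlags classes ask the kernel) and reports which of them still see a debugger. Run it from a PowerShell that was started under the debugger, first without and then with 'titanhide 1', and the rows that flip from True to False are the ones the driver is hiding. The namespace and function names are ours; the information-class numbers (7, 0x1E, 0x1F) and status value 0xC0000353 are the documented ones.

```powershell
# Added example (not from the thread): which debugger-presence checks still
# report a debugger, so the effect of PEB patching vs. the kernel hooks can be seen.
Add-Type -Namespace DbgProbe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern bool IsDebuggerPresent();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool present);
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
// Two bindings of the same export: one for pointer-sized results, one for ULONG results.
[DllImport("ntdll.dll", EntryPoint = "NtQueryInformationProcess")]
public static extern int NtQueryProcessPtr(IntPtr hProcess, int infoClass, ref IntPtr info, int length, IntPtr returnLength);
[DllImport("ntdll.dll", EntryPoint = "NtQueryInformationProcess")]
public static extern int NtQueryProcessUInt(IntPtr hProcess, int infoClass, ref uint info, int length, IntPtr returnLength);
'@

function Test-DebuggerVisible {
    $h = [DbgProbe.Native]::GetCurrentProcess()
    $results = [ordered]@{}

    # PEB.BeingDebugged: the flag the post says to patch manually (IsDebuggerPresent reads it).
    $results['PEB.BeingDebugged'] = [DbgProbe.Native]::IsDebuggerPresent()

    # ProcessDebugPort (class 7): non-zero while a debugger is attached; kernel-side,
    # which is what the DebugPortOffset handling in the driver targets.
    $port = [IntPtr]::Zero
    $s = [DbgProbe.Native]::NtQueryProcessPtr($h, 7, [ref]$port, [IntPtr]::Size, [IntPtr]::Zero)
    $results['ProcessDebugPort'] = ($s -eq 0 -and $port -ne [IntPtr]::Zero)

    # ProcessDebugObjectHandle (class 0x1E): STATUS_PORT_NOT_SET (0xC0000353) when no debugger.
    $obj = [IntPtr]::Zero
    $s = [DbgProbe.Native]::NtQueryProcessPtr($h, 0x1E, [ref]$obj, [IntPtr]::Size, [IntPtr]::Zero)
    $results['ProcessDebugObjectHandle'] = ($s -eq 0 -and $obj -ne [IntPtr]::Zero)

    # ProcessDebugFlags (class 0x1F): 0 while debugged, 1 (NoDebugInherit) otherwise.
    [uint32]$flags = 1
    $s = [DbgProbe.Native]::NtQueryProcessUInt($h, 0x1F, [ref]$flags, 4, [IntPtr]::Zero)
    $results['ProcessDebugFlags'] = ($s -eq 0 -and $flags -eq 0)

    # CheckRemoteDebuggerPresent is the kernel32 wrapper around ProcessDebugPort.
    [bool]$remote = $false
    [void][DbgProbe.Native]::CheckRemoteDebuggerPresent($h, [ref]$remote)
    $results['CheckRemoteDebuggerPresent'] = $remote

    [pscustomobject]$results
}

Test-DebuggerVisible
```

With only the PEB patched, the first row reads False while the kernel-side rows still read True; with the driver hiding the process, all rows should read False. A row that stays True after 'titanhide 1' points at the option that is not enabled or not working.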
ChVL Posted March 2, 2014
Mr. eXoDia, OK, I understood. Yes, I am already familiar with x64_dbg and got a 100% result when unpacking Armadillo. I'll try Themida as well...
Sincerely, ChVL

ChVL Posted March 3, 2014 (edited)
Mr. eXoDia, is this screenshot right? Run from cmd: x64_dbg.exe /"titanhide 1" I again get the message: "A debugger has been found..." (target packed with Themida WinLicense).
Sincerely, ChVL
Edited March 3, 2014 by ChVL

mrexodia (Author) Posted March 3, 2014
Hi, the plugin is installed correctly, but use 'titanhide 1' in the debugger command bar (press Ctrl+Enter or look in the View menu).
Greetings

ChVL Posted March 4, 2014
Mr. eXoDia, I had to guess myself. Many thanks for your tools. Everything works fine. Now I have a problem with the target. Check the logs, please. If it is not too much trouble, then tell me which way to dig.
Sincerely, ChVL
Attachment: Logs.rar

mrexodia (Author) Posted March 4, 2014
@ChVL: It's just a first chance exception. Try running with Shift+F9.
Greetings

ChVL Posted March 4, 2014
Hi, yes, I've tried. But the next step (F9, Ctrl+F9 or Shift+F9 alike) goes to a last chance exception. The first and the last are the same address.

mrexodia (Author) Posted March 4, 2014
@ChVL: Sorry, I cannot see from here what the problem could be. Can you maybe PM the target?
Greetings

mrexodia (Author) Posted March 16, 2014 (edited)
TitanHide plugins:
- OllyDbg v1.10
- OllyDbg v2.01
- TitanEngine (x86 + x64)
- x64_dbg (x32 + x64)
Attached a full archive; latest versions can be downloaded from https://bitbucket.org/mrexodia/titanhide/downloads
Greetings, Mr. eXoDia
EDIT: And no, I will not extend the plugin with features; if you find a bug, I will fix it though.
Attachment: TitanHide_plugins.rar
Edited March 16, 2014 by Mr. eXoDia

cypher Posted March 25, 2014 (edited)
Note: If you have Eset Nod32 Antivirus, loading TitanHide.sys leads to a BSOD. We don't know exactly why but might come up with a fix at some point.
Edit: As a workaround, deactivating the "Realtime file protection" option in Eset solves the problem and TitanHide starts fine. After TH has started, you can re-enable the protection.
Edited March 25, 2014 by cypher

cypher Posted March 25, 2014 (edited)
New version v0011 added: https://bitbucket.org/mrexodia/titanhide/downloads/TitanHide_0011.rar
Changes:
- Protect DRx (HW BPs) (NtSetContextThread). For instance, this allows using HW BPs with targets that use NtSetContextThread to defeat HW BPs.
For use with TitanScript, copy TitanHide.dll to your plugins/x86/ folder, install the TitanHide.sys driver and start it.
Edited March 26, 2014 by cypher

Pr0c3ss Posted April 20, 2014
Hi, Tools Setup PcGuard Virtual Machine Debugger Protections Launch.exe PID code Random Numbers

mrexodia (Author) Posted April 20, 2014
I'll not fix that in TitanHide.
Greetings