Tuts 4 You

TitanHide


mrexodia


mrexodia

Thanks a lot LCF-AT! I forgot to remove the entry bp, that's why it failed on my side...

This means that TitanHide runs the following protectors (with the addition of a few simple PEB patches):

- WinLicense x64/x32

- Enigma x64/x32

- Themida x64/x32

- VMProtect x64/x32

Greetings,

Mr. eXoDia

vmprotect_hidden.rar


Insid3Code,

Mr. eXoDia

Thank you. Sorry, I'm lost...

I have tested the driver several times.
1. My Win 7 SP1 x64 crashed to a BSOD 9 min, 6 min, 10 min, 7 min after starting the driver.
2. IDA does not see this driver and again displays the message: "A debugger has been found..."

(The target loaded in IDA is packed with Themida WinLicense.)

mrexodia

Hm, really strange... does it happen on a VM too? I kept the driver running for days on my computer (7x64 SP1) and it didn't BSOD me. Could you provide a crash dump please? Are you also certain you use the latest version?

Greetings

mrexodia

@ChVL: how did you create the dump file? My Visual Studio tells me it's not supported :s

Was there any log created in the C:\ drive?

Greetings


Mr. eXoDia

This file is in the directory: C:\windows\minidump.

.dmp files can be opened by the program in the attachment. To view it, please put my .dmp file in your C:\windows\minidump directory.

Unfortunately, no log was created on C:\.

Sincerely,

ChVL

BlueScreenView.rar

Edited by ChVL
mrexodia

@ChVL: Using TitanHide on x64 without removing PatchGuard is not possible. It seems like you have (test-)signed the driver, but since I don't want it to be used as a rootkit directly, I did not add PatchGuard circumvention. Check this page for a solution: http://fyyre.ivory-tower.de/

Attached a PDF of the crash dump (I forgot that the dump was kernel-mode, so I kinda failed).

Greetings,

Mr. eXoDia

minidump.pdf

Mr. eXoDia

Thanks a lot!
The driver worked for more than 4 hours without a BSOD. Sorry, I did some experiments and forgot to return it to the initial state. However, unfortunately IDA does not see the driver...

Sincerely,

ChVL

mrexodia

@ChVL: IDA is not supposed to see the driver :) TitanHideGUI will however hide a process from the tricks you select. PEB is not included in the list, because it should not be part of the driver IMO. Just manually patch the PEB and use TitanHideGUI for the rest.

Try using x64_dbg (see my signature) and the TitanHide plugin. Then use the command 'titanhide 1' to hide all kernel options and also the PEB. If this works with Themida, the driver is doing its job correctly.

Greetings


Mr. eXoDia

OK. I understood.

Yes, I am already familiar with x64_dbg and got a 100% result when unpacking Armadillo.
I'll try Themida too...

Sincerely,

ChVL


Mr. eXoDia

Is this screenshot right?

image.png

Run from cmd: x64_dbg.exe /"titanhide 1"

I again got the message: "A debugger has been found..." (Target packed with Themida WinLicense).

Sincerely,

ChVL

Edited by ChVL

mrexodia

Hi,

The plugin is installed fine, but use 'titanhide 1' in the debugger command bar (press ctrl+enter or look in the view menu).

Greetings


Mr. eXoDia

I had to guess myself.
Many thanks for your tools. Everything works fine. Now I have a problem with the target. Check the logs, please. If it does not complicate things for you, tell me which way to dig.

Sincerely,

ChVL

Logs.rar

mrexodia

@ChVL: It's just a first chance exception. Try running with shift+F9.

Greetings


Hi, yes, I've tried.
But the next step (only F9 or Ctrl+F9 or Shift+F9) goes to a last chance exception.
The first and last are at the same address.

mrexodia

@ChVL: Sorry, I cannot see from here what the problem could be :) Can you maybe PM the target?

Greetings

mrexodia

TitanHide plugins:

- OllyDbg v1.10

- OllyDbg v2.01

- TitanEngine (x86 + x64)

- x64_dbg (x32 + x64)

Attached a full archive; the latest versions can be downloaded from https://bitbucket.org/mrexodia/titanhide/downloads

Greetings,

Mr. eXoDia

EDIT: And no, I will not extend the plugin with features; if you find a bug, I will fix it though.

TitanHide_plugins.rar

Edited by Mr. eXoDia

Note: If you are using Eset Nod32 Antivirus, loading TitanHide.sys leads to a BSOD. We don't know exactly why but might come up with a fix sometime.

Edit: As a workaround, deactivating the "Realtime file protection" option in Eset solves the problem and TitanHide starts fine. After TH has started, you can re-enable the protection.

Edited by cypher

New version v0011 added https://bitbucket.org/mrexodia/titanhide/downloads/TitanHide_0011.rar

Changes:

- Protect DRx (HW BPs) (NtSetContextThread)

For instance, this allows using HW BPs with targets that use NtSetContextThread to defeat HW BPs.

For use with TitanScript, copy TitanHide.dll to your plugins/x86/ folder, install the TitanHide.sys driver and start it.

Edited by cypher
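
A portable model of the "Protect DRx" behaviour this post describes, added here as an illustration and not taken from TitanHide's own source: it assumes a simplified CONTEXT layout with constructed flag values and that the hook can tell the debugger's requests from the target's own, and shows why a target's NtSetContextThread call no longer clears the debugger's hardware breakpoints.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed, simplified stand-in for the Windows CONTEXT structure: only the
 * fields that matter for hardware breakpoints are modelled (assumed layout). */
#define CONTEXT_CONTROL         0x01u  /* flag bit: apply the instruction pointer */
#define CONTEXT_DEBUG_REGISTERS 0x10u  /* flag bit: apply DR0-DR3, DR6, DR7 */
typedef struct {
    uint32_t ContextFlags;
    uint64_t Rip;
    uint64_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;
} ctx_t;

typedef struct {
    bool  hidden;  /* target has the driver's DRx protection enabled */
    ctx_t regs;    /* the thread's real register state */
} thread_t;

/* Model of the hooked NtSetContextThread: for a hidden target, a request that
 * does not come from the debugger has its debug-register part dropped, so the
 * debugger's hardware breakpoints survive; everything else is applied as usual. */
void hooked_set_context(thread_t *t, const ctx_t *req, bool from_debugger)
{
    uint32_t flags = req->ContextFlags;
    if (t->hidden && !from_debugger)
        flags &= ~CONTEXT_DEBUG_REGISTERS;
    if (flags & CONTEXT_CONTROL)
        t->regs.Rip = req->Rip;
    if (flags & CONTEXT_DEBUG_REGISTERS) {
        t->regs.Dr0 = req->Dr0; t->regs.Dr1 = req->Dr1;
        t->regs.Dr2 = req->Dr2; t->regs.Dr3 = req->Dr3;
        t->regs.Dr6 = req->Dr6; t->regs.Dr7 = req->Dr7;
    }
}

/* True while any local-enable bit (L0-L3, bits 0/2/4/6) of DR7 is set. */
bool hw_bp_armed(const thread_t *t) { return (t->regs.Dr7 & 0x55u) != 0; }
/* Scenario: the debugger arms a breakpoint at (constructed) 0x401000 in DR0, then
 * the target tries to wipe every debug register, as protectors do. Returns
 * whether the breakpoint is still armed and the rest of the request applied. */
bool breakpoint_survives(bool hidden)
{
    thread_t t = { .hidden = hidden, .regs = { 0 } };
    ctx_t arm  = { .ContextFlags = CONTEXT_DEBUG_REGISTERS, .Dr0 = 0x401000, .Dr7 = 0x1 };
    ctx_t wipe = { .ContextFlags = CONTEXT_CONTROL | CONTEXT_DEBUG_REGISTERS, .Rip = 0x401234 };
    hooked_set_context(&t, &arm, true);   /* debugger installs the HW BP */
    hooked_set_context(&t, &wipe, false); /* target tries to clear DR0-DR7 */
    return hw_bp_armed(&t) && t.regs.Dr0 == 0x401000 && t.regs.Rip == 0x401234;
}
```

With the protection off the same wipe request clears DR0 and DR7, which is the behaviour the changelog entry fixes.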

Hi,

Tools Setup PcGuard Virtual Machine Debugger Protections Launch.exe PID code Random Numbers

post-63487-0-52973100-1397938784.png
