Jump to content
Tuts 4 You

TitanHide


mrexodia

Recommended Posts

DarkInjection

titanhide seems to not work in my windows 7 64
 
i used TitanHideTest.exe to test the functionality but it always return 0 in values also themida detect my program
 

ProcessDebugFlags: 0ProcessDebugPort: 0ProcessDebugObjectHandle: 0NtQueryObject: 0CheckSystemDebugger: 0CheckNtClose: 0

i used fyrre's no patchguard v3

Link to post
  • Replies 154
  • Created
  • Last Reply

Top Posters In This Topic

  • mrexodia

    60

  • GIV

    13

  • LCF-AT

    11

  • Insid3Code

    9

Top Posters In This Topic

Popular Posts

Overview:TitanHide is a driver intended to hide debuggers from certain processes.The driver hooks various Nt* kernel functions (using inline hooks at themoment) and modifies the return values of the o

I, After some talking with deepzero, I realized that the hooking model is completely unreliable. It is therefore not recommended to use this driver outside of a VM, because you eventually WILl get

Updated to V0013! Changelog: - MIT license - crappy win10 support - fixed some exploits kao found - hopefully now the .sys works on win7 (target = win7 instead of win8.1) Download: https://

Posted Images

mrexodia

@DarkInjection, 0 means not detected. So if you're running TitanHide under a debugger, it works perfectly fine :)

Greetings

Link to post
  • 4 weeks later...
mrexodia

It's 100% a false-positive (programs installing services are dangerous, because they could install rootkits). If you don't trust the file, you can compile it yourself (the source is available).

Greetings

Link to post

TitanHide doesnot support multiple hide ?


 


I need to hide debugger for 2 processes.


 


But it seeks like it doesnot work

Link to post
mrexodia

@kgh0701: You can use TitanHideGUI to hide the debugger from any PID you want.

Greetings

Link to post
  • 4 weeks later...
serseri_1453

Hello Mr. eXoDia


 


titanhide PcGuard the support?


 


download links are shared in "Download repository" link I build?


 


all the places to plug-ins x64 dbg down ready for even more would be nice


 


if you do from the beginning, if possible, installation and video settings way to stop talking about it you know?


Link to post

Hi eXoDia,

 

ok I made a longer video where you can see all steps for clean Olly 1 and SND 2.3 and TitanHide too.All three testet in the video to get VMP in all run.All in all its the best to use TitanHide for this so you just need to add the ISP PEB patch and then all is working without any trouble.I added also some text infos so just watch / read & test and release later a new version + IDP PEB patch.

 

greetz

thank s LCF-AT very much

Link to post
  • 4 months later...
mrexodia

probably because you didn't read the instructions correctly. it is also recommended to disable your AV completely.

Link to post
  • 3 weeks later...

I have Windows 8.1 Enterprise 64-bit (6.3, Build 9600) installed on my workstation machine (Dell Precision M4700 with Intel Core i7-3740QM CPU @ 2.70GHz (8 CPUs) & 32.0 GB of RAM) & I have PATCHED its KERNEL to DISABLE PatchGuard and Signed Driver Enforcement using KPP-Destroyer-P4 tool (take a look HERE about the tool), & HERE is its latest version made by how02, & take a look HERE for how the tool works.

 

I have followed all the steps one by one to install TitanHide.

I have Copied "TitanHide.sys" x64 version to "C:\Windows\system32\drivers"

I have used the ServiceManager to Create a TitanHide service, but when I try to start the TitanHide service, I always end up with this error message :

------------------------------------------------------------------------

PS C:\Windows\system32> net start TitanHide
System error 31 has occurred.A device attached to the system is not functioning.

------------------------------------------------------------------------

What could be the error cause !?

Help me please.

Thank you for your understanding.

Edited by Tomay (see edit history)
Link to post

i dont think that method will work on latest fully updated win8.1x64. there is pg bypass source code for current win8.1x64 but it's not distro'd as easy to use binary. i'd recomend recompiling driver and sign it w/test sig, enable test sign mode, then use fyyre pg disable method on older win8.1 x64 or switch to win8/7.


Link to post
mrexodia

i dont think that method will work on latest fully updated win8.1x64. there is pg bypass source code for current win8.1x64 but it's not distro'd as easy to use binary. i'd recomend recompiling driver and sign it w/test sig, enable test sign mode, then use fyyre pg disable method on older win8.1 x64 or switch to win8/7.

Yea.. it's also possible to go in debug mode, this way patchguard should be fully disabled as well. Fyyre doesn't work with newer UEFI systems (without re-signing the winload.exe, which is lot of a hassle). I still gotta test this on Windows 10 lol, but I think it's not gonna work.

Link to post

i dont think that method will work on latest fully updated win8.1x64. there is pg bypass source code for current win8.1x64 but it's not distro'd as easy to use binary. i'd recomend recompiling driver and sign it w/test sig, enable test sign mode, then use fyyre pg disable method on older win8.1 x64 or switch to win8/7.

 

Indeed, my Windows 8.1 x64 OS is fully updated.

 

Yea.. it's also possible to go in debug mode, this way patchguard should be fully disabled as well. Fyyre doesn't work with newer UEFI systems (without re-signing the winload.exe, which is lot of a hassle). I still gotta test this on Windows 10 lol, but I think it's not gonna work.

 

I will try the debug mode to see if PatchGuard will be fully disabled or not !

If not, I think I will give-up, and go for "Windows XP SP3 x86" on VMware Workstation.

 

EDIT:

I tried the debug mode; with no luck for disabling the PatchGuard :(

Edited by Tomay (see edit history)
Link to post
mrexodia

Try these commands: 

bcdedit /set testsigning onbcdedit /debug onbcdedit /dbgsettings local
Today I started working on TitanHide again, somehow the NtQueryInformationProcess hook is giving a BSOD all the time, does anyone know why? http://pastebin.com/2570uheJ

Greetings

Edited by Mr. eXoDia (see edit history)
Link to post

Try these commands: 

bcdedit /set testsigning onbcdedit /debug onbcdedit /dbgsettings local
Today I started working on TitanHide again, somehow the NtQueryInformationProcess hook is giving a BSOD all the time, does anyone know why? http://pastebin.com/2570uheJ

Greetings

 

I try last week to use your driver under XP SP3 and all time it reset my PC.

So i quit and now i have a fear of destroy my PC......

Maybe was a good ideea to use in a VM first :ltongue:

Link to post
mrexodia

I try last week to use your driver under XP SP3 and all time it reset my PC.

So i quit and now i have a fear of destroy my PC......

Maybe was a good ideea to use in a VM first :ltongue:

yea.. i tried it today on a VM with Win8.1.. do you have the dumps? C:\windows\minidumps

Link to post

yea.. i tried it today on a VM with Win8.1.. do you have the dumps? C:\windows\minidumps

In c:\WINDOWS\Minidump\ is no file.

My PC was resetted (power off and on again like you press the reset button) not BSOD so i guess is kinda a protection feature of the PC (software or hardware???) that have been triggeder by the driver, not a BSOD exception.

I will try with your latest version and i will report back.

Link to post

Try these commands: 

bcdedit /set testsigning onbcdedit /debug onbcdedit /dbgsettings local
Today I started working on TitanHide again, somehow the NtQueryInformationProcess hook is giving a BSOD all the time, does anyone know why? http://pastebin.com/2570uheJ

Greetings

 

 

I will try:

bcdedit /set testsigning onbcdedit /debug onbcdedit /dbgsettings local

Thanks ;)

Edited by Tomay (see edit history)
Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...