Tuts 4 You

Driver doesn't want to start


cyrex1337


Posted (edited)

(Sorry, I may have posted this in the wrong section. I believed this is the TitanHide section -.-)

 

Hey. I wanna use TitanHide driver to hide x64dbg/ollydbg from certain protectors. As Reverse Engineering environment I have set up a virtual machine (VMware Workstation 12.1.1 build-3770994) with Windows 7 Professional x64 (SP1).

Moreover, I compiled TitanHide myself on my host operating system Windows 10 Pro x64 using Win7 Release configuration and x64 platform without errors or warnings. (used WDK 8.1 Update 1)

Since I got an UEFI mainboard I also had to enable Intel VT-x to get the virtual machine to work (idk if this is really important but just listing some differences because on my older computer it worked just fine)

For the VM I have set up 4 GB of DDR4 memory and one core of the CPU can be used.

After that I booted into the Win7 VM and used KPP Destroyer P4 (Final, Patch 4) to patch the kernel patch protection (actually copying kernel and bootloader and then modifying them, providing a new bootloader to boot using the patched files)

Now I spawned an administrator command prompt and enabled testsigning. (double-checked with bcdedit if the current boot's testsigning setting is set to "on").

After a restart, I noticed the absence of the "test mode" text printed in the lower corner of your screen normally if testsigning is enabled. I thought it's just that KPP Destroyer patched it away.

Ofc. that made me open a command prompt and check again if testsigning is enabled in the current bootloader's setting. And yes, it was.

 

So I went on to the testing stage, and tried four installation methods:

- sc.exe - creating the service - no problem. When starting the service, sc.exe tells me that the handle of the driver is invalid.

- ServiceManager.exe - invalid handle

- loader.exe - invalid handle

- OSRLoader - invalid handle

 

before someone asks me to do that:

- I have placed the driver into C:\Windows\system32\drivers

- I have full administrator privileges and every program I described here

- I have already tried other PatchGuard/KPP disablers. One of them doesn't even let me boot with the new bootloader o.O, others: same issue.

 

Thanks if someone can help me out here!

  • 2 months later...
Posted

I really don't understand how Windows 7 loaded an unsigned driver o.O

  • 8 months later...
Posted

You can disable the enforcement at the boot prompt by hitting F8 and then hitting "disable driver sign enforcement". I have this as default for my boot config that has the KPP disabled.

  • 2 weeks later...
  • 3 years later...
sitikomariah
Posted (edited)

Thanks, Mr. exodia. I will try and post results, because my driver also did not load properly.

Edit: And then, where do I get the PID values? main64.exe [1020] or TitanHide.sys at the service tab? I didn't find it in the TitanHide process.

Thanks, finally I can load the latest vmprotect.

 

 

  • 2 years later...
Posted

I also had this problem... After downloading the latest TitanHide source code from GitHub and compiling Titanhide.sys (adding my own signature), the driver wouldn't load. But I compile other drivers, such as my own, without this problem (also with my signature).

Environment: VS2019 Enterprise + Win10 x64 + WDK 10 + SDK 10

  • 3 weeks later...
Posted (edited)
Quote

The driver wouldn't load

Environment: VS2019 Enterprise + Win10 x64 + WDK 10 + SDK 10


Working well here on win10 x64

 

Posted

Does not work

 

Posted

Quote from the author's GitHub :

Quote

I will permanently ban you from the issue tracker. If you don't know how to properly install the tool you don't know enough to use it responsibly and you should use something else like ScyllaHide

 

Posted (edited)
23 hours ago, jackyjask said:

Does not work

 

Finally, I recompiled sys and added a digital signature to solve this strange problem. Titanhide.sys can be loaded on Win11 x64.

 

 

CodeExplorer
Posted
Quote

and added a digital signature to solve this strange problem

How did you do this? What signature did you use?
 

  • 3 weeks later...
Posted
On 6/24/2023 at 6:02 PM, CodeExplorer said:

How did you do this? What signature did you use?
 

Try this driver. I recompiled and tested it, and it was able to load from Win7 x64 to Win11 x64.

https://pan.huang1111.cn/s/mM1Ls1

  • 1 month later...
Posted
On 7/10/2023 at 6:24 AM, boot said:

Try this driver. I recompiled and tested it, and it was able to load from Win7 x64 to Win11 x64.

https://pan.huang1111.cn/s/mM1Ls1

Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz   1.99 GHz

windows10 21H2 Enterprise Edition   19044.2604

Still blue screen

 

  • 8 months later...
Posted
On 9/7/2023 at 6:13 AM, Noob boy said:

Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz   1.99 GHz

windows10 21H2 Enterprise Edition   19044.2604

Still blue screen

 

Drivers are unforgiving: on any segfault or error you will crash, but you didn't give the bluescreen error details. Maybe you have a driver for the wrong 32/64-bit x86/ARM system, or maybe there is a bug in the driver, or maybe some permission issue, or maybe a dependency is missing, or some mixture of these things. Did you try attaching a kernel remote debugger to see the details?

  • 6 months later...
Posted
On 7/10/2023 at 6:24 AM, boot said:

it was able to load...

For the latest version of Windows 11, loading some drivers requires a WHQL signature. However, there are still ways to load drivers with banned signatures without enabling test mode.
