cyrex1337 Posted August 23, 2016 (edited)

(Sorry, I may have posted this in the wrong section. I believed this is the TitanHide section -.-)

Hey. I wanna use TitanHide driver to hide x64dbg/ollydbg from certain protectors.

As Reverse Engineering environment I have set up a virtual machine (VMware Workstation 12.1.1 build-3770994) with Windows 7 Professional x64 (SP1). Moreover, I compiled TitanHide myself on my host operating system Windows 10 Pro x64 using Win7 Release configuration and x64 platform without errors or warnings. (used WDK 8.1 Update 1)

Since I got a UEFI mainboard I also had to enable Intel VT-x to get the virtual machine to work (idk if this is really important but just listing some differences because on my older computer it worked just fine). For the VM I have set up 4 GB of DDR4 memory and one core of the CPU can be used.

After that I booted into the Win7 VM and used KPP Destroyer P4 (Final, Patch 4) to patch the kernel patch protection (actually copying kernel and bootloader and then modifying them, providing a new bootloader to boot using the patched files).

Now I spawned an administrator command prompt and enabled testsigning. (double-checked with bcdedit if the current boot's testsigning setting is set to "on"). After a restart, I noticed the absence of the "test mode" text printed in the lower corner of your screen normally if testsigning is enabled. I thought it's just that KPP Destroyer patched it away. Ofc. that made me open a command prompt and check again if testsigning is enabled in the current bootloader's setting. And yes it was.

So I went on to the testing stage, and tried four installation methods:

- with sc.exe - creating the service - no problem. When starting the service, sc.exe tells me that the handle of the driver is invalid.
- ServiceManager.exe - invalid handle
- loader.exe - invalid handle
- OSRLoader - invalid handle

Before someone asks me to do that:

- I have placed the driver into C:\Windows\system32\drivers
- I have full administrator privileges and every program I described here
- I have already tried other PatchGuard/KPP disablers. One of them doesn't even let me boot with the new bootloader o.O, others: same issue.

Thanks if someone can help me out here!

Edited August 23, 2016 by cyrex1337

mrexodia Posted August 23, 2016

Someone recently got it working https://mega.nz/#!m5AmlLrZ!EFpzM1uvilbOwYVCYtf4V_HV5mJcitPWpmJ0EdCLszA

cyrex1337 Posted August 23, 2016 (Author)

45 minutes ago, Mr. eXoDia said:
> Someone recently got it working https://mega.nz/#!m5AmlLrZ!EFpzM1uvilbOwYVCYtf4V_HV5mJcitPWpmJ0EdCLszA

I'm really grateful. Thanks mate!

Mecanik Posted October 31, 2016

I really don't understand how Windows 7 loaded an unsigned driver o.O

secursig Posted July 14, 2017

You can disable the enforcement at the boot prompt by hitting F8 and then hitting disable driver sign enforcement. I have this as default for my boot config that has the KPP disabled.

mrexodia Posted July 25, 2017

You can use https://github.com/hfiref0x/UPGDSED

sitikomariah Posted May 26, 2021 (edited)

Thanks mr. exodia. I will try and post results, because my driver also did not load properly.

Edit: And then, where do I get the PID values? main64.exe [1020] or TitanHide.sys at the service tab? I didn't find it in the TitanHide process.

Thanks, finally I can load the latest vmprotect.

Edited May 26, 2021 by sitikomariah progress