Tuts 4 You

Driver doesn't want to start


cyrex1337

(Sorry, I may have posted this in the wrong section. I believed this is the TitanHide section -.-)

 

Hey. I wanna use TitanHide driver to hide x64dbg/ollydbg from certain protectors. As Reverse Engineering environment I have set up a virtual machine (VMware Workstation 12.1.1 build-3770994) with Windows 7 Professional x64 (SP1).

Moreover, I compiled TitanHide myself on my host operating system Windows 10 Pro x64 using Win7 Release configuration and x64 platform without errors or warnings. (used WDK 8.1 Update 1)

Since I got a UEFI mainboard I also had to enable Intel VT-x to get the virtual machine to work (idk if this is really important but just listing some differences because on my older computer it worked just fine).

For the VM I have set up 4 GB of DDR4 memory and one core of the CPU can be used.

After that I booted into the Win7 VM and used KPP Destroyer P4 (Final, Patch 4) to patch the kernel patch protection (actually copying kernel and bootloader and then modifying them, providing a new bootloader to boot using the patched files)

Now I spawned an administrator command prompt and enabled testsigning. (double-checked with bcdedit if the current boot's testsigning setting is set to "on").

After a restart, I noticed the absence of the "test mode" text printed in the lower corner of your screen normally if testsigning is enabled. I thought it's just that KPP Destroyer patched it away.

Ofc. that made me open a command prompt and check again if testsigning is enabled in the current bootloader's setting. And yes it was.

 

So I went on to the testing stage, and tried four installation methods:

with sc.exe - creating the service - no problem. When starting the service, sc.exe tells me that the handle of the driver is invalid.

ServiceManager.exe - invalid handle

loader.exe - invalid handle

OSRLoader - invalid handle

 

before someone asks me to do that:

- I have placed the driver into C:\Windows\system32\drivers

- I have full administrator privileges and every program I described here

- I have already tried other PatchGuard/KPP disablers. One of them doesn't even let me boot with the new bootloader o.O, others: same issue.

 

Thanks if someone can help me out here!

secursig

You can disable the enforcement at the boot prompt by hitting F8 and then hitting "disable driver sign enforcement". I have this as default for my boot config that has the KPP disabled.
