Showing results for tags 'ntqueryinformationprocess'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 1 result

  1. rukov

    TitanHide

    Overview

    TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.

    Features

      • ProcessDebugFlags (NtQueryInformationProcess)
      • ProcessDebugPort (NtQueryInformationProcess)
      • ProcessDebugObjectHandle (NtQueryInformationProcess)
      • DebugObject (NtQueryObject)
      • SystemKernelDebuggerInformation (NtQuerySystemInformation)
      • NtClose (STATUS_INVALID_HANDLE exception)
      • ThreadHideFromDebugger (NtSetInformationThread)
      • Protect DRx (HW BPs) (NtSetContextThread)

    Test environments

      • Windows 7 x64 & x86 (SP1)
      • Windows XP x86 (SP3)
      • Windows XP x64 (SP1)

    Compiling

      1. Install Visual Studio 2013 (Express Edition untested).
      2. Install the WDK.
      3. Open TitanHide.sln and hit compile!

    Installation

    Method 1

      1. Copy TitanHide.sys to %systemroot%\system32\drivers.
      2. Start ServiceManager.exe (available on the download page).
      3. Delete the old service (when present).
      4. Install a new service (specify the full path to TitanHide.sys).
      5. Start the service you just created.
      6. Use TitanHideGUI.exe to set hide options for a PID.

    Method 2

      1. Copy TitanHide.sys to %systemroot%\system32\drivers.
      2. Run the command sc create TitanHide binPath=%systemroot%\system32\drivers\TitanHide.sys type=kernel to create the TitanHide service.
      3. Run the command sc start TitanHide to start the TitanHide service.
      4. Run the command sc query TitanHide to check if TitanHide is running.

    Testsigning & PatchGuard

    A simple way to 'bypass' PatchGuard on x64 systems is by enabling a local kernel debugger. This can be done by executing the following commands in an Administrator Console:

        bcdedit /set testsigning on
        bcdedit /debug on
        bcdedit /dbgsettings local /noumex

    In addition to the commands above, you need to set BreakOnSysRq if you want to use the PrntScr button. Read this article for more information. You can also import BreakOnSysRq.reg to automatically fix this problem.

    Remarks

      • When using x64_dbg, you can use the TitanHide plugin (available on the download page).
      • When using EsetNod32 AV, disable "Realtime File Protection" to prevent a BSOD when starting TitanHide. You can re-enable it right afterwards.

    Download

    https://bitbucket.org/mrexodia/titanhide/downloads
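The installation and boot-setting steps above leave a small, fixed set of artifacts on a machine (the driver file, the kernel service, and the bcdedit flags). The following PowerShell script, an added example that is not part of TitanHide or the post above, checks a Windows host for exactly those artifacts so an analyst can tell whether SSDT-hooking anti-anti-debug tooling has been set up; the function name and output format are my own, while the service name, driver path and bcdedit settings come from the post.

```powershell
# Added example (not TitanHide's own code): read-only audit for the artifacts
# the README's installation steps create. Run from an elevated PowerShell,
# since bcdedit needs administrator rights.
function Test-TitanHideArtifacts {
    $findings = @()

    # 1. Driver file copied to %systemroot%\system32\drivers (Installation Method 1/2)
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\TitanHide.sys'
    if (Test-Path -LiteralPath $driverPath) {
        $findings += "driver file present: $driverPath"
    }

    # 2. Kernel service created with 'sc create TitanHide ... type=kernel'
    $svc = Get-CimInstance -ClassName Win32_SystemDriver `
                           -Filter "Name='TitanHide'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "kernel driver service 'TitanHide' registered " +
                     "(state: $($svc.State), path: $($svc.PathName))"
    }

    # 3. Boot settings from the 'Testsigning & PatchGuard' section:
    #    'bcdedit /set testsigning on' and 'bcdedit /debug on' show up as
    #    'testsigning Yes' and 'debug Yes' in the current boot entry.
    $bcd = (& bcdedit /enum '{current}' 2>$null) -join "`n"
    if ($bcd -match '(?im)^\s*testsigning\s+Yes') {
        $findings += 'testsigning is enabled (unsigned kernel drivers can load)'
    }
    if ($bcd -match '(?im)^\s*debug\s+Yes') {
        $findings += 'kernel debugging is enabled (the PatchGuard "bypass" the README describes)'
    }

    return $findings
}

$result = @(Test-TitanHideArtifacts)
if ($result.Count -eq 0) {
    'No TitanHide artifacts found.'
} else {
    'TitanHide-related artifacts:'
    $result | ForEach-Object { " - $_" }
}
```

A hit on the bcdedit checks alone means only that test signing or kernel debugging is on, which legitimate driver development also needs; the driver file or service is the stronger indicator.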