rukov Posted February 4, 2015 Report Posted February 4, 2015 OverviewTitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.Features ProcessDebugFlags (NtQueryInformationProcess) ProcessDebugPort (NtQueryInformationProcess) ProcessDebugObjectHandle (NtQueryInformationProcess) DebugObject (NtQueryObject) SystemKernelDebuggerInformation (NtQuerySystemInformation) NtClose (STATUS_INVALID_HANDLE exception) ThreadHideFromDebugger (NtSetInformationThread) Protect DRx (HW BPs) (NtSetContextThread)Test environments Windows 7 x64 & x86 (SP1) Windows XP x86 (SP3) Windows XP x64 (SP1)Compiling Install Visual Studio 2013 (Express Edition untested). Install the WDK. Open TitanHide.sln and hit compile!Installation Method 1 Copy TitanHide.sys to %systemroot%\system32\drivers. Start ServiceManager.exe (available on the download page). Delete the old service (when present). Install a new service (specify the full path to TitanHide.sys). Start the service you just created. Use TitanHideGUI.exe to set hide options for a PID.Installation Method 2 Copy TitanHide.sys to %systemroot%\system32\drivers. Run the command sc create TitanHide binPath=%systemroot%\system32\drivers\TitanHide.sys type=kernel to create the TitanHide service. Run the command sc start TitanHide to start the TitanHide service. Run the command sc query TitanHide to check if TitanHide is running.Testsigning & PatchGuardA simple way to 'bypass' PatchGuard on x64 systems is by enabling a local kernel debugger. This can be done by executing the following commands in an Administrator Console:bcdedit /set testsigning onbcdedit /debug onbcdedit /dbgsettings local /noumexIn addition to the commands above you need to set BreakOnSysRq if you want to use the PrntScr button. Read this article for more information. You can also import BreakOnSysRq.reg to automatically fix this problem.Remarks When using x64_dbg, you can use the TitanHide plugin (available on the download page). When using EsetNod32 AV, disable "Realtime File Protection", to prevent a BSOD when starting TitanHide. You can re-enable it right afterwardsDownload https://bitbucket.org/mrexodia/titanhide/downloads Quote