Jump to content

Recommended Posts

Posted

Overview

TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.

Features

ProcessDebugFlags (NtQueryInformationProcess)

ProcessDebugPort (NtQueryInformationProcess)

ProcessDebugObjectHandle (NtQueryInformationProcess)

DebugObject (NtQueryObject)

SystemKernelDebuggerInformation (NtQuerySystemInformation)

NtClose (STATUS_INVALID_HANDLE exception)

ThreadHideFromDebugger (NtSetInformationThread)

Protect DRx (HW BPs) (NtSetContextThread)

Test environments

Windows 7 x64 & x86 (SP1)

Windows XP x86 (SP3)

Windows XP x64 (SP1)

Compiling

Install Visual Studio 2013 (Express Edition untested).

Install the WDK.

Open TitanHide.sln and hit compile!

Installation Method 1

Copy TitanHide.sys to %systemroot%\system32\drivers.

Start ServiceManager.exe (available on the download page).

Delete the old service (when present).

Install a new service (specify the full path to TitanHide.sys).

Start the service you just created.

Use TitanHideGUI.exe to set hide options for a PID.

Installation Method 2

Copy TitanHide.sys to %systemroot%\system32\drivers.

Run the command sc create TitanHide binPath=%systemroot%\system32\drivers\TitanHide.sys type=kernel to create the TitanHide service.

Run the command sc start TitanHide to start the TitanHide service.

Run the command sc query TitanHide to check if TitanHide is running.

Testsigning & PatchGuard

A simple way to 'bypass' PatchGuard on x64 systems is by enabling a local kernel debugger. This can be done by executing the following commands in an Administrator Console:

bcdedit /set testsigning on

bcdedit /debug on

bcdedit /dbgsettings local /noumex

In addition to the commands above you need to set BreakOnSysRq if you want to use the PrntScr button. Read this article for more information. You can also import BreakOnSysRq.reg to automatically fix this problem.

Remarks

When using x64_dbg, you can use the TitanHide plugin (available on the download page).

When using EsetNod32 AV, disable "Realtime File Protection", to prevent a BSOD when starting TitanHide. You can re-enable it right afterwards

Download https://bitbucket.org/mrexodia/titanhide/downloads

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...