webscene

Title	Content
Title	TitanHide
Version	0.011
Author	Mr. eXoDia
Author website	https://forum.tuts4you.com/topic/34431-titanhide/
Description	TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy. Features: ProcessDebugFlags (NtQueryInformationProcess) ProcessDebugPort (NtQueryInformationProcess) ProcessDebugObjectHandle (NtQueryInformationProcess) DebugObject (NtQueryObject) SystemKernelDebuggerInformation (NtQuerySystemInformation) NtClose (STATUS_INVALID_HANDLE exception) ThreadHideFromDebugger (NtSetInformationThread) Protect DRx (HW BPs) (NtSetContextThread) Test environments: Windows 7 x64 & x86 (SP1) Windows XP x86 (SP3) Windows XP x64 (SP1) Installation: 1) Copy TitanHide.sys to %systemroot%\system32\drivers 2) Start 'ServiceManager.exe' (available on the download page) 3) Delete the old service (when present) 4) Install a new service (specify the full path to TitanHide.sys) 5) Start the service you just created 6) Use 'TitanHideGUI.exe' to set hide options for a PID NOTE1: When on x64, you have to disable PatchGuard and driver signature enforcement yourself. Google is your friend :) NOTE2: When using x64_dbg, you can use the TitanHide plugin (available on the download page). NOTE3: When using EsetNod32 AV, disable "Realtime File Protection", to prevent a BSOD when starting TitanHide. You can reenable it right afterwards
View:	1169
Publish time	6 years ago 2018-04-15 15:22:11
Download	TitanHide v0.011.zip [Size: 24.18 KB ] [Downloads: 163 ]
AcTioN	[ Abuse / Report ]

TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions.

To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.

Features:

ProcessDebugFlags (NtQueryInformationProcess)
ProcessDebugPort (NtQueryInformationProcess)
ProcessDebugObjectHandle (NtQueryInformationProcess)
DebugObject (NtQueryObject)
SystemKernelDebuggerInformation (NtQuerySystemInformation)
NtClose (STATUS_INVALID_HANDLE exception)
ThreadHideFromDebugger (NtSetInformationThread)
Protect DRx (HW BPs) (NtSetContextThread)

Test environments:

Windows 7 x64 & x86 (SP1)
Windows XP x86 (SP3)
Windows XP x64 (SP1)

Installation:

1) Copy TitanHide.sys to %systemroot%\system32\drivers 2) Start 'ServiceManager.exe' (available on the download page) 3) Delete the old service (when present) 4) Install a new service (specify the full path to TitanHide.sys) 5) Start the service you just created 6) Use 'TitanHideGUI.exe' to set hide options for a PID

NOTE1: When on x64, you have to disable PatchGuard and driver signature enforcement yourself. Google is your friend :)

NOTE2: When using x64_dbg, you can use the TitanHide plugin (available on the download page).

NOTE3: When using EsetNod32 AV, disable "Realtime File Protection", to prevent a BSOD when starting TitanHide. You can reenable it right afterwards

#webscene

TitanHide