Hyde - OllyDbg2 anti-detect plugin
Hi all,

Some days ago I released my second plugin for OllyDbg2, Hyde. This plugin is designed to hide OllyDbg2 from the debuggee, yet allow normal usage of APIs for finding other windows and processes.
Also (with reversing in mind) the patch options can be saved to file (as Patch-sets) for easy reloading..
For example, with an ASProtect target you can set the patches that you need for ASProtect and save to a file "ASProtect.SET". This patch-set file can then be loaded whenever you need to debug ASProtect.
Included in the archive as an example is a Patch-Set for V(M)Protect 1.93 ..
As OllyDbg2 is still beta, no direct patching of OllyDbg2 strings or code is done, as that would just lead to too much hassle. Better to wait until final release for that, so all patches are done just to APIs.
In the first version these things are patched:

- PEB.IsDebugged
- PEB.NtGlobalFlag
- PEB.HeapFlags
- NtQueryInformationProcess
- NtQuerySystemInformation
- NtSetInformationThread
- FindWindowA
- FindWindowW
- FindWindowExA
- FindWindowExW
- EnumWindows
- Process32NextW
- OutputDebugStringA
- OutputDebugStringW
- NtQueryObject
- GetTickCount
- NtOpenProcess
- BlockInput
- NtClose
- GetStartupInfo
Suggestions are welcome, however please note that OllyDbg2 is not detectable by a lot of the old tricks, so please check :)
Example: ESI = -1 on startup no longer works as detection, no BPX left on EP ..
I'll try to keep latest release here always as attachment, but you can also check the page for this on my site: http://bob.droppages...s/OllyDbg2/Hyde
Thanks to LCF-AT and Teddy for beta-testing (thumbs up)
Have fun!
A share from the great BoB H! One word: "bump"... and I got the first reply!! I've put together a quick translation; don't flame me if there are mistakes...
Thanks very much, thanks for sharing!!!