吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 4564|回复: 0
收起左侧

[IDA Plugin] IDA Stealth 1.1

[复制链接]
Hmily 发表于 2009-11-18 15:14
IDA Stealth PluginIDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll actually implements most of the stealth techniques either by hooking system calls or by patching some flags in the remote process.



You can grab the plugin only or go for the complete package including the sources and all dependencies.
Consult the readme file on how to install, use and configure the plugin.
The plugin source code should build out of the box, see readme for details.
If you find bugs or want to suggest new features just drop me a mail or create a new forum topic.
Changelog11/15/2009 - v1.1
  • Bugfix: OpenProcess failed on XP when started from a restricted user account
  • Bugfix: Bound imports directory is only cleared if necessary
  • Bugfix: DBG_PRINT DoS due to improper parameter checking
  • Bugfix: BSOD in RDTSC driver
  • Added: Remote debugging support
  • Added: Profiles support
  • Added: Exceptions with unknown exception code can be automatically passed to the debuggee
  • Added: Inline hooks can be forced to use absolute jumps
  • Improved: GUI has been redesigned to be more usable
  • Improved: AWESOME gfx :)
  • Changed: HideDebugger.ini is now located in the user's directory at:
    %APPDATA%\IDAStealth\HideDebugger.ini
  • Improved: Whole project compiles with WL4 and "treat warnings as error"
03/25/2009 - v1.0
  • Bugfix: API hook of GetThreadContext erroneously returned the complete context even if the flags specified that only the DRs should be returned. This interfered with newer Armadillo versions
  • Improved: GetTickCount hook now mimics the original API algorithm and allows for controlling the increasing delta
  • Added: RDTSC emulation driver with optional driver name randomization to increase stealthiness. Read these notes carefully before using this feature
09/15/2008 - v1.0 Beta 3
  • Bugfix: NtQuerySystemInformation hook possibly returned wrong error code when handling SystemKernelDebuggerInformation query
  • Bugfix: NtQueryObject hook mistakenly assumed that all object names are zero terminated strings
  • Improved: NtQueryInformationProcess considers the case that the debuggee itself might act as a debugger (see Tuts4You baord)
  • Improved: Exception triggered by NtClose is now blocked in the first place (detailed description)
  • Added: Countermeasures against anti-attach techniques
09/02/2008 - v1.0 Beta 2
  • Bugfix: Due to improper checking of input parameters in the NtQuerySystemInformation hook, the debugged process could raise an exception, finally unveiling the existence of IDA Stealth
  • Bugfix: Hiding of possibly existing kernel debugger now working correctly
  • Bugfix: Fake parent process and Hide IDA from process list are no longer mutual exclusive
  • Bugfix: NtQueryInformationProcess hook accepted too small input buffers
  • Bugfix: NtQueryInformationProcess hook erroneously assumed the process handle to be always that of the current process
  • Bugfix: Exception caused by closing an invalid handle is now properly hidden from the debugged process by using SEH or Vectored exception handling
  • Bugfix: NtSetInformationThread wasn't hooked at all due to a typo
  • Bugfix: Added checks to hook functions so they behave as expected when an invalid handle is passed. Affected functions:
    • NtSetInformationThread
    • SuspendThread
    • SwitchDesktop
    • NtTerminateThread
    • NtTerminateProcess
  • Bugfix: RtlGetVersion returned wrong platform ID and build number
  • Added: Console version of IDA is also hidden from process list
07/24/2008 - v1.0 Beta 1
  • Bugfix: Multiple minor bugfixes
  • Added: Fake OS version
  • Added: Disable NtTerminateThread/NtTerminateProcess
07/14/2008 - v1.0 Alpha 4
  • Bugfix: Injection of stealth dll could fail in some cases (see N-InjectLib)
07/13/2008 - v1.0 Alpha 3
  • Added: Multiple stealth techniques (OpenProcess, DBG_PRINTEXCEPTION, hardware breakpoint protection, hide IDA process and windows, to name but a few)
  • Improved: Overall stealth: xADT as well as Extreme Debugger Detector 0.5 are unable to detect an attached debugger (except for RDTSC based tests and scanning the HDD for various tools)
  • Bugfix: Plugin didn't correctly de-register from debug callback; crashed with newly created databases
07/06/2008 - v1.0 Alpha 2
  • Bugfix: Injection of stealth dll failed if IMAGE_DIRECTORY_ENTRY_IAT of process was zero, so the plugin didn't work with most packed executables
  • Bugfix: NtQueryInformationProcess didn't work (CheckRemoteDebuggerPresent was implicitly affected)
07/04/2008 - v1.0 Alpha
  • First alpha release, some features still missing, needs testing, major bugs
  • Known Bugs:
    • Problems when modifying import directory of packed executables (error 0xC000007B)

IDAStealth v1.1.rar

791.82 KB, 下载次数: 13, 下载积分: 吾爱币 -1 CB

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-22 20:36

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表