From Collaborative RCE Tool Library


Tool Hiding Tools


Tool name: IDA Stealth
Rating: 5.0 (1 vote)
Author: Jan Newger
Website: http://newgre.net/idastealth
Current version: 1.3.3
Last updated: June 28, 2011
Direct D/L link: http://newgre.net/idastealth
License type: Free / Open Source
Description: IDAStealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll is actually responsible for implementing most of the stealth techniques either by hooking syscalls or by patching some flags in the remote process.
Also listed in: IDA Extensions



Tool name: IceStealth
Rating: 5.0 (1 vote)
Author:
Website: http://www.woodmann.com/forum/showthread.php?t=12131
Current version: 1.81
Last updated: April 10, 2015
Direct D/L link: Locally archived copy
License type: Free
Description: IceStealth is a SoftICE hiding tool that should protect against:

CreateFileA, CreateFileW, NtCreateFile (nmtrans.dll also won't find SoftICE with these methods)
NtQueryDirectoryObject
NtQueryObject
OpenServiceA, OpenServiceW, EnumServicesStatusA, EnumServicesStatusW, EnumServicesStatusExA, EnumServicesStatusExW
UnhandledExceptionFilter (2 Options)
SEH BPM Protection
BPM Protection
NtQuerySystemInformation
int 41 killed + DPL 0
int 1 DPL 0
Basic Registry Protection (if ever needed)
(RegOpenKeyExA, RegOpenKeyExW, RegOpenKeyA, RegOpenKeyW)
SaveDisk Protection

Also includes improvements to NTICE.
Also listed in: SoftICE Extensions



Tool name: PhantOm
Rating: 5.0 (2 votes)
Author: Hellsp@wn & Archer & Olenevod
Website: N/A
Current version: 1.54
Last updated: January 7, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: Plugin (with driver) for hiding OllyDbg from the following detection methods:

// driver - extremehide.sys

[+] NtQueryInformationProcess.
[+] SetUnhandledExceptionFilter.
[+] OpenProcess.
[+] Invalid Handle.
[+] NtSetInformationThread.
[+] RDTSC.
[+] NtYieldExecution.
[+] NtQueryObject.
[+] NtQuerySystemInformation.
[+] Windows hide.
[+] GetProcessTimes.
[+] NtSetContextThread.

// plugin - PhantOm.dll

[+] PEB BeingDebugged.
[+] PEB NtGlobalFlag.
[+] GetStartupInfo.
[+] Process Heaps.
[+] GetTickCount.
[!] Protect DRx.
[!] Hide DRx.
[!] Fake Windows version.
[!] Custom Handler.
[+] BlockInput


What's new - 1.30
[*] Captions of main and CPU windows can be manually set (CAPTEXT and PRETEXT in OllyDbg's ini-file). By default, they are named "PhantOm" and "o_O".
[*] Fixed some bugs in "custom handler exceptions" feature
[*] Other minor fixes

What's new - 1.26
[*] Fixed bug with loading driver
[*] Fixed bug with memory breakpoints (now, when the "custom handler exceptions" option is checked, memory breakpoints on access/write will work, but break-on-access won't work)
[*] Fixed bug with updating plugin (after previous version)

What's new - 1.25
[*] Now you can manually set names of services (HIDENAME and RDTSCNAME)
[*] Fixed some minor bugs
[*] Fixed bug with memory breakpoints

What's new - 1.20
[*] Added own exception handler (C0000005)
[*] Added option to change caption of main OllyDbg window
[*] Added own exception handler (OUTPUT_DEBUG_STRING_EVENT)
[*] Improved removing of int 3 breakpoint at EP, when pause is set to "system breakpoint"
[*] Added hook for BlockInput (only for Windows XP)
[*] Added own exception handler (C0000094)
[*] Added hide from GetStartupInfo
[*] Fixed bug with plugin options
[*] Added protection from detecting driver
Also listed in: OllyDbg Extensions



Tool name: HideToolz
Rating: 3.0 (2 votes)
Author: Ms-Rem
Website: http://fyyre.ivory-tower.de/
Current version: 2.2
Last updated: October 3, 2009
Direct D/L link: http://fyyre.l2-fashion.de/projects/HideToolz.zip
License type: Free
Description: This is version 2.2 of HideToolz. Version 2.1 did not work on Windows Vista SP1 or higher. I have modified the device driver so HideToolz now works on Vista SP1 through Windows 7 RTM.

-Fyyre

- - -

HideToolz is a configurable GUI-based utility that allows hiding of RCE tools from annoying detection (such as Themida). It does so via a kernel-mode driver which hooks functions such as NtQueryInformationProcess, NtSetContextThread, NtQuerySystemInformation, NtOpenProcess, NtOpenThread, etc., allowing you to debug 'protected' applications easily.

Features include:

Hide Processes
Protect Processes
Hide Windows
Protection from Windows hooks
Emulation of parent process (sets parent PID of target PID to explorer.exe).
Anti-Anti debug features.

Runs very stably under Windows XP through Windows 7 (x86 only). Please be aware that some anti-virus products detect the HideToolz driver as a rootkit; this is basically correct, except that HideToolz contains no payload, does not access any network API, etc. If you doubt it, disassemble the driver yourself.
Also listed in: (Not listed in any other category)



Tool name: aadp
Rating: 0.0 (0 votes)
Author: nahuelriva / rcerage
Website: http://code.google.com/p/aadp/
Current version: 0.2.1
Last updated: November 21, 2010
Direct D/L link: N/A
License type: GPLv3
Description: aadp is a collection of plugins that aims to hide most of the well-known debuggers from most anti-debugging techniques.
Also listed in: OllyDbg Extensions



Tool name: RE-Pair
Rating: 0.0 (0 votes)
Author: Crudd
Website: http://www.reteam.org/tools.html
Current version: 0.6
Last updated: July 1, 2005
Direct D/L link: Locally archived copy
License type: Free
Description: RE-Pair is a tool that will make some of our (reverse engineers') tools a bit more difficult to detect. Why the name RE-Pair? Simple: it helps fix our tools by making them somewhat more difficult to detect.

Currently fixes: any tool, either in memory (for packed apps and one-time changes) or on disk (for permanent patches of non-packed apps). It does this by changing the caption/classname to a random string (defeating the FindWindow method). It also patches OllyDbg to fix the 'OutputDebugString' vulnerability (used by Armadillo and others).
NOTE: Using the Fix Other option may take a while to fix on disk.
Also listed in: (Not listed in any other category)



Tool name: xFile
Rating: 0.0 (0 votes)
Author: anorganix/ARTeam
Website: http://arteam.accessroot.com/releases.html
Current version: 1.4.0.36
Last updated: September 17, 2008
Direct D/L link: http://arteam.accessroot.com/releases.html?fid=42
License type: Free
Description: xFile 1.4.0.36 by anorganix
---------------------------

The File Update Module increases the size of a file to the specified value. Just enter the "Desired Size" in bytes and you're all set. It works with all file types, including compressed/packed files, but files with an integrity check are not supported. A backup option has also been implemented.

The Hide Caption Tool is ideal for hiding the caption of any application. Just build a list with the full/partial captions you want to hide and hit Enable. Changes apply in realtime and checks are made often to hide all instances of the application.

The Junk Cleanup Module is useful for deleting Olly's UDD and BAK files. Also, there is an option to backup files before deletion (ZIP).

NEW! The Resource Fix Module (based on DreamTheatre's engine) comes in handy after unpacking. Just rebuild the resources, so that you can edit them without crashing the program. You can also dump the resources to file.

Additional features:
* Drag and Drop support
* file CRC Calculator
* auto-refresh of UDD folder
* auto-save settings
* Hide Caption works faster (Partial Captions are now supported)
* fixed minor UI bugs

NB: this tool is compressed and some AV products detect it as malware. Do not worry, we guarantee that it is not a virus at all! If you have doubts anyway, use the ARTeam ESFV checker to ensure that all the files are unmodified, or download a fresh copy from http://arteam.accessroot.com
Also listed in: (Not listed in any other category)

