Collaborative RCE Tool Library - Tool Hiding Tools (including sub-categories)

Tool Updated: IDA Stealth

2009-11-15T23:45:08Z

Listed in categories: IDA Extensions, Tool Hiding Tools

Most recent version:
1.1

Most recent release date:
November 15, 2009

Description:
IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll is actually responsible for implementing most of the stealth techniques either by hooking syscalls or by patching some flags in the remote process.

Tool Updated: HideToolz

2009-10-03T23:38:21Z

Listed in categories: Tool Hiding Tools

Most recent version:
2.2

Most recent release date:
October 3, 2009

Description:
This is version 2.2 of HideToolz. Version 2.1 did not work on Windows Vista SP1 or higher. I have modified the device driver so HideToolz now works on Vista SP1 through Windows 7 RTM.

-Fyyre

- - -

HideToolz is a configurable GUI based utilility that allows hiding of RCE tools from annoying detection (such as Themida). It does so by kernel mode driver which hooks functions such as NtQueryInformationProcess, NtSetContextThread, NtQuerySystemInformation, NtOpenProcess, NtOpenThread, etc... allowing you to debug 'protected' applications easily.

Features include:

Hide Processes
Protect Processes
Hide Windows
Protection from Windows hooks
Emulation of partent process (sets parent pid of target PID to explorer.exe).
Anti-Anti debug features.

Runs very stable under Windows XP through Windows 7 (x86 only). Please be aware some anti-virus detections HideToolz driver as a rootkit - this is basically correct, except HideToolz contains no payload, does not access any network api, etc... if you doubt, disasm the driver yourself.

Tool Updated: IceStealth

2009-08-28T01:41:26Z

Listed in categories: SoftICE Extensions, Tool Hiding Tools

Most recent version:
1.69

Most recent release date:
August 28, 2009

Description:
IceStealth is a SoftICE hiding tool, that should protect from:

CreateFileA, CreateFileW, NtCreateFile, also nmtrans.dll wont find SoftICE with these methods
NtQueryDirectoryObject
NtQueryObject
OpenServiceA, OpenServiceW, EnumServicesStatusA,EnumServicesStatusW,EnumServicesStatusExA, EnumServicesStatusExW
UnhandledExceptionFilter (2 Options)
SEH BPM Protection
BPM Protection
NtQuerySystemInformation
int 41 killed + DPL 0
int 1 DPL 0
Basic Registry Protection (if ever needed)
(RegOpenKeyExA, RegOpenKeyExW, RegOpenKeyA, RegOpenKeyW)
SaveDisk Protection

Tool Updated: XFile

2008-09-20T23:56:28Z

Listed in categories: Tool Hiding Tools

Most recent version:
1.4.0.36

Most recent release date:
September 17, 2008

Description:
xFile 1.4.0.36 by anorganix
---------------------------

The File Update Module increases the size of a file to the specified value. Just enter the "Desired Size" in bytes and you're all set. Works with all file types, with compressed/packed files also, but files with integrity check are not supported. Also, backup option has been implemented.

The Hide Caption Tool is ideal for hiding the caption of any application. Just build a list with the full/partial captions you want to hide and hit Enable. Changes apply in realtime and checks are made often to hide all instances of the application.

The Junk Cleanup Module is useful for deleting Olly's UDD and BAK files. Also, there is an option to backup files before deletion (ZIP).

NEW! The Resource Fix Module (based on DreamTheatre's engine) comes in handy after unpacking. Just rebuild the resources, so that you can edit them without crashing the program. You can also dump the resources to file.

Additional features:
* Drag and Drop support
* file CRC Calculator
* auto-refresh of UDD folder
* auto-save settings
* Hide Caption works faster (Partial Captions are now supported)
* fixed minor UI bugs

NB: this tool is compressed and some AV detects it as a malware. Do not worry, we guarantee that it is not a virus at all! If you have doubts anyway se the Arteam ESFV checker to ensure that all the files are unmodified or eventually download a fresh copy from http://arteam.accessroot.com

Tool Added: RE-Pair

2007-10-19T21:44:16Z

Listed in categories: Tool Hiding Tools

Most recent version:
0.6

Most recent release date:
July 1, 2005

Description:
RE-Pair is a tool that will make some of our (reverse engineers) tools a
bit more difficult to detect. Why the name RE-Pair? Simple, it helps
fix our tools, by making them somewhat more difficult to detect.

Currently fixes: Any tool. Either in memory (for packed apps and one time
changes) or on disk (for permanent patches of non-packed apps). It does this
by changing the caption/classname to a random string (defeating FindWindow
method). It also patches OllyDbg to fix the 'OutputDebugString' vulnerability
(Used by Armadillo and others).
NOTE: Using the Fix Other option may take a while to Fix on disk.