
Thread: IDA Stealth Plugin

  1. #1
    OEPSeeker D-Jester
    Join Date: Jul 2008
    Location: Ohio, USA
    Posts: 55

    IDA Stealth Plugin

    IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques.

    The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll actually implements most of the stealth techniques either by hooking system calls or by patching some flags in the remote process.

    Installation

    To install the plugin, copy both files to the plugins directory of your IDA installation. Make sure that the cfg subdirectory is writable, because that's where the plugin stores its configuration.

    If you find bugs or want to suggest new stealth techniques just drop me a mail or create a new forum topic.

    Changelog

    07/24/2008 - v1.0 Beta 1

    * Bugfix: Multiple minor bugfixes
    * Added: Fake OS version
    * Added: Disable NtTerminateThread/NtTerminateProcess

    07/14/2008 - v1.0 Alpha 4

    * Bugfix: Injection of stealth dll could fail in some cases (see N-InjectLib)

    07/13/2008 - v1.0 Alpha 3

    * Added: Multiple stealth techniques (OpenProcess, DBG_PRINTEXCEPTION, hardware breakpoint protection, hide IDA process and windows, to name but a few)
    * Improved: Overall stealth: xADT as well as Extreme Debugger Detector 0.5 are unable to detect an attached debugger (except for RDTSC based tests and scanning the HDD for various tools)
    * Bugfix: Plugin didn't correctly de-register from debug callback; crashed with newly created databases

    07/06/2008 - v1.0 Alpha 2

    * Bugfix: Injection of stealth dll failed if IMAGE_DIRECTORY_ENTRY_IAT of process was zero, so the plugin didn't work with most packed executables
    * Bugfix: NtQueryInformationProcess didn't work (CheckRemoteDebuggerPresent was implicitly affected)

    07/04/2008 - v1.0 Alpha

    * First alpha release, some features still missing, needs testing, major bugs
    * Known Bugs:
        * Problems when modifying import directory of packed executables (error 0xC000007B)

    http://newgre.net/idastealth
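The Alpha 2 bugfix above (injection failing when IMAGE_DIRECTORY_ENTRY_IAT of the target is zero, which is the normal state of most packed executables) comes down to reading the data directory table in the PE optional header. The following added example is not part of the plugin or of this post: it parses that table for both PE32 and PE32+ headers and reports whether the IAT entry is empty, using constructed header bytes (not a loadable file) as input.

```python
import struct

# PE constants from the PE/COFF specification
IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_IAT = 12


def data_directories(image: bytes):
    """Return (magic, [(rva, size), ...]) from the optional header's data directory table."""
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                           # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", image, opt)[0]
    # NumberOfRvaAndSizes sits at +92 (PE32) or +108 (PE32+); the table follows it.
    count_off = {PE32_MAGIC: 92, PE32PLUS_MAGIC: 108}.get(magic)
    if count_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    count = struct.unpack_from("<I", image, opt + count_off)[0]
    dirs = [struct.unpack_from("<II", image, opt + count_off + 4 + 8 * i) for i in range(count)]
    return magic, dirs


def iat_directory_is_zero(image: bytes) -> bool:
    """True when IMAGE_DIRECTORY_ENTRY_IAT is absent or empty, the case that broke Alpha 1."""
    _, dirs = data_directories(image)
    if len(dirs) <= IMAGE_DIRECTORY_ENTRY_IAT:
        return True
    rva, size = dirs[IMAGE_DIRECTORY_ENTRY_IAT]
    return rva == 0 or size == 0


def build_headers(magic: int, iat_rva: int, iat_size: int) -> bytes:
    """Constructed sample headers: MZ stub, PE signature, COFF header and an
    optional header carrying 16 data directories (everything else zeroed)."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224 if magic == PE32_MAGIC else 240
    machine = 0x14C if magic == PE32_MAGIC else 0x8664   # i386 vs AMD64
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x102)
    count_off = 92 if magic == PE32_MAGIC else 108
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (0x2000, 0x28)   # constructed import directory
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = (iat_rva, iat_size)
    opt = struct.pack("<H", magic) + b"\0" * (count_off - 2) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + opt
```

A packer typically leaves the IAT entry zeroed and rebuilds imports at runtime, so any injection scheme keyed on that entry needs the same check before touching the import directory.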

  2. #2
    D-Jester:

    I've updated the entry in the CRCETL for your tool, shown here:

    <removed>

    I have included the current release date, but you have not specified a version number with this release. Is it 1.0 Beta 1(1) or something else? You, of course, can make the edits directly in the CRCETL yourself if you wish.

    Thanks for sharing your efforts with our readers.

    Regards,
    JMI

  3. #3
    Nice idea; as IDA also has a 64-bit debugger, is it possible for your tool to be compiled as 64-bit too?

  4. #4
    OEPSeeker D-Jester
    Join Date: Jul 2008
    Location: Ohio, USA
    Posts: 55
    Quote Originally Posted by bedrock:
    Nice idea; as IDA also has a 64-bit debugger, is it possible for your tool to be compiled as 64-bit too?
    This tool is by Jan Newger, he says an x64 isn't possible at this time.

    http://newgre.net/node/55

    Peace

  5. #5
    He said the 64 bit wasn't possible because he doesn't have a copy of IDA 64 bit to play with yet.

    Regards,
    JMI

  6. #6
    IDA64 is a 32-bit program, so one would need to hide the win64_remotex64.exe debug server instead of IDA itself. I don't think plugins would work here.

  7. #7
    Quote Originally Posted by reverser:
    IDA64 is a 32-bit program, so one would need to hide the win64_remotex64.exe debug server instead of IDA itself. I don't think plugins would work here.
    I realise this, but in a 32-bit environment, does IDA not just execute win32_remote.exe under the covers? So would not compiling the plugin as a PE32+ image allow the dll to be loaded by win64_remotex64.exe?

  8. #8
    Registered User
    Join Date: Jul 2007
    Posts: 107
    Blog Entries: 6
    The injected dll is 32-bit so it wouldn't work as-is on 64-bit processes.

    The 32-bit dll is also injected when using the remote server locally so it could work that way too if the dll was recompiled and fixed for 64-bit.

    TiGa
    Programming today is a race between software engineers to build bigger and better idiot-proof programs and the Universe trying to produce bigger and better idiots.
    So far, the Universe is winning.

  9. #9
    win64_remotex64.exe is just a simple 64-bit debugger which talks with IDA (IDA's debugger plugin) over TCP. It doesn't have any plugins.

  10. #10
    FYI: full source code is available by this time

  11. #11
    Administrator dELTA
    Join Date: Oct 2000
    Location: Ring -1
    Posts: 4,206
    Blog Entries: 5
    Very nice with the source code narfzort!

    Oh, btw, there has been some confusion about the CRCETL entry for this tool (duplicate entries). The correct entry is the following, and nothing else:

    http://www.woodmann.com/collaborative/tools/index.php/IDA_Stealth
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
