吾爱破解 - LCG - LSG | Android Cracking | Virus Analysis | www.52pojie.cn
[IDA Plugin] IDA Stealth Plugin

Hmily posted on 2009-9-8 17:33
IDA Stealth Plugin

IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll actually implements most of the stealth techniques either by hooking system calls or by patching some flags in the remote process.

Download

The plugin itself can be downloaded from here.
The complete source code is available from this location. In order to successfully build the plugin you need to have boost as well as N-CodeHook and N-InjectLib. For the code hook library to work you also need the distorm disassembler library.

Installation

To install the plugin, copy both files to the plugins directory of your IDA installation. Make sure that the cfg subdirectory is writable, because that's where the plugin stores its configuration.
If you find bugs or want to suggest new stealth techniques just drop me a mail or create a new forum topic.

Changelog

03/25/2009 - v1.0
  • Bugfix: API hook of GetThreadContext erroneously returned the complete context even if the flags specified that only the DRs should be returned. This interfered with newer Armadillo versions
  • Improved: GetTickCount hook now mimics the original API algorithm and allows for controlling the increasing delta
  • Added: RDTSC emulation driver with optional driver name randomization to increase stealthiness. Read these notes carefully before using this feature
09/15/2008 - v1.0 Beta 3
  • Bugfix: NtQuerySystemInformation hook possibly returned wrong error code when handling SystemKernelDebuggerInformation query
  • Bugfix: NtQueryObject hook mistakenly assumed that all object names are zero terminated strings
  • Improved: NtQueryInformationProcess considers the case that the debuggee itself might act as a debugger (see Tuts4You board)
  • Improved: Exception triggered by NtClose is now blocked in the first place (detailed description)
  • Added: Countermeasures against anti-attach techniques
09/02/2008 - v1.0 Beta 2
  • Bugfix: Due to improper checking of input parameters in the NtQuerySystemInformation hook, the debugged process could raise an exception, finally unveiling the existence of IDA Stealth
  • Bugfix: Hiding of possibly existing kernel debugger now working correctly
  • Bugfix: Fake parent process and Hide IDA from process list are no longer mutually exclusive
  • Bugfix: NtQueryInformationProcess hook accepted too small input buffers
  • Bugfix: NtQueryInformationProcess hook erroneously assumed the process handle to be always that of the current process
  • Bugfix: Exception caused by closing an invalid handle is now properly hidden from the debugged process by using SEH or Vectored exception handling
  • Bugfix: NtSetInformationThread wasn't hooked at all due to a typo
  • Bugfix: Added checks to hook functions so they behave as expected when an invalid handle is passed. Affected functions:
    • NtSetInformationThread
    • SuspendThread
    • SwitchDesktop
    • NtTerminateThread
    • NtTerminateProcess
  • Bugfix: RtlGetVersion returned wrong platform ID and build number
  • Added: Console version of IDA is also hidden from process list
07/24/2008 - v1.0 Beta 1
  • Bugfix: Multiple minor bugfixes
  • Added: Fake OS version
  • Added: Disable NtTerminateThread/NtTerminateProcess
07/14/2008 - v1.0 Alpha 4
  • Bugfix: Injection of stealth dll could fail in some cases (see N-InjectLib)
07/13/2008 - v1.0 Alpha 3
  • Added: Multiple stealth techniques (OpenProcess, DBG_PRINTEXCEPTION, hardware breakpoint protection, hide IDA process and windows, to name but a few)
  • Improved: Overall stealth: xADT as well as Extreme Debugger Detector 0.5 are unable to detect an attached debugger (except for RDTSC based tests and scanning the HDD for various tools)
  • Bugfix: Plugin didn't correctly de-register from debug callback; crashed with newly created databases
07/06/2008 - v1.0 Alpha 2
  • Bugfix: Injection of stealth dll failed if IMAGE_DIRECTORY_ENTRY_IAT of process was zero, so the plugin didn't work with most packed executables
  • Bugfix: NtQueryInformationProcess didn't work (CheckRemoteDebuggerPresent was implicitly affected)
07/04/2008 - v1.0 Alpha
  • First alpha release, some features still missing, needs testing, major bugs
  • Known Bugs:
    • Problems when modifying import directory of packed executables (error 0xC000007B)

IDAStealth.rar

299.1 KB, downloads: 110, download cost: -1 CB (吾爱币)
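As an added illustration of the v1.0 GetThreadContext fix listed above (example code written for this page, not part of the IDA Stealth plugin or its source), a portable C model of the ContextFlags contract: the flag values, the Ctx layout and the sample register values are simplified stand-ins, not the real Win32 CONTEXT structure, and the real API of course runs inside the debuggee rather than against a constant.

```c
/* Added example, not from the IDA Stealth source: models why a hook that
 * ignores ContextFlags is noticeable. Flag values, struct layout and the
 * register contents below are constructed stand-ins for the Win32 ones. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CTX_CONTROL         0x01u   /* stand-in for CONTEXT_CONTROL */
#define CTX_INTEGER         0x02u   /* stand-in for CONTEXT_INTEGER */
#define CTX_DEBUG_REGISTERS 0x04u   /* stand-in for CONTEXT_DEBUG_REGISTERS */

typedef struct {
    uint32_t ContextFlags;   /* caller states which sections it wants */
    uint32_t Dr0, Dr7;       /* debug registers (hardware breakpoints) */
    uint32_t Eax, Ebx;       /* integer registers */
    uint32_t Eip, Esp;       /* control registers */
} Ctx;

/* The debuggee's "real" context as the OS would report it (constructed). */
static const Ctx real_ctx = { 0, 0x00401000u, 0x1u, 0xdeadbeefu, 0x2u,
                              0x00401234u, 0x0012ff80u };

/* Behaviour the changelog calls a bug: the requested flags are ignored and
 * the whole context is copied, so a caller asking only for DRs also sees
 * EIP/ESP and integer registers change. */
void get_context_buggy(Ctx *out) {
    uint32_t requested = out->ContextFlags;
    *out = real_ctx;
    out->ContextFlags = requested;
}

/* Fixed behaviour: honour ContextFlags and touch only the requested sections,
 * as the real API does. The debug-register section is reported as empty,
 * which is the plugin's documented way of hiding hardware breakpoints. */
void get_context_fixed(Ctx *out) {
    if (out->ContextFlags & CTX_CONTROL) { out->Eip = real_ctx.Eip; out->Esp = real_ctx.Esp; }
    if (out->ContextFlags & CTX_INTEGER) { out->Eax = real_ctx.Eax; out->Ebx = real_ctx.Ebx; }
    if (out->ContextFlags & CTX_DEBUG_REGISTERS) { out->Dr0 = 0; out->Dr7 = 0; }
}

/* Ask for the DR section only and report whether unrelated fields changed:
 * 1 means the hook is distinguishable from the genuine API, 0 means it is not. */
int leaks_unrequested_fields(void (*get_ctx)(Ctx *)) {
    Ctx c; memset(&c, 0, sizeof c);
    c.ContextFlags = CTX_DEBUG_REGISTERS;
    get_ctx(&c);
    return (c.Eip != 0 || c.Eax != 0) ? 1 : 0;
}

int main(void) {
    printf("buggy hook leaks: %d\n", leaks_unrequested_fields(get_context_buggy));
    printf("fixed hook leaks: %d\n", leaks_unrequested_fields(get_context_fixed));
    return 0;
}
```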


微笑一刀 posted on 2009-9-8 17:39
This plugin is awesome... waiting for someone to release IDA 5.5
ZeNiX posted on 2009-9-8 17:40
IDA's debugger keeps gaining more features.
Supporting this plugin.
daihu37 posted on 2009-9-8 20:45
reckless posted on 2009-10-17 22:33
Grabbed it!!!!!!!!!!!
tiantian888 posted on 2011-12-13 21:59
So talented.