IDA Plugins: IDA Stealth Plugin
File Information
Category: IDA Plugins
Open Source: Yes
# Downloads: N/A
Version: 1.2
Download Page
Last updated on Feb 15, 2010 with the following description:
v1.2.1
* Bugfix: DoS in SetThreadContext if the supplied context was not readable or the flags were not writeable
* Bugfix: Context emulation always used the id of the current thread no matter what thread handle was actually given
* Bugfix: Incorrect handling of ProcessDebugObjectHandle in the hook of NtQueryInformationProcess in the stealth driver
* Bugfix: Possible deadlock in context emulation
* Bugfix: IDAStealth would try to connect to the RemoteStealth server if WinDbg was selected and would always try to inject the stealth dll for any win32 application regardless of which debugger module was used
* Bugfix: 0xC000007B error when starting a .NET app which was compiled with /clr:pure
* Bugfix: Inter-process communication could fail if the process id was reused between debugger runs ("Error while restoring NT headers...")
* Bugfix: Tick delta of zero would cause an exception in HideDebugger.dll
* Improved: Context emulation now hooks the corresponding Nt* APIs instead of the kernel32 functions
* Improved: GetTickCount + RDTSC increase the internal counter by a random value from the specified interval
v1.2
* Bugfix: RDTSC driver handling; driver service was not deleted in some rare cases
* Bugfix: RDTSC driver mode was broken due to recent BSOD fix
* Improved: IDAStealth can hide from Themida with its ultra anti-debugging settings
* Added: New stealth driver
v1.1.1
* Bugfix: Old RDTSC driver version slipped into the last release. The new one is now included
* Improved: To increase overall stealth, the NT Headers are restored to their original state after the dll has been injected
* Added: Profile for yoda's Protector
v1.1
* Bugfix: OpenProcess failed on XP when started from a restricted user account
* Bugfix: Bound imports directory is only cleared if necessary
* Bugfix: DBG_PRINT DoS due to improper parameter checking
* Bugfix: BSOD in RDTSC driver
* Added: Remote debugging support
* Added: Profiles support
* Added: Exceptions with unknown exception code can be automatically passed to the debuggee
* Added: Inline hooks can be forced to use absolute jumps
* Improved: GUI has been redesigned to be more usable
* Improved: AWESOME gfx :)
* Changed: HideDebugger.ini is now located in the user's directory at %APPDATA%\IDAStealth\HideDebugger.ini
* Improved: Whole project compiles with /W4 and "treat warnings as errors"
v1.0
* Bugfix: API hook of GetThreadContext erroneously returned the complete context even if the flags specified that only the debug registers (DRs) should be returned. This interfered with newer Armadillo versions
* Improved: GetTickCount hook now mimics the original API algorithm and allows for controlling the increasing delta
* Added: RDTSC emulation driver with optional driver name randomization to increase stealthiness.
Beta 3
* Bugfix: NtQuerySystemInformation hook possibly returned wrong error code when handling SystemKernelDebuggerInformation query
* Bugfix: NtQueryObject hook mistakenly assumed that all object names are zero terminated strings
* Improved: NtQueryInformationProcess considers the case that the debuggee itself might act as a debugger (see Tuts4You board)
* Improved: Exception triggered by NtClose is now blocked in the first place (detailed description)
* Added: Countermeasures against anti-attach techniques
Beta 2
* Bugfix: Due to improper checking of input parameters in the NtQuerySystemInformation hook, the debugged process could raise an exception, finally unveiling the existence of IDA Stealth
* Bugfix: Hiding of an existing kernel debugger now works correctly
* Bugfix: Fake parent process and Hide IDA from process list are no longer mutually exclusive
* Bugfix: NtQueryInformationProcess hook accepted too small input buffers
* Bugfix: NtQueryInformationProcess hook erroneously assumed the process handle to be always that of the current process
* Bugfix: Exception caused by closing an invalid handle is now properly hidden from the debugged process by using SEH or Vectored exception handling
* Bugfix: NtSetInformationThread wasn't hooked at all due to a typo
* Bugfix: Added checks to hook functions so they behave as expected when an invalid handle is passed. Affected functions:
o NtSetInformationThread
o SuspendThread
o SwitchDesktop
o NtTerminateThread
o NtTerminateProcess
* Bugfix: RtlGetVersion returned wrong platform ID and build number
* Added: Console version of IDA is also hidden from process list
Beta 1
* Bugfix: Multiple minor bugfixes
* Added: Fake OS version
* Added: Disable NtTerminateThread/NtTerminateProcess
Description
IDA Stealth is a plugin which aims to hide the IDA debugger from the most common anti-debugging techniques. The plugin is composed of two files: the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll implements most of the stealth techniques, either by hooking system calls or by patching some flags in the remote process.
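As an added illustration of the system-call hooking the description above refers to, and of the NtQueryInformationProcess entries in the changelog (Beta 2: undersized buffers and non-current-process handles; Beta 3: the debuggee acting as a debugger; v1.2.1: ProcessDebugObjectHandle), the C model below shows the logic a user-mode hook needs so that the three classic debugger-presence queries (ProcessDebugPort, ProcessDebugObjectHandle, ProcessDebugFlags) are answered the way an undebugged process would answer them. This is example code written for this page, not IDA Stealth's own source, which is not reproduced here. The "original" syscall is a constructed stand-in that behaves as the kernel does for a process under a debugger; the NTSTATUS codes and information-class numbers are the real Windows ones, re-declared so the file builds without windows.h on any platform.

```c
/* Added example: portable model of a debugger-hiding hook on
 * NtQueryInformationProcess. Not IDA Stealth's code. Windows types,
 * NTSTATUS codes and PROCESSINFOCLASS numbers are re-declared so this
 * builds without windows.h; the "original" syscall is a constructed stand-in. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int32_t   NTSTATUS;
typedef uint32_t  ULONG;
typedef uintptr_t ULONG_PTR;
typedef void     *HANDLE;

#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INVALID_INFO_CLASS   ((NTSTATUS)0xC0000003)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)
#define STATUS_INVALID_HANDLE       ((NTSTATUS)0xC0000008)
#define STATUS_PORT_NOT_SET         ((NTSTATUS)0xC0000353)

#define ProcessDebugPort         7
#define ProcessDebugObjectHandle 30
#define ProcessDebugFlags        31
#define PROCESS_DEBUG_INHERIT    1               /* ProcessDebugFlags value when NOT debugged */
#define CURRENT_PROCESS ((HANDLE)(ULONG_PTR)-1)  /* GetCurrentProcess() pseudo-handle */

typedef NTSTATUS (*QueryFn)(HANDLE, ULONG, void *, ULONG, ULONG *);

/* Constructed stand-in for the real syscall: answers as the kernel would for a
 * process that IS under a debugger (debug port -1, an open debug-object handle,
 * NoDebugInherit set so ProcessDebugFlags reads 0). */
static NTSTATUS original_NtQueryInformationProcess(HANDLE h, ULONG cls, void *buf,
                                                   ULONG len, ULONG *ret_len)
{
    if (h != CURRENT_PROCESS) return STATUS_INVALID_HANDLE;
    ULONG_PTR port  = (ULONG_PTR)-1;
    HANDLE    dbg   = (HANDLE)(ULONG_PTR)0x5c;   /* constructed handle value */
    ULONG     flags = 0;
    const void *src; ULONG n;
    switch (cls) {
    case ProcessDebugPort:         src = &port;  n = sizeof port;  break;
    case ProcessDebugObjectHandle: src = &dbg;   n = sizeof dbg;   break;
    case ProcessDebugFlags:        src = &flags; n = sizeof flags; break;
    default: return STATUS_INVALID_INFO_CLASS;   /* other classes not modelled */
    }
    if (len != n) return STATUS_INFO_LENGTH_MISMATCH;
    memcpy(buf, src, n);
    if (ret_len) *ret_len = n;
    return STATUS_SUCCESS;
}

/* The hook: call through, then rewrite only what a debugger-free process would
 * report. Guard 1: queries about other processes pass through untouched (the
 * debuggee may itself be debugging something). Guard 2: never write into a
 * buffer the kernel rejected as too small; only a successful call with the
 * exact size gets its result overwritten. */
static NTSTATUS hooked_NtQueryInformationProcess(HANDLE h, ULONG cls, void *buf,
                                                 ULONG len, ULONG *ret_len)
{
    NTSTATUS st = original_NtQueryInformationProcess(h, cls, buf, len, ret_len);
    if (h != CURRENT_PROCESS || st != STATUS_SUCCESS) return st;
    switch (cls) {
    case ProcessDebugPort: {
        ULONG_PTR none = 0;
        if (len == sizeof none) memcpy(buf, &none, sizeof none);
        return st;
    }
    case ProcessDebugObjectHandle: {
        /* An undebugged process gets STATUS_PORT_NOT_SET and a NULL handle;
         * leaving STATUS_SUCCESS, or a non-NULL handle, gives the debugger away.
         * A real hook must also close the handle the kernel just opened
         * (not modelled here, there is no kernel). */
        HANDLE none = NULL;
        if (len == sizeof none) memcpy(buf, &none, sizeof none);
        return STATUS_PORT_NOT_SET;
    }
    case ProcessDebugFlags: {
        ULONG inherit = PROCESS_DEBUG_INHERIT;
        if (len == sizeof inherit) memcpy(buf, &inherit, sizeof inherit);
        return st;
    }
    default:
        return st;
    }
}

/* The three checks a protector typically runs; returns a bitmask of the ones
 * that saw a debugger through the supplied query function. */
unsigned debugger_checks(QueryFn q)
{
    unsigned found = 0;
    ULONG_PTR port = 0;
    if (q(CURRENT_PROCESS, ProcessDebugPort, &port, sizeof port, NULL) == STATUS_SUCCESS && port != 0)
        found |= 1u;
    HANDLE dbg = NULL;
    if (q(CURRENT_PROCESS, ProcessDebugObjectHandle, &dbg, sizeof dbg, NULL) == STATUS_SUCCESS && dbg != NULL)
        found |= 2u;
    ULONG flags = PROCESS_DEBUG_INHERIT;
    if (q(CURRENT_PROCESS, ProcessDebugFlags, &flags, sizeof flags, NULL) == STATUS_SUCCESS && flags == 0)
        found |= 4u;
    return found;
}

int main(void)
{
    printf("unhooked: checks fired = 0x%x\n", debugger_checks(original_NtQueryInformationProcess));
    printf("hooked:   checks fired = 0x%x\n", debugger_checks(hooked_NtQueryInformationProcess));
    return 0;
}
```

The point of the two guards is the one the Beta 2 entries make: a hook that writes a spoofed value into a buffer the kernel would have rejected, or that answers for a handle that is not the current process, produces results the real API never would, and a protector can detect the hook by provoking exactly those cases.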