Defeating Anti-Debugging with TitanHide

Recently I was looking for bugs in a Windows program which employs a variety of anti-debugging techniques including:

These measures and more can be defeated with an off-the-shelf driver called TitanHide, which is designed to hide a debugger from the debuggee. It works by hooking “various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions” (https://github.com/mrexodia/TitanHide). Because the hooks live in the kernel, the anti-debugging checks in user mode see the same answers whether or not a debugger is attached. The concept is quite simple, but having a driver like this that works reliably across different versions of Windows is a real gift to the community. The author describes a bit about how it works here: https://mrexodia.github.io/reversing/2015/02/05/TitanHide.

How do we use it?

  • Download a release from the GitHub page linked above and pick the build that matches the OS architecture of the VM (x86 or x64; a 32-bit driver will not load on a 64-bit kernel). From an admin prompt, copy it into the drivers directory:
            copy TitanHide.sys %systemroot%\system32\drivers\ 
  • Put the VM you’ll be debugging in into test mode: run these commands in an admin prompt, then reboot. Test mode is required because the driver is unsigned and driver signature enforcement would otherwise refuse to load it. Note that TESTSIGNING cannot be turned on while Secure Boot is enabled (bcdedit reports that the value is protected by Secure Boot policy), so disable Secure Boot in the VM’s firmware settings first. The /set and -set spellings are equivalent:
            bcdedit.exe /set nointegritychecks on
            bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS
            bcdedit.exe /set testsigning on
  • Register the driver as a kernel service and start it, again from an admin prompt. Yes, keep the spaces which follow the equal signs; sc’s argument parser requires them. If you do this from PowerShell rather than cmd, call sc.exe explicitly, because sc there is an alias for Set-Content:
            sc create TitanHide binPath= %systemroot%\system32\drivers\TitanHide.sys type= kernel
            sc start TitanHide
  • Launch TitanHideGUI.exe, check off the box for each technique you want it to use against the debugee.
  • Launch the target process in WinDbg, letting it break immediately.
  • Note the PID of the process and type it into the TitanHide GUI then click Hide.
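The install steps above as a single script, added here as an example; it is not code from this post or from the TitanHide project. It adds the checks the manual steps leave implicit: Secure Boot state, OS bitness, whether test signing is already on (so you reboot only once), and whether the driver is actually running before you launch WinDbg. The release directory layout (x64\TitanHide.sys and x86\TitanHide.sys), the $ReleaseDir and $ServiceName parameters, and the English-locale bcdedit output it parses are assumptions; adjust them to the release you downloaded.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the TitanHide project or the original post):
  scripted version of the TitanHide install steps with sanity checks.
  Assumptions:
    - the release archive is extracted to $ReleaseDir and holds
      x64\TitanHide.sys and x86\TitanHide.sys (hypothetical layout)
    - bcdedit prints English output ("testsigning  Yes")
  Run once; if it had to enable test signing it asks for a reboot,
  and a second run after the reboot creates and starts the service.
#>
param(
    [string]$ReleaseDir  = "$PSScriptRoot\TitanHide",
    [string]$ServiceName = 'TitanHide'
)
$ErrorActionPreference = 'Stop'

# Kernel drivers are not listed by Get-Service, so query Win32_SystemDriver.
function Get-DriverState([string]$Name) {
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    if ($drv) { $drv.State } else { $null }
}

# --- 1. Secure Boot blocks TESTSIGNING: bcdedit answers "The value is
#        protected by Secure Boot policy" and the driver never loads.
#        Confirm-SecureBootUEFI errors out on BIOS/non-UEFI VMs, which for
#        our purposes means "not enabled".
$secureBoot = $false
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
if ($secureBoot) {
    throw 'Secure Boot is enabled; turn it off in the VM firmware, then rerun.'
}

# --- 2. Copy the driver that matches the OS bitness into the drivers directory.
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$src  = Join-Path $ReleaseDir "$arch\TitanHide.sys"
if (-not (Test-Path $src)) { throw "Driver not found: $src" }
$dst  = Join-Path $env:SystemRoot 'System32\drivers\TitanHide.sys'
Copy-Item -Path $src -Destination $dst -Force
Write-Host "Copied $src -> $dst"

# --- 3. Enable test mode if it is not already on. The change only takes
#        effect after a reboot, so stop here and ask for one.
$bcd = & bcdedit.exe /enum '{current}'          # braces must be quoted in PowerShell
$testSigningOn = [bool]($bcd -match '^testsigning\s+Yes')
if (-not $testSigningOn) {
    & bcdedit.exe /set nointegritychecks on
    & bcdedit.exe /set loadoptions DISABLE_INTEGRITY_CHECKS
    & bcdedit.exe /set testsigning on
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    Write-Warning 'Test signing enabled. Reboot the VM, then run this script again to create and start the service.'
    return
}

# --- 4. Create the kernel service. 'sc' is an alias for Set-Content in
#        PowerShell, so call sc.exe explicitly. The spaces after 'binPath='
#        and 'type=' are required by sc's argument parser.
if (-not (Get-DriverState $ServiceName)) {
    & sc.exe create $ServiceName binPath= $dst type= kernel
    if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }
}

# --- 5. Start it and verify it is really running before launching WinDbg.
if ((Get-DriverState $ServiceName) -ne 'Running') {
    & sc.exe start $ServiceName | Out-Null
}
$state = Get-DriverState $ServiceName
if ($state -ne 'Running') {
    throw "$ServiceName is not running (state: $state); check the System event log for a signature or load error."
}
Write-Host "$ServiceName is running. Launch TitanHideGUI.exe, then open the target in WinDbg."
```

Run it from an elevated PowerShell inside the VM. Step 3 exits early on the first run when test signing still has to be enabled; after the reboot the same script skips straight to creating and starting the service, and it refuses to report success unless Win32_SystemDriver shows the driver in the Running state.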

What Else?

For my target this took care of IsDebuggerPresent and NtSetInformationThread, but there was still the pesky INT 2D instruction. INT 2D raises a breakpoint exception; with a debugger attached, that exception is delivered to the debugger as a first-chance exception and the program’s own exception handler never runs, which is exactly what the check looks for. To deal with that I told WinDbg to pass all exceptions to the application (sxd marks each exception as ignored on first chance, so it goes straight to the program’s handler) with this command:

            .foreach(exc {.echo "ct et cpr epr ld ud ser ibp iml out av asrt aph bpe bpec eh clr clrn cce cc dm dbce gp ii ip dz iov ch hc lsq isc 3c svh sse ssec sbo sov vs vcpp wkd rto rtt wob wos *"}) {.catch{sxd ${exc}}}

The command comes from https://stackoverflow.com/questions/28306310/windbg-how-to-set-all-exception-to-be-passed-into-app; the .catch keeps the loop going if sxd rejects any one of the exception codes.