[Repost] Hyde v 1.02 by BoB
2012-10-25 03:01
Hyde v 1.02 by BoB
Information:
Hyde is a plugin for OllyDbg v2.xx; its purpose is to hide OllyDbg from detection by the debuggee.
This is done by patching memory and APIs, and the options (or patch sets) can be saved to a file for easy reloading.
For example, with an ASProtect target you can select the patches that you need for ASProtect and save them to a file
"ASProtect.SET". This patch-set file can then be loaded whenever you need to debug ASProtect.
Features:
o All patched APIs should work "normally": they only hide OllyDbg and still work for other windows, processes, etc.
o All patches/hooks are selectable from the menu for quick access, or from the Options dialog.
o Optional jmp variations (Push/Ret, Jmp [xxxxxxxx], or fake SysCall) for hooks.
o If an API can be hot-patched, that is done; if it is a syscall stub, a fake syscall is used; otherwise the selected jmp style is used.
o Load/Save patch sets. Patch sets are simply INI files, so they can also be edited in Notepad.
o Remotely allocated memory is separated into code and data with appropriate access, so there should be no problems with DEP.
o If you right-click a patch in the Options dialog, the code window view will jump to that API.
Patches:
o PEB.IsDebugged
o PEB.NtGlobalFlag
o PEB.HeapFlag
o NtQueryInformationProcess
o NtSetInformationThread
o FindWindowA
o FindWindowW
o FindWindowExA
o FindWindowExW
o EnumWindows
o Process32NextW
o OutputDebugString
o NtQueryObject
o GetTickCount
o NtOpenProcess
o BlockInput
o NtClose
o GetStartupInfo
o NtQuerySystemInformation
o NtYieldExecution
o GetForegroundWindow
o EnumDesktopWindows
o GetWindowThreadProcessId
Future:
o Custom patches/hooks.
o Repair hooks if the app unhooks the APIs.
o Possibly change exception options for OllyDbg in patch sets?
o Maybe detection of packer targets?
Past:
-> Release [v1.01]
o Fixed a hang if OllyDbg was closed while the Options window was still open
o Checks/repairs API bytes more thoroughly before patching
o Copies bytes without the breakpoint byte, if a breakpoint is set on the API
o Detects LCF-AT's OllySND 2.1 and disables the NtQueryInformationProcess patch
o Added NtYieldExecution check code (by Peter Ferrie) to the CheckDebug.exe test program
o Patching is now done at the EP, or at the DLL EP if the target is a DLL
o Added NtYieldExecution hook
o Added GetForegroundWindow hook
o Added EnumDesktopWindows hook
o Added GetWindowThreadProcessId hook
o Patching is done at the first TLS callback in an EXE that has callbacks
o If a SysCall API is detected, uses the fake SysCall jmp
o If an API can be hot-patched, does that instead of the selected patch style
o Fixed a weird bug where patches were sometimes applied twice
-> Initial Release [v1.00]
Beta-Tested by:
o LCF-AT
o mudlord
o atom0s

Hyde_OD2_Plugin.RAR
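The jmp variations listed under Features (Push/Ret, Jmp [xxxxxxxx], and the hot-patch path the plugin prefers when an API allows it) are standard 32-bit x86 inline-hook stubs. The following is an added example, not Hyde's own code, that emits each stub as raw bytes and applies a Microsoft-style hot patch to a constructed function prologue; addresses are 32-bit, matching the OllyDbg 2.xx targets the post describes. The "fake SysCall" stub is not reproduced, since the post does not describe its layout, and the buffer and addresses in the hot-patch routine are constructed for illustration.

```c
/* Added example, not Hyde's code: the x86 (32-bit) jump stubs an inline API
 * hook can use, emitted as raw bytes, plus the hot-patch variant. */
#include <stdint.h>
#include <stddef.h>

/* Little-endian 32-bit store. */
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* E9 rel32: relative jump. 'from' is the address the 5 bytes will live at. */
size_t enc_jmp_rel32(uint8_t *out, uint32_t from, uint32_t to) {
    out[0] = 0xE9;
    put32(out + 1, to - (from + 5));   /* rel32 is relative to the next instruction */
    return 5;
}

/* 68 imm32 / C3: "push target; ret". 6 bytes, position independent. */
size_t enc_push_ret(uint8_t *out, uint32_t to) {
    out[0] = 0x68; put32(out + 1, to); out[5] = 0xC3;
    return 6;
}

/* FF 25 disp32: "jmp dword ptr [slot]", where the 4-byte cell at 'slot' holds the
   target. Needs a writable data cell, which is why a hooker keeps code and data
   pages separate under DEP. */
size_t enc_jmp_indirect(uint8_t *out, uint32_t slot) {
    out[0] = 0xFF; out[1] = 0x25; put32(out + 2, slot);
    return 6;
}

/* A hot-patchable export begins with "mov edi,edi" (8B FF) and is preceded by
   five padding bytes (0x90 or 0xCC). fn points at the entry; fn[-5..-1] must be readable. */
int is_hotpatchable(const uint8_t *fn) {
    if (!(fn[0] == 0x8B && fn[1] == 0xFF)) return 0;
    for (int i = 1; i <= 5; i++)
        if (fn[-i] != 0x90 && fn[-i] != 0xCC) return 0;
    return 1;
}

/* Hot patch: write a long jmp to 'hook' into the 5-byte pad, then replace
   "mov edi,edi" with "jmp short -5" (EB F9). Only the 2-byte entry changes and no
   original instruction has to be relocated, so it is the safest style when available.
   fn_addr is the virtual address of fn in the target process (constructed in the test). */
int apply_hotpatch(uint8_t *fn, uint32_t fn_addr, uint32_t hook) {
    if (!is_hotpatchable(fn)) return 0;
    enc_jmp_rel32(fn - 5, fn_addr - 5, hook);
    fn[0] = 0xEB; fn[1] = 0xF9;
    return 1;
}
```

Push/Ret and the indirect jmp do not depend on the distance between API and hook, which is why a hooker offers them as alternatives to a plain E9 when the trampoline lives in separately allocated remote memory.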

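Three entries in the Patches list (PEB.IsDebugged, PEB.NtGlobalFlag, PEB.HeapFlag) cover fields the Windows loader sets in the PEB when a process is created under a debugger. The following is an added example, not code from Hyde or its CheckDebug.exe test program, that models those fields in a plain struct so both sides can be run anywhere: the check a protector performs, and the normalizing patch a hider applies. The sample values are constructed from the well-known debugger defaults; read_peb_fields() is compiled only on 32-bit Windows, and its _HEAP offsets are an assumption for Vista and later.

```c
/* Added example, not Hyde's code: the PEB-resident debugger tells that the
 * PEB.IsDebugged / PEB.NtGlobalFlag / PEB.HeapFlag patches neutralise. */
#include <stdint.h>

typedef struct {
    uint8_t  being_debugged;   /* PEB.BeingDebugged, PEB+0x02 */
    uint32_t nt_global_flag;   /* PEB.NtGlobalFlag, PEB+0x68 on 32-bit */
    uint32_t heap_flags;       /* ProcessHeap->Flags */
    uint32_t heap_force_flags; /* ProcessHeap->ForceFlags */
} peb_fields;

/* FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS,
   set in NtGlobalFlag when the process starts under a debugger. */
#define NTGLOBALFLAG_DEBUG_BITS 0x70u
/* HEAP_GROWABLE is normal for the process heap; the tail-check, free-check and
   validate-parameters bits, and any ForceFlags bit, are debugger artefacts. */
#define HEAP_GROWABLE_BIT       0x00000002u
#define HEAP_DEBUG_BITS         0x40000060u

enum { DET_BEING_DEBUGGED = 1, DET_NT_GLOBAL_FLAG = 2, DET_HEAP_FLAGS = 4 };

/* The protector side: returns a bitmask of the tells that fired. */
unsigned detect_debugger(const peb_fields *p) {
    unsigned hits = 0;
    if (p->being_debugged)                                  hits |= DET_BEING_DEBUGGED;
    if (p->nt_global_flag & NTGLOBALFLAG_DEBUG_BITS)        hits |= DET_NT_GLOBAL_FLAG;
    if ((p->heap_flags & HEAP_DEBUG_BITS) || p->heap_force_flags) hits |= DET_HEAP_FLAGS;
    return hits;
}

/* The hider side: rewrite the fields to their no-debugger values. Only the debug
   bits are cleared from heap_flags, so legitimate bits such as HEAP_GROWABLE survive. */
void hide_debugger(peb_fields *p) {
    p->being_debugged   = 0;
    p->nt_global_flag  &= ~NTGLOBALFLAG_DEBUG_BITS;
    p->heap_flags      &= ~HEAP_DEBUG_BITS;
    p->heap_force_flags = 0;
}

/* Constructed sample: the values a freshly debugged 32-bit process shows. */
peb_fields sample_debugged_peb(void) {
    peb_fields p = { 1, NTGLOBALFLAG_DEBUG_BITS,
                     HEAP_GROWABLE_BIT | HEAP_DEBUG_BITS, HEAP_DEBUG_BITS };
    return p;
}

#if defined(_WIN32) && (defined(_M_IX86) || defined(__i386__))
#include <windows.h>
/* Reads the live fields on 32-bit Windows. The _HEAP offsets 0x40/0x44 are an
   assumption for Vista and later; on XP the same fields sit at 0x0C/0x10. */
int read_peb_fields(peb_fields *out) {
    const uint8_t *peb  = *(const uint8_t **)((const uint8_t *)NtCurrentTeb() + 0x30);
    const uint8_t *heap = *(const uint8_t **)(peb + 0x18);
    out->being_debugged   = peb[0x02];
    out->nt_global_flag   = *(const uint32_t *)(peb + 0x68);
    out->heap_flags       = *(const uint32_t *)(heap + 0x40);
    out->heap_force_flags = *(const uint32_t *)(heap + 0x44);
    return 1;
}
#endif
```

A hider that only zeroes BeingDebugged still trips the other two checks, which is why the plugin exposes all three as separate patches; conversely, a protector that only reads BeingDebugged is fully defeated by the first line of hide_debugger().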

Latest replies (2)
viphack 2012-10-25 06:52
Moderator Lin, you're up early!! Good morning
jinyurong 2012-11-12 18:06
How is this plugin used?
After putting it in the plugins directory, a PatchSets folder was generated under the OD directory, and I put VProtect193.SET in it,
but when I test with the bundled CheckDebug.EXE, everything is still detected.

I humbly ask an expert for guidance!! Many thanks