[Repost] Hyde v 1.02 by BoB
Posted: 2012-10-25 03:01 (views: 5507)
Hyde v 1.02 by BoB
Information:
Hyde is a plugin for OllyDbg v2.xx; its purpose is to hide OllyDbg from detection by the debuggee.
This is done by patching memory and APIs, and the options (or patch sets) can be saved to a file for easy reloading.
For example, with an ASProtect target you can set the patches that you need for ASProtect and save them to a file
"ASProtect.SET". This patch-set file can then be loaded whenever you need to debug ASProtect.
Features:
o All patched APIs should work "normally": they only hide OllyDbg and otherwise behave as usual for other windows/processes etc.
o All patches/hooks are selectable from the menu for quick access, or from the options dialog.
o Optional Jmp variations (Push/Ret, Jmp [xxxxxxxx] or fake SysCall) for hooks.
o If an API can be hot-patched, Hyde does that; if it is a SysCall stub, it uses a fake SysCall; otherwise it uses the selected jmp style.
o Load/Save patch sets. Patch sets are simply INI files, so they can also be edited in Notepad.
o Remotely allocated memory is separated into code and data with appropriate access, so there should be no problems with DEP.
o If you right-click a patch in the Options dialog, the code window view will jump to that API.
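The feature list names three ways a hook can transfer control (a relative jmp, push/ret, and an indirect jmp through a memory slot) plus the hot-patch and SysCall special cases, and the v1.01 notes mention checking API bytes before patching and skipping a breakpoint byte. The following C program is an added illustration written for this repost, not code from Hyde or from BoB: it encodes each of the three jmp styles for 32-bit x86 and then runs the kind of prologue check a debugger plugin (or an analyst verifying that an API is clean) would perform on the first bytes of an API, telling a pristine prologue, a hot-patchable one (`mov edi,edi`), a 32-bit ntdll SysCall stub, a software breakpoint and each hook style apart. All addresses and byte sequences are constructed sample values, and the Windows-specific layout assumptions (the `8B FF` hot-patch prologue with 5 padding bytes before it, the `B8 imm32 / BA imm32` stub shape) are stated in comments; nothing here touches a live process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The three "jmp styles" from the feature list, as x86-32 encodings. */
enum hook_style { HOOK_JMP_REL32, HOOK_PUSH_RET, HOOK_JMP_IND };

/* What inspecting the first bytes of an API entry can conclude. */
enum prologue_kind {
    PROLOGUE_PLAIN,         /* ordinary code, nothing special */
    PROLOGUE_HOTPATCHABLE,  /* mov edi,edi (8B FF): a 2-byte short jmp fits here */
    PROLOGUE_SYSCALL_STUB,  /* mov eax,imm32 ; mov edx,imm32 : 32-bit ntdll stub shape (assumed) */
    PROLOGUE_BREAKPOINT,    /* int3 (CC) on the first byte: a software breakpoint is set */
    PROLOGUE_JMP_REL32,     /* E9 rel32 */
    PROLOGUE_PUSH_RET,      /* 68 imm32 ; C3 */
    PROLOGUE_JMP_IND        /* FF 25 disp32 : jmp dword ptr [disp32] */
};

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Encode a hook of the given style placed at address `at`, redirecting to `target`.
   For HOOK_JMP_IND, `slot` is the address of a dword that holds `target`.
   Returns the number of bytes written into out (5 or 6). */
size_t encode_hook(enum hook_style style, uint32_t at, uint32_t target, uint32_t slot, uint8_t out[6])
{
    switch (style) {
    case HOOK_JMP_REL32:            /* rel32 is relative to the end of the 5-byte instruction */
        out[0] = 0xE9; put32(out + 1, target - (at + 5)); return 5;
    case HOOK_PUSH_RET:             /* push target ; ret */
        out[0] = 0x68; put32(out + 1, target); out[5] = 0xC3; return 6;
    case HOOK_JMP_IND:              /* jmp dword ptr [slot] */
        out[0] = 0xFF; out[1] = 0x25; put32(out + 2, slot); return 6;
    }
    return 0;
}

/* Classify the first `len` bytes found at API address `at`. For the hook styles, *resolved
   receives the jump destination (for JMP_IND: the slot address, since memory is not read);
   for a SysCall stub it receives the service number in the mov eax,imm32. */
enum prologue_kind classify_prologue(const uint8_t *code, size_t len, uint32_t at, uint32_t *resolved)
{
    if (resolved) *resolved = 0;
    if (len >= 1 && code[0] == 0xCC) return PROLOGUE_BREAKPOINT;
    if (len >= 5 && code[0] == 0xE9) {
        if (resolved) *resolved = at + 5 + get32(code + 1);
        return PROLOGUE_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        if (resolved) *resolved = get32(code + 1);
        return PROLOGUE_PUSH_RET;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        if (resolved) *resolved = get32(code + 2);
        return PROLOGUE_JMP_IND;
    }
    if (len >= 6 && code[0] == 0xB8 && code[5] == 0xBA) {
        if (resolved) *resolved = get32(code + 1);
        return PROLOGUE_SYSCALL_STUB;
    }
    if (len >= 2 && code[0] == 0x8B && code[1] == 0xFF) return PROLOGUE_HOTPATCHABLE;
    return PROLOGUE_PLAIN;
}

/* Hot-patch precondition (assumed Microsoft /hotpatch layout): mov edi,edi at the entry and
   five bytes of padding (CC or 90) immediately before it, where a long jmp can be placed. */
int hotpatch_possible(const uint8_t pad_before[5], const uint8_t *entry, size_t entry_len)
{
    if (classify_prologue(entry, entry_len, 0, NULL) != PROLOGUE_HOTPATCHABLE) return 0;
    for (int i = 0; i < 5; i++)
        if (pad_before[i] != 0xCC && pad_before[i] != 0x90) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: an API at 0x7C801000 hooked toward 0x00401000. */
    uint8_t buf[6]; uint32_t dest;
    size_t n = encode_hook(HOOK_JMP_REL32, 0x7C801000u, 0x00401000u, 0, buf);
    enum prologue_kind k = classify_prologue(buf, n, 0x7C801000u, &dest);
    printf("jmp rel32 -> kind %d, destination %08X\n", (int)k, dest);

    /* Constructed sample prologue as seen on a hot-patchable Win32 API. */
    const uint8_t pad[5] = {0x90, 0x90, 0x90, 0x90, 0x90};
    const uint8_t api[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    printf("hot-patch possible: %d\n", hotpatch_possible(pad, api, sizeof api));
    return 0;
}
```

Running the check before writing a hook is what lets a plugin refuse to patch an API whose bytes are already not what it expects (another hook, a breakpoint), and the same classification is what an integrity check uses in the other direction to spot a prologue that has been redirected.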
Patches:
o PEB.IsDebugged
o PEB.NtGlobalFlag
o PEB.HeapFlag
o NtQueryInformationProcess
o NtSetInformationThread
o FindWindowA
o FindWindowW
o FindWindowExA
o FindWindowExW
o EnumWindows
o Process32NextW
o OutputDebugString
o NtQueryObject
o GetTickCount
o NtOpenProcess
o BlockInput
o NtClose
o GetStartupInfo
o NtQuerySystemInformation
o NtYieldExecution
o GetForegroundWindow
o EnumDesktopWindows
o GetWindowThreadProcessId
Future:
o Custom patches/hooks.
o Repair hooks if the app unhooks the APIs.
o Possibly change exception options for OllyDbg in patch sets?
o Maybe detection of packer targets?
Past:
-> Release [v1.01]
o Fixed hang if OllyDbg was closed while the Options window was still open
o Checks/repairs API bytes more thoroughly before patching
o Copies bytes without the breakpoint byte, if a breakpoint is set on the API
o Detects LCF-AT's OllySND 2.1 and disables the NtQueryInformationProcess patch
o Added NtYieldExecution check code (by Peter Ferrie) to the CheckDebug.exe test program
o Patching is now done at the EP, or if the target is a DLL then at the DLL EP
o Added NtYieldExecution hook
o Added GetForegroundWindow hook
o Added EnumDesktopWindows hook
o Added GetWindowThreadProcessId hook
o Patching is done at the first TLS callback in an EXE that has callbacks
o If a SysCall API is detected, uses the fake SysCall jmp
o If an API can be hot-patched, does that instead of the selected patch style
o Fixed a bug where patches were sometimes applied twice
-> Initial Release [v1.00]
Beta-Tested by:
o LCF-AT
o mudlord
o atom0s

Attachment: Hyde_OD2_Plugin.RAR
Latest replies (2)

#2
Moderator Lin, you're up early!! Good morning
2012-10-25 06:52
#3
How do you use this plugin?
After putting it in the plugin directory, a PatchSets folder was created under the OD directory, and I put VProtect193.SET in there,
but when I test with the bundled CheckDebug.EXE, everything is still detected.

Could an expert please give me some pointers!! Many thanks
2012-11-12 18:06