TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT hooks) and modifies the return values of the original functions. To hide a process, you pass the driver a simple structure containing a ProcessID and the hiding option(s) to enable. The internal API is designed to add hooks with little effort, which means adding features is really easy.
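The mechanism described above, shown as a user-mode simulation (an added example, not TitanHide's code): a function-pointer table stands in for the SSDT, and the hook calls the original and rewrites its output only for PIDs on the hide list. Every name, option bit and information class below is a hypothetical stand-in.

```c
/* User-mode model: a toy dispatch table, not the real SSDT. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#define HIDE_DEBUG_PORT  0x1u   /* constructed option bits */
#define HIDE_DEBUG_FLAGS 0x2u
enum { CLASS_DEBUG_PORT, CLASS_DEBUG_FLAGS };   /* simplified info classes */
typedef struct { uint32_t pid, options; } hide_request;  /* PID + option mask */
typedef int (*query_fn)(uint32_t pid, int info_class, uint32_t *out);

/* Unhooked service: in this model port != 0 and flags == 0 mean "debugged". */
static int real_query(uint32_t pid, int info_class, uint32_t *out) {
    (void)pid;
    *out = (info_class == CLASS_DEBUG_PORT) ? 0xFFFFFFFFu : 0u;
    return 0;
}

static query_fn service_table[1] = { real_query }, original_query;
static hide_request hidden[8];
static size_t hidden_count;

static uint32_t options_for(uint32_t pid) {
    for (size_t i = 0; i < hidden_count; i++)
        if (hidden[i].pid == pid) return hidden[i].options;
    return 0;   /* not on the hide list: no option applies */
}

/* Hook: run the original, then rewrite its output only for hidden PIDs. */
static int hooked_query(uint32_t pid, int info_class, uint32_t *out) {
    int status = original_query(pid, info_class, out);
    uint32_t opts = (status == 0) ? options_for(pid) : 0;
    if (info_class == CLASS_DEBUG_PORT && (opts & HIDE_DEBUG_PORT)) *out = 0;
    if (info_class == CLASS_DEBUG_FLAGS && (opts & HIDE_DEBUG_FLAGS)) *out = 1;
    return status;
}

void install_hook(void) {               /* swap the entry, keep the original */
    original_query = service_table[0];
    service_table[0] = hooked_query;
}

int hide_process(hide_request req) {    /* what the driver would receive */
    if (hidden_count == sizeof hidden / sizeof hidden[0]) return -1;
    hidden[hidden_count++] = req;
    return 0;
}

uint32_t query(uint32_t pid, int info_class) {  /* what a caller observes */
    uint32_t value = 0;
    service_table[0](pid, info_class, &value);
    return value;
}
```

Only the options set for a PID change what that PID's queries return; every other process still sees the original result.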
Test environments:
• Windows 7 x64 & x86 (SP1)
• Windows XP x86 (SP3)
• Windows XP x64 (SP1)
Installation:
1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'ServiceManager.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service (specify the full path to TitanHide.sys)
5) Start the service you just created
6) Use 'TitanHideGUI.exe' to set hide options for a PID
NOTE1: When on x64, you have to disable PatchGuard and driver signature enforcement yourself. Google is your friend :)
NOTE2: When using x64_dbg, you can use the TitanHide plugin (available on the download page).
NOTE3: When using ESET NOD32 AV, disable "Realtime File Protection" to prevent a BSOD when starting TitanHide. You can re-enable it right afterwards.