IDA Stealth Plugin
2008-7-5 11:13
IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll is actually responsible for implementing most of the stealth techniques either by hooking syscalls or by patching some flags in the remote process.

 

Installation 
To install the plugin, copy both files to the plugins directory of your IDA installation. Make sure that the cfg subdirectory is writable, because that's where the plugin stores its configuration.

Changelog 
07/04/2008 - v1.0 Alpha

First alpha release, some features still missing, needs testing
Known Bugs:
Problems when modifying import directory of packed executables (error 0xC000007B)

http://newgre.net/system/files/IDAStealth.rar


Latest replies (22)
#2 linhanshi 2008-7-5 12:56
Archived a local copy.
#3 linhanshi 2008-7-13 08:49
IDA Stealth 1.0 (ALPHA 3) July 13, 2008
#4 linhanshi 2008-7-14 20:24
07/14/2008 - v1.0 Alpha 4

Bugfix: Injection of stealth dll could fail in some cases (see N-InjectLib)
#5 linhanshi 2008-7-24 17:51
IDA Stealth 1.0 (BETA 1)  July 24, 2008
#6 newpublic 2008-7-30 19:04
Bookmarking this for now, heh.
#7 linhanshi 2008-8-14 07:23
IDA Stealth Plugin 1.0 Beta 1(1)

http://newgre.net/system/files/IDAStealth.rar
#8 linhanshi 2008-8-14 07:25
Archived a local copy.
#9 linhanshi 2008-9-3 22:06
09/02/2008 - v1.0 Beta 2

Bugfix: Due to improper checking of input parameters in the NtQuerySystemInformation hook, the debugged process could raise an exception, finally unveiling the existence of IDA Stealth
Bugfix: Hiding of possibly existing kernel debugger now working correctly
Bugfix: Fake parent process and Hide IDA from process list are no longer mutually exclusive
Bugfix: NtQueryInformationProcess hook accepted too small input buffers
Bugfix: NtQueryInformationProcess hook erroneously assumed the process handle to be always that of the current process
Bugfix: Exception caused by closing an invalid handle is now properly hidden from the debugged process by using SEH or Vectored exception handling
Bugfix: NtSetInformationThread wasn't hooked at all due to a typo
Bugfix: Added checks to hook functions so they behave as expected when an invalid handle is passed. Affected functions: NtSetInformationThread, SuspendThread, SwitchDesktop, NtTerminateThread, NtTerminateProcess
Bugfix: RtlGetVersion returned wrong platform ID and build number
Added: Console version of IDA is also hidden from process list

http://newgre.net/system/files/IDAStealth.rar
http://newgre.net/system/files/IDAStealth_Sources.rar
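The Beta 2 and Beta 3 notes above describe three ways a syscall hook can give itself away: writing into a buffer the caller declared too small (an exception where the real API would return STATUS_INFO_LENGTH_MISMATCH), treating every process handle as the debuggee's own (wrong answers for invalid handles, or for a child the debuggee is itself debugging), and skipping the handle check entirely. The following C program is an added example, not code from IDA Stealth or its author. It models an NtQueryInformationProcess hook on a constructed, portable stand-in for the syscall and the handle table (no Windows API is called); the NTSTATUS values and the PROCESSINFOCLASS numbers are the real ones, everything else (the handle values, the fake debug-object handle 0x9abc, the function names) is an assumption of the example. The hook "before fix" has the defects the changelog lists; the hook "after fix" lets the real call validate handle and length first and only then substitutes an answer, and only for the debuggee.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTSTATUS codes as defined in the Windows SDK/DDK. */
typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS              0x00000000u
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u
#define STATUS_ACCESS_VIOLATION     0xC0000005u
#define STATUS_INVALID_HANDLE       0xC0000008u
#define STATUS_PORT_NOT_SET         0xC0000353u

/* PROCESSINFOCLASS members that anti-debugging code commonly queries. */
enum { ProcessDebugPort = 7, ProcessDebugObjectHandle = 30, ProcessDebugFlags = 31 };

/* Constructed handle table standing in for the kernel's. The pseudo-handle
 * (uintptr_t)-1 and 0x1234 refer to the debuggee (IDA attached); 0x5678 is a
 * child process the debuggee itself is debugging; any other value is invalid. */
typedef struct { uintptr_t h; bool is_debuggee; bool has_debugger; } HandleEntry;
static const HandleEntry kHandles[] = {
    { (uintptr_t)-1, true, true }, { 0x1234, true, true }, { 0x5678, false, true },
};
static const HandleEntry *lookup(uintptr_t h) {
    for (size_t i = 0; i < sizeof kHandles / sizeof kHandles[0]; i++)
        if (kHandles[i].h == h) return &kHandles[i];
    return NULL;
}

/* Constructed model of the unhooked syscall: validates the handle and the
 * buffer length, reports the required size, and answers truthfully. */
static NTSTATUS original_query(uintptr_t h, unsigned cls, void *buf,
                               uint32_t len, uint32_t *ret_len) {
    const HandleEntry *e = lookup(h);
    if (!e) return STATUS_INVALID_HANDLE;
    uint32_t need = (cls == ProcessDebugFlags) ? sizeof(uint32_t) : sizeof(uintptr_t);
    if (ret_len) *ret_len = need;
    if (len < need) return STATUS_INFO_LENGTH_MISMATCH;
    uintptr_t p = e->has_debugger ? (uintptr_t)-1 : 0;   /* debug port */
    uintptr_t o = e->has_debugger ? 0x9abcu : 0;         /* debug object handle (constructed) */
    uint32_t  f = e->has_debugger ? 0 : 1;               /* 0 = being debugged */
    switch (cls) {
    case ProcessDebugPort:         memcpy(buf, &p, sizeof p); return STATUS_SUCCESS;
    case ProcessDebugObjectHandle: memcpy(buf, &o, sizeof o);
        return e->has_debugger ? STATUS_SUCCESS : STATUS_PORT_NOT_SET;
    case ProcessDebugFlags:        memcpy(buf, &f, sizeof f); return STATUS_SUCCESS;
    default:                       return STATUS_SUCCESS;  /* other classes not modelled */
    }
}

/* Hook with the defects the Beta 2 notes describe: it writes its fake answer
 * without checking the buffer size and treats every handle as the debuggee's.
 * A write past a too-small buffer is modelled by returning
 * STATUS_ACCESS_VIOLATION, the exception the debuggee would observe. */
static NTSTATUS hook_before_fix(uintptr_t h, unsigned cls, void *buf,
                                uint32_t len, uint32_t *ret_len) {
    if (cls == ProcessDebugPort || cls == ProcessDebugObjectHandle) {
        if (len < sizeof(uintptr_t)) return STATUS_ACCESS_VIOLATION;
        uintptr_t zero = 0;
        memcpy(buf, &zero, sizeof zero);
        return STATUS_SUCCESS;            /* also "succeeds" for invalid handles */
    }
    return original_query(h, cls, buf, len, ret_len);
}

/* Hardened hook: the real syscall validates handle and length first; the
 * answer is replaced only if that call succeeded, the handle refers to the
 * debuggee, and the caller's buffer can hold the value being written. */
static NTSTATUS hook_after_fix(uintptr_t h, unsigned cls, void *buf,
                               uint32_t len, uint32_t *ret_len) {
    NTSTATUS st = original_query(h, cls, buf, len, ret_len);
    const HandleEntry *e = lookup(h);
    if (st != STATUS_SUCCESS || !e || !e->is_debuggee) return st;
    uintptr_t zero = 0;
    uint32_t  one = 1;
    switch (cls) {
    case ProcessDebugPort:
        if (len < sizeof zero) return st;
        memcpy(buf, &zero, sizeof zero); return STATUS_SUCCESS;
    case ProcessDebugObjectHandle:
        if (len < sizeof zero) return st;
        memcpy(buf, &zero, sizeof zero); return STATUS_PORT_NOT_SET; /* as without a debugger */
    case ProcessDebugFlags:
        if (len < sizeof one) return st;
        memcpy(buf, &one, sizeof one); return STATUS_SUCCESS;
    default:
        return st;
    }
}

int main(void) {
    uintptr_t v = 0; uint32_t rl = 0;
    printf("1-byte buffer, before fix: 0x%08X\n",
           hook_before_fix((uintptr_t)-1, ProcessDebugPort, &v, 1, &rl));
    printf("1-byte buffer, after fix:  0x%08X (needs %u bytes)\n",
           hook_after_fix((uintptr_t)-1, ProcessDebugPort, &v, 1, &rl), rl);
    hook_after_fix(0x5678, ProcessDebugPort, &v, sizeof v, &rl);
    printf("child debugged by the debuggee, after fix: port=%lld\n", (long long)(intptr_t)v);
    return 0;
}
```

The ordering in hook_after_fix is the point: calling the original first means every error path (invalid handle, short buffer, ReturnLength) is exactly what an undebugged process would see, and the fake value is written only on the success path where the buffer is known to be large enough.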
#10 linhanshi 2008-9-3 22:08
Archived a local copy.
#11 linhanshi 2008-9-15 21:25
09/15/2008 - v1.0 Beta 3

* Bugfix: NtQuerySystemInformation hook possibly returned wrong error code when handling SystemKernelDebuggerInformation query
* Bugfix: NtQueryObject hook mistakenly assumed that all object names are zero terminated strings
* Improved: NtQueryInformationProcess considers the case that the debuggee itself might act as a debugger (see Tuts4You board)
* Improved: Exception triggered by NtClose is now blocked in the first place (detailed description)
* Added: Countermeasures against anti-attach techniques
#12 linhanshi 2009-5-5 10:30
IDA Stealth v1.0 final

03/25/2009 - v1.0

Bugfix: API hook of GetThreadContext erroneously returned the complete context even if the flags specified that only the DRs should be returned. This interfered with newer Armadillo versions
Improved: GetTickCount hook now mimics the original API algorithm and allows for controlling the increasing delta
Added: RDTSC emulation driver with optional driver name randomization to increase stealthiness. Read these notes carefully before using this feature


http://newgre.net/system/files/IDAStealth.rar
#13 linhanshi 2009-5-5 10:31
Archived a local copy.
#14 lrkfev 2009-9-2 09:45
Bookmarking this for now, heh.
#15 b23526 2009-9-2 09:49
So IDA has anti-anti-debugging too now; I don't use IDA for debugging myself, though. Just bumping the thread.
#16 linhanshi 2009-12-6 09:23
11/24/2009 - v1.1.1
Bugfix: Old RDTSC driver version slipped into the last release. The new one is now included
Improved: To increase overall stealth, the NT Headers are restored to their original state after the dll has been injected
Added: Profile for yoda's Protector added

http://newgre.net/system/files/idastealth.rar
#17 bornny 2009-12-20 21:42
New version: IDA Stealth Plugin v1.2

http://newgre.net/idastealth
#18 linhanshi 2010-2-17 18:03
02/15/2010 - v1.2.1

* Bugfix: DoS in SetThreadContext if supplied context was not readable or flags were not writeable
* Bugfix: Context emulation always used the id of the current thread no matter what thread handle was actually given
* Bugfix: Incorrect handling of ProcessDebugObjectHandle in hook of NtQueryInformationProcess in stealth driver
* Bugfix: Possible dead-lock in context emulation
* Bugfix: IDAStealth would try to connect to the RemoteStealth server if Windbg was selected and would always try to inject the stealth dll for any win32 application regardless of which debugger module was used
* Bugfix: 0xC000007B error when starting .NET app which was compiled with /clr:pure
* Bugfix: Inter-process communication could fail if process id was reused between debugger runs ("Error while restoring NT headers...")
* Bugfix: Tick-delta of zero would cause an exception in HideDebugger.dll
* Improved: Context emulation now hooks the corresponding Nt* APIs instead of the kernel32 functions
* Improved: GetTickCount + RDTSC increase internal counter by a random value from specified interval

http://newgre.net/idastealth
#19 linhanshi 2011-7-12 11:04
IDA Stealth 1.3.3

IDAStealth v1.3.3.rar

Welcome forum.forum is a home.

Please respect the copyright from the Internet.

Пожалуйста, уважайте авторское право в Интернете.

來源于互聯網, 請尊重版權.

You can Google.  

Программное обеспечение выпуска и Windows Crack Обучение
Нам-Dabei Guanyin Бодхисаттва Нам без митабха
#20 nicaiwss 2011-7-16 15:18
The official site seems to require a password now.
#21 linhanshi 2011-7-18 09:59
http://newgre.net/idastealth

#22 快雪时晴 2011-7-18 11:08
Found two good things on that site:
N-CodeHook
N-InjectLib
#23 linhanshi 2011-7-18 13:38