
Are there any good WinDbg hiding plugins like OllyDbg's? Or a plugin that's open source and still in development for this purpose?

0xC0000022L
shebaw

4 Answers


You can use ScyllaHide. There are plugins for many debuggers, but it is also possible to use InjectorCLI.exe to inject ScyllaHide into any process. Here are the steps (for a 32 bit process; if you want a 64 bit process, replace every x86 with x64):

  1. Extract ScyllaHide (download) anywhere;
  2. Run NtApiTool\x86\PDBReaderx86.exe and when it's finished, copy NtApiCollection.ini to the same directory as InjectorCLIx86.exe;
  3. Open ScyllaTest_x86.exe with WinDbg (x86); you should be in LdrpDoDebuggerBreak;
  4. Execute InjectorCLIx86.exe ScyllaTest_x86.exe HookLibraryx86.dll;
  5. Run (F5) in WinDbg.

Without using ScyllaHide: [screenshot: ScyllaTest output, "no hiding"]

When using ScyllaHide: [screenshot: ScyllaTest output, "hiding"]

This process works for any debugger; if you feel like it, you can even make an actual plugin for WinDbg. It should be quite easy.

I just added an option to inject to a process by process id. You can do this with:

    InjectorCLIx86.exe pid:1234 HookLibraryx86.dll

mrexodia
  • While this does seem to work for usermode applications, I have to test the associated TitanHide (https://github.com/mrexodia/TitanHide/blob/master/README.md) for Kernel mode. ScyllaTest reports NtQuerySystemInformation_KernelDebugger: DETECTED – Kevin Dec 13 '17 at 20:06
  • Yes, ScyllaHide (and TitanHide for that matter) only work on usermode applications. – mrexodia Dec 14 '17 at 00:28

I am not sure if plugins exist, but you can write simple scripts like the ones below to hide WinDbg on a case-by-case basis.

  • Peb->BeingDebugged

    r?$t0 = (ntdll!_peb *) @$peb;?? @$t0->BeingDebugged;eb (@$t0+2) 0;?? @$t0->BeingDebugged
    
  • ZwSetInformationThread (XP SP3 syscalls with sysenter)

    bp ntdll!ZwSetInformationThread "r eip = $ip+0n12 ; r eax = 0; gc" 
    
  • ZwQueryInformationProcess

    the syntax is similar to ZwSetInformationThread; in addition, you would also need to fake out DebugPort to NULL with

    ed poi(ADDRESS)  0
    

Reading

0xC0000022L
blabb
    ah, but anti-debugging is fraught with special cases - you can't arbitrarily zero the DebugPort, for example, without first checking the PID, in case the process is being debugged intentionally. Anyway, see my "Ultimate" Anti-Debugging Reference (pferrie.host22.com/papers/unp2011.htm) for a long list of tricks that you'd need to support (and some that you can't because they are direct kernel-returned data). – peter ferrie May 23 '13 at 16:01
  • @peterferrie awesome reference, thanks for sharing! – Till May 25 '13 at 01:44
  • @peterferrie thanks for the comment. I wrote "case to case basis" just because I understand that there are a lot of special cases; anyway, I have read your paper earlier, quite a nice collection of anti-debug tricks – blabb May 30 '13 at 18:47
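The three cases from the answer above collected into one WinDbg script, as an added example that is not part of blabb's answer. It goes slightly beyond the answer: instead of skipping a fixed 12-byte XP SP3 sysenter stub, the ZwSetInformationThread breakpoint only acts on ThreadHideFromDebugger (0x11) and fakes a successful stdcall return from the stack frame, and the ZwQueryInformationProcess breakpoint only zeroes the caller's buffer for ProcessDebugPort (7) via a one-shot breakpoint on the return address. The script name, the stack offsets (32-bit stdcall, arguments read at function entry) and loaded ntdll symbols are assumptions.

```windbg
$$ hide-windbg.wds (hypothetical name); load in WinDbg with:  $$>a< hide-windbg.wds
$$ x86 targets only: [esp] = return address, [esp+4] = first argument, and so on.
$$ Assumes ntdll symbols resolve (.reload /f ntdll.dll if they do not).

$$ 1. PEB->BeingDebugged: the byte at PEB+2 that IsDebuggerPresent() reads. Clear it once.
r? $t0 = (ntdll!_peb *) @$peb
eb (@$t0 + 2) 0
?? @$t0->BeingDebugged

$$ 2. NtSetInformationThread(ThreadHideFromDebugger = 0x11):
$$    never let the call reach the kernel; emulate "ret 0x10" (4 args x 4 bytes
$$    plus the return address = 0x14) and report STATUS_SUCCESS in eax.
$$    Other information classes are passed through untouched.
bp ntdll!ZwSetInformationThread ".if (poi(@esp+8) == 0x11) { r eip = poi(@esp); r esp = @esp + 0x14; r eax = 0 }; gc"

$$ 3. NtQueryInformationProcess(ProcessDebugPort = 7):
$$    let the real call run, then write 0 into the caller's ProcessInformation
$$    buffer ([esp+0xc] at entry) from a one-shot breakpoint at the return address.
bp ntdll!ZwQueryInformationProcess ".if (poi(@esp+8) == 7) { r $t1 = poi(@esp+0xc); bp /1 poi(@esp) \"ed @$t1 0; gc\" }; gc"

.echo hiding breakpoints installed
bl
```

Run ScyllaTest (from the ScyllaHide package mentioned in the accepted answer) under WinDbg before and after loading the script to see which of these three checks it still reports as DETECTED.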

I don't think such a plugin currently exists. However, if you're willing to implement a minimal windbg backend, you could extend uberstealth, which unfortunately I never got around to finishing as a project (actually I think anti-debugging is dead anyway, but that's another story ;-)). It's essentially IDAStealth, but with all debugger-specific functionality factored out (there's a backend for IDA and Olly2). All you'd have to do is write a backend for Windbg (and fix the remaining bugs, I could help you with that though); all other code is debugger independent. Should be less than a few dozen lines of code.

newgre
  • Such a plugin indeed does not exist, but you don't need one either. See my answer (posting this comment in case the accepted answer doesn't change). – mrexodia May 31 '17 at 14:31

Here you can download QEMU virtual machine with embedded WinDbg stub: https://github.com/ispras/qemu/releases https://github.com/ispras/qemu/tree/windbg

This stub allows debugging with WinDbg without enabling Windows debugging mode.