├── HideDebugger ├── .gitignore ├── HideDebugger.def ├── distorm.lib ├── distorm_dbg.lib ├── DebugEvent.cpp ├── DebugEvent.h ├── RemoteEventWriter.cpp ├── RemoteEventCommon.h ├── resource.h ├── IPCDebugEventWriter.cpp ├── RemoteEventCommon.cpp ├── IPCDebugEventHelper.h ├── RemoteEventWriter.h ├── HideDebugger.h ├── IPCDebugEventWriter.h ├── IPCConfigExchangeReader.h ├── IPCDebugEventHelper.cpp ├── IPCConfigExchangeReader.cpp ├── ThreadDebugRegisterState.h ├── HideDebugger.sln ├── HookHelper.h ├── ObjectTextSerialization.h ├── ThreadDebugRegisterState.cpp ├── HideDebugger.rc └── HideDebuggerProfile.cpp ├── RDTSCEmu ├── driver │ ├── .gitignore │ ├── drvversion.rc │ ├── distorm_dummy.c │ ├── makefile │ ├── HookInt.h │ ├── sources │ ├── drvcommon.h │ ├── RDTSCEmu.h │ ├── HookInt.cpp │ ├── RDTSCEmu.WLH.vcxproj.filters │ ├── drvversion.h │ └── RDTSCEmu.sln └── distorm │ ├── src │ ├── prefix.c │ ├── dummy.c │ ├── insts.h │ ├── wstring.c │ ├── operands.h │ ├── decoder.h │ ├── wstring.h │ ├── pydistorm.h │ ├── distorm.c │ ├── prefix.h │ ├── textdefs.h │ ├── pydistorm.c │ └── x86defs.h │ └── config.h ├── StealthDriver ├── StealthDriver │ ├── .gitignore │ ├── DynamicDriverNameDummy.cpp │ ├── StealthImplementation.h │ ├── makefile │ ├── sources │ ├── StealthDriver.h │ ├── drvcommon.h │ ├── drvversion.h │ ├── drvversion.rc │ ├── StealthDriver.W7.vcxproj.filters │ └── StealthDriver.cpp ├── .gitignore └── StealthDriver.sln ├── uberstealth ├── .gitignore ├── distorm.lib ├── distorm_dbg.lib ├── uberstealth_logo.jpg ├── WTLCommon.h ├── IDACommon.h ├── IPCConfigExchangeCommon.cpp ├── StealthSession.h ├── OllyEngine.h ├── ResourceItem.h ├── DriverControl.h ├── IPCConfigExchangeWriter.h ├── ProfileEventConsumer.h ├── IPCConfigExchangeCommon.h ├── ResourceItem.cpp ├── OllyEngine.cpp ├── UberstealthPropertyPage.h ├── WTLInputBox.h ├── SaveChangesDialog.h ├── UberstealthPage2.h ├── RemoteStealthSession.h ├── version.h ├── IPCConfigExchangeWriter.cpp ├── WTLWrapper.h ├── ConfigProvider.h ├── UberstealthDriversPage.h ├── IDAEngine.h ├── UberstealthOptionsDialog.h ├── UberstealthPage1.h ├── RemoteStealthSession.cpp ├── UberstealthPageMisc.h ├── UberstealthAboutPage.h ├── OllyStealth.cpp ├── IDAEngine.cpp ├── UberstealthPage2.cpp ├── uberstealth.sln ├── DriverControl.cpp └── UberstealthPage1.cpp ├── README.md ├── bin ├── uberstealth.plw └── HideDebugger.dll ├── NInjectLib ├── GenericInjector.cpp ├── RemoteLibCall.h ├── InjectLib.h ├── GenericInjector.h ├── Readme.txt ├── IATModifier.h ├── Process.h └── RemoteLibCall.cpp ├── NCodeHook ├── NCodeHookInstantiation.h ├── NCodeHookItem.h ├── NCodeHook.h └── distorm.h ├── DynamicDriverName ├── DynamicDriverName.h └── DynamicDriverName.cpp ├── uberstealthRemote ├── IDAStealthRemote.h ├── TemporaryConfigFile.h ├── resource.h ├── RemoteStealthServer.h ├── RemoteStealthClient.h ├── TemporaryConfigFile.cpp ├── RemoteStealthClient.cpp ├── IDAStealthRemote.cpp ├── RemoteStealthSession.h ├── uberstealthRemote.sln ├── RemoteStealthSession.cpp ├── RemoteStealthProtocol.h ├── IDAStealthRemote.rc ├── RemoteStealthConnection.h ├── RemoteStealthServer.cpp └── .gitignore ├── common ├── InjectionBeacon.h ├── StringHelper.h ├── StringHelper.cpp └── InjectionBeacon.cpp └── .gitignore /HideDebugger/.gitignore: -------------------------------------------------------------------------------- 1 | 2 | *.user -------------------------------------------------------------------------------- /RDTSCEmu/driver/.gitignore: -------------------------------------------------------------------------------- 1 | 2 | *.user -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/.gitignore: -------------------------------------------------------------------------------- 1 | 2 | *.user -------------------------------------------------------------------------------- /uberstealth/.gitignore: -------------------------------------------------------------------------------- 1 | 2 | *.user 3 | *.ncb 4 | *.suo 5 | *.aps -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/DynamicDriverNameDummy.cpp: -------------------------------------------------------------------------------- 1 | #include "DynamicDriverName.cpp" -------------------------------------------------------------------------------- /HideDebugger/HideDebugger.def: -------------------------------------------------------------------------------- 1 | LIBRARY "HideDebugger" 2 | 3 | EXPORTS 4 | dummyExport @1 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | uberstealth 2 | =========== 3 | 4 | https://code.google.com/p/uberstealth/ 5 | -------------------------------------------------------------------------------- /bin/uberstealth.plw: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/uberstealth/HEAD/bin/uberstealth.plw -------------------------------------------------------------------------------- /bin/HideDebugger.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/uberstealth/HEAD/bin/HideDebugger.dll -------------------------------------------------------------------------------- /HideDebugger/distorm.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/uberstealth/HEAD/HideDebugger/distorm.lib -------------------------------------------------------------------------------- /uberstealth/distorm.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/uberstealth/HEAD/uberstealth/distorm.lib -------------------------------------------------------------------------------- /HideDebugger/distorm_dbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/uberstealth/HEAD/HideDebugger/distorm_dbg.lib -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/prefix.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/uberstealth/HEAD/RDTSCEmu/distorm/src/prefix.c -------------------------------------------------------------------------------- /RDTSCEmu/driver/drvversion.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/uberstealth/HEAD/RDTSCEmu/driver/drvversion.rc -------------------------------------------------------------------------------- /uberstealth/distorm_dbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/uberstealth/HEAD/uberstealth/distorm_dbg.lib -------------------------------------------------------------------------------- /NInjectLib/GenericInjector.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/uberstealth/HEAD/NInjectLib/GenericInjector.cpp -------------------------------------------------------------------------------- /uberstealth/uberstealth_logo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nihilus/uberstealth/HEAD/uberstealth/uberstealth_logo.jpg -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/StealthImplementation.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "StealthDriver.h" 5 | 6 | void hookSysCall(StealthHook hook); 7 | void unhookSysCall(StealthHook hook); 8 | bool initSysCallHooking(); -------------------------------------------------------------------------------- /HideDebugger/DebugEvent.cpp: -------------------------------------------------------------------------------- 1 | #include "DebugEvent.h" 2 | #include 3 | 4 | extern void issueDebugEvent(DebugEvent event, uintptr_t retAddress) 5 | { 6 | event; 7 | retAddress; 8 | RaiseException(DebugEventExceptionCode, 0, 0, NULL); 9 | } -------------------------------------------------------------------------------- /RDTSCEmu/driver/distorm_dummy.c: -------------------------------------------------------------------------------- 1 | #include "x86defs.c" 2 | #include "wstring.c" 3 | #include "textdefs.c" 4 | #include "prefix.c" 5 | #include "operands.c" 6 | #include "insts.c" 7 | #include "instructions.c" 8 | #include "distorm.c" 9 | #include "decoder.c" -------------------------------------------------------------------------------- /HideDebugger/DebugEvent.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | enum DebugEvent { PreSehHandlerInvocationEvent, PreNtContinueEvent }; 6 | 7 | const unsigned int DebugEventExceptionCode = 0x42424242; 8 | 9 | extern void issueDebugEvent(DebugEvent event, uintptr_t retAddress); -------------------------------------------------------------------------------- /RDTSCEmu/driver/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the driver components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /RDTSCEmu/driver/HookInt.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef __cplusplus 4 | extern "C" { 5 | #endif 6 | #include 7 | #include 8 | #ifdef __cplusplus 9 | }; // extern "C" 10 | #endif 11 | 12 | VOID hookInterrupt(PVOID newHandler, ULONG number, PUINT_PTR oldHandler); 13 | VOID switchToCPU(CCHAR cpu); -------------------------------------------------------------------------------- /uberstealth/WTLCommon.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #define _WTL_NEW_PAGE_NOTIFY_HANDLERS 12 | #include 13 | #include -------------------------------------------------------------------------------- /NCodeHook/NCodeHookInstantiation.h: -------------------------------------------------------------------------------- 1 | // Convenience typedefs xor IA32 and X64. 2 | 3 | #pragma once 4 | 5 | #include "NCodeHook.cpp" 6 | 7 | template class NCodeHook; 8 | typedef NCodeHook NCodeHookIA32; 9 | 10 | template class NCodeHook; 11 | typedef NCodeHook NCodeHookX64; -------------------------------------------------------------------------------- /uberstealth/IDACommon.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef IDASTEALTH 4 | 5 | #define USE_STANDARD_FILE_FUNCTIONS 6 | #pragma warning(disable : 4996 4512 4127 4201 4244) 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #pragma warning(default : 4996 4512 4127 4201 4244) 13 | 14 | #endif -------------------------------------------------------------------------------- /DynamicDriverName/DynamicDriverName.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef __cplusplus 4 | extern "C" { 5 | #endif 6 | 7 | #include 8 | #include 9 | 10 | bool initDeviceNames(PUNICODE_STRING registryPath); 11 | 12 | #ifdef __cplusplus 13 | }; // extern "C" 14 | #endif 15 | 16 | extern UNICODE_STRING DynamicDeviceName; 17 | extern UNICODE_STRING DynamicDosDeviceName; -------------------------------------------------------------------------------- /HideDebugger/RemoteEventWriter.cpp: -------------------------------------------------------------------------------- 1 | #include "RemoteEventWriter.h" 2 | #include "ObjectTextSerialization.h" 3 | 4 | uberstealth::RemoteEventWriter::RemoteEventWriter() : 5 | mq_(boost::interprocess::open_only, genRemoteEventName().c_str()) {} 6 | 7 | void uberstealth::RemoteEventWriter::sendEvent(const RemoteEventData& /*data*/) const { 8 | //serialize(data, mq_); 9 | //mq_.send() 10 | } -------------------------------------------------------------------------------- /uberstealth/IPCConfigExchangeCommon.cpp: -------------------------------------------------------------------------------- 1 | #include "IPCConfigExchangeCommon.h" 2 | #include 3 | 4 | namespace uberstealth { 5 | std::string getSegmentName(unsigned int processID) { 6 | std::ostringstream oss; 7 | oss << "HideDebugger" << processID; 8 | return oss.str(); 9 | } 10 | 11 | std::string getSegmentName() { 12 | return getSegmentName(GetCurrentProcessId()); 13 | } 14 | } -------------------------------------------------------------------------------- /uberstealthRemote/IDAStealthRemote.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // minimum OS is Windows 2000 4 | #ifndef _WIN32_WINNT 5 | #define _WIN32_WINNT 0x0500 6 | #endif 7 | 8 | #include 9 | 10 | #pragma warning(disable : 4702) 11 | #include 12 | #pragma warning(default : 4702) 13 | 14 | #include 15 | #include "RemoteStealthServer.h" 16 | #include -------------------------------------------------------------------------------- /HideDebugger/RemoteEventCommon.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // common data structures for remote event inter process communication 4 | 5 | #include 6 | 7 | namespace uberstealth 8 | { 9 | struct RemoteEventData 10 | { 11 | std::string functionName; 12 | unsigned int threadID; 13 | }; 14 | 15 | std::string genRemoteEventName(unsigned int processID); 16 | std::string genRemoteEventName(); 17 | } -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/dummy.c: -------------------------------------------------------------------------------- 1 | // Since the DDK's nmake is limited with directories, we will bypass that with this simple hack. 2 | // Thanks to Razvan Hobeanu. 3 | // Sep 2009. 4 | 5 | #include "x86defs.c" 6 | #include "wstring.c" 7 | #include "textdefs.c" 8 | #include "prefix.c" 9 | #include "operands.c" 10 | #include "insts.c" 11 | #include "instructions.c" 12 | #include "distorm.c" 13 | #include "decoder.c" 14 | -------------------------------------------------------------------------------- /RDTSCEmu/driver/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=RDTSCEmu 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) -DSUPPORT_64BIT_OFFSET 12 | 13 | SOURCES=RDTSCEmu.cpp \ 14 | distorm_dummy.c \ 15 | HookInt.cpp \ 16 | drvversion.rc 17 | 18 | INCLUDES=..\distorm\src; -------------------------------------------------------------------------------- /HideDebugger/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by HideDebugger.rc 4 | 5 | // Next default values for new objects 6 | // 7 | #ifdef APSTUDIO_INVOKED 8 | #ifndef APSTUDIO_READONLY_SYMBOLS 9 | #define _APS_NEXT_RESOURCE_VALUE 101 10 | #define _APS_NEXT_COMMAND_VALUE 40001 11 | #define _APS_NEXT_CONTROL_VALUE 1001 12 | #define _APS_NEXT_SYMED_VALUE 101 13 | #endif 14 | #endif 15 | -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=StealthDriver 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | 7 | # Create browse info 8 | #BROWSER_INFO=1 9 | #BROWSERFILE= 10 | 11 | # Additional defines for the C/C++ preprocessor 12 | C_DEFINES=$(C_DEFINES) 13 | 14 | SOURCES=StealthDriver.cpp \ 15 | StealthImplementation.cpp \ 16 | drvversion.rc \ 17 | DynamicDriverNameDummy.cpp 18 | 19 | INCLUDES=..\..\DynamicDriverName; -------------------------------------------------------------------------------- /uberstealth/StealthSession.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace uberstealth { 4 | 5 | class StealthSession { 6 | public: 7 | virtual void handleDebuggerStart(unsigned int processId, uintptr_t baseAddress) =0; 8 | virtual void handleDebuggerAttach(unsigned int processId) =0; 9 | virtual void handleDebuggerExit() =0; 10 | virtual void handleBreakpoint(unsigned int threadId, uintptr_t address) =0; 11 | virtual void handleException(unsigned int exceptionCode) =0; 12 | }; 13 | 14 | } -------------------------------------------------------------------------------- /HideDebugger/IPCDebugEventWriter.cpp: -------------------------------------------------------------------------------- 1 | #include "IPCDebugEventWriter.h" 2 | 3 | hidedebugger::IPCDebugEventWriter::IPCDebugEventWriter() 4 | { 5 | sharedMem_ = createAntiDebugEventIPC(); 6 | } 7 | 8 | bool hidedebugger::IPCDebugEventWriter::issueDebugEvent(AntiDebuggingEvent event, uintptr_t returnAddress) 9 | { 10 | event; 11 | returnAddress; 12 | return false; 13 | } 14 | 15 | hidedebugger::IPCDebugEventWriter::~IPCDebugEventWriter() 16 | { 17 | // remove managed_shared_memory 18 | } -------------------------------------------------------------------------------- /HideDebugger/RemoteEventCommon.cpp: -------------------------------------------------------------------------------- 1 | #include "RemoteEventCommon.h" 2 | #include 3 | #include 4 | 5 | namespace uberstealth 6 | { 7 | // gen unique name for message queue object 8 | std::string genRemoteEventName(unsigned int processID) 9 | { 10 | std::ostringstream oss; 11 | oss << "IDAStealthRemoteEvent" << processID; 12 | return oss.str(); 13 | } 14 | 15 | std::string genRemoteEventName() 16 | { 17 | return genRemoteEventName(GetCurrentProcessId()); 18 | } 19 | } -------------------------------------------------------------------------------- /uberstealth/OllyEngine.h: -------------------------------------------------------------------------------- 1 | // The OllyDbg specific functions required to implement uberstealth. 2 | 3 | #pragma once 4 | 5 | #include 6 | 7 | namespace uberstealth { 8 | 9 | class OllyEngine 10 | { 11 | public: 12 | bool setBreakpoint(uintptr_t address) const; 13 | bool removeBreakpoint(uintptr_t address) const; 14 | void setExceptionOption(unsigned int exceptionCode, bool ignore) const; 15 | bool continueProcess() const; 16 | void logString(const char* str, ...) const; 17 | }; 18 | 19 | } -------------------------------------------------------------------------------- /NCodeHook/NCodeHookItem.h: -------------------------------------------------------------------------------- 1 | // Describes a hooked function and contains all necessary data to restore the jump to the original function. 2 | 3 | #pragma once 4 | 5 | struct NCodeHookItem { 6 | NCodeHookItem() : OriginalFunc(0), HookFunc(0), PatchSize(0), Trampoline(0) {}; 7 | NCodeHookItem(uintptr_t of, uintptr_t hf, uintptr_t tp, uintptr_t ps) 8 | : OriginalFunc(of), HookFunc(hf), Trampoline(tp), PatchSize(ps) {}; 9 | uintptr_t OriginalFunc; 10 | uintptr_t HookFunc; 11 | uintptr_t PatchSize; 12 | uintptr_t Trampoline; 13 | }; -------------------------------------------------------------------------------- /uberstealthRemote/TemporaryConfigFile.h: -------------------------------------------------------------------------------- 1 | // Creates a temporary file that is deleted on destruction of the object instance. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | class TemporaryConfigFile : public boost::noncopyable { 10 | public: 11 | TemporaryConfigFile(const std::string& serializedConfig); 12 | ~TemporaryConfigFile(); 13 | boost::filesystem::path getFileName() const { return fileName_; } 14 | 15 | private: 16 | boost::filesystem::path fileName_; 17 | }; -------------------------------------------------------------------------------- /HideDebugger/IPCDebugEventHelper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | /** 4 | * Helper functions to construct ipc objects for both, reader and writer components of the debug event mechanism. 5 | **/ 6 | 7 | #include 8 | #include 9 | 10 | namespace hidedebugger 11 | { 12 | typedef boost::shared_ptr managed_shared_memory_ptr; 13 | 14 | managed_shared_memory_ptr createAntiDebugEventIPC(); 15 | 16 | managed_shared_memory_ptr openAntiDebugEventIPC(unsigned int processId); 17 | } -------------------------------------------------------------------------------- /HideDebugger/RemoteEventWriter.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "RemoteEventCommon.h" 5 | //#include 6 | #include 7 | 8 | namespace uberstealth 9 | { 10 | class RemoteEventWriter 11 | { 12 | public: 13 | 14 | RemoteEventWriter(); 15 | ~RemoteEventWriter() {} 16 | 17 | void sendEvent(const RemoteEventData& data) const; 18 | 19 | private: 20 | 21 | boost::interprocess::message_queue mq_; 22 | }; 23 | 24 | //typedef boost::shared_ptr RemoteEventWriterPtr; 25 | } -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/insts.h: -------------------------------------------------------------------------------- 1 | /* 2 | insts.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef INSTS_H 10 | #define INSTS_H 11 | 12 | #include "instructions.h" 13 | 14 | /* Root Trie DB */ 15 | extern _InstNode Instructions; 16 | /* 3DNow! Trie DB */ 17 | extern _InstNode Table_0F_0F; 18 | /* NOP/XCHG instruction. */ 19 | extern _InstInfo II_90; 20 | /* LEA instruction. */ 21 | extern _InstInfo II_8D; 22 | 23 | /* See instructions.cpp for more info. */ 24 | 25 | #endif /* INSTS_H */ 26 | -------------------------------------------------------------------------------- /uberstealth/ResourceItem.h: -------------------------------------------------------------------------------- 1 | // Represents a resource specified by an ID and a name in the resource section of a given module. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include 7 | 8 | namespace uberstealth { 9 | 10 | class ResourceItem { 11 | public: 12 | ResourceItem(HMODULE hModule, int resourceID, const std::string& resourceType); 13 | void* getData() const; 14 | bool saveDataToFile(const std::string& fileName) const; 15 | size_t getDataSize() const { return size_; }; 16 | 17 | private: 18 | HMODULE hModule_; 19 | int resID_; 20 | std::string resType_; 21 | mutable size_t size_; 22 | }; 23 | 24 | } -------------------------------------------------------------------------------- /uberstealthRemote/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by IDAStealthRemote.rc 4 | // 5 | #define IDR_RDTSC 101 6 | #define IDR_DRV1 102 7 | #define IDR_STEALTH 102 8 | 9 | // Next default values for new objects 10 | // 11 | #ifdef APSTUDIO_INVOKED 12 | #ifndef APSTUDIO_READONLY_SYMBOLS 13 | #define _APS_NEXT_RESOURCE_VALUE 103 14 | #define _APS_NEXT_COMMAND_VALUE 40001 15 | #define _APS_NEXT_CONTROL_VALUE 1001 16 | #define _APS_NEXT_SYMED_VALUE 101 17 | #endif 18 | #endif 19 | -------------------------------------------------------------------------------- /uberstealthRemote/RemoteStealthServer.h: -------------------------------------------------------------------------------- 1 | // Implements the IDAStealth remote server. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include 7 | #include 8 | #include "RemoteStealthConnection.h" 9 | #include "RemoteStealthProtocol.h" 10 | 11 | namespace uberstealth { 12 | class RemoteStealthServer { 13 | public: 14 | RemoteStealthServer(boost::asio::io_service& ioService, unsigned short port); 15 | void run(); 16 | 17 | private: 18 | void session(boost::shared_ptr connection); 19 | 20 | boost::asio::ip::tcp::acceptor acceptor_; 21 | boost::asio::io_service& ioService_; 22 | uberstealth::RSProtocolItem protocolItem_; 23 | }; 24 | } -------------------------------------------------------------------------------- /HideDebugger/HideDebugger.h: -------------------------------------------------------------------------------- 1 | // The following ifdef block is the standard way of creating macros which make exporting 2 | // from a DLL simpler. All files within this DLL are compiled with the HIDEDEBUGGER_EXPORTS 3 | // symbol defined on the command line. this symbol should not be defined on any project 4 | // that uses this DLL. This way any other project whose source files include this file see 5 | // HIDEDEBUGGER_API functions as being imported from a DLL, whereas this DLL sees symbols 6 | // defined with this macro as being exported. 7 | #ifdef HIDEDEBUGGER_EXPORTS 8 | #define HIDEDEBUGGER_API __declspec(dllexport) 9 | #else 10 | #define HIDEDEBUGGER_API __declspec(dllimport) 11 | #endif 12 | 13 | HIDEDEBUGGER_API int dummyExport() { return 42; } -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/wstring.c: -------------------------------------------------------------------------------- 1 | /* 2 | wstring.c 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #include "wstring.h" 10 | 11 | void _FASTCALL_ strcpy_WS(_WString* s, const int8_t* buf) 12 | { 13 | s->pos = (unsigned int)strlen((const char*)buf); 14 | memcpy((int8_t*)s->p, buf, s->pos + 1); 15 | } 16 | 17 | void _FASTCALL_ strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len) 18 | { 19 | s->pos = len; 20 | memcpy((int8_t*)s->p, buf, len + 1); 21 | } 22 | 23 | void _FASTCALL_ strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len) 24 | { 25 | memcpy((int8_t*)&s->p[s->pos], buf, len + 1); 26 | s->pos += len; 27 | } 28 | -------------------------------------------------------------------------------- /common/InjectionBeacon.h: -------------------------------------------------------------------------------- 1 | // The injection beacon is used to test whether the HideDebugger.dll should initialize all the stealth measures. 2 | // If a process loads the dll manually via LoadLibrary (e.g. OllyDbg), the dll cannot access the shared memory 3 | // which is used to communicate between debugger and debuggee. Thus, all functionality must be disabled. 4 | 5 | #pragma once 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | namespace uberstealth { 12 | 13 | class InjectionBeacon : public boost::noncopyable { 14 | public: 15 | InjectionBeacon() : 16 | hMutex_(NULL) {} 17 | InjectionBeacon(uintptr_t processId); 18 | ~InjectionBeacon(); 19 | bool queryBeacon(); 20 | 21 | private: 22 | HANDLE hMutex_; 23 | }; 24 | 25 | } -------------------------------------------------------------------------------- /uberstealthRemote/RemoteStealthClient.h: -------------------------------------------------------------------------------- 1 | // Implements the IDAStealth remote client. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include 7 | #include "RemoteStealthConnection.h" 8 | #include "RemoteStealthProtocol.h" 9 | 10 | namespace uberstealth { 11 | class RemoteStealthClient { 12 | public: 13 | RemoteStealthClient(boost::asio::io_service& ioService,boost::asio::ip::tcp::resolver::iterator endPointIterator); 14 | void sendData(const RSProtocolItem& item); 15 | void connect(); 16 | 17 | private: 18 | RemoteStealthClient& operator=(const RemoteStealthClient &); 19 | boost::asio::io_service& ioService_; 20 | boost::asio::ip::tcp::resolver::iterator endPointIterator_; 21 | boost::shared_ptr connection_; 22 | }; 23 | } -------------------------------------------------------------------------------- /HideDebugger/IPCDebugEventWriter.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "IPCDebugEventHelper.h" 5 | 6 | enum AntiDebuggingEvent { PreSEHException }; 7 | 8 | namespace hidedebugger 9 | { 10 | /* 11 | * Defines the single-instance IPC object which is used to inform the IDAStealth plugin 12 | * about the invocation of an anti-debugging technique in a specific thread. 13 | **/ 14 | class IPCDebugEventWriter 15 | { 16 | public: 17 | 18 | static IPCDebugEventWriter& getInstance() 19 | { 20 | static IPCDebugEventWriter instance; 21 | return instance; 22 | } 23 | 24 | ~IPCDebugEventWriter(); 25 | bool issueDebugEvent(AntiDebuggingEvent event, uintptr_t returnAddress); 26 | 27 | private: 28 | 29 | IPCDebugEventWriter(); 30 | managed_shared_memory_ptr sharedMem_; 31 | }; 32 | } -------------------------------------------------------------------------------- /HideDebugger/IPCConfigExchangeReader.h: -------------------------------------------------------------------------------- 1 | // Used by the injected dll to read the original PE header, the path to the debugger profile 2 | // as well as the process id of the debugger. 3 | 4 | #pragma once 5 | 6 | #include 7 | #pragma warning(disable : 4189) 8 | #include 9 | #pragma warning(default : 4189) 10 | #include "uberstealth/IPCConfigExchangeCommon.h" 11 | 12 | namespace uberstealth { 13 | 14 | class IPCConfigExchangeReader { 15 | public: 16 | IPCConfigExchangeReader(); 17 | std::string getProfileFile(); 18 | std::string getProfile(); 19 | unsigned int getDebuggerProcessID(); 20 | uberstealth::IPCPEHeaderData getIPCPEHeaderData(); 21 | bool isPERestoreRequired(); 22 | 23 | private: 24 | boost::interprocess::managed_shared_memory segment_; 25 | }; 26 | } -------------------------------------------------------------------------------- /NInjectLib/RemoteLibCall.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #include "InjectLib.h" 7 | #include "GenericInjector.h" 8 | #include "Process.h" 9 | 10 | const int MaxFuncNameLength = 42; 11 | 12 | // class to perform a procedure call to an dll which was previously injected into a remote process 13 | class RemoteLibCall 14 | { 15 | public: 16 | RemoteLibCall(const InjectLibrary& library, const Process& process); 17 | ~RemoteLibCall(); 18 | bool remoteCall(const std::string& functionName); 19 | bool remoteCall(unsigned int exportNumber); 20 | 21 | private: 22 | bool remoteCall(); 23 | INJECT_DATAPAYLOAD createDataPayload(); 24 | INJECT_CODEPAYLOAD createCodePayload(); 25 | 26 | Process process_; 27 | HMODULE hDll_; 28 | std::string functionName_; 29 | int functionNumber_; 30 | }; 31 | -------------------------------------------------------------------------------- /uberstealth/DriverControl.h: -------------------------------------------------------------------------------- 1 | // This class allows for starting/stopping kernel mode drivers. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include "ResourceItem.h" 7 | 8 | namespace uberstealth { 9 | 10 | class DriverControl { 11 | public: 12 | DriverControl(); 13 | void startDriver(const ResourceItem& ri, const std::string& driverName); 14 | void stopDriver(); 15 | void setMode(unsigned int ioctlCode, void* param, size_t paramSize) const; 16 | std::string getDriverPath() const { return driverPath_; } 17 | bool isRunning() const { return running_; } 18 | 19 | private: 20 | void controlDriver(const std::string& driverPath, const std::string& driverName, bool load) const; 21 | void throwSysError(unsigned int lastError, const std::string& msg) const; 22 | bool running_; 23 | std::string driverPath_; 24 | std::string driverName_; 25 | }; 26 | 27 | } -------------------------------------------------------------------------------- /uberstealth/IPCConfigExchangeWriter.h: -------------------------------------------------------------------------------- 1 | // Allows the debugger to transfer all needed configuration data to the debugge via IPC. 2 | 3 | #pragma once 4 | 5 | #pragma warning(disable : 4189) 6 | #include 7 | #pragma warning(default : 4189) 8 | #include 9 | #include "IPCConfigExchangeCommon.h" 10 | 11 | namespace uberstealth { 12 | class IPCConfigExchangeWriter { 13 | public: 14 | IPCConfigExchangeWriter(unsigned int processID); 15 | ~IPCConfigExchangeWriter(); 16 | void setProfileFile(const std::string& configFile); 17 | void setIDAProcessID(unsigned int processID); 18 | void setIPCPEHeaderData(const IPCPEHeaderData& headerData); 19 | void setPERestoreRequired(bool required); 20 | 21 | private: 22 | boost::interprocess::managed_shared_memory segment_; 23 | unsigned int processID_; 24 | }; 25 | } -------------------------------------------------------------------------------- /uberstealthRemote/TemporaryConfigFile.cpp: -------------------------------------------------------------------------------- 1 | #include "TemporaryConfigFile.h" 2 | #include 3 | 4 | TemporaryConfigFile::TemporaryConfigFile(const std::string& serializedConfig) { 5 | wchar_t tmpPath[MAX_PATH]; 6 | wchar_t tmpFileName[MAX_PATH]; 7 | GetTempPath(MAX_PATH, tmpPath); 8 | if (!GetTempFileName(tmpPath, L"h4x0r", 0, tmpFileName)) 9 | throw std::runtime_error("Error while trying to serialize configuration to file: unable to get path for temp file."); 10 | fileName_ = boost::filesystem::path(tmpFileName); 11 | std::ofstream ofs(fileName_.string().c_str()); 12 | ofs.write(serializedConfig.c_str(), serializedConfig.length()); 13 | } 14 | 15 | TemporaryConfigFile::~TemporaryConfigFile() { 16 | try { 17 | boost::filesystem::remove(fileName_); 18 | } catch (const std::exception& exception) { 19 | std::cerr << exception.what(); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /uberstealthRemote/RemoteStealthClient.cpp: -------------------------------------------------------------------------------- 1 | #include "RemoteStealthClient.h" 2 | #include 3 | 4 | uberstealth::RemoteStealthClient::RemoteStealthClient(boost::asio::io_service& ioService, boost::asio::ip::tcp::resolver::iterator endPointIterator) : 5 | ioService_(ioService), 6 | endPointIterator_(endPointIterator) {} 7 | 8 | void uberstealth::RemoteStealthClient::sendData(const RSProtocolItem& item) { 9 | connection_->syncWrite(item); 10 | RSProtocolResponse response; 11 | connection_->syncRead(response); 12 | if (!response.success) { 13 | throw std::runtime_error("Error while performing remote command: " + response.error); 14 | } 15 | } 16 | 17 | void uberstealth::RemoteStealthClient::connect() { 18 | connection_ = boost::make_shared(boost::ref(ioService_)); 19 | connection_->socket().connect(*endPointIterator_); 20 | } -------------------------------------------------------------------------------- /NInjectLib/InjectLib.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #include "GenericInjector.h" 7 | #include "Process.h" 8 | 9 | // class to inject a dll into a remote process which is already running 10 | class InjectLibrary 11 | { 12 | public: 13 | InjectLibrary(const std::string& fileName, const Process& process); 14 | InjectLibrary(HMODULE hRemoteLib, const Process& process); 15 | ~InjectLibrary(); 16 | HMODULE getDllHandle() const; 17 | const Process& getProcess() const; 18 | bool injectLib(); 19 | bool unloadLib(); 20 | 21 | private: 22 | INJECT_DATAPAYLOAD createLoadLibData(); 23 | INJECT_CODEPAYLOAD createLoadLibCode(); 24 | INJECT_DATAPAYLOAD createUnloadLibData(); 25 | INJECT_CODEPAYLOAD createUnloadLibCode(); 26 | 27 | std::string fileName_; 28 | Process process_; 29 | HMODULE hDll_; 30 | }; 31 | -------------------------------------------------------------------------------- /NInjectLib/GenericInjector.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "Process.h" 5 | 6 | struct INJECT_DATAPAYLOAD 7 | { 8 | void* data; 9 | size_t size; 10 | }; 11 | 12 | struct INJECT_CODEPAYLOAD 13 | { 14 | void* code; 15 | size_t size; 16 | }; 17 | 18 | // abstract base class for injection of code and data into a remote process 19 | // derived classes need to implement methods that generate specific code and data payload 20 | class GenericInjector 21 | { 22 | public: 23 | GenericInjector(const Process& process); 24 | ~GenericInjector(); 25 | 26 | void doInjection(INJECT_DATAPAYLOAD dataPayload, INJECT_CODEPAYLOAD codePayload); 27 | void* getAddrOfData() const; 28 | void* getAddrOfCode() const; 29 | 30 | private: 31 | void freeMem(); 32 | Process process_; 33 | void* injectedData_; 34 | void* injectedCode_; 35 | }; 36 | -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/operands.h: -------------------------------------------------------------------------------- 1 | /* 2 | operands.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef OPERANDS_H 10 | #define OPERANDS_H 11 | 12 | #include "../config.h" 13 | 14 | #include "decoder.h" 15 | #include "prefix.h" 16 | #include "wstring.h" 17 | #include "instructions.h" 18 | 19 | /* Return codes from extract_operand. */ 20 | typedef enum {EO_HALT, EO_CONTINUE, EO_SUFFIX} _ExOpRCType; 21 | 22 | _ExOpRCType extract_operand(_CodeInfo* ci, 23 | _WString* instructionHex, _WString* operandText, _OpType type, _OpType op2, 24 | _OperandNumberType opNum, _iflags instFlags, unsigned int modrm, 25 | _PrefixState* ps, _DecodeType dt, int* lockableInstruction); 26 | 27 | #endif /* OPERANDS_H */ 28 | -------------------------------------------------------------------------------- /common/StringHelper.h: -------------------------------------------------------------------------------- 1 | // Convert a given std::string (containing UTF-8 chars) to a unicode string and vice versa. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include 7 | 8 | namespace uberstealth { 9 | 10 | class StringToUnicode : public boost::noncopyable { 11 | public: 12 | StringToUnicode(const std::string& str) : 13 | s_(str), 14 | ws_(NULL) {} 15 | 16 | ~StringToUnicode() { 17 | delete[] ws_; 18 | } 19 | 20 | operator const wchar_t*(); 21 | 22 | private: 23 | const std::string& s_; 24 | wchar_t* ws_; 25 | }; 26 | 27 | class UnicodeToString : public boost::noncopyable { 28 | public: 29 | UnicodeToString(const std::wstring& str) : 30 | s_(str), 31 | as_(NULL) {}; 32 | 33 | ~UnicodeToString() { 34 | delete[] as_; 35 | } 36 | 37 | operator const char*(); 38 | operator std::string(); 39 | 40 | private: 41 | const std::wstring& s_; 42 | char* as_; 43 | }; 44 | 45 | } -------------------------------------------------------------------------------- /uberstealthRemote/IDAStealthRemote.cpp: -------------------------------------------------------------------------------- 1 | #include "IDAStealthRemote.h" 2 | #include 3 | #include "../uberstealth/version.h" 4 | 5 | int _tmain(int argc, char* argv[]) { 6 | try { 7 | std::wcout << REMOTESTEALTH_INFO_STRING << std::endl << std::endl; 8 | 9 | if (!boost::filesystem::exists("HideDebugger.dll")) { 10 | std::cout << "HideDebugger.dll not found...terminating." << std::endl; 11 | return 1; 12 | } 13 | 14 | unsigned short port = 4242; 15 | if (argc == 2) port = boost::lexical_cast(argv[1]); 16 | else std::cout << "Usage: IDAStealthRemote.exe " << std::endl 17 | << "Using standard port " << port << std::endl; 18 | std::cout << "Starting server..." << std::endl; 19 | 20 | boost::asio::io_service ioService; 21 | uberstealth::RemoteStealthServer server(ioService, port); 22 | server.run(); 23 | } 24 | catch (const std::exception& e) { 25 | std::cerr << e.what() << std::endl; 26 | } 27 | return 0; 28 | } -------------------------------------------------------------------------------- /uberstealthRemote/RemoteStealthSession.h: -------------------------------------------------------------------------------- 1 | // Represents the stealth session on the server side if "remote stealth" is used. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include 7 | #include "RemoteStealthProtocol.h" 8 | #include "RemoteStealthLogger.h" 9 | #include 10 | #include 11 | 12 | namespace uberstealth { 13 | 14 | class RemoteStealthSession : public StealthSession { 15 | public: 16 | RemoteStealthSession(const boost::filesystem::path& configFile); 17 | virtual void handleBreakPoint(unsigned int threadID, uintptr_t address); 18 | virtual void handleException(unsigned int exceptionCode); 19 | 20 | private: 21 | virtual ResourceItem getRDTSCDriverResource(); 22 | virtual ResourceItem getStealthDriverResource(); 23 | virtual std::string getStealthDllPath(); 24 | std::string serializeConfig(const std::string& configStr); 25 | std::string stealthDll_; 26 | }; 27 | } -------------------------------------------------------------------------------- /HideDebugger/IPCDebugEventHelper.cpp: -------------------------------------------------------------------------------- 1 | #include "IPCDebugEventHelper.h" 2 | #include 3 | #include 4 | 5 | namespace hidedebugger 6 | { 7 | const char* SegmentName = "AntiDebugEventIPC"; 8 | const size_t SegmentSize = sizeof(int) + sizeof(uintptr_t); 9 | 10 | std::string getSegmentName(unsigned int processId) 11 | { 12 | std::ostringstream oss; 13 | oss << SegmentName << processId; 14 | return oss.str(); 15 | } 16 | } 17 | 18 | hidedebugger::managed_shared_memory_ptr hidedebugger::createAntiDebugEventIPC() 19 | { 20 | using namespace boost::interprocess; 21 | return managed_shared_memory_ptr(new managed_shared_memory(create_only, getSegmentName(GetCurrentProcessId()).c_str(), SegmentSize)); 22 | } 23 | 24 | hidedebugger::managed_shared_memory_ptr hidedebugger::openAntiDebugEventIPC(unsigned int processId) 25 | { 26 | using namespace boost::interprocess; 27 | return managed_shared_memory_ptr(new managed_shared_memory(open_only, getSegmentName(processId).c_str())); 28 | } -------------------------------------------------------------------------------- /uberstealthRemote/uberstealthRemote.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "uberstealthRemote", "uberstealthRemote.vcxproj", "{5C3801A0-3EFE-4D6A-9138-1CF5E8A05A07}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {5C3801A0-3EFE-4D6A-9138-1CF5E8A05A07}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {5C3801A0-3EFE-4D6A-9138-1CF5E8A05A07}.Debug|Win32.Build.0 = Debug|Win32 14 | {5C3801A0-3EFE-4D6A-9138-1CF5E8A05A07}.Release|Win32.ActiveCfg = Release|Win32 15 | {5C3801A0-3EFE-4D6A-9138-1CF5E8A05A07}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /common/StringHelper.cpp: -------------------------------------------------------------------------------- 1 | #include "StringHelper.h" 2 | #include 3 | 4 | uberstealth::StringToUnicode::operator const wchar_t*() { 5 | if (!ws_) { 6 | size_t length = s_.length() + 1; 7 | int numberOfElements = MultiByteToWideChar(CP_UTF8, 0, s_.c_str(), static_cast(length), 0, 0); 8 | ws_ = new wchar_t[numberOfElements]; 9 | MultiByteToWideChar(CP_UTF8, 0, s_.c_str(), static_cast(length), ws_, numberOfElements); 10 | } 11 | return ws_; 12 | } 13 | 14 | uberstealth::UnicodeToString::operator const char*() { 15 | if (!as_) { 16 | size_t length = s_.length() + 1; 17 | int numberOfElements = WideCharToMultiByte(CP_UTF8, 0, s_.c_str(), static_cast(length), NULL, 0, NULL, NULL); 18 | as_ = new char[numberOfElements]; 19 | WideCharToMultiByte(CP_UTF8, 0, s_.c_str(), static_cast(length), as_, numberOfElements, NULL, NULL); 20 | } 21 | return as_; 22 | } 23 | 24 | uberstealth::UnicodeToString::operator std::string() { 25 | return std::string(operator const char*()); 26 | } 27 | -------------------------------------------------------------------------------- /uberstealth/ProfileEventConsumer.h: -------------------------------------------------------------------------------- 1 | // All classes which want to be informed about profile events need to implement this interface. 2 | 3 | #pragma once 4 | 5 | namespace uberstealth { 6 | 7 | class ProfileEventConsumer 8 | { 9 | public: 10 | // The consumer should update its internal state based on the given profile. 11 | virtual void loadProfile(const uberstealth::HideDebuggerProfile& profile) =0; 12 | 13 | // The consumer should update the given profile regarding to its internal state. 14 | // If its internal state cannot be mapped to the supplied profile it should return false and the profile is not saved (e.g. invalid characters entered by the user). 15 | virtual void flushProfile(uberstealth::HideDebuggerProfile& profile) =0; 16 | 17 | // The consumer should update its controls according to the given enable state. 18 | virtual void changeGlobalEnableState(bool globalEnable) =0; 19 | 20 | // The consumer needs to tell whether its internal state has unmodified changes. 21 | virtual bool isProfileDirty() =0; 22 | }; 23 | 24 | } -------------------------------------------------------------------------------- /common/InjectionBeacon.cpp: -------------------------------------------------------------------------------- 1 | #include "InjectionBeacon.h" 2 | #include 3 | #include 4 | #include "StringHelper.h" 5 | 6 | namespace { 7 | 8 | std::string generateMutexName(unsigned int processId) { 9 | std::ostringstream oss; 10 | oss << "uberstealth" << processId; 11 | return oss.str(); 12 | } 13 | 14 | std::string generateMutexName() { 15 | return generateMutexName(GetCurrentProcessId()); 16 | } 17 | 18 | } 19 | 20 | uberstealth::InjectionBeacon::~InjectionBeacon() { 21 | if (hMutex_) CloseHandle(hMutex_); 22 | } 23 | 24 | bool uberstealth::InjectionBeacon::queryBeacon() { 25 | HANDLE hMutex = OpenMutex(MUTEX_ALL_ACCESS, FALSE, uberstealth::StringToUnicode(generateMutexName())); 26 | if (hMutex) { 27 | CloseHandle(hMutex); 28 | return true; 29 | } 30 | else return false; 31 | } 32 | 33 | uberstealth::InjectionBeacon::InjectionBeacon(uintptr_t processId) { 34 | hMutex_ = CreateMutex(NULL, TRUE, StringToUnicode(generateMutexName(processId))); 35 | if (!hMutex_) throw std::runtime_error(std::string("Unable to create injection beacon mutex: ") + generateMutexName(processId)); 36 | } -------------------------------------------------------------------------------- /uberstealth/IPCConfigExchangeCommon.h: -------------------------------------------------------------------------------- 1 | // Defines the data structure that is read by the injected dll via IPC. 2 | // This data structure contains the original PE header of the debuggee as well as the image base address. 3 | 4 | #pragma once 5 | 6 | #include 7 | #include 8 | 9 | namespace uberstealth { 10 | static const char* ConfigFileDataStr = "HideDebuggerPathStrData212"; 11 | static const char* IDAProcessIDStr = "IDAProcessID"; 12 | static const char* PEHeaderDataStr = "PEHeaderData"; 13 | static const char* PERestoreRequiredStr = "PERestore"; 14 | static const size_t ConfigDataSegmentSize = MAX_PATH; 15 | static const size_t SegmentSize = 4096; 16 | 17 | std::string getSegmentName(unsigned int processID); 18 | std::string getSegmentName(); 19 | 20 | // TODO(jan.newger@newgre.net): store everything else in this struct as well (path, profile, etc). 21 | struct IPCPEHeaderData { 22 | IPCPEHeaderData() : imageBase(0) {} 23 | IPCPEHeaderData(uintptr_t base, const IMAGE_NT_HEADERS& headers) : 24 | imageBase(base), 25 | ntHeaders(headers) {} 26 | 27 | uintptr_t imageBase; 28 | IMAGE_NT_HEADERS ntHeaders; 29 | }; 30 | } -------------------------------------------------------------------------------- /HideDebugger/IPCConfigExchangeReader.cpp: -------------------------------------------------------------------------------- 1 | #include "IPCConfigExchangeReader.h" 2 | 3 | uberstealth::IPCConfigExchangeReader::IPCConfigExchangeReader() { 4 | segment_ = boost::interprocess::managed_shared_memory(boost::interprocess::open_read_only, uberstealth::getSegmentName().c_str()); 5 | } 6 | 7 | std::string uberstealth::IPCConfigExchangeReader::getProfileFile() { 8 | std::pair dataPtr = segment_.find(uberstealth::ConfigFileDataStr); 9 | return std::string(dataPtr.first); 10 | } 11 | 12 | unsigned int uberstealth::IPCConfigExchangeReader::getDebuggerProcessID() { 13 | std::pair dataPtr = segment_.find(uberstealth::IDAProcessIDStr); 14 | return *(dataPtr.first); 15 | } 16 | 17 | uberstealth::IPCPEHeaderData uberstealth::IPCConfigExchangeReader::getIPCPEHeaderData() { 18 | std::pair dataPtr = segment_.find(uberstealth::PEHeaderDataStr); 19 | return *dataPtr.first; 20 | } 21 | 22 | bool uberstealth::IPCConfigExchangeReader::isPERestoreRequired() { 23 | std::pair dataPtr = segment_.find(uberstealth::PERestoreRequiredStr); 24 | return *(dataPtr.first); 25 | } -------------------------------------------------------------------------------- /uberstealth/ResourceItem.cpp: -------------------------------------------------------------------------------- 1 | #include "ResourceItem.h" 2 | #include 3 | 4 | uberstealth::ResourceItem::ResourceItem(HMODULE hModule, int resourceID, const std::string& resourceType) : 5 | hModule_(hModule), 6 | resID_(resourceID), 7 | resType_(resourceType) {} 8 | 9 | void* uberstealth::ResourceItem::getData() const { 10 | HRSRC hResInfo = FindResource(hModule_, (LPCWSTR)resID_, uberstealth::StringToUnicode(resType_)); 11 | if (!hResInfo) { 12 | return NULL; 13 | } 14 | 15 | HGLOBAL resData = LoadResource(hModule_, hResInfo); 16 | if (!resData) { 17 | return NULL; 18 | } 19 | 20 | void* dataPtr = LockResource(resData); 21 | size_ = 0; 22 | if (dataPtr) size_ = SizeofResource(hModule_, hResInfo); 23 | return dataPtr; 24 | } 25 | 26 | bool uberstealth::ResourceItem::saveDataToFile(const std::string& fileName) const { 27 | void* dataPtr = getData(); 28 | if (!dataPtr) { 29 | return false; 30 | } 31 | 32 | FILE* hFile; 33 | fopen_s(&hFile, fileName.c_str(), "wb"); 34 | if (!hFile) { 35 | return false; 36 | } 37 | 38 | bool retVal = false; 39 | if (fwrite(dataPtr, size_, 1, hFile)) { 40 | retVal = true; 41 | } 42 | fclose(hFile); 43 | 44 | return retVal; 45 | } -------------------------------------------------------------------------------- /uberstealth/OllyEngine.cpp: -------------------------------------------------------------------------------- 1 | #ifdef OLLYSTEALTH 2 | 3 | #include 4 | #include "OllyEngine.h" 5 | #pragma warning(disable : 4200) 6 | #include 7 | #pragma warning(default : 4200) 8 | 9 | // TODO(jan.newger@newgre.net): NEEDS OFFICIAL IMPORT LIB!!! 10 | extern "C" __declspec(dllimport) int Run(t_status status,int pass); 11 | extern "C" __declspec(dllimport) int Setint3breakpoint(ulong addr, ulong type, int fnindex, int limit, int count, wchar_t *condition, wchar_t *expression, wchar_t *exprtype); 12 | 13 | bool uberstealth::OllyEngine::setBreakpoint(uintptr_t address) const { 14 | //Setint3breakpoint(address, BP_MANUAL, 0, 0, 0, NULL, NULL, NULL); 15 | return false; 16 | } 17 | 18 | bool uberstealth::OllyEngine::removeBreakpoint(uintptr_t /*address*/) const 19 | { 20 | //Removeint3breakpoint 21 | return false; 22 | } 23 | 24 | void uberstealth::OllyEngine::setExceptionOption(unsigned int /*exceptionCode*/, bool /*ignore*/) const { 25 | // TODO 26 | } 27 | 28 | bool uberstealth::OllyEngine::continueProcess() const { 29 | //Run(t_status status,int pass); 30 | //return Run(STAT_RUNNING, 0) == 1; 31 | return false; 32 | } 33 | 34 | void uberstealth::OllyEngine::logString(const char* /*str*/, ...) const { 35 | // TODO 36 | } 37 | 38 | #endif -------------------------------------------------------------------------------- /NInjectLib/Readme.txt: -------------------------------------------------------------------------------- 1 | http://newgre.net/ninjectlib 2 | 3 | About N-InjectLib 4 | N-InjectLib is a library written in C++ which allows for injecting dynamic link libraries into a remote (i.e. foreign) process. 5 | Two techniques are available to inject a dll: the target process can be started by using the library so the first dll loaded actually is the dll to be injected, or dlls can be injected anytime while the target process is running. 6 | 7 | Changelog 8 | 07/16/2011 - v1.0.5 9 | 10 | Bugfix: Injection didn't work if the size size field of the import directory was wrong 11 | 02/14/2010 - v1.0.4 12 | 13 | Improved: Injection now also works with .NET applications 14 | Bugfix: Example was broken 15 | 11/16/2009 - v1.0.3 16 | 17 | Bugfix: Injection failed if issued from non-Administrator account 18 | Improved: Method to retrieve IBA of remote process more robust 19 | Added: Simple example on how to use the library 20 | 07/14/2008 - v1.0.2 21 | 22 | Bugfix: Injection failed if new IMAGE_IMPORT_DESCRIPTOR was outside existing sections 23 | Bugfix: Injection failed if executable had bound imports 24 | 07/06/2008 - v1.0.1 25 | 26 | Bugfix: Injection failed if IMAGE_DIRECTORY_ENTRY_IAT was zero, which is true for most packed PE images 27 | 05/19/2008 - v1.0 28 | 29 | First release -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/decoder.h: -------------------------------------------------------------------------------- 1 | /* 2 | decoder.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef DECODER_H 10 | #define DECODER_H 11 | 12 | #include "../config.h" 13 | 14 | #include "wstring.h" 15 | 16 | typedef unsigned int _iflags; 17 | 18 | /* DEFAULT instructions decoding mode. */ 19 | typedef enum {Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2} _DecodeType; 20 | 21 | typedef OFFSET_INTEGER _OffsetType; 22 | 23 | typedef struct { 24 | _WString mnemonic; 25 | _WString operands; 26 | _WString instructionHex; 27 | unsigned int size; 28 | _OffsetType offset; 29 | } _DecodedInst; 30 | 31 | typedef struct { 32 | const uint8_t* code; 33 | int codeLen; 34 | _OffsetType codeOffset; 35 | } _CodeInfo; 36 | 37 | typedef enum {DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR} _DecodeResult; 38 | _DecodeResult internal_decode(_OffsetType codeOffset, const uint8_t* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxResultCount, unsigned int* usedEntriesCount); 39 | 40 | _DecodeType ADDR_SIZE_AFFECT(_DecodeType dt, _iflags totalPrefixes); 41 | _DecodeType OP_SIZE_AFFECT(_DecodeType dt, _iflags totalPrefixes, unsigned int rex, _iflags instFlags); 42 | 43 | #endif /* DECODER_H */ 44 | -------------------------------------------------------------------------------- /HideDebugger/ThreadDebugRegisterState.h: -------------------------------------------------------------------------------- 1 | // Represents the debug registers thread context and provides methods to handle different events 2 | // corresponding to invocations of (internal) windows API functions. 3 | 4 | #pragma once 5 | 6 | #include 7 | #include 8 | 9 | class ThreadDebugRegisterState { 10 | public: 11 | ThreadDebugRegisterState(DWORD threadId) : 12 | threadId_(threadId) {} 13 | 14 | bool handleSetContext(LPCONTEXT context); 15 | void handleGetContext(const LPCONTEXT context) const; 16 | void handlePreSEH(LPCONTEXT context); 17 | void handlePostSEH(LPCONTEXT context); 18 | 19 | private: 20 | struct DebugRegisters { 21 | DebugRegisters() : 22 | dr0(0), 23 | dr1(0), 24 | dr2(0), 25 | dr3(0), 26 | dr6(0), 27 | dr7(0) {} 28 | 29 | DebugRegisters(DWORD dr0, DWORD dr1, DWORD dr2, DWORD dr3, DWORD dr6, DWORD dr7) : 30 | dr0(dr0), 31 | dr1(dr1), 32 | dr2(dr2), 33 | dr3(dr3), 34 | dr6(dr6), 35 | dr7(dr7) {} 36 | 37 | DWORD dr0; 38 | DWORD dr1; 39 | DWORD dr2; 40 | DWORD dr3; 41 | DWORD dr6; 42 | DWORD dr7; 43 | }; 44 | 45 | void copyToContext(const DebugRegisters& debugRegisters, LPCONTEXT context) const; 46 | DebugRegisters copyFromContext(LPCONTEXT context) const; 47 | 48 | DWORD threadId_; 49 | DebugRegisters debugRegisters_; 50 | DebugRegisters preSehDebugRegisters_; 51 | }; 52 | -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/wstring.h: -------------------------------------------------------------------------------- 1 | /* 2 | wstring.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef WSTRING_H 10 | #define WSTRING_H 11 | 12 | #include "../config.h" 13 | 14 | /* Make sure the buffer isn't overflowed. */ 15 | #define MAX_TEXT_SIZE (60) 16 | 17 | typedef struct { 18 | unsigned int pos; 19 | int8_t p[MAX_TEXT_SIZE]; 20 | } _WString; 21 | 22 | /* 23 | * Warning, this macro should be used only when the compiler knows the size of string in advance! 24 | * This macro is used in order to spare the call to strlen when the strings are known already. 25 | * Note: sizeof includes NULL terminated character. 26 | */ 27 | #define strcat_WSN(s, t) strcatlen_WS((s), (t), sizeof((t))-1) 28 | #define strcpy_WSN(s, t) strcpylen_WS((s), (t), sizeof((t))-1) 29 | 30 | void _FASTCALL_ strcpy_WS(_WString* s, const int8_t* buf); 31 | void _FASTCALL_ strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len); 32 | void _FASTCALL_ strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len); 33 | 34 | _INLINE_ void strclear_WS(_WString* s) 35 | { 36 | s->p[0] = '\0'; 37 | s->pos = 0; 38 | } 39 | 40 | _INLINE_ void chrcat_WS(_WString* s, uint8_t ch) 41 | { 42 | s->p[s->pos] = ch; 43 | s->p[s->pos + 1] = '\0'; 44 | s->pos += 1; 45 | } 46 | 47 | 48 | #endif /* WSTRING_H */ 49 | -------------------------------------------------------------------------------- /uberstealth/UberstealthPropertyPage.h: -------------------------------------------------------------------------------- 1 | // All property sheets dealing with profile configuiration have to derive from this class. 2 | 3 | #pragma once 4 | 5 | #include "WTLCommon.h" 6 | #include "ConfigProvider.h" 7 | #include 8 | #include "ProfileEventConsumer.h" 9 | 10 | namespace uberstealth { 11 | 12 | template 13 | class UberstealthPropertyPage : 14 | public CPropertyPageImpl, 15 | public CWinDataExchange, 16 | public ProfileEventConsumer { 17 | public: 18 | enum { IDD = idd }; 19 | 20 | UberstealthPropertyPage(ConfigProvider* configProvider) : 21 | configProvider_(configProvider), 22 | enableState_(false) { 23 | configProvider_->addListener(this); 24 | } 25 | 26 | void changeGlobalEnableState(bool enableState) { 27 | enableState_ = enableState; 28 | if (m_hWnd) { 29 | enableControls(enableState); 30 | } 31 | } 32 | 33 | protected: 34 | BOOL OnInitDialog(HWND /*hwndFocus*/, LPARAM /*lParam*/) 35 | { 36 | loadProfile(configProvider_->getCurrentProfile()); 37 | enableControls(enableState_); 38 | return TRUE; 39 | } 40 | 41 | virtual void enableControls(bool enabled) =0; 42 | 43 | BEGIN_MSG_MAP(UberstealthPropertyPage) 44 | MSG_WM_INITDIALOG(OnInitDialog) 45 | CHAIN_MSG_MAP(CPropertyPageImpl) 46 | END_MSG_MAP() 47 | 48 | ConfigProvider* configProvider_; 49 | 50 | private: 51 | bool enableState_; 52 | }; 53 | 54 | } -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/pydistorm.h: -------------------------------------------------------------------------------- 1 | /* 2 | pydistorm.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef PYDISTORM_H 10 | #define PYDISTORM_H 11 | 12 | #ifdef SUPPORT_64BIT_OFFSET 13 | /* 14 | * PyArg_ParseTuple/Py_BuildValue uses a format string in order to parse/build the offset. 15 | * type: int 64 16 | */ 17 | #define _PY_OFF_INT_SIZE_ "K" 18 | #else 19 | #define _PY_OFF_INT_SIZE_ "k" 20 | #endif 21 | 22 | #include "decoder.h" 23 | 24 | #ifdef __GNUC__ 25 | #include 26 | #elif _MSC_VER 27 | #include 28 | #endif 29 | 30 | PyObject* distorm_Decode(PyObject* pSelf, PyObject* pArgs); 31 | 32 | char distorm_Decode_DOCSTR[] = 33 | "Disassemble a given buffer.\r\n" 34 | #ifdef SUPPORT_64BIT_OFFSET 35 | "Decode(INT64 offset, string code, int type)\r\n" 36 | #else 37 | "Decode(unsigned long offset, string code, int type)\r\n" 38 | #endif 39 | "type:\r\n" 40 | " Decode16Bits - 16 bits decoding.\r\n" 41 | " Decode32Bits - 32 bits decoding.\r\n" 42 | " Decode64Bits - AMD64 decoding.\r\n" 43 | "Returns a list of tuples of offset, size, mnemonic and hex string.\r\n"; 44 | 45 | static PyMethodDef distormModulebMethods[] = { 46 | {"Decode", distorm_Decode, METH_VARARGS, distorm_Decode_DOCSTR}, 47 | {NULL, NULL, 0, NULL} 48 | }; 49 | 50 | #endif /* PYDISTORM_H */ 51 | 52 | -------------------------------------------------------------------------------- /uberstealth/WTLInputBox.h: -------------------------------------------------------------------------------- 1 | // A simple dialog to query the user for text input. 2 | 3 | #pragma once 4 | 5 | #include "WTLCommon.h" 6 | #include 7 | #include 8 | 9 | namespace uberstealth { 10 | 11 | class WTLInputBox : 12 | public CDialogImpl, 13 | public CWinDataExchange 14 | { 15 | public: 16 | enum { IDD = IDD_INPUTBOX }; 17 | 18 | std::string getInput() const 19 | { 20 | if (txt_.GetLength()) 21 | { 22 | return std::string(CT2A(txt_, CP_UTF8)); 23 | } 24 | else return ""; 25 | } 26 | 27 | private: 28 | LRESULT OnOkClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 29 | { 30 | DoDataExchange(TRUE); 31 | EndDialog(0); 32 | return 0; 33 | } 34 | 35 | LRESULT OnCancelClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 36 | { 37 | txt_ = ""; 38 | EndDialog(0); 39 | return 0; 40 | } 41 | 42 | BOOL OnInitDialog(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/) 43 | { 44 | DoDataExchange(FALSE); 45 | return TRUE; 46 | } 47 | 48 | WTL::CString txt_; 49 | 50 | BEGIN_DDX_MAP(WTLInputBox) 51 | DDX_TEXT(IDC_EDITBOX, txt_) 52 | END_DDX_MAP() 53 | 54 | BEGIN_MSG_MAP(WTLInputBox) 55 | MESSAGE_HANDLER(WM_INITDIALOG, OnInitDialog) 56 | COMMAND_HANDLER(IDOK, BN_CLICKED, OnOkClick) 57 | COMMAND_HANDLER(IDCANCEL, BN_CLICKED, OnCancelClick) 58 | END_MSG_MAP() 59 | }; 60 | 61 | } -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/StealthDriver.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Original filename: StealthDriver.h 6 | /// Project : StealthDriver 7 | /// Date of creation : 8 | /// Author(s) : 9 | /// 10 | /// Purpose : 11 | /// 12 | /// Revisions: 13 | /// 14 | /////////////////////////////////////////////////////////////////////////////// 15 | 16 | // $Id$ 17 | 18 | #ifndef __STEALTHDRIVER_H_VERSION__ 19 | #define __STEALTHDRIVER_H_VERSION__ 100 20 | 21 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 22 | #pragma once 23 | #endif 24 | 25 | #include "drvcommon.h" 26 | #include "drvversion.h" 27 | 28 | #ifndef FILE_DEVICE_STEALTHDRIVER 29 | #define FILE_DEVICE_STEALTHDRIVER 0x8000 30 | #endif 31 | 32 | // Values defined for "Method" 33 | // METHOD_BUFFERED 34 | // METHOD_IN_DIRECT 35 | // METHOD_OUT_DIRECT 36 | // METHOD_NEITHER 37 | // 38 | // Values defined for "Access" 39 | // FILE_ANY_ACCESS 40 | // FILE_READ_ACCESS 41 | // FILE_WRITE_ACCESS 42 | 43 | enum StealthHook { 44 | SH_NtSetInformationThread, 45 | SH_NtQueryInformationProcess 46 | }; 47 | 48 | const ULONG IOCTL_STEALTHDRIVER_ENABLE_HOOKS = (ULONG)CTL_CODE(FILE_DEVICE_STEALTHDRIVER, 0x801, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA); 49 | 50 | #endif // __STEALTHDRIVER_H_VERSION__ 51 | -------------------------------------------------------------------------------- /HideDebugger/HideDebugger.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HideDebugger", "HideDebugger.vcxproj", "{59339E37-7C43-4CD2-B7B5-DF10D9197655}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | OllyStealth Debug|Win32 = OllyStealth Debug|Win32 10 | OllyStealth Release|Win32 = OllyStealth Release|Win32 11 | Release|Win32 = Release|Win32 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.Debug|Win32.Build.0 = Debug|Win32 16 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.OllyStealth Debug|Win32.ActiveCfg = OllyStealth Debug|Win32 17 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.OllyStealth Debug|Win32.Build.0 = OllyStealth Debug|Win32 18 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.OllyStealth Release|Win32.ActiveCfg = OllyStealth Release|Win32 19 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.OllyStealth Release|Win32.Build.0 = OllyStealth Release|Win32 20 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.Release|Win32.ActiveCfg = Release|Win32 21 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.Release|Win32.Build.0 = Release|Win32 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /RDTSCEmu/driver/drvcommon.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Useful macros 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Author: ddkwizard.assarbad.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVCOMMON_H_VERSION__ 13 | #define __DRVCOMMON_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | 20 | #define _ANSISTRING(text) #text 21 | #define ANSISTRING(text) _ANSISTRING(text) 22 | 23 | #define _WIDESTRING(text) L##text 24 | #define WIDESTRING(text) _WIDESTRING(text) 25 | 26 | #define PRESET_UNICODE_STRING(symbol, buffer) \ 27 | UNICODE_STRING symbol = \ 28 | { \ 29 | sizeof(WIDESTRING(buffer)) - sizeof(WCHAR), \ 30 | sizeof(WIDESTRING(buffer)), \ 31 | WIDESTRING(buffer) \ 32 | }; 33 | 34 | #define CREATE_XVER(maj,min,build) maj ## , ## min ## , 0, ## build 35 | #define CREATE_FVER(maj,min,build) maj ## . ## min ## .0. ## build 36 | #define CREATE_PVER(maj,min,build) maj ## . ## min 37 | 38 | #if DBG 39 | #ifdef ADVANCED_DEBUG 40 | #define DebugPrint DbgPrint("[%s] %s (line: %d)\n", __##FILE##__, __##FUNCTION##__, __##LINE##__); DbgPrint 41 | #else 42 | #define DebugPrint DbgPrint 43 | #endif 44 | #else 45 | #define DebugPrint /##/DbgPrint 46 | #endif 47 | 48 | #endif // __DRVCOMMON_H_VERSION__ 49 | -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/drvcommon.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Useful macros 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Author: ddkwizard.assarbad.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVCOMMON_H_VERSION__ 13 | #define __DRVCOMMON_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | 20 | #define _ANSISTRING(text) #text 21 | #define ANSISTRING(text) _ANSISTRING(text) 22 | 23 | #define _WIDESTRING(text) L##text 24 | #define WIDESTRING(text) _WIDESTRING(text) 25 | 26 | #define PRESET_UNICODE_STRING(symbol, buffer) \ 27 | UNICODE_STRING symbol = \ 28 | { \ 29 | sizeof(WIDESTRING(buffer)) - sizeof(WCHAR), \ 30 | sizeof(WIDESTRING(buffer)), \ 31 | WIDESTRING(buffer) \ 32 | }; 33 | 34 | #define CREATE_XVER(maj,min,build) maj ## , ## min ## , 0, ## build 35 | #define CREATE_FVER(maj,min,build) maj ## . ## min ## .0. ## build 36 | #define CREATE_PVER(maj,min,build) maj ## . ## min 37 | 38 | #if DBG 39 | #ifdef ADVANCED_DEBUG 40 | #define DebugPrint DbgPrint("[%s] %s (line: %d)\n", __##FILE##__, __##FUNCTION##__, __##LINE##__); DbgPrint 41 | #else 42 | #define DebugPrint DbgPrint 43 | #endif 44 | #else 45 | #define DebugPrint /##/DbgPrint 46 | #endif 47 | 48 | #endif // __DRVCOMMON_H_VERSION__ 49 | -------------------------------------------------------------------------------- /RDTSCEmu/driver/RDTSCEmu.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Original filename: RDTSCEmu.h 6 | /// Project : RDTSCEmu 7 | /// Date of creation : 8 | /// Author(s) : 9 | /// 10 | /// Purpose : 11 | /// 12 | /// Revisions: 13 | /// 14 | /////////////////////////////////////////////////////////////////////////////// 15 | 16 | // $Id$ 17 | 18 | #ifndef __RDTSCEMU_H_VERSION__ 19 | #define __RDTSCEMU_H_VERSION__ 100 20 | 21 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 22 | #pragma once 23 | #endif 24 | 25 | #include "drvcommon.h" 26 | #include "drvversion.h" 27 | 28 | #define DEVICE_NAME "\\Device\\" 29 | #define SYMLINK_NAME "\\DosDevices\\" 30 | 31 | #ifndef FILE_DEVICE_RDTSCEMU 32 | #define FILE_DEVICE_RDTSCEMU 0x8000 33 | #endif 34 | 35 | // Values defined for "Method" 36 | // METHOD_BUFFERED 37 | // METHOD_IN_DIRECT 38 | // METHOD_OUT_DIRECT 39 | // METHOD_NEITHER 40 | // 41 | // Values defined for "Access" 42 | // FILE_ANY_ACCESS 43 | // FILE_READ_ACCESS 44 | // FILE_WRITE_ACCESS 45 | 46 | enum RDTSCMode { 47 | constant, 48 | increasing 49 | }; 50 | 51 | #define IOCTL_RDTSCEMU_METHOD_ALWAYS_CONST CTL_CODE(FILE_DEVICE_RDTSCEMU, 0x02, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA) 52 | #define IOCTL_RDTSCEMU_METHOD_INCREASING CTL_CODE(FILE_DEVICE_RDTSCEMU, 0x03, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA) 53 | 54 | #endif // __RDTSCEMU_H_VERSION__ 55 | -------------------------------------------------------------------------------- /uberstealthRemote/RemoteStealthSession.cpp: -------------------------------------------------------------------------------- 1 | #include "RemoteStealthSession.h" 2 | #include 3 | #include 4 | #include 5 | #include "RemoteStealthConnection.h" 6 | #include "resource.h" 7 | #include 8 | 9 | namespace { 10 | 11 | const std::string StealthDllFileName = "HideDebugger.dll"; 12 | 13 | } 14 | 15 | uberstealth::RemoteStealthSession::RemoteStealthSession(const boost::filesystem::path& configFile) : 16 | StealthSession(configFile) { 17 | wchar_t buffer[MAX_PATH]; 18 | if (!GetModuleFileName(NULL, buffer, MAX_PATH)) { 19 | throw std::runtime_error("Unable to determine location of executable for current process."); 20 | } 21 | boost::filesystem::path p = buffer; 22 | p.remove_leaf(); 23 | p /= StealthDllFileName; 24 | stealthDll_ = p.string(); 25 | } 26 | 27 | ResourceItem uberstealth::RemoteStealthSession::getRDTSCDriverResource() { 28 | return ResourceItem(GetModuleHandle(NULL), IDR_RDTSC, "DRV"); 29 | } 30 | 31 | ResourceItem uberstealth::RemoteStealthSession::getStealthDriverResource() { 32 | return ResourceItem(GetModuleHandle(NULL), IDR_STEALTH, "DRV"); 33 | } 34 | 35 | std::string uberstealth::RemoteStealthSession::getStealthDllPath() { 36 | return stealthDll_; 37 | } 38 | 39 | void uberstealth::RemoteStealthSession::handleBreakPoint(unsigned int /*threadID*/, uintptr_t /*address*/) { 40 | // TODO(jan.newger@newgre.net): implement. 41 | } 42 | 43 | void uberstealth::RemoteStealthSession::handleException(unsigned int /*exceptionCode*/) { 44 | // TODO(jan.newger@newgre.net): implement. 45 | } -------------------------------------------------------------------------------- /uberstealth/SaveChangesDialog.h: -------------------------------------------------------------------------------- 1 | // Ask the user if he wants to save the modified profile. 2 | 3 | #pragma once 4 | 5 | #include "WTLCommon.h" 6 | #include 7 | 8 | namespace uberstealth { 9 | 10 | class SaveChangesDialog : 11 | public CDialogImpl 12 | { 13 | public: 14 | enum { IDD = IDD_SAVE_CHANGES }; 15 | enum SaveChanges { Save, DontSave, Cancel }; 16 | 17 | SaveChanges getAnswer() const { return answer_; } 18 | 19 | private: 20 | LRESULT OnSaveClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 21 | { 22 | answer_ = Save; 23 | EndDialog(0); 24 | return 0; 25 | } 26 | 27 | LRESULT OnDontSaveClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 28 | { 29 | answer_ = DontSave; 30 | EndDialog(0); 31 | return 0; 32 | } 33 | 34 | LRESULT OnCancelClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 35 | { 36 | answer_ = Cancel; 37 | EndDialog(0); 38 | return 0; 39 | } 40 | 41 | BOOL OnInitDialog(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/) 42 | { 43 | iconControl_.Attach(GetDlgItem(IDC_QUESTION_ICON)); 44 | iconControl_.SetIcon(LoadIcon(NULL, IDI_QUESTION)); 45 | return TRUE; 46 | } 47 | 48 | BEGIN_MSG_MAP(SaveChangesDialog) 49 | MESSAGE_HANDLER(WM_INITDIALOG, OnInitDialog) 50 | COMMAND_HANDLER(IDC_SAVE, BN_CLICKED, OnSaveClick) 51 | COMMAND_HANDLER(IDC_DONT_SAVE, BN_CLICKED, OnDontSaveClick) 52 | COMMAND_HANDLER(IDC_CANCEL, BN_CLICKED, OnCancelClick) 53 | END_MSG_MAP() 54 | 55 | CStatic iconControl_; 56 | SaveChanges answer_; 57 | }; 58 | 59 | } -------------------------------------------------------------------------------- /NInjectLib/IATModifier.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "Process.h" 6 | 7 | class IATModifier 8 | { 9 | public: 10 | 11 | IATModifier(const Process& process); 12 | ~IATModifier(); 13 | std::vector readImportTable(); 14 | void setImageBase(uintptr_t address); 15 | void writeIAT(const std::vector& dlls); 16 | void writeIAT(const std::string& dll); 17 | IMAGE_NT_HEADERS readNTHeaders() const; 18 | 19 | private: 20 | 21 | DWORD pad(DWORD val, DWORD amount) { return (val+amount) & ~amount; }; 22 | DWORD padToDword(DWORD val) { return pad(val, 3); }; 23 | void* allocateMemAboveBase(void* baseAddress, size_t size); 24 | DWORD determineIIDSize(PIMAGE_IMPORT_DESCRIPTOR importDescriptorTableAddress); 25 | Process process_; 26 | PIMAGE_IMPORT_DESCRIPTOR importDescrTblAddr_; 27 | uintptr_t ntHeadersAddr_; 28 | unsigned int importDescrTblSize_; 29 | }; 30 | 31 | // general exception for this class 32 | class IATModifierException : public std::runtime_error 33 | { 34 | public: 35 | IATModifierException::IATModifierException(const std::string& msg) : std::runtime_error(msg) {}; 36 | }; 37 | 38 | // exception while writing image import descriptors 39 | class WriteIIDException : public std::runtime_error 40 | { 41 | public: 42 | WriteIIDException::WriteIIDException(const std::string& msg, const MemoryAccessException& e) : std::runtime_error(msg), innerException_(e) {}; 43 | MemoryAccessException innerException() const { return innerException_; }; 44 | 45 | private: 46 | MemoryAccessException innerException_; 47 | }; -------------------------------------------------------------------------------- /RDTSCEmu/driver/HookInt.cpp: -------------------------------------------------------------------------------- 1 | #include "HookInt.h" 2 | 3 | extern "C" KAFFINITY KeSetAffinityThread(IN PKTHREAD Thread, IN KAFFINITY Affinity); 4 | 5 | #define RESTORE_INTS 6 | #define DISABLE_INTS 7 | 8 | #define MAKELONG(a, b) ((ULONG)(((USHORT)(((ULONG)(a)) & 0xffff)) | ((ULONG)((USHORT)(((ULONG)(b)) & 0xffff))) << 16)) 9 | 10 | // layout of data struct retrieved from sidt instruction 11 | typedef struct 12 | { 13 | USHORT limit; 14 | USHORT lowBase; 15 | USHORT highBase; 16 | } IDT_INFO, *PIDT_INFO; 17 | 18 | // simplified layout of an IDT entry 19 | // (all the flag details have been omitted, we don't change them anyway) 20 | typedef struct 21 | { 22 | USHORT lowOffset; 23 | USHORT segSelector; 24 | USHORT flags; 25 | USHORT highOffset; 26 | } IDT_ENTRY, *PIDT_ENTRY; 27 | 28 | VOID hookInterrupt(PVOID newHandler, ULONG number, PUINT_PTR oldHandler) 29 | { 30 | IDT_INFO info; 31 | __asm sidt info; 32 | PIDT_ENTRY idt = (PIDT_ENTRY)MAKELONG(info.lowBase, info.highBase); 33 | 34 | // save EFLAGS, then disable interrupts 35 | __asm pushfd 36 | __asm cli 37 | 38 | UINT_PTR origHandler = (ULONG)(idt[number].highOffset) << 16 | idt[number].lowOffset; 39 | 40 | // TODO(jan.newger@newgre.net): MAKE ATOMIC!!!!!!!!!!!!!!!!! 41 | idt[number].lowOffset = (USHORT)newHandler; 42 | idt[number].highOffset = (USHORT)((ULONG)newHandler >> 16); 43 | if (oldHandler) *oldHandler = origHandler; 44 | 45 | // CLI just clears the IF in EFLAGS so we don't need to execute STI here 46 | // by popping the previously pushed EFLAGS we revert to the original state 47 | __asm popfd 48 | } 49 | 50 | VOID switchToCPU(CCHAR cpu) 51 | { 52 | KeSetAffinityThread(KeGetCurrentThread(), 1 << cpu); 53 | } -------------------------------------------------------------------------------- /uberstealth/UberstealthPage2.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "WTLCommon.h" 4 | #include 5 | #include "UberstealthPropertyPage.h" 6 | #include 7 | #include "resource.h" 8 | 9 | namespace uberstealth { 10 | 11 | class UberstealthPage2 : public UberstealthPropertyPage 12 | { 13 | public: 14 | UberstealthPage2(ConfigProvider* configProvider) : 15 | UberstealthPropertyPage(configProvider) {} 16 | 17 | void loadProfile(const uberstealth::HideDebuggerProfile& profile); 18 | void flushProfile(uberstealth::HideDebuggerProfile& profile); 19 | bool isProfileDirty(); 20 | 21 | protected: 22 | void enableControls(bool enabled); 23 | 24 | private: 25 | BEGIN_DDX_MAP(UberstealthPage2) 26 | DDX_CHECK(IDC_BLOCKINPUT, blockInput_) 27 | DDX_CHECK(IDC_SUSPENDTHREAD, suspThread_) 28 | DDX_CHECK(IDC_TERMINATE, ntTerminate_) 29 | DDX_CHECK(IDC_PARENTPROCESS, parentProcess_) 30 | DDX_CHECK(IDC_HIDEDEBUGGERPROCESS, hideIDAProcess_) 31 | DDX_CHECK(IDC_HIDEDEBUGGERWND, hideIDAWnd_) 32 | DDX_CHECK(IDC_DBGPRNTEXCEPT, dbgPrintExcp_) 33 | DDX_CHECK(IDC_OPENPROCESS, openProcess_) 34 | DDX_CHECK(IDC_SWITCH, switch_) 35 | DDX_CHECK(IDC_ANTIATTACH, antiAttach_) 36 | DDX_CHECK(IDC_NTYIELD, ntYield_) 37 | DDX_CHECK(IDC_OUTDBGSTR, outputDbgStr_) 38 | DDX_CHECK(IDC_NTSIT, ntSetInfoThread_) 39 | END_DDX_MAP() 40 | 41 | bool blockInput_; 42 | bool suspThread_; 43 | bool ntTerminate_; 44 | bool parentProcess_; 45 | bool hideIDAProcess_; 46 | bool hideIDAWnd_; 47 | bool dbgPrintExcp_; 48 | bool openProcess_; 49 | bool switch_; 50 | bool antiAttach_; 51 | bool ntYield_; 52 | bool outputDbgStr_; 53 | bool ntSetInfoThread_; 54 | }; 55 | 56 | } -------------------------------------------------------------------------------- /HideDebugger/HookHelper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "ntdll.h" 5 | 6 | void dbgPrint(const char* message, ...); 7 | DWORD handleToProcessID(HANDLE hProcess); 8 | DWORD handleToThreadID(HANDLE hThread); 9 | std::wstring getProcessName(); 10 | void restoreNTHeaders(); 11 | bool isHandleValid(HANDLE handle); 12 | void initSystemAPIs(); 13 | 14 | enum SystemApi { ZwRaiseExcept, RtlDispatchExcept, RtlRaiseExcept, 15 | NtQueryInfoProcess, NtQueryInfoThread, NtContinue, MaxSystemApi }; 16 | 17 | // Original function pointers. 18 | extern NtQueryInformationProcessFPtr origNtQueryInformationProcess; 19 | extern NtSetInformationThreadFPtr origNtSetInformationThread; 20 | extern NtQueryObjectFPtr origNtQueryObject; 21 | extern NtQuerySystemInformationFPtr origNtQuerySystemInformation; 22 | extern OutputDebugStringAFPtr origOutputDebugStringA; 23 | extern OutputDebugStringWFPtr origOutputDebugStringW; 24 | extern OpenProcessFPtr origOpenProcess; 25 | extern KiUserExceptionDispatcherFPtr origKiUserExceptDisp; 26 | extern NtSetContextThreadFPtr origSetThreadContext; 27 | extern NtGetContextThreadFPtr origGetThreadContext; 28 | extern NtYieldExecutionFPtr origNtYieldExecution; 29 | extern FindWindowAFPtr origFindWindowA; 30 | extern FindWindowWFPtr origFindWindowW; 31 | extern FindWindowExAFPtr origFindWindowExA; 32 | extern FindWindowExWFPtr origFindWindowExW; 33 | extern EnumWindowsFPtr origEnumWindows; 34 | extern NtTherminateProcessFPtr origNtTerminateProcess; 35 | extern KiRaiseUEDHookFPtr origKiRaiseUED; 36 | 37 | extern const char* NTDLL; 38 | extern const char* K32DLL; 39 | extern const char* U32DLL; 40 | 41 | extern NCodeHookIA32 nCodeHook; 42 | 43 | extern void* sysAPIs[]; 44 | 45 | #ifdef _DEBUG 46 | #define DBG_PRINT(x) dbgPrint(x) 47 | #else 48 | #define DBG_PRINT(x) 49 | #endif -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/distorm.c: -------------------------------------------------------------------------------- 1 | /* 2 | distorm.c 3 | 4 | :[diStorm64}: C Library Interface 5 | The ultimate disassembler library (80x86, AMD64) 6 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 7 | This library is licensed under the BSD license. See the file COPYING. 8 | */ 9 | 10 | #include "../config.h" 11 | #include "decoder.h" 12 | #include "x86defs.h" 13 | 14 | /* C LIBRARY EXPORTS */ 15 | #ifdef SUPPORT_64BIT_OFFSET 16 | _DLLEXPORT_ _DecodeResult distorm_decode64(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount) 17 | #else 18 | _DLLEXPORT_ _DecodeResult distorm_decode32(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount) 19 | #endif 20 | { 21 | *usedInstructionsCount = 0; 22 | 23 | /* I use codeLen as a signed variable in order to ease detection of underflow... and besides - */ 24 | if (codeLen < 0) { 25 | return DECRES_INPUTERR; 26 | } 27 | 28 | if ((dt != Decode16Bits) && (dt != Decode32Bits) && (dt != Decode64Bits)) { 29 | return DECRES_INPUTERR; 30 | } 31 | 32 | if (code == NULL || result == NULL) { 33 | return DECRES_INPUTERR; 34 | } 35 | 36 | /* Assume length=0 is success. */ 37 | if (codeLen == 0) { 38 | return DECRES_SUCCESS; 39 | } 40 | 41 | /* We need to supply at least 15 entries so the internal_decoder could return anything possible. */ 42 | if (maxInstructions < INST_MAXIMUM_SIZE) { 43 | return DECRES_MEMORYERR; 44 | } 45 | 46 | return internal_decode(codeOffset, code, codeLen, dt, result, maxInstructions, usedInstructionsCount); 47 | } 48 | 49 | _DLLEXPORT_ unsigned int distorm_version() 50 | { 51 | return DISTORM_VER; 52 | } 53 | -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/prefix.h: -------------------------------------------------------------------------------- 1 | /* 2 | prefix.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef PREFIX_H 10 | #define PREFIX_H 11 | 12 | #include "../config.h" 13 | 14 | #include "decoder.h" 15 | #include "wstring.h" 16 | 17 | /* 18 | * This holds the prefixes state for the current instruction we decode. 19 | * totalPrefixes includes all specific prefixes that the instruction got. 20 | * start is a pointer to the first prefix to take into account. 21 | * last is a pointer to the last byte we scanned. 22 | * Other pointers are used to keep track of prefixes positions and help us know if they appeared already and where. 23 | */ 24 | typedef struct { 25 | unsigned int unusedCount, specialPrefixesSize, isREXPrefixValid; 26 | _iflags totalPrefixes, usedPrefixes; 27 | const uint8_t *lokrepPos, *segovrdPos, *opsizePos, *addrsizePos, *rexpos, *start, *last; 28 | } _PrefixState; 29 | 30 | /* Describe the type of the prefix and which one it was in a flag manner. */ 31 | typedef enum {PRE_NONE = -1, PRE_LOKREP, PRE_SEGOVRD, PRE_OPSIZE, PRE_ADDRSIZE, PRE_REX} _PrefixType; 32 | 33 | typedef struct { 34 | _iflags flag; 35 | _PrefixType type; 36 | } _PrefixInfo; 37 | 38 | /* 39 | * Intel supports 4 types of prefixes, whereas AMD supports 5 types (lock is seperated from rep/nz). 40 | * REX is the fifth prefix type, this time I'm based on AMD64. 41 | */ 42 | #define MAX_PREFIXES (5) 43 | 44 | int is_prefix(unsigned int ch, _DecodeType dt); 45 | void decode_prefixes(const uint8_t* code, int codeLen, _PrefixState* ps, _DecodeType dt); 46 | void get_unused_prefixes_list(uint8_t unusedList[MAX_PREFIXES], _PrefixState* ps); 47 | 48 | void str_seg_text(_WString* s, _PrefixState* ps, _DecodeType dt); 49 | 50 | #endif /* PREFIX_H */ 51 | -------------------------------------------------------------------------------- /uberstealth/RemoteStealthSession.h: -------------------------------------------------------------------------------- 1 | // RemoteStealthSession represents the stealth session in IDA when the remote debugger is used. 2 | // It is used instead of LocalStealthSession and will contact the remote server to perform 3 | // the corresponding actions. 4 | 5 | #pragma once 6 | 7 | #include "IDAEngine.h" 8 | #include "ResourceItem.h" 9 | #include "CommonStealthSession.h" 10 | #include 11 | #include 12 | 13 | namespace uberstealth { 14 | 15 | class RemoteStealthSession : public StealthSession 16 | { 17 | public: 18 | RemoteStealthSession(const boost::filesystem::path& profilePath) : 19 | resolver_(boost::asio::ip::tcp::resolver(ioService_)), 20 | currentProfile_(HideDebuggerProfile::readProfileFromFile(profilePath)) {} 21 | 22 | virtual void handleDebuggerStart(unsigned int processId, uintptr_t baseAddress); 23 | virtual void handleDebuggerAttach(unsigned int processId); 24 | virtual void handleDebuggerExit(); 25 | 26 | // The remote stealth server doesn't have access to the debugging engine of IDA so these methods are implemented on the server side. 27 | void handleBreakpoint(unsigned int /*threadID*/, uintptr_t /*address*/) {} 28 | void handleException(unsigned int /*exceptionCode*/) {} 29 | 30 | private: 31 | virtual ResourceItem getRDTSCDriverResource(); 32 | virtual ResourceItem getStealthDriverResource(); 33 | virtual std::string getStealthDllPath(); 34 | std::string readConfigFile(const std::string& fileName) const; 35 | void sendRemoteCommand(const uberstealth::RSProtocolItem& item); 36 | void connectToServer(); 37 | 38 | boost::shared_ptr client_; 39 | boost::asio::io_service ioService_; 40 | boost::asio::ip::tcp::resolver resolver_; 41 | IDALogger logger_; 42 | HideDebuggerProfile currentProfile_; 43 | }; 44 | 45 | } -------------------------------------------------------------------------------- /uberstealthRemote/RemoteStealthProtocol.h: -------------------------------------------------------------------------------- 1 | // Defines the protocol which is used by the plugin and the remote server to communicate. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include 7 | #pragma warning(disable : 4512) 8 | #include 9 | #include 10 | #pragma warning(default : 4512) 11 | #include 12 | 13 | namespace uberstealth { 14 | enum ProcessEvent { ProcessStart, ProcessAttach, ProcessExit }; 15 | 16 | struct RSProtocolItem { 17 | RSProtocolItem(unsigned int pID, uintptr_t base, ProcessEvent pEvent, 18 | const std::string& configStr, const std::string currentProfile) : 19 | processID(pID), 20 | baseAddress(base), 21 | procEvent(pEvent), 22 | serializedConfigFile(configStr), 23 | profile(currentProfile) {} 24 | 25 | RSProtocolItem() : 26 | processID(0), 27 | baseAddress(0), 28 | procEvent(ProcessStart), 29 | remoteEventPort(0) {} 30 | 31 | unsigned int processID; 32 | uintptr_t baseAddress; 33 | ProcessEvent procEvent; 34 | std::string serializedConfigFile; 35 | std::string profile; 36 | std::string remoteEventIP; 37 | int remoteEventPort; 38 | 39 | template 40 | void serialize(Archive& ar, const unsigned int) { 41 | ar & processID; 42 | ar & baseAddress; 43 | ar & procEvent; 44 | ar & serializedConfigFile; 45 | ar & profile; 46 | } 47 | }; 48 | 49 | // Response sent from the remote side to indicate success / error of an operation. 50 | struct RSProtocolResponse { 51 | RSProtocolResponse(bool succ, const std::string& err) : 52 | success(succ), 53 | error(err) {} 54 | RSProtocolResponse() : success(false) {} 55 | 56 | template 57 | void serialize(Archive& ar, const unsigned int) { 58 | ar & success; 59 | ar & error; 60 | } 61 | 62 | bool success; 63 | std::string error; 64 | }; 65 | } -------------------------------------------------------------------------------- /uberstealth/version.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define UBERSTEALTH_MAJOR 1 4 | #define UBERSTEALTH_MINOR 0 5 | #define UBERSTEALTH_PATCH 0 6 | #define UBERSTEALTH_PRODUCT_NAME L"uberstealth" 7 | #define REMOTESTEALTH_PRODUCT_NAME L"uberstealth remote server" 8 | 9 | #ifdef _DEBUG 10 | #define UBERSTEALTH_BUILD L" debug build" 11 | #else 12 | #define UBERSTEALTH_BUILD L"" 13 | #endif 14 | #define UBERSTEALTH_SPECIAL_BUILD L"ALPHA 2" 15 | 16 | #define UBERSTEALTH_COPYRIGHT L"Copyright (C) 2011-2012 Jan Newger" 17 | 18 | #define VSTRING(s) L#s 19 | #define VERSION_STRING(a,b,c) VSTRING(a) L"." VSTRING(b) L"." VSTRING(c) 20 | #define FILE_VERSION_STRING(a,b,c,d) VSTRING(a) L"," VSTRING(b) L"," VSTRING(c) L"," VSTRING(d) 21 | 22 | #define UBERSTEALTH_PRODUCT_VERSION_STRING L"v" VERSION_STRING(UBERSTEALTH_MAJOR,UBERSTEALTH_MINOR,UBERSTEALTH_PATCH) 23 | #define UBERSTEALTH_FILE_VERSION_STRING FILE_VERSION_STRING(UBERSTEALTH_MAJOR,UBERSTEALTH_MINOR,UBERSTEALTH_PATCH,0) 24 | #define ILDASTEALTH_FILE_VERSION_NUM UBERSTEALTH_MAJOR,UBERSTEALTH_MINOR,UBERSTEALTH_PATCH,0 25 | 26 | #ifdef UBERSTEALTH_SPECIAL_BUILD 27 | #define UBERSTEALTH_NAME UBERSTEALTH_PRODUCT_NAME L" " UBERSTEALTH_PRODUCT_VERSION_STRING L" (" UBERSTEALTH_SPECIAL_BUILD L")" 28 | #define REMOTESTEALTH_NAME REMOTESTEALTH_PRODUCT_NAME L" " UBERSTEALTH_PRODUCT_VERSION_STRING L" (" UBERSTEALTH_SPECIAL_BUILD L")" 29 | #define UBERSTEALTH_INFO_STRING UBERSTEALTH_NAME UBERSTEALTH_BUILD L", " UBERSTEALTH_COPYRIGHT 30 | #define REMOTESTEALTH_INFO_STRING REMOTESTEALTH_NAME UBERSTEALTH_BUILD L"\n" UBERSTEALTH_COPYRIGHT 31 | #else 32 | #define UBERSTEALTH_NAME UBERSTEALTH_PRODUCT_NAME L" " UBERSTEALTH_PRODUCT_VERSION_STRING 33 | #define REMOTESTEALTH_NAME REMOTESTEALTH_PRODUCT_NAME L" " UBERSTEALTH_PRODUCT_VERSION_STRING 34 | #define UBERSTEALTH_INFO_STRING UBERSTEALTH_NAME UBERSTEALTH_BUILD L", " UBERSTEALTH_COPYRIGHT 35 | #define REMOTESTEALTH_INFO_STRING REMOTESTEALTH_NAME UBERSTEALTH_BUILD L"\n" UBERSTEALTH_COPYRIGHT 36 | #endif 37 | -------------------------------------------------------------------------------- /uberstealthRemote/IDAStealthRemote.rc: -------------------------------------------------------------------------------- 1 | // Microsoft Visual C++ generated resource script. 2 | // 3 | #include "resource.h" 4 | 5 | #define APSTUDIO_READONLY_SYMBOLS 6 | ///////////////////////////////////////////////////////////////////////////// 7 | // 8 | // Generated from the TEXTINCLUDE 2 resource. 9 | // 10 | #include "afxres.h" 11 | 12 | ///////////////////////////////////////////////////////////////////////////// 13 | #undef APSTUDIO_READONLY_SYMBOLS 14 | 15 | ///////////////////////////////////////////////////////////////////////////// 16 | // English (U.S.) resources 17 | 18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) 19 | #ifdef _WIN32 20 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 21 | #pragma code_page(1252) 22 | #endif //_WIN32 23 | 24 | #ifdef APSTUDIO_INVOKED 25 | ///////////////////////////////////////////////////////////////////////////// 26 | // 27 | // TEXTINCLUDE 28 | // 29 | 30 | 1 TEXTINCLUDE 31 | BEGIN 32 | "resource.h\0" 33 | END 34 | 35 | 2 TEXTINCLUDE 36 | BEGIN 37 | "#include ""afxres.h""\r\n" 38 | "\0" 39 | END 40 | 41 | 3 TEXTINCLUDE 42 | BEGIN 43 | "\r\n" 44 | "\0" 45 | END 46 | 47 | #endif // APSTUDIO_INVOKED 48 | 49 | 50 | ///////////////////////////////////////////////////////////////////////////// 51 | // 52 | // DRV 53 | // 54 | 55 | IDR_RDTSC DRV "..\\RDTSCEmu\\driver\\objfre_wxp_x86\\i386\\RDTSCEmu.sys" 56 | IDR_STEALTH DRV "..\\StealthDriver\\StealthDriver\\objfre_wxp_x86\\i386\\StealthDriver.sys" 57 | #endif // English (U.S.) resources 58 | ///////////////////////////////////////////////////////////////////////////// 59 | 60 | 61 | 62 | #ifndef APSTUDIO_INVOKED 63 | ///////////////////////////////////////////////////////////////////////////// 64 | // 65 | // Generated from the TEXTINCLUDE 3 resource. 66 | // 67 | 68 | 69 | ///////////////////////////////////////////////////////////////////////////// 70 | #endif // not APSTUDIO_INVOKED 71 | 72 | -------------------------------------------------------------------------------- /uberstealth/IPCConfigExchangeWriter.cpp: -------------------------------------------------------------------------------- 1 | #include "IPCConfigExchangeWriter.h" 2 | 3 | uberstealth::IPCConfigExchangeWriter::IPCConfigExchangeWriter(unsigned int processId) : 4 | processID_(processId) { 5 | std::string name = getSegmentName(processId); 6 | try { 7 | boost::interprocess::shared_memory_object::remove(name.c_str()); 8 | segment_ = boost::interprocess::managed_shared_memory(boost::interprocess::create_only, name.c_str(), SegmentSize); 9 | segment_.construct(ConfigFileDataStr)[ConfigDataSegmentSize](0); 10 | segment_.construct(IDAProcessIDStr)[1](0); 11 | segment_.construct(PEHeaderDataStr)[1](); 12 | segment_.construct(PERestoreRequiredStr)[1](false); 13 | } catch (const std::exception&) { 14 | boost::interprocess::shared_memory_object::remove(name.c_str()); 15 | throw; 16 | } 17 | } 18 | 19 | uberstealth::IPCConfigExchangeWriter::~IPCConfigExchangeWriter() { 20 | boost::interprocess::shared_memory_object::remove(getSegmentName(processID_).c_str()); 21 | } 22 | 23 | void uberstealth::IPCConfigExchangeWriter::setProfileFile(const std::string& configFile) { 24 | std::pair segmentData = segment_.find(ConfigFileDataStr); 25 | strcpy_s(segmentData.first, segmentData.second, configFile.c_str()); 26 | } 27 | 28 | void uberstealth::IPCConfigExchangeWriter::setIDAProcessID(unsigned int processId) { 29 | std::pair segmentData = segment_.find(IDAProcessIDStr); 30 | *(segmentData.first) = processId; 31 | } 32 | 33 | void uberstealth::IPCConfigExchangeWriter::setIPCPEHeaderData(const IPCPEHeaderData& headerData) { 34 | std::pair segmentData = segment_.find(PEHeaderDataStr); 35 | *segmentData.first = headerData; 36 | } 37 | 38 | void uberstealth::IPCConfigExchangeWriter::setPERestoreRequired(bool required) { 39 | std::pair segmentData = segment_.find(PERestoreRequiredStr); 40 | *(segmentData.first) = required; 41 | } -------------------------------------------------------------------------------- /RDTSCEmu/driver/RDTSCEmu.WLH.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {fb460a60-409f-4900-a970-47d6c343e39b} 6 | cpp;c;cxx;def;asm;mc 7 | 8 | 9 | {1b774626-f48d-4533-8d87-cb317940ad71} 10 | h;hpp;hxx 11 | 12 | 13 | {1201496f-a038-4678-8b40-08ea14463d40} 14 | rc;mc;ico;cur;bmp;dlg;rc2 15 | 16 | 17 | {d411b50d-7eb2-4443-b72d-8e8c3b1a8c93} 18 | * 19 | 20 | 21 | 22 | 23 | Source Files 24 | 25 | 26 | Source Files 27 | 28 | 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | Header Files 44 | 45 | 46 | 47 | 48 | Resource Files 49 | 50 | 51 | 52 | 53 | Special Files 54 | 55 | 56 | Special Files 57 | 58 | 59 | -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/textdefs.h: -------------------------------------------------------------------------------- 1 | /* 2 | textdefs.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef TEXTDEFS_H 10 | #define TEXTDEFS_H 11 | 12 | #include "../config.h" 13 | 14 | #include "wstring.h" 15 | 16 | #define PLUS_DISP_CHR '+' 17 | #define MINUS_DISP_CHR '-' 18 | /* CHR0 is used for FPU, ST(i) register */ 19 | #define OPEN_CHR0 '(' 20 | #define CLOSE_CHR0 ')' 21 | #define OPEN_CHR '[' 22 | #define CLOSE_CHR ']' 23 | extern int8_t SEP_STR[3]; 24 | #define SEP_CHR ',' 25 | #define SP_CHR ' ' 26 | #define SEG_OFF_CHR ':' 27 | 28 | /* 29 | Naming Convention: 30 | 31 | * get - returns a pointer to a string. 32 | * str - concatenates to string. 33 | 34 | * hex - means the function is used for hex dump (number is padded to required size) - Little Endian output. 35 | * code - means the function is used for disassembled instruction - Big Endian output. 36 | * off - means the function is used for 64bit offset - Big Endian output. 37 | 38 | * sp - space character in front of the string. 39 | * h - '0x' in front of the string. 40 | 41 | * b - byte 42 | * w - word 43 | * dw - double word 44 | * qw - quad word 45 | 46 | * all numbers are in HEX. 47 | */ 48 | 49 | extern int8_t TextBTable[256][4]; 50 | 51 | _INLINE_ int8_t* get_hex_b(unsigned int x) 52 | { 53 | return &TextBTable[x & 255][1]; /* Skip space character. */ 54 | } 55 | 56 | void _FASTCALL_ str_hex_b(_WString* s, unsigned int x); 57 | void _FASTCALL_ str_code_hb(_WString* s, unsigned int x); 58 | 59 | void _FASTCALL_ str_hex_sp_b(_WString* s, unsigned int x); 60 | void _FASTCALL_ str_code_sp_hb(_WString* s, unsigned int x); 61 | 62 | void _FASTCALL_ str_hex_sp_w(_WString* s, unsigned int x); 63 | void _FASTCALL_ str_code_hw(_WString* s, unsigned int x); 64 | 65 | void _FASTCALL_ str_hex_sp_dw(_WString* s, uint32_t x); 66 | void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x); 67 | 68 | void _FASTCALL_ str_hex_sp_qw(_WString* s, uint8_t src[8]); 69 | void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8]); 70 | 71 | #ifdef SUPPORT_64BIT_OFFSET 72 | void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x); 73 | #endif 74 | 75 | #endif /* TEXTDEFS_H */ 76 | -------------------------------------------------------------------------------- /uberstealth/WTLWrapper.h: -------------------------------------------------------------------------------- 1 | // Global wrapper to encapsulate all WTL boiler plate code and to initialize the GUI. 2 | // This class is implemented in terms of a singleton. 3 | 4 | #include "WTLCommon.h" 5 | #include 6 | #include 7 | #include 8 | #include "UberstealthOptionsDialog.h" 9 | #include "version.h" 10 | 11 | #if defined _M_IX86 12 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"") 13 | #elif defined _M_IA64 14 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='ia64' publicKeyToken='6595b64144ccf1df' language='*'\"") 15 | #elif defined _M_X64 16 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"") 17 | #else 18 | #pragma comment(linker, "/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"") 19 | #endif 20 | 21 | namespace uberstealth { 22 | 23 | class WTLWrapper : public boost::noncopyable { 24 | public: 25 | static WTLWrapper& getInstance() { 26 | static WTLWrapper instance_; 27 | return instance_; 28 | } 29 | 30 | ~WTLWrapper() { 31 | module_.Term(); 32 | ::CoUninitialize(); 33 | } 34 | 35 | void showGUI(HWND hWndParent) { 36 | try { 37 | UberstealthOptionsDialog dlg(UBERSTEALTH_NAME); 38 | dlg.DoModal(hWndParent); 39 | } catch (const std::exception& e) { 40 | std::string err = "Error in options dialog: " + std::string(e.what()); 41 | ::MessageBox(hWndParent, StringToUnicode(err), L"uberstealth", MB_ICONERROR); 42 | } 43 | } 44 | 45 | private: 46 | WTLWrapper() { 47 | HRESULT hRes = ::CoInitialize(NULL); 48 | ATLASSERT(SUCCEEDED(hRes)); 49 | AtlInitCommonControls(ICC_BAR_CLASSES | ICC_LINK_CLASS); 50 | hRes = module_.Init(NULL, GetModuleHandle(NULL)); 51 | ATLASSERT(SUCCEEDED(hRes)); 52 | } 53 | 54 | CAppModule module_; 55 | }; 56 | 57 | } -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/drvversion.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Defines for the version information in the resource file 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Author: ddkwizard.assarbad.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVVERSION_H_VERSION__ 13 | #define __DRVVERSION_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | 20 | // --------------------------------------------------------------------------- 21 | // Several defines have to be given before including this file. These are: 22 | // --------------------------------------------------------------------------- 23 | #define TEXT_AUTHOR Jan Newger // author (optional value) 24 | #define PRD_MAJVER 1 // major product version 25 | #define PRD_MINVER 3 // minor product version 26 | #define PRD_BUILD 1 // build number for product 27 | #define FILE_MAJVER 1 // major file version 28 | #define FILE_MINVER 3 // minor file version 29 | #define FILE_BUILD 1 // build file number 30 | #define DRV_YEAR 2009-2010 // current year or timespan (e.g. 2003-2007) 31 | #define TEXT_WEBSITE http:/##/newgre.net // website 32 | #define TEXT_PRODUCTNAME StealthDriver // product's name 33 | #define TEXT_FILEDESC StealthDriver // component description 34 | #define TEXT_COMPANY // company 35 | #define TEXT_MODULE StealthDriver // module name 36 | #define TEXT_COPYRIGHT Copyright \xA9 DRV_YEAR TEXT_COMPANY // copyright information 37 | // #define TEXT_SPECIALBUILD // optional comment for special builds 38 | #define TEXT_INTERNALNAME StealthDriver.sys // copyright information 39 | // #define TEXT_COMMENTS // optional comments 40 | // --------------------------------------------------------------------------- 41 | // ... well, that's it. Pretty self-explanatory ;) 42 | // --------------------------------------------------------------------------- 43 | 44 | #endif // __DRVVERSION_H_VERSION__ 45 | -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/drvversion.rc: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// The version information resource. Depends on "drvversion.h" header file. 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Created by: ddkwizard\.assarbad\.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #include 13 | #include 14 | 15 | #ifdef RC_INVOKED 16 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 17 | #include "drvcommon.h" 18 | #include "drvversion.h" 19 | 20 | #ifdef DBG 21 | #define ACTUAL_FILEFLAGS VS_FF_DEBUG 22 | #else 23 | #define ACTUAL_FILEFLAGS 0 24 | #endif 25 | 26 | VS_VERSION_INFO VERSIONINFO 27 | FILEVERSION CREATE_XVER(FILE_MAJVER, FILE_MINVER, FILE_BUILD) 28 | PRODUCTVERSION CREATE_XVER(PRD_MAJVER, PRD_MINVER, 0) 29 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK 30 | FILEFLAGS ACTUAL_FILEFLAGS 31 | FILEOS VOS_NT 32 | FILETYPE VFT_DRV 33 | FILESUBTYPE VFT2_DRV_SYSTEM 34 | BEGIN 35 | BLOCK "StringFileInfo" 36 | BEGIN 37 | BLOCK "000004b0" 38 | BEGIN 39 | #ifdef TEXT_AUTHOR 40 | VALUE "Author", ANSISTRING(TEXT_AUTHOR) 41 | #endif 42 | #ifdef TEXT_COMMENTS 43 | VALUE "Comments", ANSISTRING(TEXT_COMMENTS) 44 | #endif 45 | VALUE "CompanyName", ANSISTRING(TEXT_COMPANY) 46 | VALUE "FileDescription", ANSISTRING(TEXT_FILEDESC) 47 | VALUE "FileVersion", ANSISTRING(CREATE_FVER(FILE_MAJVER, FILE_MINVER, FILE_BUILD)) 48 | VALUE "InternalName", ANSISTRING(TEXT_INTERNALNAME) 49 | VALUE "LegalCopyright", ANSISTRING(TEXT_COPYRIGHT) 50 | VALUE "OriginalFilename", ANSISTRING(TEXT_MODULE) 51 | VALUE "ProductName", ANSISTRING(TEXT_PRODUCTNAME) 52 | VALUE "ProductVersion", ANSISTRING(CREATE_PVER(PRD_MAJVER, PRD_MINVER, PRD_BUILD)) 53 | #ifdef TEXT_SPECIALBUILD 54 | VALUE "SpecialBuild", ANSISTRING(TEXT_SPECIALBUILD) 55 | #endif 56 | VALUE "Website", ANSISTRING(TEXT_WEBSITE) 57 | END 58 | END 59 | BLOCK "VarFileInfo" 60 | BEGIN 61 | VALUE "Translation", 0x0, 1200 62 | END 63 | END 64 | 65 | #endif // RC_INVOKED 66 | -------------------------------------------------------------------------------- /uberstealth/ConfigProvider.h: -------------------------------------------------------------------------------- 1 | // The uberstealth configuration dialog implements this interface so the individual 2 | // property sheets can listen to events and also trigger actions on their behalf. 3 | 4 | #pragma once 5 | 6 | #include 7 | #include 8 | #include 9 | #include "ProfileEventConsumer.h" 10 | 11 | namespace uberstealth { 12 | 13 | class ConfigProvider { 14 | public: 15 | ConfigProvider() { 16 | currentProfile_ = HideDebuggerProfile::readProfileFromFile(getCurrentProfileFile()); 17 | } 18 | 19 | void addListener(uberstealth::ProfileEventConsumer* consumer) { 20 | consumers_.push_back(consumer); 21 | } 22 | 23 | // Send loadProfile event to all listeners. 24 | void triggerLoadEvent() { 25 | BOOST_FOREACH(uberstealth::ProfileEventConsumer* consumer, consumers_) { 26 | consumer->loadProfile(currentProfile_); 27 | } 28 | } 29 | 30 | // Send flushProfile event to all listeners. 31 | void triggerFlushProfileEvent() { 32 | BOOST_FOREACH(uberstealth::ProfileEventConsumer* consumer, consumers_) { 33 | consumer->flushProfile(currentProfile_); 34 | } 35 | } 36 | 37 | // Send global enable state changed event to all listeners. 38 | void triggerChangeGlobalEnableState(bool globalEnable) { 39 | BOOST_FOREACH(uberstealth::ProfileEventConsumer* consumer, consumers_) { 40 | consumer->changeGlobalEnableState(globalEnable); 41 | } 42 | } 43 | 44 | // Switch profile and trigger loadProfile event. 45 | void triggerSwitchProfile(const std::string& profileName) { 46 | currentProfile_ = uberstealth::HideDebuggerProfile::readProfileByName(profileName); 47 | triggerLoadEvent(); 48 | } 49 | 50 | // Query all consumers to determine if the current profile has unchanged modifications. 51 | bool isProfileModified() const { 52 | bool modified = false; 53 | BOOST_FOREACH(uberstealth::ProfileEventConsumer* consumer, consumers_) { 54 | modified |= consumer->isProfileDirty(); 55 | } 56 | return modified; 57 | } 58 | 59 | const uberstealth::HideDebuggerProfile& getCurrentProfile() const { return currentProfile_; } 60 | 61 | private: 62 | std::vector consumers_; 63 | uberstealth::HideDebuggerProfile currentProfile_; 64 | }; 65 | 66 | } -------------------------------------------------------------------------------- /RDTSCEmu/driver/drvversion.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Defines for the version information in the resource file 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Author: ddkwizard.assarbad.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVVERSION_H_VERSION__ 13 | #define __DRVVERSION_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | 20 | // --------------------------------------------------------------------------- 21 | // Several defines have to be given before including this file. These are: 22 | // --------------------------------------------------------------------------- 23 | #define TEXT_AUTHOR // author (optional value) 24 | #define PRD_MAJVER 1 // major product version 25 | #define PRD_MINVER 0 // minor product version 26 | #define PRD_BUILD 0 // build number for product 27 | #define FILE_MAJVER 1 // major file version 28 | #define FILE_MINVER 0 // minor file version 29 | #define FILE_BUILD 0 // build file number 30 | #define DRV_YEAR 2009 // current year or timespan (e.g. 2003-2007) 31 | #define TEXT_WEBSITE http:/##/www.newgre.net // website 32 | #define TEXT_PRODUCTNAME Supercool driver-based tool // product's name 33 | #define TEXT_FILEDESC The driver for the supercool driver-based tool // component description 34 | #define TEXT_COMPANY // company 35 | #define TEXT_MODULE RDTSCEmu // module name 36 | #define TEXT_COPYRIGHT Copyright \xA9 DRV_YEAR TEXT_COMPANY // copyright information 37 | // #define TEXT_SPECIALBUILD // optional comment for special builds 38 | #define TEXT_INTERNALNAME RDTSCEmu.sys // copyright information 39 | // #define TEXT_COMMENTS // optional comments 40 | // --------------------------------------------------------------------------- 41 | // ... well, that's it. Pretty self-explanatory ;) 42 | // --------------------------------------------------------------------------- 43 | 44 | #endif // __DRVVERSION_H_VERSION__ 45 | -------------------------------------------------------------------------------- /uberstealth/UberstealthDriversPage.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "WTLCommon.h" 5 | #include "UberstealthPropertyPage.h" 6 | #include 7 | #include "ProfileEventConsumer.h" 8 | #include "resource.h" 9 | 10 | namespace uberstealth { 11 | 12 | class UberstealthDriversPage : public UberstealthPropertyPage 13 | { 14 | public: 15 | UberstealthDriversPage(ConfigProvider* configProvider) : 16 | UberstealthPropertyPage(configProvider) {} 17 | 18 | void loadProfile(const uberstealth::HideDebuggerProfile& profile); 19 | void flushProfile(uberstealth::HideDebuggerProfile& profile); 20 | bool isProfileDirty(); 21 | 22 | protected: 23 | void enableControls(bool enabled); 24 | 25 | private: 26 | int uberstealth::UberstealthDriversPage::getRDTSCMode() const; 27 | int uberstealth::UberstealthDriversPage::getRDTSCDelta() const; 28 | WTL::CString uberstealth::UberstealthDriversPage::getRDTSCName() const; 29 | WTL::CString uberstealth::UberstealthDriversPage::getStealthName() const; 30 | 31 | typedef UberstealthPropertyPage BasePropertyPage; 32 | 33 | BEGIN_MSG_MAP(UberstealthDriversPage) 34 | COMMAND_HANDLER(IDC_RDTSC, BN_CLICKED, OnRDTSCClick) 35 | CHAIN_MSG_MAP(CPropertyPageImpl) 36 | CHAIN_MSG_MAP(BasePropertyPage) 37 | END_MSG_MAP() 38 | 39 | BEGIN_DDX_MAP(UberstealthDriversPage) 40 | DDX_CHECK(IDC_RDTSC, useRDTSC_) 41 | DDX_RADIO(IDC_RDTSC_ZERO, rdbIndex_) 42 | DDX_CHECK(IDC_UNLOAD_DRIVER, unloadRDTSCDrv_) 43 | DDX_CHECK(IDC_USE_RDTSC_NAME, useRDTSCName_) 44 | DDX_CHECK(IDC_USE_STEALTH_NAME, useStealthName_) 45 | DDX_INT(IDC_RDTSC_DELTA, rdtscDelta_) 46 | DDX_CHECK(IDC_UNLOAD_STEALTH_DRV, unloadStealthDrv_) 47 | DDX_CHECK(IDC_NTSIT_DRV, ntSITDrv_) 48 | DDX_CHECK(IDC_NTQIP_DRV, ntQIPDrv_) 49 | DDX_TEXT(IDC_RDTSC_NAME, rdtscName_) 50 | DDX_TEXT(IDC_STEALTH_NAME, stealthName_) 51 | END_DDX_MAP() 52 | 53 | void updateRDBs(HWND hWndCheckBox); 54 | LRESULT OnRDTSCClick(WORD wNotifyCode, WORD wID, HWND hWndCtl, BOOL& bHandled); 55 | 56 | bool useRDTSC_; 57 | bool unloadRDTSCDrv_; 58 | bool unloadStealthDrv_; 59 | bool ntSITDrv_; 60 | bool ntQIPDrv_; 61 | bool useRDTSCName_; 62 | bool useStealthName_; 63 | WTL::CString rdtscName_; 64 | WTL::CString stealthName_; 65 | int rdtscDelta_; 66 | int rdbIndex_; 67 | }; 68 | 69 | } -------------------------------------------------------------------------------- /RDTSCEmu/driver/RDTSCEmu.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RDTSCEmu.WLH", "RDTSCEmu.WLH.vcxproj", "{8B566A2C-41AC-40FF-B1EF-8AD47A208093}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | WLH checked|Win32 = WLH checked|Win32 9 | WLH free|Win32 = WLH free|Win32 10 | WLH2K checked|Win32 = WLH2K checked|Win32 11 | WLH2K free|Win32 = WLH2K free|Win32 12 | WLHNET checked|Win32 = WLHNET checked|Win32 13 | WLHNET free|Win32 = WLHNET free|Win32 14 | WLHXP checked|Win32 = WLHXP checked|Win32 15 | WLHXP free|Win32 = WLHXP free|Win32 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH checked|Win32.ActiveCfg = WLH checked|Win32 19 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH checked|Win32.Build.0 = WLH checked|Win32 20 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH free|Win32.ActiveCfg = WLH free|Win32 21 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH free|Win32.Build.0 = WLH free|Win32 22 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH2K checked|Win32.ActiveCfg = WLH2K checked|Win32 23 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH2K checked|Win32.Build.0 = WLH2K checked|Win32 24 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH2K free|Win32.ActiveCfg = WLH2K free|Win32 25 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLH2K free|Win32.Build.0 = WLH2K free|Win32 26 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHNET checked|Win32.ActiveCfg = WLHNET checked|Win32 27 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHNET checked|Win32.Build.0 = WLHNET checked|Win32 28 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHNET free|Win32.ActiveCfg = WLHNET free|Win32 29 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHNET free|Win32.Build.0 = WLHNET free|Win32 30 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHXP checked|Win32.ActiveCfg = WLHXP checked|Win32 31 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHXP checked|Win32.Build.0 = WLHXP checked|Win32 32 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHXP free|Win32.ActiveCfg = WLHXP free|Win32 33 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.WLHXP free|Win32.Build.0 = WLHXP free|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | EndGlobal 39 | -------------------------------------------------------------------------------- /uberstealth/IDAEngine.h: -------------------------------------------------------------------------------- 1 | // The IDA specific functions required to implement uberstealth. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include 7 | #include "IDACommon.h" 8 | #include 9 | 10 | // Template specialization needed for boost::unordered_set. 11 | namespace boost { 12 | template<> 13 | struct hash { 14 | size_t operator()(const exception_info_t& exceptionInfo) const { 15 | size_t hash = 0; 16 | boost::hash_combine(hash, exceptionInfo.code); 17 | boost::hash_combine(hash, exceptionInfo.flags); 18 | boost::hash_range(hash, exceptionInfo.name.begin(), exceptionInfo.name.end()); 19 | boost::hash_range(hash, exceptionInfo.desc.begin(), exceptionInfo.desc.end()); 20 | return hash; 21 | } 22 | }; 23 | } 24 | 25 | // Template specialization needed for boost::unordered_set. 26 | namespace std { 27 | template<> 28 | struct equal_to : public std::unary_function { 29 | bool operator()(const exception_info_t& lhs, const exception_info_t& rhs) const { 30 | bool found = lhs.code == rhs.code && 31 | lhs.flags == rhs.flags && 32 | lhs.name == rhs.name && 33 | lhs.desc == rhs.desc; 34 | return found; 35 | } 36 | }; 37 | } 38 | 39 | namespace uberstealth { 40 | 41 | class IDALogger { 42 | public: 43 | IDALogger(); 44 | void logString(const char* str, ...) const; 45 | 46 | private: 47 | HWND hIDAWnd_; 48 | unsigned int idaMainThread_; 49 | }; 50 | 51 | class IDAEngine { 52 | public: 53 | ~IDAEngine(); 54 | bool setBreakpoint(uintptr_t address) const; 55 | bool removeBreakpoint(uintptr_t address) const; 56 | void setExceptionOption(unsigned int exceptionCode, bool ignore); 57 | bool continueProcess() const; 58 | 59 | private: 60 | struct ExceptionFilter { 61 | ExceptionFilter(const boost::unordered_set* addedExceptions) : 62 | addedExceptions_(addedExceptions) {} 63 | 64 | bool operator()(const exception_info_t& exceptionInfo) const { 65 | return addedExceptions_->find(exceptionInfo) != addedExceptions_->end(); 66 | } 67 | const boost::unordered_set* addedExceptions_; 68 | }; 69 | 70 | void showExceptionDialog(bool ignoreException) const; 71 | const exception_info_t* uberstealth::IDAEngine::findException(unsigned int exceptionCode) const; 72 | void restoreExceptions(); 73 | 74 | boost::unordered_set addedExceptions_; 75 | }; 76 | 77 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | /StealthDriver/StealthDriver/objchk_wxp_x86 3 | /StealthDriver/StealthDriver/objfre_wxp_x86 4 | /StealthDriver/StealthDriver/buildfre_wxp_x86.log 5 | /StealthDriver/StealthDriver/buildfre_wxp_x86.wrn 6 | /StealthDriver/StealthDriver/BuildLog.htm 7 | /StealthDriver/StealthDriver/buildchk_wxp_x86.log 8 | /StealthDriver/StealthDriver/buildchk_wxp_x86.wrn 9 | /uberstealth/Debug 10 | /uberstealth/Release 11 | /RDTSCEmu/driver/objchk_wxp_x86 12 | /RDTSCEmu/driver/objfre_wxp_x86 13 | /RDTSCEmu/driver/buildfre_wxp_x86.log 14 | /RDTSCEmu/driver/buildfre_wxp_x86.wrn 15 | /RDTSCEmu/driver/BuildLog.htm 16 | /RDTSCEmu/driver/buildchk_wxp_x86.log 17 | /RDTSCEmu/driver/buildchk_wxp_x86.wrn 18 | /HideDebugger/Debug 19 | /HideDebugger/Release 20 | /HideDebugger/OllyStealth Debug/ 21 | /HideDebugger/OllyStealth Release/ 22 | /uberstealth/OllyStealth Debug/ 23 | /uberstealth/OllyStealth Release/ 24 | /uberstealthRemote/Debug/BuildLog.htm 25 | /uberstealthRemote/Debug/DriverControl.obj 26 | /uberstealthRemote/Debug/GenericInjector.obj 27 | /uberstealthRemote/Debug/HideDebuggerProfile.obj 28 | /uberstealthRemote/Debug/IATModifier.obj 29 | /uberstealthRemote/Debug/IDAStealthRemote.exe.embed.manifest 30 | /uberstealthRemote/Debug/IDAStealthRemote.obj 31 | /uberstealthRemote/Debug/IPCConfigExchangeCommon.obj 32 | /uberstealthRemote/Debug/IPCConfigExchangeWriter.obj 33 | /uberstealthRemote/Debug/InjectLib.obj 34 | /uberstealthRemote/Debug/Process.obj 35 | /uberstealthRemote/Debug/RemoteLibCall.obj 36 | /uberstealthRemote/Debug/ResourceItem.obj 37 | /uberstealthRemote/Debug/vc90.idb 38 | /uberstealthRemote/Debug/vc90.pdb 39 | /uberstealthRemote/IDAStealthRemote.ncb 40 | /uberstealthRemote/IDAStealthRemote.suo 41 | /uberstealthRemote/IDAStealthRemote.vcproj.octon-PC.octon.user 42 | /uberstealthRemote/Debug/IDAStealthRemote.exe 43 | /uberstealthRemote/Debug/IDAStealthRemote.exe.embed.manifest.res 44 | /uberstealthRemote/Debug/IDAStealthRemote.exe.intermediate.manifest 45 | /uberstealthRemote/Debug/IDAStealthRemote.exp 46 | /uberstealthRemote/Debug/IDAStealthRemote.ilk 47 | /uberstealthRemote/Debug/IDAStealthRemote.lib 48 | /uberstealthRemote/Debug/IDAStealthRemote.pdb 49 | /uberstealthRemote/Debug/IDAStealthRemote.res 50 | /uberstealthRemote/Debug/InjectionBeacon.obj 51 | /uberstealthRemote/Debug/RemoteStealthServer.obj 52 | /uberstealthRemote/Debug/RemoteStealthSession.obj 53 | /uberstealthRemote/Debug/StringHelper.obj 54 | /uberstealthRemote/Debug/TemporaryConfigFile.obj 55 | /uberstealthRemote/Debug/mt.dep 56 | /uberstealthRemote/enc_temp_folder/enc1C42.tmp -------------------------------------------------------------------------------- /HideDebugger/ObjectTextSerialization.h: -------------------------------------------------------------------------------- 1 | // Provides text serialization of arbitrary objects to be sent across the network, process boundaries, etc. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include 7 | #include 8 | #pragma warning(disable : 4512) 9 | #include 10 | #include 11 | #pragma warning(default : 4512) 12 | #include 13 | #include 14 | 15 | namespace uberstealth { 16 | const int HeaderLength = 8; 17 | 18 | template 19 | void deserialize(structT& item, recvHandlerT recv) { 20 | // First read header. 21 | char inboundHeader[HeaderLength]; 22 | recv(boost::asio::buffer(inboundHeader)); 23 | 24 | istringstream is(std::string(inboundHeader, HeaderLength)); 25 | size_t inboundDataSize = 0; 26 | if (!(is >> hex >> inboundDataSize)) 27 | throw std::runtime_error("Error while processing inbound data: invalid header received"); 28 | 29 | // Header is correct, so read data. 30 | std::vector inboundData(inboundDataSize); 31 | recv(boost::asio::buffer(inboundData)); 32 | try { 33 | std::string archiveString(&inboundData[0], inboundData.size()); 34 | std::istringstream archiveStream(archiveString); 35 | boost::archive::text_iarchive archive(archiveStream); 36 | archive >> item; 37 | } 38 | catch (const std::exception&) { 39 | throw std::runtime_error("Error while processing inbound data: unable to deserialize protocol buffer"); 40 | } 41 | } 42 | 43 | template 44 | void serialize(const structT& item, typename transportT) { 45 | ostringstream archiveStream; 46 | boost::archive::text_oarchive archive(archiveStream); 47 | archive << item; 48 | std::string outboundData = archiveStream.str(); 49 | 50 | std::ostringstream headerStream; 51 | headerStream << setw(HeaderLength) << hex << outboundData.size(); 52 | if (!headerStream || headerStream.str().size() != HeaderLength) 53 | throw std::runtime_error("Error while processing outbound data: unable to serialize protocol buffer"); 54 | 55 | // Gather buffers and write at once. 56 | std::vector buffers; 57 | std::string headerString = headerStream.str(); 58 | buffers.push_back(boost::asio::buffer(headerString)); 59 | buffers.push_back(boost::asio::buffer(outboundData)); 60 | // write data to socket/whatever 61 | //boost::asio::write(socket_, buffers); 62 | //send(buffers); 63 | } 64 | } -------------------------------------------------------------------------------- /uberstealth/UberstealthOptionsDialog.h: -------------------------------------------------------------------------------- 1 | // Manages the options dialog for the plugin, contains all tab pages and sends events regarding the profiles to the tab pages. 2 | 3 | #pragma once 4 | 5 | #include "WTLCommon.h" 6 | #include 7 | #include 8 | #include 9 | #include "UberstealthPage1.h" 10 | #include "UberstealthPage2.h" 11 | #include "UberstealthDriversPage.h" 12 | #include "UberstealthAboutPage.h" 13 | #include "UberstealthPageMisc.h" 14 | 15 | namespace uberstealth { 16 | 17 | class UberstealthOptionsDialog : public CPropertySheetImpl { 18 | public: 19 | UberstealthOptionsDialog(LPCTSTR title) : 20 | CPropertySheetImpl(title) { 21 | configProvider_ = boost::make_shared(); 22 | page1_ = boost::shared_ptr(new UberstealthPage1(configProvider_.get())); 23 | page2_ = boost::shared_ptr(new UberstealthPage2(configProvider_.get())); 24 | page3_ = boost::shared_ptr(new UberstealthDriversPage(configProvider_.get())); 25 | page4_ = boost::shared_ptr(new UberstealthPageMisc(configProvider_.get())); 26 | pageAbout_ = boost::shared_ptr(new UberstealthAboutPage()); 27 | AddPage(*page1_); 28 | AddPage(*page2_); 29 | AddPage(*page3_); 30 | AddPage(*page4_); 31 | AddPage(*pageAbout_); 32 | m_psh.dwFlags |= PSH_NOAPPLYNOW | PSH_NOCONTEXTHELP; 33 | } 34 | 35 | private: 36 | BEGIN_MSG_MAP(UberstealthOptionsDialog) 37 | MESSAGE_HANDLER(WM_SHOWWINDOW, OnShowWindow) 38 | COMMAND_ID_HANDLER(IDOK, OnOkButton) 39 | CHAIN_MSG_MAP(CPropertySheetImpl) 40 | END_MSG_MAP() 41 | 42 | LRESULT OnShowWindow(UINT /*uMsg*/, WPARAM wParam, LPARAM /*lParam*/, BOOL& bHandled) { 43 | if (wParam == TRUE) CenterWindow(); 44 | bHandled = FALSE; 45 | return 0; 46 | } 47 | 48 | LRESULT OnOkButton(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& bHandled) { 49 | bHandled = FALSE; 50 | configProvider_->triggerFlushProfileEvent(); 51 | HideDebuggerProfile::writeProfileByName(configProvider_->getCurrentProfile(), getCurrentProfileName()); 52 | return 0; 53 | } 54 | 55 | boost::shared_ptr page1_; 56 | boost::shared_ptr page2_; 57 | boost::shared_ptr page3_; 58 | boost::shared_ptr page4_; 59 | boost::shared_ptr pageAbout_; 60 | boost::shared_ptr configProvider_; 61 | }; 62 | 63 | } -------------------------------------------------------------------------------- /DynamicDriverName/DynamicDriverName.cpp: -------------------------------------------------------------------------------- 1 | #include "DynamicDriverName.h" 2 | 3 | UNICODE_STRING DynamicDeviceName = {0, 0, 0}; 4 | UNICODE_STRING DynamicDosDeviceName = {0, 0, 0}; 5 | 6 | PCWSTR devPrefix = L"\\Device\\"; 7 | PCWSTR dosPrefix = L"\\DosDevices\\"; 8 | 9 | bool buildDeviceName(PUNICODE_STRING dest, PCWSTR namePrefix, PCWSTR devName) 10 | { 11 | size_t bufLen = (wcslen(namePrefix) + wcslen(devName) + 1) * sizeof(WCHAR); 12 | PWSTR devNameBuf = (PWSTR)ExAllocatePool(PagedPool, bufLen); 13 | if (!devNameBuf) return false; 14 | if (dest->Buffer) ExFreePool(dest->Buffer); 15 | 16 | RtlStringCbCopyW(devNameBuf, bufLen, namePrefix); 17 | RtlStringCbCatW(devNameBuf, bufLen, devName); 18 | RtlInitUnicodeString(dest, devNameBuf); 19 | return true; 20 | } 21 | 22 | // we get our own name so we can create the device objects based on this 23 | // this allows us to be started with a custom name 24 | PWSTR getNameFromRegistry(PUNICODE_STRING registryPath) 25 | { 26 | UNICODE_STRING registryKey; 27 | UNICODE_STRING valueName; 28 | OBJECT_ATTRIBUTES objAttr; 29 | HANDLE hKey; 30 | 31 | RtlInitUnicodeString(&valueName, L"DisplayName"); 32 | InitializeObjectAttributes(&objAttr, registryPath, OBJ_KERNEL_HANDLE, NULL, NULL); 33 | 34 | PWSTR result = NULL; 35 | 36 | NTSTATUS status = ZwOpenKey(&hKey, KEY_READ, &objAttr); 37 | if (NT_SUCCESS(status)) 38 | { 39 | ULONG size = 0; 40 | status = ZwQueryValueKey(hKey, &valueName, KeyValuePartialInformation, NULL, 0, &size); 41 | if (status == STATUS_BUFFER_TOO_SMALL && size > 0) 42 | { 43 | PKEY_VALUE_PARTIAL_INFORMATION vpip = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool, size); 44 | if (vpip) 45 | { 46 | status = ZwQueryValueKey(hKey, &valueName, KeyValuePartialInformation, vpip, size, &size); 47 | if (NT_SUCCESS(status)) 48 | { 49 | result = (PWSTR)ExAllocatePool(PagedPool, vpip->DataLength); 50 | RtlStringCbCopyW(result, vpip->DataLength, (PCWSTR)vpip->Data); 51 | ExFreePool(vpip); 52 | } 53 | } 54 | } 55 | ZwClose(hKey); 56 | } 57 | 58 | return result; 59 | } 60 | 61 | // build device driver names by examining the drivers' registry path 62 | bool initDeviceNames(PUNICODE_STRING registryPath) 63 | { 64 | PWSTR customName = getNameFromRegistry(registryPath); 65 | if (!customName) return false; 66 | bool retVal = false; 67 | 68 | if (buildDeviceName(&DynamicDeviceName, devPrefix, customName) 69 | && buildDeviceName(&DynamicDosDeviceName, dosPrefix, customName)) 70 | { 71 | retVal = true; 72 | } 73 | ExFreePool(customName); 74 | return retVal; 75 | } -------------------------------------------------------------------------------- /uberstealth/UberstealthPage1.h: -------------------------------------------------------------------------------- 1 | // Represents the first tab page of the options dialog. 2 | 3 | #pragma once 4 | 5 | #include "WTLCommon.h" 6 | #include 7 | #include "UberstealthPropertyPage.h" 8 | #include 9 | #include "resource.h" 10 | 11 | namespace uberstealth { 12 | 13 | class UberstealthPage1 : public UberstealthPropertyPage 14 | { 15 | public: 16 | enum { IDD = IDD_DIALOG1 }; 17 | 18 | UberstealthPage1(ConfigProvider* configProvider) : 19 | UberstealthPropertyPage(configProvider), 20 | ddxError_(false) {} 21 | 22 | void OnDataExchangeError(UINT nCtrlID, BOOL bSave); 23 | void loadProfile(const uberstealth::HideDebuggerProfile& profile); 24 | void flushProfile(uberstealth::HideDebuggerProfile& profile); 25 | bool isProfileDirty(); 26 | 27 | int OnApply() 28 | { 29 | return ddxError_ ? PSNRET_INVALID_NOCHANGEPAGE : PSNRET_NOERROR; 30 | } 31 | 32 | protected: 33 | void enableControls(bool enabled); 34 | 35 | private: 36 | int getTickCountDelta(); 37 | 38 | // we need a typedef - otherwise macro throws errors 39 | typedef UberstealthPropertyPage BasePropertyPage; 40 | 41 | BEGIN_MSG_MAP(UberstealthPage1) 42 | COMMAND_HANDLER(IDC_DBGSTART, BN_CLICKED, OnDbgEnableClick) 43 | COMMAND_HANDLER(IDC_DBGATTACH, BN_CLICKED, OnDbgEnableClick) 44 | CHAIN_MSG_MAP(CPropertyPageImpl) 45 | CHAIN_MSG_MAP(BasePropertyPage) 46 | END_MSG_MAP() 47 | 48 | BEGIN_DDX_MAP(UberstealthPage1) 49 | DDX_CHECK(IDC_NTQO, ntQueryObj_) 50 | DDX_CHECK(IDC_RTLNTGF, rtlGetFlags_) 51 | DDX_CHECK(IDC_NTQSI, ntQuerySysInfo_) 52 | DDX_CHECK(IDC_NTQIP, ntQueryInfoProc_) 53 | DDX_CHECK(IDC_GETTICKCOUNT, getTickCount_) 54 | DDX_CHECK(IDC_PROTECTDRS, protectDRs_) 55 | DDX_CHECK(IDC_GETVERSION, getVersion_) 56 | DDX_CHECK(IDC_NTCLOSE, ntClose_) 57 | DDX_CHECK(IDC_DBGPRESENT, dbgPresent_) 58 | DDX_CHECK(IDC_NTGF, ntGF_) 59 | DDX_CHECK(IDC_NTHF, ntHF_) 60 | DDX_INT(IDC_TICK_DELTA, tickDelta_) 61 | DDX_CHECK(IDC_DBGATTACH, dbgAttach_) 62 | DDX_CHECK(IDC_DBGSTART, dbgStart_) 63 | END_DDX_MAP() 64 | 65 | LRESULT OnDbgEnableClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/); 66 | 67 | bool ntQueryObj_; 68 | bool rtlGetFlags_; 69 | bool ntQuerySysInfo_; 70 | bool ntQueryInfoProc_; 71 | bool getTickCount_; 72 | bool protectDRs_; 73 | bool getVersion_; 74 | bool ntClose_; 75 | bool dbgPresent_; 76 | bool ntGF_; 77 | bool ntHF_; 78 | int tickDelta_; 79 | bool dbgAttach_; 80 | bool dbgStart_; 81 | bool oldState_; 82 | bool ddxError_; 83 | }; 84 | 85 | } -------------------------------------------------------------------------------- /uberstealthRemote/RemoteStealthConnection.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Provides serialization of arbitrary objects over boost asio sockets 4 | 5 | #include 6 | #include 7 | #pragma warning(disable : 4512) 8 | #include 9 | #include 10 | #pragma warning(default : 4512) 11 | #include 12 | #include 13 | 14 | namespace uberstealth { 15 | 16 | class RemoteStealthConnection { 17 | public: 18 | RemoteStealthConnection(boost::asio::io_service& ioService) : 19 | socket_(ioService) {} 20 | 21 | boost::asio::ip::tcp::socket& socket() { return socket_; } 22 | 23 | template 24 | void syncRead(structT& item) { 25 | char inboundHeader[HeaderLength]; 26 | boost::asio::read(socket_, boost::asio::buffer(inboundHeader)); 27 | std::istringstream is(std::string(inboundHeader, HeaderLength)); 28 | size_t inboundDataSize = 0; 29 | if (!(is >> std::hex >> inboundDataSize)) { 30 | throw std::runtime_error("Error while processing inbound data: received invalid header."); 31 | } 32 | 33 | std::vector inboundData(inboundDataSize); 34 | boost::asio::read(socket_, boost::asio::buffer(inboundData)); 35 | try { 36 | std::string archiveString(&inboundData[0], inboundData.size()); 37 | std::istringstream archiveStream(archiveString); 38 | boost::archive::text_iarchive archive(archiveStream); 39 | archive >> item; 40 | } 41 | catch (const std::exception&) { 42 | throw std::runtime_error("Error while processing inbound data: unable to deserialize protocol buffer."); 43 | } 44 | } 45 | 46 | template 47 | void syncWrite(const structT& item) { 48 | std::ostringstream archiveStream; 49 | boost::archive::text_oarchive archive(archiveStream); 50 | archive << item; 51 | std::string outboundData = archiveStream.str(); 52 | 53 | std::ostringstream headerStream; 54 | headerStream << std::setw(HeaderLength) << std::hex << outboundData.size(); 55 | if (!headerStream || headerStream.str().size() != HeaderLength) { 56 | throw std::runtime_error("Error while processing outbound data: unable to serialize protocol buffer."); 57 | } 58 | 59 | // Gather buffers and write at once. 60 | std::vector buffers; 61 | std::string headerString = headerStream.str(); 62 | buffers.push_back(boost::asio::buffer(headerString)); 63 | buffers.push_back(boost::asio::buffer(outboundData)); 64 | boost::asio::write(socket_, buffers); 65 | } 66 | 67 | private: 68 | boost::asio::ip::tcp::socket socket_; 69 | static const int HeaderLength = 8; 70 | }; 71 | } -------------------------------------------------------------------------------- /HideDebugger/ThreadDebugRegisterState.cpp: -------------------------------------------------------------------------------- 1 | #include "ThreadDebugRegisterState.h" 2 | 3 | /** 4 | * Updates the state of the thread by emulating an immediate modification 5 | * of the thread context by means of the SetThreadContext API. 6 | * Note: this method assumes that the supplied context is writable. 7 | * 8 | * Returns true if the original API should be called with the modified context, false otherwise. 9 | **/ 10 | bool ThreadDebugRegisterState::handleSetContext(LPCONTEXT context) 11 | { 12 | if (context->ContextFlags & CONTEXT_DEBUG_REGISTERS) 13 | { 14 | // Clear debug registers from the context flags while leaving all other flags intact 15 | context->ContextFlags &= ~0x00000010; 16 | 17 | debugRegisters_ = copyFromContext(context); 18 | 19 | // If the context flags include any other parts of the context 20 | // the original API has to be called 21 | return (context->ContextFlags & ~CONTEXT_i386) != 0; 22 | } 23 | 24 | return true; 25 | } 26 | 27 | /** 28 | * Updates the supplied context with the internal state of the thread. 29 | * Note: this method assumes that the supplied context is writable. 30 | **/ 31 | void ThreadDebugRegisterState::handleGetContext(const LPCONTEXT context) const 32 | { 33 | // Simply copy the emulated debug registers state to the context: if the emulation 34 | // was never assigned to, this operation sets all debug registers to zero 35 | if (context->ContextFlags & CONTEXT_DEBUG_REGISTERS) 36 | { 37 | copyToContext(debugRegisters_, context); 38 | } 39 | } 40 | 41 | /** 42 | * Updates the internal state with the original context from the OS before an SEH handler is invoked. 43 | **/ 44 | void ThreadDebugRegisterState::handlePreSEH(LPCONTEXT context) 45 | { 46 | preSehDebugRegisters_ = copyFromContext(context); 47 | copyToContext(debugRegisters_, context); 48 | } 49 | 50 | void ThreadDebugRegisterState::handlePostSEH(LPCONTEXT context) 51 | { 52 | // copy (possibly) modified context to emulation, but copy the actual debug registers to the context 53 | debugRegisters_ = copyFromContext(context); 54 | copyToContext(preSehDebugRegisters_, context); 55 | } 56 | 57 | void ThreadDebugRegisterState::copyToContext(const DebugRegisters& debugRegisters, LPCONTEXT context) const 58 | { 59 | context->Dr0 = debugRegisters.dr0; 60 | context->Dr1 = debugRegisters.dr1; 61 | context->Dr2 = debugRegisters.dr2; 62 | context->Dr3 = debugRegisters.dr3; 63 | context->Dr6 = debugRegisters.dr6; 64 | context->Dr7 = debugRegisters.dr7; 65 | } 66 | 67 | ThreadDebugRegisterState::DebugRegisters ThreadDebugRegisterState::copyFromContext(LPCONTEXT context) const 68 | { 69 | return DebugRegisters(context->Dr0, context->Dr1, context->Dr2, context->Dr3, context->Dr6, context->Dr7); 70 | } -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/StealthDriver.W7.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {180a4fda-8d29-40c3-b510-0cac8831be7c} 6 | cpp;c;cxx;def;asm;mc 7 | 8 | 9 | {ee4ef761-735e-414b-a116-2430180bc36d} 10 | h;hpp;hxx 11 | 12 | 13 | {ad7fdc42-ed2a-4ac8-a5d1-d4fcf9c1c869} 14 | rc;mc;ico;cur;bmp;dlg;rc2 15 | 16 | 17 | {c702abf3-4c97-493d-8b01-1ddefb15b7e2} 18 | * 19 | 20 | 21 | {d82a281b-1749-4ebc-88da-b66f357dc358} 22 | 23 | 24 | 25 | 26 | Source Files 27 | 28 | 29 | Source Files 30 | 31 | 32 | DynamicDriverName 33 | 34 | 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | Header Files 44 | 45 | 46 | Header Files 47 | 48 | 49 | Header Files 50 | 51 | 52 | DynamicDriverName 53 | 54 | 55 | 56 | 57 | Resource Files 58 | 59 | 60 | 61 | 62 | Special Files 63 | 64 | 65 | Special Files 66 | 67 | 68 | -------------------------------------------------------------------------------- /uberstealthRemote/RemoteStealthServer.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #pragma warning(disable : 4244 4512) 3 | #include 4 | #pragma warning(default : 4244 4512) 5 | #include 6 | #include 7 | #include "RemoteStealthServer.h" 8 | #include "RemoteStealthSession.h" 9 | #include "TemporaryConfigFile.h" 10 | 11 | uberstealth::RemoteStealthServer::RemoteStealthServer(boost::asio::io_service& ioService, unsigned short port) : 12 | acceptor_(ioService, boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), port)), 13 | ioService_(ioService) {} 14 | 15 | void uberstealth::RemoteStealthServer::run() { 16 | for (;;) { 17 | boost::shared_ptr connection = boost::make_shared(boost::ref(ioService_)); 18 | acceptor_.accept(connection->socket()); 19 | std::cout << "Accepted connection from " << connection->socket().remote_endpoint().address() << std::endl; 20 | boost::thread t(boost::bind(&RemoteStealthServer::session, this, connection)); 21 | } 22 | } 23 | 24 | void uberstealth::RemoteStealthServer::session(boost::shared_ptr connection) { 25 | try { 26 | boost::shared_ptr stealthSession; 27 | boost::shared_ptr configFile; 28 | 29 | for (;;) { 30 | RSProtocolItem item; 31 | connection->syncRead(item); 32 | 33 | try { 34 | switch (item.procEvent) { 35 | case ProcessStart: 36 | std::cout << "process start: process ID = " << item.processID << ", base addr = 0x" << std::hex << item.baseAddress << std::endl; 37 | configFile = boost::make_shared(item.serializedConfigFile); 38 | stealthSession = boost::make_shared(configFile->getFileName()); 39 | stealthSession->handleProcessStart(item.processID, item.baseAddress); 40 | break; 41 | 42 | case ProcessAttach: 43 | configFile = boost::make_shared(item.serializedConfigFile); 44 | stealthSession = boost::make_shared(configFile->getFileName()); 45 | stealthSession->handleDbgAttach(item.processID); 46 | break; 47 | 48 | case ProcessExit: 49 | stealthSession->handleProcessExit(); 50 | break; 51 | } 52 | } 53 | catch (std::exception& e) { 54 | std::cerr << "Error while handling protocol item: " << e.what() << std::endl; 55 | connection->syncWrite(RSProtocolResponse(false, e.what())); 56 | return; 57 | } 58 | connection->syncWrite(RSProtocolResponse(true, "")); 59 | if (item.procEvent == ProcessExit) return; 60 | } 61 | } 62 | catch (const std::exception& e) { 63 | std::cerr << "Error while handling connection: " << e.what() << std::endl; 64 | } 65 | } -------------------------------------------------------------------------------- /uberstealth/RemoteStealthSession.cpp: -------------------------------------------------------------------------------- 1 | #ifdef IDASTEALTH 2 | 3 | #include "HideDebugger/HideDebuggerProfile.h" 4 | #include "IDACommon.h" 5 | #include "uberstealthRemote/RemoteStealthProtocol.h" 6 | #include "RemoteStealthSession.h" 7 | 8 | void uberstealth::RemoteStealthSession::sendRemoteCommand(const uberstealth::RSProtocolItem& item) { 9 | try { 10 | client_->sendData(item); 11 | } catch (const std::exception& e) { 12 | logger_.logString("Error while sending remote command: %s.\n", e.what()); 13 | } 14 | } 15 | 16 | void uberstealth::RemoteStealthSession::connectToServer() { 17 | try { 18 | // Get host for remote debugging. 19 | qstring host; 20 | get_process_options(NULL, NULL, NULL, &host, NULL, NULL); 21 | std::ostringstream oss; 22 | oss << currentProfile_.getRemoteTCPPortValue(); 23 | boost::asio::ip::tcp::resolver::query query(host.c_str(), oss.str()); 24 | boost::asio::ip::tcp::resolver::iterator iterator = resolver_.resolve(query); 25 | client_ = boost::make_shared(boost::ref(ioService_), iterator); 26 | client_->connect(); 27 | } catch (const std::exception& e) { 28 | // TODO(jan.newger@newgre.net): should this really be catched here instead of letting it bubble up the stack? 29 | logger_.logString("Error while connecting: %s.\n", e.what()); 30 | } 31 | } 32 | 33 | std::string uberstealth::RemoteStealthSession::readConfigFile(const std::string& fileName) const { 34 | std::ifstream ifs(fileName.c_str()); 35 | std::ostringstream oss; 36 | oss << ifs.rdbuf(); 37 | return oss.str(); 38 | } 39 | 40 | //void uberstealth::RemoteStealthSession::handleDebuggerAttach(unsigned int processID, const std::string& configFile, const std::string& profile) { 41 | // connectToServer(); 42 | // sendRemoteCommand(uberstealth::RSProtocolItem(processID, 0, uberstealth::ProcessAttach, readConfigFile(configFile), profile)); 43 | //} 44 | 45 | void uberstealth::RemoteStealthSession::handleDebuggerAttach(unsigned int processId) { 46 | throw std::runtime_error("not implemented"); 47 | } 48 | 49 | void uberstealth::RemoteStealthSession::handleDebuggerStart(unsigned int processId, uintptr_t baseAddress) { 50 | throw std::runtime_error("not implemented"); 51 | } 52 | 53 | void uberstealth::RemoteStealthSession::handleDebuggerExit() { 54 | // send event to remote side. 55 | throw std::runtime_error("not implemented"); 56 | } 57 | 58 | uberstealth::ResourceItem uberstealth::RemoteStealthSession::getRDTSCDriverResource() { 59 | throw std::runtime_error("not implemented"); 60 | } 61 | 62 | uberstealth::ResourceItem uberstealth::RemoteStealthSession::getStealthDriverResource() { 63 | throw std::runtime_error("not implemented"); 64 | } 65 | 66 | std::string uberstealth::RemoteStealthSession::getStealthDllPath() { 67 | throw std::runtime_error("not implemented"); 68 | } 69 | 70 | 71 | #endif 72 | -------------------------------------------------------------------------------- /uberstealth/UberstealthPageMisc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "WTLCommon.h" 4 | #include "UberstealthPropertyPage.h" 5 | #include 6 | #include "resource.h" 7 | 8 | namespace uberstealth { 9 | 10 | class UberstealthPageMisc : public UberstealthPropertyPage 11 | { 12 | public: 13 | UberstealthPageMisc(ConfigProvider* configProvider) : 14 | UberstealthPropertyPage(configProvider) {} 15 | 16 | void loadProfile(const uberstealth::HideDebuggerProfile& profile); 17 | void flushProfile(uberstealth::HideDebuggerProfile& profile); 18 | bool isProfileDirty(); 19 | 20 | protected: 21 | void enableControls(bool enabled); 22 | 23 | private: 24 | LRESULT OnAddProfileClick(WORD wNotifyCode, WORD wID, HWND hWndCtl, BOOL& bHandled); 25 | LRESULT OnDelProfileClick(WORD wNotifyCode, WORD wID, HWND hWndCtl, BOOL& bHandled); 26 | 27 | BOOL OnInitDialog(UINT uMsg, WPARAM wParam, LPARAM lParam, BOOL& bHandled); 28 | LRESULT OnProfilesSelChange(WORD wNotifyCode, WORD wID, HWND hWndCtl, BOOL& bHandled); 29 | void switchProfile(); 30 | void initComboBox(); 31 | int getPatchingMethod(); 32 | int getTCPPort(); 33 | 34 | typedef UberstealthPropertyPage BasePropertyPage; 35 | 36 | BEGIN_MSG_MAP(UberstealthPageMisc) 37 | MESSAGE_HANDLER(WM_INITDIALOG, OnInitDialog) 38 | COMMAND_HANDLER(IDC_ADD_PROFILE, BN_CLICKED, OnAddProfileClick) 39 | COMMAND_HANDLER(IDC_DEL_PROFILE, BN_CLICKED, OnDelProfileClick) 40 | COMMAND_CODE_HANDLER(CBN_SELCHANGE, OnProfilesSelChange) 41 | CHAIN_MSG_MAP(CPropertyPageImpl) 42 | CHAIN_MSG_MAP(BasePropertyPage) 43 | END_MSG_MAP() 44 | 45 | CComboBox cboProfiles_; 46 | 47 | struct PageMiscGuiData { 48 | int patchingMethod_; 49 | bool passExceptions_; 50 | int tcpPort_; 51 | bool haltInSEH_; 52 | bool haltAfterSEH_; 53 | bool logSEH_; 54 | 55 | bool operator==(const PageMiscGuiData& rhs) const { 56 | return patchingMethod_ == rhs.patchingMethod_ && 57 | passExceptions_ == rhs.passExceptions_ && 58 | tcpPort_ == rhs.tcpPort_ && 59 | haltInSEH_ == rhs.haltInSEH_ && 60 | haltAfterSEH_ == rhs.haltAfterSEH_ && 61 | logSEH_ == rhs.logSEH_; 62 | } 63 | bool operator!=(const PageMiscGuiData& rhs) const { 64 | return !operator==(rhs); 65 | } 66 | }; 67 | 68 | PageMiscGuiData guiData_; 69 | 70 | BEGIN_DDX_MAP(UberstealthPageMisc) 71 | DDX_CONTROL_HANDLE(IDC_PROFILES, cboProfiles_) 72 | DDX_RADIO(IDC_AUTO_SELECTION, guiData_.patchingMethod_) 73 | DDX_CHECK(IDC_PASS_EXCEPTIONS, guiData_.passExceptions_) 74 | DDX_CHECK(IDC_HALT_IN_SEH, guiData_.haltInSEH_) 75 | DDX_CHECK(IDC_HALT_AFTER_SEH, guiData_.haltAfterSEH_) 76 | DDX_CHECK(IDC_LOG_SEH, guiData_.logSEH_) 77 | DDX_INT(IDC_TCP_PORT, guiData_.tcpPort_) 78 | END_DDX_MAP() 79 | }; 80 | 81 | } -------------------------------------------------------------------------------- /uberstealth/UberstealthAboutPage.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "ResourceItem.h" 6 | #include 7 | #include 8 | #include "version.h" 9 | #include "WTLCommon.h" 10 | 11 | namespace uberstealth { 12 | 13 | class UberstealthAboutPage : public CPropertyPageImpl { 14 | public: 15 | enum { IDD = IDD_ABOUT }; 16 | 17 | UberstealthAboutPage() : hGlobal_(NULL) {} 18 | ~UberstealthAboutPage() { 19 | if (hGlobal_) { 20 | GlobalFree(hGlobal_); 21 | } 22 | } 23 | 24 | private: 25 | BEGIN_MSG_MAP(UberstealthPropertyPage) 26 | MSG_WM_INITDIALOG(OnInitDialog) 27 | MESSAGE_HANDLER(WM_PAINT, OnPaint) 28 | NOTIFY_HANDLER_EX(IDC_SYSLINK, NM_CLICK, OnLinkClick) 29 | CHAIN_MSG_MAP(CPropertyPageImpl) 30 | END_MSG_MAP() 31 | 32 | // Draw picture manually, because if we let windows draw it via the picture box 33 | // there are some nasty artifacts in the logo; no idea why. 34 | LRESULT OnPaint(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/) { 35 | PAINTSTRUCT ps; 36 | HDC dc = BeginPaint(&ps); 37 | RECT r; 38 | GetWindowRect(&r); 39 | logo_.Draw(dc, ((r.right-r.left) - logo_.GetWidth()) / 2, 15); 40 | EndPaint(&ps); 41 | return 0; 42 | } 43 | 44 | // Nasty trick to get the module handle of our plugin. 45 | static void arbitraryAddress() {} 46 | 47 | BOOL OnInitDialog(HWND /*hwndFocus*/, LPARAM /*lParam*/) { 48 | HMODULE hModule; 49 | GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCWSTR)&arbitraryAddress, &hModule); 50 | ResourceItem ri(hModule, IDR_LOGO, "JPG"); 51 | LPVOID resData = ri.getData(); 52 | DWORD jpegSize = ri.getDataSize(); 53 | 54 | hGlobal_ = GlobalAlloc(GMEM_MOVEABLE, jpegSize); 55 | LPVOID jpegData = GlobalLock(hGlobal_); 56 | memcpy(jpegData, resData, jpegSize); 57 | GlobalUnlock(hGlobal_); 58 | 59 | LPSTREAM jpegStream = NULL; 60 | CreateStreamOnHGlobal(hGlobal_, TRUE, &jpegStream); 61 | logo_.Load(jpegStream); 62 | jpegStream->Release(); 63 | 64 | // Initialize syslink control. 65 | linkCtrl_ = GetDlgItem(IDC_SYSLINK); 66 | LITEM item; 67 | item.mask = LIF_ITEMINDEX | LIF_URL; 68 | item.iLink = 0; 69 | lstrcpyW(item.szUrl, L"http://code.google.com/p/uberstealth/"); 70 | linkCtrl_.SetItem(&item); 71 | 72 | ATL::CString txt; 73 | aboutTxt_ = GetDlgItem(IDC_ABOUT_TXT); 74 | aboutTxt_.GetWindowText(txt); 75 | txt.Append(UBERSTEALTH_NAME L"\n" UBERSTEALTH_COPYRIGHT); 76 | aboutTxt_.SetWindowText(txt); 77 | 78 | return FALSE; 79 | } 80 | 81 | LRESULT OnLinkClick(LPNMHDR pnmh) { 82 | PNMLINK pNMLink = (PNMLINK)pnmh; 83 | ShellExecuteW(m_hWnd, L"open", pNMLink->item.szUrl, NULL, NULL, SW_SHOWNORMAL); 84 | return 0; 85 | } 86 | 87 | CLinkCtrl linkCtrl_; 88 | CImage logo_; 89 | CStatic aboutTxt_; 90 | HGLOBAL hGlobal_; 91 | }; 92 | 93 | } -------------------------------------------------------------------------------- /NInjectLib/Process.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | class Process 9 | { 10 | public: 11 | 12 | //Process(HANDLE hProcess); 13 | Process(DWORD processID); 14 | Process::Process(const Process& instance); 15 | Process& Process::operator=(const Process& instance); 16 | ~Process(); 17 | 18 | LPVOID allocMem(DWORD size) const; 19 | LPVOID allocMem(DWORD size, DWORD allocationType) const; 20 | LPVOID allocMem(DWORD size, LPVOID desiredAddress, DWORD allocationType) const; 21 | bool freeMem(LPVOID address) const; 22 | void writeMemory(LPVOID address, LPCVOID data, DWORD size) const; 23 | void readMemory(LPVOID address, LPVOID buffer, DWORD size) const; 24 | MEMORY_BASIC_INFORMATION queryMemory(LPVOID address) const; 25 | DWORD protectMemory(LPVOID address, SIZE_T size, DWORD protect) const; 26 | bool startThread(LPVOID address, LPVOID param); 27 | void waitForThread(); 28 | std::vector Process::getModules() const; 29 | 30 | uintptr_t getImageBase(HANDLE hThread) const; 31 | uintptr_t getImageBase() const; 32 | 33 | private: 34 | 35 | bool duplicateHandle(HANDLE hSrc, HANDLE* hDest); 36 | void throwSysError(const char* msg, DWORD lastError) const; 37 | 38 | HANDLE hProcess_; 39 | HANDLE hThread_; 40 | DWORD processID_; 41 | }; 42 | 43 | // handle error 44 | class ProcessHandleException : public std::runtime_error 45 | { 46 | public: 47 | ProcessHandleException::ProcessHandleException(const std::string& msg) : std::runtime_error(msg) {}; 48 | }; 49 | 50 | // anything with memory 51 | class ProcessMemoryException : public std::runtime_error 52 | { 53 | public: 54 | ProcessMemoryException::ProcessMemoryException(const std::string& msg, LPVOID address) : std::runtime_error(msg), address_(address) {}; 55 | LPVOID getAddress() { return address_; }; 56 | private: 57 | LPVOID address_; 58 | }; 59 | 60 | // access memory 61 | class MemoryAccessException : public std::runtime_error 62 | { 63 | public: 64 | MemoryAccessException::MemoryAccessException(const std::string& msg) : std::runtime_error(msg) {}; 65 | }; 66 | 67 | // allocate 68 | class MemoryAllocationException : public std::runtime_error 69 | { 70 | public: 71 | MemoryAllocationException::MemoryAllocationException(const std::string& msg) : std::runtime_error(msg) {}; 72 | }; 73 | 74 | // query memory 75 | class MemoryQueryException : public std::runtime_error 76 | { 77 | public: 78 | MemoryQueryException::MemoryQueryException(const std::string& msg) : std::runtime_error(msg) {}; 79 | }; 80 | 81 | // protect memory 82 | class MemoryProtectException : public ProcessMemoryException 83 | { 84 | public: 85 | MemoryProtectException::MemoryProtectException(const std::string& msg, LPVOID address) : ProcessMemoryException(msg, address) {}; 86 | }; -------------------------------------------------------------------------------- /HideDebugger/HideDebugger.rc: -------------------------------------------------------------------------------- 1 | // Microsoft Visual C++ generated resource script. 2 | // 3 | #include "resource.h" 4 | #include "../uberstealth/version.h" 5 | 6 | #define APSTUDIO_READONLY_SYMBOLS 7 | ///////////////////////////////////////////////////////////////////////////// 8 | // 9 | // Generated from the TEXTINCLUDE 2 resource. 10 | // 11 | #include "afxres.h" 12 | 13 | ///////////////////////////////////////////////////////////////////////////// 14 | #undef APSTUDIO_READONLY_SYMBOLS 15 | 16 | ///////////////////////////////////////////////////////////////////////////// 17 | // English (U.S.) resources 18 | 19 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) 20 | #ifdef _WIN32 21 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 22 | #pragma code_page(1252) 23 | #endif //_WIN32 24 | 25 | #ifdef APSTUDIO_INVOKED 26 | ///////////////////////////////////////////////////////////////////////////// 27 | // 28 | // TEXTINCLUDE 29 | // 30 | 31 | 1 TEXTINCLUDE 32 | BEGIN 33 | "resource.h\0" 34 | END 35 | 36 | 2 TEXTINCLUDE 37 | BEGIN 38 | "#include ""afxres.h""\r\n" 39 | "\0" 40 | END 41 | 42 | 3 TEXTINCLUDE 43 | BEGIN 44 | "\r\n" 45 | "\0" 46 | END 47 | 48 | #endif // APSTUDIO_INVOKED 49 | 50 | 51 | ///////////////////////////////////////////////////////////////////////////// 52 | // 53 | // Version 54 | // 55 | 56 | VS_VERSION_INFO VERSIONINFO 57 | FILEVERSION ILDASTEALTH_FILE_VERSION_NUM 58 | PRODUCTVERSION ILDASTEALTH_FILE_VERSION_NUM 59 | FILEFLAGSMASK 0x17L 60 | #ifdef _DEBUG 61 | FILEFLAGS 0x1L 62 | #else 63 | FILEFLAGS 0x0L 64 | #endif 65 | FILEOS 0x4L 66 | FILETYPE 0x2L 67 | FILESUBTYPE 0x0L 68 | BEGIN 69 | BLOCK "StringFileInfo" 70 | BEGIN 71 | BLOCK "040904b0" 72 | BEGIN 73 | VALUE "FileDescription", "HideDebugger Dynamic Link Library" 74 | VALUE "FileVersion", UBERSTEALTH_FILE_VERSION_STRING 75 | VALUE "InternalName", "HideDebugger" 76 | VALUE "LegalCopyright", UBERSTEALTH_COPYRIGHT 77 | VALUE "OriginalFilename", "HideDebugger.dll" 78 | VALUE "ProductName", "HideDebugger Dynamic Link Library" 79 | VALUE "ProductVersion", UBERSTEALTH_FILE_VERSION_STRING 80 | END 81 | END 82 | BLOCK "VarFileInfo" 83 | BEGIN 84 | VALUE "Translation", 0x409, 1200 85 | END 86 | END 87 | 88 | #endif // English (U.S.) resources 89 | ///////////////////////////////////////////////////////////////////////////// 90 | 91 | 92 | 93 | #ifndef APSTUDIO_INVOKED 94 | ///////////////////////////////////////////////////////////////////////////// 95 | // 96 | // Generated from the TEXTINCLUDE 3 resource. 97 | // 98 | 99 | 100 | ///////////////////////////////////////////////////////////////////////////// 101 | #endif // not APSTUDIO_INVOKED 102 | 103 | -------------------------------------------------------------------------------- /uberstealth/OllyStealth.cpp: -------------------------------------------------------------------------------- 1 | // The Implementation for OllyStealth. 2 | 3 | #ifdef OLLYSTEALTH 4 | 5 | #include "WTLWrapper.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include "LocalStealthSession.h" 11 | #include "OllyEngine.h" 12 | #pragma warning(disable : 4200) 13 | #include 14 | #pragma warning(default : 4200) 15 | #include "resource.h" 16 | #include "version.h" 17 | 18 | // TODO(jan.newger@newgre.net): NEEDS official import library! 19 | extern "C" __declspec(dllimport) const HWND _hwollymain; 20 | extern "C" __declspec(dllimport) t_run _run; 21 | extern "C" __declspec(dllimport) ulong _processid; 22 | //extern "C" __declspec(dllimport) t_module* Findmainmodule(void); 23 | 24 | namespace 25 | { 26 | typedef uberstealth::LocalStealthSession OllySession; 27 | boost::shared_ptr session_; 28 | uberstealth::ProfileHelper profileHelper_; 29 | } 30 | 31 | int showDialog(t_table* /*pt*/, wchar_t* /*name*/, ulong /*index*/, int mode) 32 | { 33 | if (mode == MENU_VERIFY) return MENU_NORMAL; 34 | else if (mode == MENU_EXECUTE) 35 | { 36 | uberstealth::WTLWrapper& wtlWrapper = uberstealth::WTLWrapper::getInstance(); 37 | wtlWrapper.showGUI(_hwollymain, &profileHelper_); 38 | return MENU_NOREDRAW; 39 | } 40 | return MENU_ABSENT; 41 | } 42 | 43 | extc _export int cdecl ODBG2_Pluginquery(int ollyDbgVersion, wchar_t pluginName[SHORTNAME], wchar_t pluginVersion[SHORTNAME]) 44 | { 45 | if (ollyDbgVersion < 201) return 0; 46 | wcscpy_s(pluginName, SHORTNAME, L"uberstealth"); 47 | wcscpy_s(pluginVersion, SHORTNAME, UBERSTEALTH_PRODUCT_VERSION_STRING); 48 | return PLUGIN_VERSION; 49 | } 50 | 51 | extc _export void cdecl ODBG2_Pluginmainloop(DEBUG_EVENT* debugEvent) 52 | { 53 | if (!debugEvent) return; 54 | 55 | // TODO(jan.newger@newgre.net): wrap the rest of the procedure in try...catch! do the same for IDAStealth.cpp! 56 | switch (debugEvent->dwDebugEventCode) 57 | { 58 | case CREATE_PROCESS_DEBUG_EVENT: 59 | if (_run.status == STAT_LOADING) 60 | { 61 | session_ = boost::make_shared(&profileHelper_); 62 | session_->handleDebuggerStart(_processid, reinterpret_cast(debugEvent->u.CreateProcessInfo.lpBaseOfImage)); 63 | } 64 | else if (_run.status == STAT_ATTACHING) 65 | { 66 | session_ = boost::make_shared(&profileHelper_); 67 | session_->handleDebuggerAttach(_processid); 68 | } 69 | break; 70 | 71 | case EXCEPTION_DEBUG_EVENT: 72 | if (debugEvent->dwDebugEventCode == EXCEPTION_BREAKPOINT) 73 | { 74 | // TODO(jan.newger@newgre.net): do we catch breakpoints set by ollydbg here as well? 75 | session_->handleBreakPoint(debugEvent->dwThreadId, reinterpret_cast(debugEvent->u.Exception.ExceptionRecord.ExceptionAddress)); 76 | } 77 | break; 78 | } 79 | } 80 | 81 | static t_menu uberstealthMenu[] = { 82 | { L"uberstealth", L"Open uberstealth options dialog", K_NONE, showDialog, NULL, 0 }, 83 | { NULL, NULL, K_NONE, NULL, NULL, 0 } 84 | }; 85 | 86 | extc _export t_menu* cdecl ODBG2_Pluginmenu(wchar_t* type) 87 | { 88 | if (wcscmp(type, PWM_MAIN) == 0) return uberstealthMenu; 89 | return NULL; 90 | } 91 | 92 | #endif -------------------------------------------------------------------------------- /StealthDriver/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | [Dd]ebug/ 11 | [Dd]ebugPublic/ 12 | [Rr]elease/ 13 | [Rr]eleases/ 14 | x64/ 15 | x86/ 16 | build/ 17 | bld/ 18 | [Bb]in/ 19 | [Oo]bj/ 20 | 21 | # Roslyn cache directories 22 | *.ide/ 23 | 24 | # MSTest test Results 25 | [Tt]est[Rr]esult*/ 26 | [Bb]uild[Ll]og.* 27 | 28 | #NUNIT 29 | *.VisualState.xml 30 | TestResult.xml 31 | 32 | # Build Results of an ATL Project 33 | [Dd]ebugPS/ 34 | [Rr]eleasePS/ 35 | dlldata.c 36 | 37 | *_i.c 38 | *_p.c 39 | *_i.h 40 | *.ilk 41 | *.meta 42 | *.obj 43 | *.pch 44 | *.pdb 45 | *.pgc 46 | *.pgd 47 | *.rsp 48 | *.sbr 49 | *.tlb 50 | *.tli 51 | *.tlh 52 | *.tmp 53 | *.tmp_proj 54 | *.log 55 | *.vspscc 56 | *.vssscc 57 | .builds 58 | *.pidb 59 | *.svclog 60 | *.scc 61 | 62 | # Chutzpah Test files 63 | _Chutzpah* 64 | 65 | # Visual C++ cache files 66 | ipch/ 67 | *.aps 68 | *.ncb 69 | *.opensdf 70 | *.sdf 71 | *.cachefile 72 | 73 | # Visual Studio profiler 74 | *.psess 75 | *.vsp 76 | *.vspx 77 | 78 | # TFS 2012 Local Workspace 79 | $tf/ 80 | 81 | # Guidance Automation Toolkit 82 | *.gpState 83 | 84 | # ReSharper is a .NET coding add-in 85 | _ReSharper*/ 86 | *.[Rr]e[Ss]harper 87 | *.DotSettings.user 88 | 89 | # JustCode is a .NET coding addin-in 90 | .JustCode 91 | 92 | # TeamCity is a build add-in 93 | _TeamCity* 94 | 95 | # DotCover is a Code Coverage Tool 96 | *.dotCover 97 | 98 | # NCrunch 99 | _NCrunch_* 100 | .*crunch*.local.xml 101 | 102 | # MightyMoose 103 | *.mm.* 104 | AutoTest.Net/ 105 | 106 | # Web workbench (sass) 107 | .sass-cache/ 108 | 109 | # Installshield output folder 110 | [Ee]xpress/ 111 | 112 | # DocProject is a documentation generator add-in 113 | DocProject/buildhelp/ 114 | DocProject/Help/*.HxT 115 | DocProject/Help/*.HxC 116 | DocProject/Help/*.hhc 117 | DocProject/Help/*.hhk 118 | DocProject/Help/*.hhp 119 | DocProject/Help/Html2 120 | DocProject/Help/html 121 | 122 | # Click-Once directory 123 | publish/ 124 | 125 | # Publish Web Output 126 | *.[Pp]ublish.xml 127 | *.azurePubxml 128 | # TODO: Comment the next line if you want to checkin your web deploy settings 129 | # but database connection strings (with potential passwords) will be unencrypted 130 | *.pubxml 131 | *.publishproj 132 | 133 | # NuGet Packages 134 | *.nupkg 135 | # The packages folder can be ignored because of Package Restore 136 | **/packages/* 137 | # except build/, which is used as an MSBuild target. 138 | !**/packages/build/ 139 | # If using the old MSBuild-Integrated Package Restore, uncomment this: 140 | #!**/packages/repositories.config 141 | 142 | # Windows Azure Build Output 143 | csx/ 144 | *.build.csdef 145 | 146 | # Windows Store app package directory 147 | AppPackages/ 148 | 149 | # Others 150 | sql/ 151 | *.Cache 152 | ClientBin/ 153 | [Ss]tyle[Cc]op.* 154 | ~$* 155 | *~ 156 | *.dbmdl 157 | *.dbproj.schemaview 158 | *.pfx 159 | *.publishsettings 160 | node_modules/ 161 | 162 | # RIA/Silverlight projects 163 | Generated_Code/ 164 | 165 | # Backup & report files from converting an old project file 166 | # to a newer Visual Studio version. Backup files are not needed, 167 | # because we have git ;-) 168 | _UpgradeReport_Files/ 169 | Backup*/ 170 | UpgradeLog*.XML 171 | UpgradeLog*.htm 172 | 173 | # SQL Server files 174 | *.mdf 175 | *.ldf 176 | 177 | # Business Intelligence projects 178 | *.rdl.data 179 | *.bim.layout 180 | *.bim_*.settings 181 | 182 | # Microsoft Fakes 183 | FakesAssemblies/ 184 | -------------------------------------------------------------------------------- /uberstealthRemote/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | [Dd]ebug/ 11 | [Dd]ebugPublic/ 12 | [Rr]elease/ 13 | [Rr]eleases/ 14 | x64/ 15 | x86/ 16 | build/ 17 | bld/ 18 | [Bb]in/ 19 | [Oo]bj/ 20 | 21 | # Roslyn cache directories 22 | *.ide/ 23 | 24 | # MSTest test Results 25 | [Tt]est[Rr]esult*/ 26 | [Bb]uild[Ll]og.* 27 | 28 | #NUNIT 29 | *.VisualState.xml 30 | TestResult.xml 31 | 32 | # Build Results of an ATL Project 33 | [Dd]ebugPS/ 34 | [Rr]eleasePS/ 35 | dlldata.c 36 | 37 | *_i.c 38 | *_p.c 39 | *_i.h 40 | *.ilk 41 | *.meta 42 | *.obj 43 | *.pch 44 | *.pdb 45 | *.pgc 46 | *.pgd 47 | *.rsp 48 | *.sbr 49 | *.tlb 50 | *.tli 51 | *.tlh 52 | *.tmp 53 | *.tmp_proj 54 | *.log 55 | *.vspscc 56 | *.vssscc 57 | .builds 58 | *.pidb 59 | *.svclog 60 | *.scc 61 | 62 | # Chutzpah Test files 63 | _Chutzpah* 64 | 65 | # Visual C++ cache files 66 | ipch/ 67 | *.aps 68 | *.ncb 69 | *.opensdf 70 | *.sdf 71 | *.cachefile 72 | 73 | # Visual Studio profiler 74 | *.psess 75 | *.vsp 76 | *.vspx 77 | 78 | # TFS 2012 Local Workspace 79 | $tf/ 80 | 81 | # Guidance Automation Toolkit 82 | *.gpState 83 | 84 | # ReSharper is a .NET coding add-in 85 | _ReSharper*/ 86 | *.[Rr]e[Ss]harper 87 | *.DotSettings.user 88 | 89 | # JustCode is a .NET coding addin-in 90 | .JustCode 91 | 92 | # TeamCity is a build add-in 93 | _TeamCity* 94 | 95 | # DotCover is a Code Coverage Tool 96 | *.dotCover 97 | 98 | # NCrunch 99 | _NCrunch_* 100 | .*crunch*.local.xml 101 | 102 | # MightyMoose 103 | *.mm.* 104 | AutoTest.Net/ 105 | 106 | # Web workbench (sass) 107 | .sass-cache/ 108 | 109 | # Installshield output folder 110 | [Ee]xpress/ 111 | 112 | # DocProject is a documentation generator add-in 113 | DocProject/buildhelp/ 114 | DocProject/Help/*.HxT 115 | DocProject/Help/*.HxC 116 | DocProject/Help/*.hhc 117 | DocProject/Help/*.hhk 118 | DocProject/Help/*.hhp 119 | DocProject/Help/Html2 120 | DocProject/Help/html 121 | 122 | # Click-Once directory 123 | publish/ 124 | 125 | # Publish Web Output 126 | *.[Pp]ublish.xml 127 | *.azurePubxml 128 | # TODO: Comment the next line if you want to checkin your web deploy settings 129 | # but database connection strings (with potential passwords) will be unencrypted 130 | *.pubxml 131 | *.publishproj 132 | 133 | # NuGet Packages 134 | *.nupkg 135 | # The packages folder can be ignored because of Package Restore 136 | **/packages/* 137 | # except build/, which is used as an MSBuild target. 138 | !**/packages/build/ 139 | # If using the old MSBuild-Integrated Package Restore, uncomment this: 140 | #!**/packages/repositories.config 141 | 142 | # Windows Azure Build Output 143 | csx/ 144 | *.build.csdef 145 | 146 | # Windows Store app package directory 147 | AppPackages/ 148 | 149 | # Others 150 | sql/ 151 | *.Cache 152 | ClientBin/ 153 | [Ss]tyle[Cc]op.* 154 | ~$* 155 | *~ 156 | *.dbmdl 157 | *.dbproj.schemaview 158 | *.pfx 159 | *.publishsettings 160 | node_modules/ 161 | 162 | # RIA/Silverlight projects 163 | Generated_Code/ 164 | 165 | # Backup & report files from converting an old project file 166 | # to a newer Visual Studio version. Backup files are not needed, 167 | # because we have git ;-) 168 | _UpgradeReport_Files/ 169 | Backup*/ 170 | UpgradeLog*.XML 171 | UpgradeLog*.htm 172 | 173 | # SQL Server files 174 | *.mdf 175 | *.ldf 176 | 177 | # Business Intelligence projects 178 | *.rdl.data 179 | *.bim.layout 180 | *.bim_*.settings 181 | 182 | # Microsoft Fakes 183 | FakesAssemblies/ 184 | -------------------------------------------------------------------------------- /uberstealth/IDAEngine.cpp: -------------------------------------------------------------------------------- 1 | #ifdef IDASTEALTH 2 | 3 | #include 4 | #include 5 | #include 6 | #include "IDACommon.h" 7 | #include "IDAEngine.h" 8 | #include 9 | 10 | namespace { 11 | const int TimerIntervall = 66; 12 | std::vector messages_; 13 | boost::mutex mutex_; 14 | 15 | void CALLBACK timerCallbackProc(HWND hwnd, UINT, UINT idTimer, DWORD) { 16 | KillTimer(hwnd, idTimer); 17 | mutex_.lock(); 18 | BOOST_FOREACH(const std::string& str, messages_) { 19 | msg(str.c_str()); 20 | } 21 | messages_.clear(); 22 | mutex_.unlock(); 23 | } 24 | } 25 | 26 | uberstealth::IDAEngine::~IDAEngine() { 27 | restoreExceptions(); 28 | } 29 | 30 | bool uberstealth::IDAEngine::setBreakpoint(uintptr_t address) const { 31 | if (exist_bpt(address)) return true; 32 | else return add_bpt(address); 33 | } 34 | 35 | bool uberstealth::IDAEngine::removeBreakpoint(uintptr_t address) const { 36 | if (exist_bpt(address)) return true; 37 | return del_bpt(address); 38 | } 39 | 40 | void uberstealth::IDAEngine::showExceptionDialog(bool showDialog) const { 41 | uint oldSettings = set_debugger_options(0) & ~(EXCDLG_ALWAYS | EXCDLG_UNKNOWN); 42 | uint newSettings = showDialog ? oldSettings | EXCDLG_ALWAYS : oldSettings | EXCDLG_NEVER; 43 | set_debugger_options(newSettings); 44 | } 45 | 46 | // Delete exceptions which were added by us during the debugging session. 47 | void uberstealth::IDAEngine::restoreExceptions() { 48 | excvec_t* exceptions = retrieve_exceptions(); 49 | exceptions->erase(std::remove_if(exceptions->begin(), exceptions->end(), ExceptionFilter(&addedExceptions_)), exceptions->end()); 50 | store_exceptions(); 51 | } 52 | 53 | const exception_info_t* uberstealth::IDAEngine::findException(unsigned int exceptionCode) const { 54 | BOOST_FOREACH(const exception_info_t& exInfo, *retrieve_exceptions()) { 55 | if (exceptionCode == exInfo.code) { 56 | return &exInfo; 57 | } 58 | } 59 | return NULL; 60 | } 61 | 62 | void uberstealth::IDAEngine::setExceptionOption(unsigned int exceptionCode, bool ignore) { 63 | // Due to the design of the IDA API we need to (globally) tell IDA whether to display the exception dialog or not. 64 | // If we encounter a known exception, we show the dialog depending on the setting of the exception. 65 | // If it is an unknown exception, we hide the dialog and pass the exception to the application. 66 | const exception_info_t* existingException = findException(exceptionCode); 67 | if (!existingException && ignore) { 68 | exception_info_t newException(exceptionCode, 0, "added by uberstealth", ""); 69 | retrieve_exceptions()->push_back(newException); 70 | store_exceptions(); 71 | showExceptionDialog(false); 72 | addedExceptions_.insert(newException); 73 | } else if (existingException) { 74 | showExceptionDialog(existingException->break_on()); 75 | } 76 | } 77 | 78 | bool uberstealth::IDAEngine::continueProcess() const { 79 | return continue_process(); 80 | } 81 | 82 | // IDALogger. 83 | 84 | void uberstealth::IDALogger::logString( const char* str, ... ) const { 85 | char buffer[500]; 86 | va_list arglist; 87 | va_start(arglist, str); 88 | vsnprintf_s(buffer, sizeof(buffer), _TRUNCATE, str, arglist); 89 | va_end(arglist); 90 | 91 | if (GetCurrentThreadId() == idaMainThread_) { 92 | msg(buffer); 93 | } else { 94 | mutex_.lock(); 95 | messages_.push_back(std::string(buffer)); 96 | mutex_.unlock(); 97 | UINT_PTR id = SetTimer(0, 0, TimerIntervall, NULL); 98 | SetTimer(hIDAWnd_, id, TimerIntervall, (TIMERPROC)timerCallbackProc); 99 | } 100 | } 101 | 102 | uberstealth::IDALogger::IDALogger() 103 | { 104 | hIDAWnd_ = (HWND)callui(ui_get_hwnd).vptr; 105 | idaMainThread_ = GetWindowThreadProcessId(hIDAWnd_, NULL); 106 | } 107 | 108 | #endif -------------------------------------------------------------------------------- /uberstealth/UberstealthPage2.cpp: -------------------------------------------------------------------------------- 1 | // Represents the second page of the options dialog. 2 | 3 | #include "UberstealthPage2.h" 4 | 5 | void uberstealth::UberstealthPage2::loadProfile(const uberstealth::HideDebuggerProfile& profile) 6 | { 7 | if (m_hWnd) 8 | { 9 | blockInput_ = profile.getBlockInputEnabled(); 10 | suspThread_ = profile.getSuspendThreadEnabled(); 11 | ntTerminate_ = profile.getNtTerminateEnabled(); 12 | parentProcess_ = profile.getFakeParentProcessEnabled(); 13 | hideIDAProcess_ = profile.getHideDebuggerProcessEnabled(); 14 | hideIDAWnd_ = profile.getHideDebuggerWindowsEnabled(); 15 | dbgPrintExcp_ = profile.getDbgPrintExceptionEnabled(); 16 | openProcess_ = profile.getOpenProcessEnabled(); 17 | switch_ = profile.getSwitchDesktopEnabled(); 18 | antiAttach_ = profile.getKillAntiAttachEnabled(); 19 | ntYield_ = profile.getNtYieldExecutionEnabled(); 20 | outputDbgStr_ = profile.getOutputDbgStringEnabled(); 21 | ntSetInfoThread_ = profile.getNtSetInformationThreadEnabled(); 22 | DoDataExchange(FALSE); 23 | } 24 | } 25 | 26 | void uberstealth::UberstealthPage2::flushProfile(uberstealth::HideDebuggerProfile& profile) 27 | { 28 | if (m_hWnd) 29 | { 30 | if (DoDataExchange(TRUE)) 31 | { 32 | profile.setBlockInputEnabled(blockInput_); 33 | profile.setSuspendThreadEnabled(suspThread_); 34 | profile.setNtTerminateEnabled(ntTerminate_); 35 | profile.setFakeParentProcessEnabled(parentProcess_); 36 | profile.setHideDebuggerProcessEnabled(hideIDAProcess_); 37 | profile.setHideDebuggerWindowsEnabled(hideIDAWnd_); 38 | profile.setDbgPrintExceptionEnabled(dbgPrintExcp_); 39 | profile.setOpenProcessEnabled(openProcess_); 40 | profile.setSwitchDesktopEnabled(switch_); 41 | profile.setKillAntiAttachEnabled(antiAttach_); 42 | profile.setNtYieldExecutionEnabled(ntYield_); 43 | profile.setOutputDbgStringEnabled(outputDbgStr_); 44 | profile.setNtSetInformationThreadEnabled(ntSetInfoThread_); 45 | } 46 | } 47 | } 48 | 49 | void uberstealth::UberstealthPage2::enableControls(bool enabled) 50 | { 51 | BOOL state = enabled ? TRUE : FALSE; 52 | ::EnableWindow(GetDlgItem(IDC_BLOCKINPUT), state); 53 | ::EnableWindow(GetDlgItem(IDC_SUSPENDTHREAD), state); 54 | ::EnableWindow(GetDlgItem(IDC_TERMINATE), state); 55 | ::EnableWindow(GetDlgItem(IDC_PARENTPROCESS), state); 56 | ::EnableWindow(GetDlgItem(IDC_HIDEIDAPROCESS), state); 57 | ::EnableWindow(GetDlgItem(IDC_HIDEIDAWND), state); 58 | ::EnableWindow(GetDlgItem(IDC_DBGPRNTEXCEPT), state); 59 | ::EnableWindow(GetDlgItem(IDC_OPENPROCESS), state); 60 | ::EnableWindow(GetDlgItem(IDC_SWITCH), state); 61 | ::EnableWindow(GetDlgItem(IDC_ANTIATTACH), state); 62 | ::EnableWindow(GetDlgItem(IDC_NTYIELD), state); 63 | ::EnableWindow(GetDlgItem(IDC_OUTDBGSTR), state); 64 | ::EnableWindow(GetDlgItem(IDC_NTSIT), state); 65 | } 66 | 67 | bool uberstealth::UberstealthPage2::isProfileDirty() 68 | { 69 | if (m_hWnd) 70 | { 71 | return (IsDlgButtonChecked(IDC_BLOCKINPUT) == BST_CHECKED ? true : false) != blockInput_ || 72 | (IsDlgButtonChecked(IDC_SUSPENDTHREAD) == BST_CHECKED ? true : false) != suspThread_ || 73 | (IsDlgButtonChecked(IDC_TERMINATE) == BST_CHECKED ? true : false) != ntTerminate_ || 74 | (IsDlgButtonChecked(IDC_PARENTPROCESS) == BST_CHECKED ? true : false) != parentProcess_ || 75 | (IsDlgButtonChecked(IDC_HIDEIDAPROCESS) == BST_CHECKED ? true : false) != hideIDAProcess_ || 76 | (IsDlgButtonChecked(IDC_HIDEIDAWND) == BST_CHECKED ? true : false) != hideIDAWnd_ || 77 | (IsDlgButtonChecked(IDC_DBGPRNTEXCEPT) == BST_CHECKED ? true : false) != dbgPrintExcp_ || 78 | (IsDlgButtonChecked(IDC_OPENPROCESS) == BST_CHECKED ? true : false) != openProcess_ || 79 | (IsDlgButtonChecked(IDC_SWITCH) == BST_CHECKED ? true : false) != switch_ || 80 | (IsDlgButtonChecked(IDC_ANTIATTACH) == BST_CHECKED ? true : false) != antiAttach_ || 81 | (IsDlgButtonChecked(IDC_NTYIELD) == BST_CHECKED ? true : false) != ntYield_ || 82 | (IsDlgButtonChecked(IDC_OUTDBGSTR) == BST_CHECKED ? true : false) != outputDbgStr_ || 83 | (IsDlgButtonChecked(IDC_NTSIT) == BST_CHECKED ? true : false) != ntSetInfoThread_ ; 84 | } 85 | return false; 86 | } -------------------------------------------------------------------------------- /StealthDriver/StealthDriver/StealthDriver.cpp: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2009 - 4 | /// 5 | /// Original filename: StealthDriver.cpp 6 | /// Project : StealthDriver 7 | /// Date of creation : 2009-11-27 8 | /// Author(s) : Jan Newger 9 | /// 10 | /// Purpose : 11 | /// 12 | /// Revisions: 13 | /// 0000 [2009-11-27] Initial revision. 14 | /// 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | // $Id$ 18 | 19 | #include "../../DynamicDriverName/DynamicDriverName.h" 20 | #include 21 | #include "StealthDriver.h" 22 | #include "StealthImplementation.h" 23 | #include 24 | 25 | namespace 26 | { 27 | PDRIVER_OBJECT pdoGlobalDrvObj = 0; 28 | } 29 | 30 | NTSTATUS STEALTHDRIVER_DispatchCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) 31 | { 32 | NTSTATUS status = STATUS_SUCCESS; 33 | Irp->IoStatus.Status = status; 34 | Irp->IoStatus.Information = 0; 35 | IoCompleteRequest(Irp, IO_NO_INCREMENT); 36 | return status; 37 | } 38 | 39 | NTSTATUS handleHook(PIRP Irp, PIO_STACK_LOCATION irpSp) 40 | { 41 | __try 42 | { 43 | if (irpSp->Parameters.DeviceIoControl.InputBufferLength == sizeof(int)) 44 | { 45 | StealthHook hookType = *(StealthHook*)Irp->AssociatedIrp.SystemBuffer; 46 | hookSysCall(hookType); 47 | } 48 | } 49 | __except(EXCEPTION_EXECUTE_HANDLER) 50 | { 51 | return STATUS_INVALID_PARAMETER; 52 | } 53 | return STATUS_SUCCESS; 54 | } 55 | 56 | NTSTATUS STEALTHDRIVER_DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) 57 | { 58 | NTSTATUS status = STATUS_SUCCESS; 59 | PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp); 60 | 61 | switch(irpSp->Parameters.DeviceIoControl.IoControlCode) 62 | { 63 | case IOCTL_STEALTHDRIVER_ENABLE_HOOKS: 64 | status = handleHook(Irp, irpSp); 65 | break; 66 | 67 | default: 68 | Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST; 69 | Irp->IoStatus.Information = 0; 70 | break; 71 | } 72 | 73 | status = Irp->IoStatus.Status; 74 | IoCompleteRequest(Irp, IO_NO_INCREMENT); 75 | return status; 76 | } 77 | 78 | VOID STEALTHDRIVER_DriverUnload(IN PDRIVER_OBJECT DriverObject) 79 | { 80 | PDEVICE_OBJECT pdoNextDeviceObj = pdoGlobalDrvObj->DeviceObject; 81 | IoDeleteSymbolicLink(&DynamicDosDeviceName); 82 | 83 | // Delete all the device objects 84 | while(pdoNextDeviceObj) 85 | { 86 | PDEVICE_OBJECT pdoThisDeviceObj = pdoNextDeviceObj; 87 | pdoNextDeviceObj = pdoThisDeviceObj->NextDevice; 88 | IoDeleteDevice(pdoThisDeviceObj); 89 | } 90 | 91 | // remove hooks 92 | unhookSysCall(SH_NtSetInformationThread); 93 | unhookSysCall(SH_NtQueryInformationProcess); 94 | } 95 | 96 | #ifdef __cplusplus 97 | extern "C" { 98 | #endif 99 | NTSTATUS DriverEntry(IN OUT PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) 100 | { 101 | PDEVICE_OBJECT pdoDeviceObj = 0; 102 | NTSTATUS status = STATUS_UNSUCCESSFUL; 103 | pdoGlobalDrvObj = DriverObject; 104 | 105 | if (!initDeviceNames(RegistryPath)) return status; 106 | 107 | // Create the device object. 108 | if(!NT_SUCCESS(status = IoCreateDevice(DriverObject, 0, &DynamicDeviceName, 109 | FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pdoDeviceObj))) 110 | { 111 | // Bail out (implicitly forces the driver to unload). 112 | return status; 113 | } 114 | 115 | // Now create the respective symbolic link object 116 | if(!NT_SUCCESS(status = IoCreateSymbolicLink(&DynamicDosDeviceName, &DynamicDeviceName))) 117 | { 118 | IoDeleteDevice(pdoDeviceObj); 119 | return status; 120 | } 121 | 122 | if (!initSysCallHooking()) return STATUS_UNSUCCESSFUL; 123 | 124 | // NOTE: You need not provide your own implementation for any major function that 125 | // you do not want to handle. I have seen code using DDKWizard that left the 126 | // *empty* dispatch routines intact. This is not necessary at all! 127 | DriverObject->MajorFunction[IRP_MJ_CREATE] = 128 | DriverObject->MajorFunction[IRP_MJ_CLOSE] = STEALTHDRIVER_DispatchCreateClose; 129 | DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = STEALTHDRIVER_DispatchDeviceControl; 130 | DriverObject->DriverUnload = STEALTHDRIVER_DriverUnload; 131 | 132 | return STATUS_SUCCESS; 133 | } 134 | #ifdef __cplusplus 135 | }; // extern "C" 136 | #endif -------------------------------------------------------------------------------- /NCodeHook/NCodeHook.h: -------------------------------------------------------------------------------- 1 | // Contains the different architecture template specializations as well as the main NCodeHook class. 2 | 3 | #pragma once 4 | 5 | #include 6 | #include 7 | #include 8 | #include "NCodeHookItem.h" 9 | #include "distorm.h" 10 | 11 | class ArchitectureCommon { 12 | public: 13 | virtual ~ArchitectureCommon() {}; 14 | 15 | template 16 | int getMinOffset(const unsigned char* codePtr, unsigned int jumpPatchSize) { 17 | const unsigned int MaxInstructions = 20; 18 | _DecodeResult result; 19 | _DecodedInst instructions[MaxInstructions]; 20 | unsigned int instructionCount = 0; 21 | 22 | result = distorm_decode(0, codePtr, 20, ArchT::DisasmType, instructions, MaxInstructions, &instructionCount); 23 | if (result != DECRES_SUCCESS) return -1; 24 | 25 | int offset = 0; 26 | for (unsigned int i = 0; offset < jumpPatchSize && i < instructionCount; ++i) 27 | offset += instructions[i].size; 28 | // If we were unable to disassemble enough instructions we fail. 29 | if (offset < ArchT::NearJumpPatchSize) return -1; 30 | 31 | return offset; 32 | } 33 | 34 | virtual bool requiresAbsJump(uintptr_t from, uintptr_t to) { 35 | uintptr_t jmpDistance = from > to ? from - to : to - from; 36 | return jmpDistance <= 0x7FFF0000 ? false : true; 37 | } 38 | 39 | virtual void writeJump(uintptr_t from, uintptr_t to) { 40 | if (requiresAbsJump(from, to)) writeAbsJump(from, to); 41 | else writeNearJump(from, to); 42 | } 43 | 44 | virtual void writeNearJump(uintptr_t from, uintptr_t to) =0; 45 | virtual void writeAbsJump(uintptr_t from, uintptr_t to) =0; 46 | }; 47 | 48 | class ArchitectureIA32 : public ArchitectureCommon { 49 | public: 50 | static const _DecodeType DisasmType = Decode32Bits; 51 | static const unsigned int NearJumpPatchSize = sizeof(int) + 1; 52 | static const unsigned int AbsJumpPatchSize = sizeof(uintptr_t) * 2 + 2; 53 | // Max trampoline size = longest instruction (6) starting 1 byte before jump patch boundary. 54 | static const unsigned int MaxTrampolineSize = AbsJumpPatchSize - 1 + 6; 55 | 56 | void writeNearJump(uintptr_t from, uintptr_t to) { 57 | unsigned char opcodes[NearJumpPatchSize]; 58 | int offset = (int)(to - from - NearJumpPatchSize); 59 | opcodes[0] = 0xE9; 60 | *((int*)&opcodes[1]) = offset; 61 | memcpy((void*)from, opcodes, NearJumpPatchSize); 62 | } 63 | 64 | void writeAbsJump(uintptr_t from, uintptr_t to) { 65 | unsigned char opcodes[AbsJumpPatchSize]; 66 | opcodes[0] = 0xFF; 67 | opcodes[1] = 0x25; 68 | *((uintptr_t*)&opcodes[2]) = from + 6; 69 | *((uintptr_t*)&opcodes[6]) = to; 70 | memcpy((void*)from, opcodes, AbsJumpPatchSize); 71 | } 72 | }; 73 | 74 | class ArchitectureX64 : public ArchitectureIA32 { 75 | public: 76 | static const _DecodeType DisasmType = Decode64Bits; 77 | static const unsigned int NearJumpPatchSize = sizeof(int) + 1; 78 | static const unsigned int AbsJumpPatchSize = 2 * sizeof(uintptr_t) + 2; 79 | static const unsigned int MaxTrampolineSize = AbsJumpPatchSize - 1 + 6; 80 | 81 | void writeAbsJump(uintptr_t from, uintptr_t to) { 82 | unsigned char opcodes[AbsJumpPatchSize]; 83 | opcodes[0] = 0xFF; 84 | opcodes[1] = 0x25; 85 | *((int*)&opcodes[2]) = 0; 86 | *((uintptr_t*)&opcodes[6]) = to; 87 | memcpy((void*)from, opcodes, AbsJumpPatchSize); 88 | } 89 | }; 90 | 91 | template 92 | class NCodeHook { 93 | public: 94 | NCodeHook(bool cleanOnDestruct=true); 95 | ~NCodeHook(); 96 | 97 | template U createHook(U originalFunc, U hookFunc); 98 | template U createHookByName(const std::string& dll, const std::string& funcName, U newFunc); 99 | template bool removeHook(U address); 100 | 101 | void forceAbsoluteJumps(bool value) { forceAbsJmp_ = value; } 102 | 103 | private: 104 | // Get rid of useless compiler warning C4512 by making operator= private. 105 | NCodeHook& operator=(const NCodeHook&); 106 | 107 | uintptr_t getFreeTrampoline(); 108 | bool removeHook(NCodeHookItem item); 109 | int getMinOffset(const unsigned char* codePtr, unsigned int jumpPatchSize); 110 | bool isBranch(const char* instr); 111 | std::set freeTrampolines_; 112 | std::map hookedFunctions_; 113 | void* trampolineBuffer_; 114 | const unsigned int MaxTotalTrampolineSize; 115 | bool cleanOnDestruct_; 116 | ArchT architecture_; 117 | bool forceAbsJmp_; 118 | }; -------------------------------------------------------------------------------- /uberstealth/uberstealth.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "uberstealth", "uberstealth.vcxproj", "{9295F5F3-F47E-4C50-B526-55AE13AA9457}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HideDebugger", "..\HideDebugger\HideDebugger.vcxproj", "{59339E37-7C43-4CD2-B7B5-DF10D9197655}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "StealthDriver.W7", "..\StealthDriver\StealthDriver\StealthDriver.W7.vcxproj", "{D42B8C42-9344-44E7-844C-524F13995981}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RDTSCEmu.WLH", "..\RDTSCEmu\driver\RDTSCEmu.WLH.vcxproj", "{8B566A2C-41AC-40FF-B1EF-8AD47A208093}" 11 | EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | IDAStealth Debug|Win32 = IDAStealth Debug|Win32 15 | IDAStealth Release|Win32 = IDAStealth Release|Win32 16 | OllyStealth Debug|Win32 = OllyStealth Debug|Win32 17 | OllyStealth Release|Win32 = OllyStealth Release|Win32 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {9295F5F3-F47E-4C50-B526-55AE13AA9457}.IDAStealth Debug|Win32.ActiveCfg = Debug|Win32 21 | {9295F5F3-F47E-4C50-B526-55AE13AA9457}.IDAStealth Debug|Win32.Build.0 = Debug|Win32 22 | {9295F5F3-F47E-4C50-B526-55AE13AA9457}.IDAStealth Release|Win32.ActiveCfg = Release|Win32 23 | {9295F5F3-F47E-4C50-B526-55AE13AA9457}.IDAStealth Release|Win32.Build.0 = Release|Win32 24 | {9295F5F3-F47E-4C50-B526-55AE13AA9457}.OllyStealth Debug|Win32.ActiveCfg = OllyStealth Debug|Win32 25 | {9295F5F3-F47E-4C50-B526-55AE13AA9457}.OllyStealth Debug|Win32.Build.0 = OllyStealth Debug|Win32 26 | {9295F5F3-F47E-4C50-B526-55AE13AA9457}.OllyStealth Release|Win32.ActiveCfg = OllyStealth Release|Win32 27 | {9295F5F3-F47E-4C50-B526-55AE13AA9457}.OllyStealth Release|Win32.Build.0 = OllyStealth Release|Win32 28 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.IDAStealth Debug|Win32.ActiveCfg = Debug|Win32 29 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.IDAStealth Debug|Win32.Build.0 = Debug|Win32 30 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.IDAStealth Release|Win32.ActiveCfg = Release|Win32 31 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.IDAStealth Release|Win32.Build.0 = Release|Win32 32 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.OllyStealth Debug|Win32.ActiveCfg = OllyStealth Debug|Win32 33 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.OllyStealth Debug|Win32.Build.0 = OllyStealth Debug|Win32 34 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.OllyStealth Release|Win32.ActiveCfg = OllyStealth Release|Win32 35 | {59339E37-7C43-4CD2-B7B5-DF10D9197655}.OllyStealth Release|Win32.Build.0 = OllyStealth Release|Win32 36 | {D42B8C42-9344-44E7-844C-524F13995981}.IDAStealth Debug|Win32.ActiveCfg = W7XP checked|Win32 37 | {D42B8C42-9344-44E7-844C-524F13995981}.IDAStealth Debug|Win32.Build.0 = W7XP checked|Win32 38 | {D42B8C42-9344-44E7-844C-524F13995981}.IDAStealth Release|Win32.ActiveCfg = W7XP free|Win32 39 | {D42B8C42-9344-44E7-844C-524F13995981}.IDAStealth Release|Win32.Build.0 = W7XP free|Win32 40 | {D42B8C42-9344-44E7-844C-524F13995981}.OllyStealth Debug|Win32.ActiveCfg = W7XP checked|Win32 41 | {D42B8C42-9344-44E7-844C-524F13995981}.OllyStealth Debug|Win32.Build.0 = W7XP checked|Win32 42 | {D42B8C42-9344-44E7-844C-524F13995981}.OllyStealth Release|Win32.ActiveCfg = W7XP free|Win32 43 | {D42B8C42-9344-44E7-844C-524F13995981}.OllyStealth Release|Win32.Build.0 = W7XP free|Win32 44 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.IDAStealth Debug|Win32.ActiveCfg = WLHXP checked|Win32 45 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.IDAStealth Debug|Win32.Build.0 = WLHXP checked|Win32 46 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.IDAStealth Release|Win32.ActiveCfg = WLHXP free|Win32 47 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.IDAStealth Release|Win32.Build.0 = WLHXP free|Win32 48 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.OllyStealth Debug|Win32.ActiveCfg = WLHXP checked|Win32 49 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.OllyStealth Debug|Win32.Build.0 = WLHXP checked|Win32 50 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.OllyStealth Release|Win32.ActiveCfg = WLHXP free|Win32 51 | {8B566A2C-41AC-40FF-B1EF-8AD47A208093}.OllyStealth Release|Win32.Build.0 = WLHXP free|Win32 52 | EndGlobalSection 53 | GlobalSection(SolutionProperties) = preSolution 54 | HideSolutionNode = FALSE 55 | EndGlobalSection 56 | EndGlobal 57 | -------------------------------------------------------------------------------- /RDTSCEmu/distorm/config.h: -------------------------------------------------------------------------------- 1 | /* 2 | config.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef CONFIG_H 10 | #define CONFIG_H 11 | 12 | /* diStorm version number. */ 13 | #define DISTORM_VER 0x01071e 14 | 15 | #include /* strlen, memset, memcpy - can be easily self implemented for libc independency. */ 16 | 17 | /* 18 | * 64 bit offsets support: 19 | * This macro should be defined from compiler command line flags, e.g: -DSUPPORT_64BIT_OFFSET 20 | * #define SUPPORT_64BIT_OFFSET 21 | * Note: make sure that the caller (library user) defines it too! 22 | */ 23 | 24 | /* 25 | * If you compile diStorm as a .DLL file, make sure you uncomment the next line. 26 | * So the interface functions will be exported, otherwise they are useable only as a library. 27 | * For example, the Python extension module defines this macro in its configuration. 28 | */ 29 | /* #define _DLL */ 30 | 31 | /* 32 | * diStorm now supports little/big endian CPU's. 33 | * It should detect the endianness according to predefined macro's of the compiler. 34 | * If you don't use GCC/MSVC you will have to define it on your own. 35 | */ 36 | 37 | /* These macros are used in order to make the code portable. */ 38 | #ifdef __GNUC__ 39 | 40 | #include 41 | 42 | #define _PACKED_ __attribute__((__packed__)) 43 | #define _DLLEXPORT_ 44 | #define _FASTCALL_ 45 | #define _INLINE_ static __inline__ 46 | /* GCC ignores this directive... */ 47 | /*#define _FASTCALL_ __attribute__((__fastcall__)) */ 48 | 49 | /* Set endianity (supposed to be LE though): */ 50 | #ifdef __BIG_ENDIAN__ 51 | #define BE_SYSTEM 52 | #endif 53 | 54 | /* End of __GCC__ */ 55 | 56 | #elif __WATCOMC__ 57 | 58 | #include 59 | 60 | #define _PACKED_ 61 | #define _DLLEXPORT_ 62 | #define _FASTCALL_ 63 | #define _INLINE_ __inline 64 | 65 | /* End of __WATCOMC__ */ 66 | 67 | #elif __DMC__ 68 | 69 | #include 70 | 71 | #define _PACKED_ 72 | #define _DLLEXPORT_ 73 | #define _FASTCALL_ 74 | #define _INLINE_ static __inline 75 | 76 | /* End of __DMC__ */ 77 | 78 | #elif __TINYC__ 79 | 80 | #include 81 | 82 | #define _PACKED_ 83 | #define _DLLEXPORT_ 84 | #define _FASTCALL_ 85 | #define _INLINE_ static 86 | 87 | /* End of __TINYC__ */ 88 | 89 | #elif _MSC_VER 90 | 91 | /* Since MSVC isn't shipped with stdint.h, we will have our own: */ 92 | typedef signed __int64 int64_t; 93 | typedef unsigned __int64 uint64_t; 94 | typedef signed __int32 int32_t; 95 | typedef unsigned __int32 uint32_t; 96 | typedef signed __int16 int16_t; 97 | typedef unsigned __int16 uint16_t; 98 | typedef signed __int8 int8_t; 99 | typedef unsigned __int8 uint8_t; 100 | 101 | #define _PACKED_ 102 | #define _DLLEXPORT_ __declspec(dllexport) 103 | #define _FASTCALL_ __fastcall 104 | #define _INLINE_ static __inline 105 | 106 | /* Set endianity (supposed to be LE though): */ 107 | #ifndef _M_IX86 108 | #define BE_SYSTEM 109 | #endif 110 | 111 | #endif /* #elif _MSC_VER */ 112 | 113 | /* 32 or 64 bits integer for instruction offset. */ 114 | #ifdef SUPPORT_64BIT_OFFSET 115 | #define OFFSET_INTEGER uint64_t 116 | #else 117 | #define OFFSET_INTEGER uint32_t 118 | #endif 119 | 120 | #ifndef FALSE 121 | #define FALSE 0 122 | #endif 123 | #ifndef TRUE 124 | #define TRUE 1 125 | #endif 126 | 127 | /* If the library isn't compiled as a .DLL don't export functions. */ 128 | #ifndef _DLL 129 | #undef _DLLEXPORT_ 130 | #define _DLLEXPORT_ 131 | #endif 132 | 133 | /* Define stream read functions for big endian systems. */ 134 | #ifdef BE_SYSTEM 135 | /* 136 | * These functions can read from the stream safely! 137 | * Swap endianity of input to little endian. 138 | */ 139 | _INLINE_ int16_t RSHORT(const uint8_t *s) 140 | { 141 | return s[0] | (s[1] << 8); 142 | } 143 | _INLINE_ uint16_t RUSHORT(const uint8_t *s) 144 | { 145 | return s[0] | (s[1] << 8); 146 | } 147 | _INLINE_ int32_t RLONG(const uint8_t *s) 148 | { 149 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24); 150 | } 151 | _INLINE_ uint32_t RULONG(const uint8_t *s) 152 | { 153 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24); 154 | } 155 | #else 156 | /* Little endian macro's will just make the cast. */ 157 | #define RSHORT(x) *(int16_t *)x 158 | #define RUSHORT(x) *(uint16_t *)x 159 | #define RLONG(x) *(int32_t *)x 160 | #define RULONG(x) *(uint32_t *)x 161 | #endif 162 | 163 | #endif /* CONFIG_H */ 164 | -------------------------------------------------------------------------------- /NInjectLib/RemoteLibCall.cpp: -------------------------------------------------------------------------------- 1 | #include "RemoteLibCall.h" 2 | #include 3 | 4 | #pragma pack(push, 1) 5 | 6 | // this struct holds all data needed to perform a remote call 7 | struct REMOTELIB_DATA 8 | { 9 | void* getProcAddress; 10 | HMODULE hDll; 11 | int functionNr; 12 | int errorFlag; 13 | char functionName[MaxFuncNameLength]; 14 | }; 15 | 16 | #pragma pack(pop) 17 | 18 | RemoteLibCall::RemoteLibCall(const InjectLibrary& library, const Process& process) 19 | : process_(process) 20 | { 21 | hDll_ = library.getDllHandle(); 22 | if (hDll_ == NULL) throw std::exception("Invalid dll handle"); 23 | } 24 | 25 | RemoteLibCall::~RemoteLibCall() 26 | { 27 | } 28 | 29 | // preform remote call by name 30 | bool RemoteLibCall::remoteCall(const std::string& functionName) 31 | { 32 | if (functionName.length() >= MaxFuncNameLength) throw std::exception("Function name too long!"); 33 | functionName_ = functionName; 34 | functionNumber_ = -1; 35 | return remoteCall(); 36 | } 37 | 38 | // perform remote call by ordinal 39 | bool RemoteLibCall::remoteCall(unsigned int exportNumber) 40 | { 41 | functionNumber_ = exportNumber; 42 | functionName_ = ""; 43 | return remoteCall(); 44 | } 45 | 46 | // create specific data/code payloads and use genericinjector to start the remote code 47 | // returns true if remote call succeeded otherwise false 48 | bool RemoteLibCall::remoteCall() 49 | { 50 | GenericInjector injector(process_); 51 | INJECT_DATAPAYLOAD data = createDataPayload(); 52 | INJECT_CODEPAYLOAD code = createCodePayload(); 53 | bool noError = false; 54 | injector.doInjection(data, code); 55 | unsigned int* errorFlagAddr = (unsigned int*)injector.getAddrOfData(); 56 | errorFlagAddr += 12; 57 | unsigned int errorFlag; 58 | process_.readMemory(errorFlagAddr, &errorFlag, sizeof(unsigned int)); 59 | noError = (errorFlag != 0); 60 | 61 | free(data.data); 62 | free(code.code); 63 | return noError; 64 | } 65 | 66 | INJECT_DATAPAYLOAD RemoteLibCall::createDataPayload() 67 | { 68 | REMOTELIB_DATA* tmpData = (REMOTELIB_DATA*)malloc(sizeof(REMOTELIB_DATA)); 69 | // set functionNr to -1 if we call by name 70 | if (functionNumber_ == -1) 71 | { 72 | strcpy_s(tmpData->functionName, MaxFuncNameLength, functionName_.c_str()); 73 | tmpData->functionNr = -1; 74 | } 75 | else tmpData->functionNr = functionNumber_; 76 | 77 | // the remote process needs the actual address of GetProcAddress and our dll handle 78 | HMODULE hKernel32 = LoadLibrary(_T("kernel32.dll")); 79 | tmpData->getProcAddress = GetProcAddress(hKernel32, "GetProcAddress"); 80 | // save handle of the dll we want to call 81 | tmpData->hDll = hDll_; 82 | 83 | INJECT_DATAPAYLOAD injectData; 84 | injectData.data = tmpData; 85 | injectData.size = sizeof(REMOTELIB_DATA); 86 | return injectData; 87 | } 88 | 89 | #pragma warning(disable : 4731 4740) 90 | 91 | //create code to perform remote call 92 | INJECT_CODEPAYLOAD RemoteLibCall::createCodePayload() 93 | { 94 | size_t s, e; 95 | void* source; 96 | 97 | __asm 98 | { 99 | mov s, offset start 100 | mov e, offset end 101 | mov source, offset start 102 | jmp end // we only want to copy this code - not execute it so jump over it 103 | start: 104 | // create standard stack frame 105 | push ebp 106 | mov ebp, esp 107 | push ebx 108 | push esi 109 | push edi 110 | 111 | mov esi, [ebp+8] // get first param, ESI now points to strcut 112 | mov edi, [esi] // get getprocaddress pointer 113 | mov ebx, [esi+8] // get functionNr 114 | mov ecx, [esi+4] // get module handle 115 | cmp ebx, 0xFFFFFFFF 116 | jnz byOrdinal 117 | lea ebx, [esi+16] // get pointer to function name 118 | 119 | byOrdinal: 120 | push ebx 121 | push ecx 122 | call edi // call getprocaddress 123 | test eax, eax // could we resolve the funtion? 124 | jz error 125 | call eax // call exported function 126 | mov eax, 1 127 | jmp finished 128 | 129 | error: 130 | xor eax, eax 131 | 132 | finished: 133 | mov [esi+12], eax // save error flag 134 | pop edi 135 | pop esi 136 | pop ebx 137 | pop ebp 138 | //pop ebx 139 | //pop esi 140 | //pop edi 141 | //pop ebp 142 | ret 143 | end: 144 | } 145 | 146 | INJECT_CODEPAYLOAD tmpPayload; 147 | tmpPayload.size = e - s; 148 | tmpPayload.code = malloc(tmpPayload.size); 149 | // copying code from code section should always work 150 | memcpy(tmpPayload.code, source, tmpPayload.size); 151 | return tmpPayload; 152 | } 153 | 154 | #pragma warning(default: 4731 4740) -------------------------------------------------------------------------------- /uberstealth/DriverControl.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "DriverControl.h" 3 | #include 4 | #include 5 | #include 6 | 7 | // The driver is NOT unloaded if the class is destroyed because the user might 8 | // want to use it although this controller class has gone out of scope. 9 | uberstealth::DriverControl::DriverControl() : 10 | running_(false) {} 11 | 12 | // start or stop given driver 13 | void uberstealth::DriverControl::controlDriver(const std::string& driverPath, const std::string& driverName, bool load) const { 14 | using uberstealth::StringToUnicode; 15 | SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 16 | if (hSCManager == NULL) { 17 | std::string msg; 18 | msg = "Error while trying to control driver (" + driverName + ")"; 19 | msg += ": unable to open service manager"; 20 | throwSysError(GetLastError(), msg); 21 | } 22 | 23 | SC_HANDLE hService = CreateService(hSCManager, StringToUnicode(driverName), StringToUnicode(driverName), 24 | SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, StringToUnicode(driverPath), NULL, NULL, NULL, NULL, NULL); 25 | DWORD lastError = 0; 26 | if (!hService) { 27 | lastError = GetLastError(); 28 | if (lastError == ERROR_SERVICE_EXISTS) { 29 | hService = OpenService(hSCManager, StringToUnicode(driverName), SERVICE_ALL_ACCESS); 30 | } else { 31 | CloseServiceHandle(hSCManager); 32 | throwSysError(lastError, "Error while trying to create driver service (" + driverName + ")"); 33 | } 34 | } 35 | 36 | if (load) { 37 | if (!StartService(hService, 0, NULL)) { 38 | lastError = GetLastError(); 39 | if (lastError != ERROR_SERVICE_ALREADY_RUNNING) { 40 | CloseServiceHandle(hSCManager); 41 | CloseServiceHandle(hService); 42 | throwSysError(lastError, "Error while trying to start driver service (" + driverName + ")"); 43 | } 44 | } 45 | } else { 46 | SERVICE_STATUS ss; 47 | ControlService(hService, SERVICE_CONTROL_STOP, &ss); 48 | if (!DeleteService(hService)) { 49 | lastError = GetLastError(); 50 | CloseServiceHandle(hSCManager); 51 | CloseServiceHandle(hService); 52 | throwSysError(lastError, "Error while trying to stop driver (" + driverName + ")"); 53 | } 54 | } 55 | 56 | CloseServiceHandle(hSCManager); 57 | CloseServiceHandle(hService); 58 | } 59 | 60 | // extracts the driver file and starts it with the given name 61 | // if no name is given, a random name is generated 62 | void uberstealth::DriverControl::startDriver(const ResourceItem& ri, const std::string& driverName) { 63 | if (running_) { 64 | return; 65 | } 66 | 67 | if (driverName.empty()) { 68 | throw std::runtime_error("Error while trying to start driver: cannot start driver with empty name."); 69 | } 70 | 71 | wchar_t tmpPath[MAX_PATH]; 72 | GetTempPath(MAX_PATH, tmpPath); 73 | boost::filesystem::path p(tmpPath); 74 | p /= driverName + ".sys"; 75 | if (ri.saveDataToFile(p.string())) { 76 | controlDriver(p.string(), driverName, true); 77 | driverName_ = driverName; 78 | driverPath_ = p.string(); 79 | running_ = true; 80 | } 81 | else { 82 | throw std::runtime_error("Error while trying to save driver to file: " + p.string()); 83 | } 84 | } 85 | 86 | void uberstealth::DriverControl::stopDriver() { 87 | if (!running_) { 88 | return; 89 | } 90 | controlDriver(driverPath_, driverName_, false); 91 | boost::filesystem::remove(driverPath_); 92 | running_ = false; 93 | } 94 | 95 | // Send IOCTL command to driver. 96 | void uberstealth::DriverControl::setMode(unsigned int ioctlCode, void* param, size_t paramSize) const { 97 | std::string device = "\\\\.\\" + driverName_; 98 | HANDLE hDevice = CreateFile(uberstealth::StringToUnicode(device), GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 99 | if (hDevice != INVALID_HANDLE_VALUE) { 100 | DWORD bytesReturned; 101 | if (!DeviceIoControl(hDevice, ioctlCode, param, paramSize, NULL, 0, &bytesReturned, NULL)) { 102 | DWORD lastErr = GetLastError(); 103 | CloseHandle(hDevice); 104 | throwSysError(lastErr, "Unable to send IOCTL command to driver (" + driverName_ + ")"); 105 | } 106 | CloseHandle(hDevice); 107 | } else { 108 | DWORD lastErr = GetLastError(); 109 | throwSysError(lastErr, "Unable to open driver object (" + driverName_ + ")"); 110 | } 111 | } 112 | 113 | void uberstealth::DriverControl::throwSysError(unsigned int lastError, const std::string& msg) const { 114 | std::ostringstream oss; 115 | oss << msg << ", system error code was: " << lastError; 116 | throw std::runtime_error(oss.str()); 117 | } -------------------------------------------------------------------------------- /StealthDriver/StealthDriver.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "StealthDriver.W7", "StealthDriver\StealthDriver.W7.vcxproj", "{D42B8C42-9344-44E7-844C-524F13995981}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | W7 checked (PREfast)|Win32 = W7 checked (PREfast)|Win32 9 | W7 checked|Win32 = W7 checked|Win32 10 | W7 free|Win32 = W7 free|Win32 11 | W7LH checked (PREfast)|Win32 = W7LH checked (PREfast)|Win32 12 | W7LH checked|Win32 = W7LH checked|Win32 13 | W7LH free|Win32 = W7LH free|Win32 14 | W7NET checked (PREfast)|Win32 = W7NET checked (PREfast)|Win32 15 | W7NET checked|Win32 = W7NET checked|Win32 16 | W7NET free|Win32 = W7NET free|Win32 17 | W7XP checked (PREfast)|Win32 = W7XP checked (PREfast)|Win32 18 | W7XP checked|Win32 = W7XP checked|Win32 19 | W7XP free|Win32 = W7XP free|Win32 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked (PREfast)|Win32.ActiveCfg = W7 checked (PREfast)|Win32 23 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked (PREfast)|Win32.Build.0 = W7 checked (PREfast)|Win32 24 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked (PREfast)|Win32.Deploy.0 = W7 checked (PREfast)|Win32 25 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked|Win32.ActiveCfg = W7 checked|Win32 26 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked|Win32.Build.0 = W7 checked|Win32 27 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 checked|Win32.Deploy.0 = W7 checked|Win32 28 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 free|Win32.ActiveCfg = W7 free|Win32 29 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 free|Win32.Build.0 = W7 free|Win32 30 | {D42B8C42-9344-44E7-844C-524F13995981}.W7 free|Win32.Deploy.0 = W7 free|Win32 31 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked (PREfast)|Win32.ActiveCfg = W7LH checked (PREfast)|Win32 32 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked (PREfast)|Win32.Build.0 = W7LH checked (PREfast)|Win32 33 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked (PREfast)|Win32.Deploy.0 = W7LH checked (PREfast)|Win32 34 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked|Win32.ActiveCfg = W7LH checked|Win32 35 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked|Win32.Build.0 = W7LH checked|Win32 36 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH checked|Win32.Deploy.0 = W7LH checked|Win32 37 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH free|Win32.ActiveCfg = W7LH free|Win32 38 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH free|Win32.Build.0 = W7LH free|Win32 39 | {D42B8C42-9344-44E7-844C-524F13995981}.W7LH free|Win32.Deploy.0 = W7LH free|Win32 40 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked (PREfast)|Win32.ActiveCfg = W7NET checked (PREfast)|Win32 41 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked (PREfast)|Win32.Build.0 = W7NET checked (PREfast)|Win32 42 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked (PREfast)|Win32.Deploy.0 = W7NET checked (PREfast)|Win32 43 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked|Win32.ActiveCfg = W7NET checked|Win32 44 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked|Win32.Build.0 = W7NET checked|Win32 45 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET checked|Win32.Deploy.0 = W7NET checked|Win32 46 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET free|Win32.ActiveCfg = W7NET free|Win32 47 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET free|Win32.Build.0 = W7NET free|Win32 48 | {D42B8C42-9344-44E7-844C-524F13995981}.W7NET free|Win32.Deploy.0 = W7NET free|Win32 49 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked (PREfast)|Win32.ActiveCfg = W7XP checked (PREfast)|Win32 50 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked (PREfast)|Win32.Build.0 = W7XP checked (PREfast)|Win32 51 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked (PREfast)|Win32.Deploy.0 = W7XP checked (PREfast)|Win32 52 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked|Win32.ActiveCfg = W7XP checked|Win32 53 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked|Win32.Build.0 = W7XP checked|Win32 54 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP checked|Win32.Deploy.0 = W7XP checked|Win32 55 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP free|Win32.ActiveCfg = W7XP free|Win32 56 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP free|Win32.Build.0 = W7XP free|Win32 57 | {D42B8C42-9344-44E7-844C-524F13995981}.W7XP free|Win32.Deploy.0 = W7XP free|Win32 58 | EndGlobalSection 59 | GlobalSection(SolutionProperties) = preSolution 60 | HideSolutionNode = FALSE 61 | EndGlobalSection 62 | EndGlobal 63 | -------------------------------------------------------------------------------- /HideDebugger/HideDebuggerProfile.cpp: -------------------------------------------------------------------------------- 1 | #include "HideDebuggerProfile.h" 2 | #include 3 | #pragma warning(disable : 4512) 4 | #include 5 | #pragma warning(default : 4512) 6 | 7 | namespace { 8 | 9 | const char* MainConfigFile = "uberstealth.config"; 10 | const char* DefaultProfileFile = "default.xml"; 11 | 12 | std::string currentProfileName_; 13 | 14 | const boost::filesystem::path& getProfilesPath() { 15 | static boost::filesystem::path profilesPath; 16 | if (profilesPath.empty()) { 17 | wchar_t appDataPath[MAX_PATH]; 18 | if (SUCCEEDED(SHGetFolderPath(NULL, CSIDL_APPDATA | CSIDL_FLAG_CREATE, NULL, 0, appDataPath))) { 19 | profilesPath = boost::filesystem::path(appDataPath) / "uberstealth"; 20 | } else { 21 | throw std::runtime_error("Unable to determine application data path."); 22 | } 23 | if (!boost::filesystem::exists(profilesPath)) { 24 | create_directory(profilesPath); 25 | } 26 | //// Create an empty default profile file if it doesn't exist yet. 27 | //boost::filesystem::path defaultFile = profilesPath_ / DefaultProfileFile; 28 | //if (!boost::filesystem::exists(defaultFile)) { 29 | // uberstealth::HideDebuggerProfile::writeProfile(HideDebuggerProfile(), UnicodeToString(defaultFile.wstring())); 30 | //} 31 | } 32 | return profilesPath; 33 | } 34 | 35 | const boost::filesystem::path& getMainConfigFile() { 36 | static boost::filesystem::path mainfConfigFile; 37 | if (mainfConfigFile.empty()) { 38 | mainfConfigFile = getProfilesPath() / MainConfigFile; 39 | } 40 | return mainfConfigFile; 41 | } 42 | 43 | std::string determineCurrentProfile() { 44 | std::ifstream ifs(getMainConfigFile().string().c_str()); 45 | std::string lastProfile; 46 | ifs >> lastProfile; 47 | return lastProfile; 48 | } 49 | 50 | // Get the absolute path for a given profile filename. 51 | boost::filesystem::path getAbsolutePath(const std::string& profileName) { 52 | return (getProfilesPath() / boost::filesystem::path(profileName)).replace_extension(".xml"); 53 | } 54 | 55 | } 56 | 57 | void uberstealth::setCurrentProfileName(const std::string& profileName) { 58 | currentProfileName_ = profileName; 59 | } 60 | 61 | boost::filesystem::path uberstealth::getCurrentProfileFile() { 62 | return getProfilesPath() / getCurrentProfileName(); 63 | } 64 | 65 | std::string uberstealth::getCurrentProfileName() { 66 | if (currentProfileName_.empty()) { 67 | currentProfileName_ = determineCurrentProfile(); 68 | if (currentProfileName_.empty()) { 69 | currentProfileName_ = DefaultProfileFile; 70 | } 71 | } 72 | return currentProfileName_; 73 | } 74 | 75 | std::vector uberstealth::getProfileNames() { 76 | std::vector profiles; 77 | boost::filesystem::directory_iterator end; 78 | for (boost::filesystem::directory_iterator iter(getProfilesPath()); iter!=end ; ++iter) { 79 | const boost::filesystem::path& p = iter->path(); 80 | if (boost::filesystem::is_regular_file(p) && p.extension() == ".xml") { 81 | profiles.push_back(p.filename().string()); 82 | } 83 | } 84 | return profiles; 85 | } 86 | 87 | bool uberstealth::deleteProfileByName(const std::string& profileName) { 88 | return boost::filesystem::remove(getAbsolutePath(profileName)); 89 | } 90 | 91 | void uberstealth::saveCurrentProfileName() { 92 | std::ofstream ofs(getMainConfigFile().c_str()); 93 | ofs << getCurrentProfileName(); 94 | } 95 | 96 | // HideDebuggerProfile static functions. 97 | 98 | uberstealth::HideDebuggerProfile uberstealth::HideDebuggerProfile::readProfileFromFile(const boost::filesystem::path& fileName) { 99 | boost::property_tree::ptree pt; 100 | boost::property_tree::xml_parser::read_xml(fileName.string(), pt, boost::property_tree::xml_parser::trim_whitespace); 101 | return HideDebuggerProfile(pt); 102 | } 103 | 104 | uberstealth::HideDebuggerProfile uberstealth::HideDebuggerProfile::readProfileByName(const std::string& profileName) { 105 | return readProfileFromFile(getAbsolutePath(profileName)); 106 | } 107 | 108 | void uberstealth::HideDebuggerProfile::writeProfileToFile(const HideDebuggerProfile& profile, const boost::filesystem::path& fileName) { 109 | boost::property_tree::xml_parser::write_xml(fileName.string(), 110 | profile.pt_, 111 | std::locale(), 112 | boost::property_tree::xml_writer_settings(' ', 4)); 113 | } 114 | 115 | void uberstealth::HideDebuggerProfile::writeProfileByName(const HideDebuggerProfile& profile, const std::string& profileName) { 116 | boost::property_tree::xml_parser::write_xml(getAbsolutePath(profileName).string(), 117 | profile.pt_, 118 | std::locale(), 119 | boost::property_tree::xml_writer_settings(' ', 4)); 120 | } 121 | -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/pydistorm.c: -------------------------------------------------------------------------------- 1 | /* 2 | pydistorm.c 3 | 4 | :[diStorm64}: Python Module Extension 5 | The ultimate disassembler library (80x86, AMD64) 6 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 7 | This library is licensed under the BSD license. See the file COPYING. 8 | */ 9 | 10 | 11 | #include "decoder.h" 12 | #include "textdefs.h" 13 | #include "wstring.h" 14 | 15 | #include "pydistorm.h" 16 | 17 | /* PYTHON MODULE EXPORTS */ 18 | _DLLEXPORT_ void initdistorm() 19 | { 20 | PyObject* distormModule = Py_InitModule3("distorm", distormModulebMethods, ":[diStorm64}:"); 21 | PyModule_AddIntConstant(distormModule, "Decode16Bits", Decode16Bits); 22 | PyModule_AddIntConstant(distormModule, "Decode32Bits", Decode32Bits); 23 | PyModule_AddIntConstant(distormModule, "Decode64Bits", Decode64Bits); 24 | PyModule_AddIntConstant(distormModule, "OffsetTypeSize", sizeof(_OffsetType) * 8); 25 | PyModule_AddStringConstant(distormModule, "info", ":[diStorm64 1.7.30}:\r\nCopyright RageStorm (C) 2008, Gil Dabah \r\n\r\ndiStorm is licensed under the BSD license.\r\nhttp://ragestorm.net/distorm/\r\n"); 26 | } 27 | 28 | #define MAX_INSTRUCTIONS 1000 29 | PyObject* distorm_Decode(PyObject* pSelf, PyObject* pArgs) 30 | { 31 | _DecodeType dt; 32 | uint8_t* code; 33 | int codeLen; 34 | _OffsetType codeOffset; 35 | _DecodeResult res = DECRES_NONE; 36 | 37 | _DecodedInst decodedInstructions[MAX_INSTRUCTIONS]; 38 | unsigned int decodedInstructionsCount = 0, i = 0, next = 0; 39 | 40 | uint8_t instructionText[MAX_TEXT_SIZE*2]; 41 | 42 | PyObject *ret = NULL, *pyObj = NULL, *dtObj = NULL; 43 | 44 | pSelf = pSelf; /* UNREFERENCED_PARAMETER */ 45 | 46 | /* Decode(int32/64 offset, string code, int type=Decode32Bits) */ 47 | if (!PyArg_ParseTuple(pArgs, _PY_OFF_INT_SIZE_ "s#|O", &codeOffset, &code, &codeLen, &dtObj)) return NULL; 48 | 49 | if (code == NULL) { 50 | PyErr_SetString(PyExc_IOError, "Error while reading code buffer."); 51 | return NULL; 52 | } 53 | 54 | if (codeLen < 0) { 55 | PyErr_SetString(PyExc_OverflowError, "Code buffer is too long."); 56 | return NULL; 57 | } 58 | 59 | /* Default parameter. */ 60 | if (dtObj == NULL) dt = Decode32Bits; 61 | else if (!PyInt_Check(dtObj)) { 62 | PyErr_SetString(PyExc_IndexError, "Third parameter must be either Decode16Bits, Decode32Bits or Decode64Bits (integer type)."); 63 | return NULL; 64 | } else dt = (_DecodeType)PyInt_AsUnsignedLongMask(dtObj); 65 | 66 | if ((dt != Decode16Bits) && (dt != Decode32Bits) && (dt != Decode64Bits)) { 67 | PyErr_SetString(PyExc_IndexError, "Decoding-type must be either Decode16Bits, Decode32Bits or Decode64Bits."); 68 | return NULL; 69 | } 70 | 71 | /* Construct an empty list, which later will be filled with tuples of (offset, size, mnemonic, hex). */ 72 | ret = PyList_New(0); 73 | if (ret == NULL) { 74 | PyErr_SetString(PyExc_MemoryError, "Not enough memory to initialize a list."); 75 | return NULL; 76 | } 77 | 78 | while (res != DECRES_SUCCESS) { 79 | res = internal_decode(codeOffset, code, codeLen, dt, decodedInstructions, MAX_INSTRUCTIONS, &decodedInstructionsCount); 80 | 81 | if ((res == DECRES_MEMORYERR) && (decodedInstructionsCount == 0)) break; 82 | 83 | for (i = 0; i < decodedInstructionsCount; i++) { 84 | if (decodedInstructions[i].mnemonic.pos > 0) { 85 | memcpy(instructionText, decodedInstructions[i].mnemonic.p, decodedInstructions[i].mnemonic.pos + 1); /* Include \0. */ 86 | if (decodedInstructions[i].operands.pos > 0) 87 | instructionText[decodedInstructions[i].mnemonic.pos] = SP_CHR; 88 | memcpy(&instructionText[decodedInstructions[i].mnemonic.pos+1], decodedInstructions[i].operands.p, decodedInstructions[i].operands.pos + 1); 89 | } else instructionText[0] = '\0'; 90 | 91 | pyObj = Py_BuildValue("(" _PY_OFF_INT_SIZE_ "bss)", decodedInstructions[i].offset, decodedInstructions[i].size, instructionText, decodedInstructions[i].instructionHex.p); 92 | if (pyObj == NULL) { 93 | Py_DECREF(ret); 94 | PyErr_SetString(PyExc_MemoryError, "Not enough memory to append an item into the list."); 95 | return NULL; 96 | } 97 | if (PyList_Append(ret, pyObj) == -1) { 98 | Py_DECREF(pyObj); 99 | Py_DECREF(ret); 100 | PyErr_SetString(PyExc_MemoryError, "Not enough memory to append an item into the list."); 101 | return NULL; 102 | } 103 | // V 1.7.25 - Memleak fixed, it is necessary to DECREF the object, because PyList_Append INCREFs it on its own. 104 | Py_DECREF(pyObj); 105 | } 106 | 107 | /* Get offset difference. */ 108 | next = (unsigned int)(decodedInstructions[decodedInstructionsCount-1].offset - codeOffset); 109 | next += decodedInstructions[decodedInstructionsCount-1].size; 110 | 111 | /* Advance ptr and recalc offset. */ 112 | code += next; 113 | codeLen -= next; 114 | codeOffset += next; 115 | } 116 | 117 | return ret; 118 | } 119 | 120 | -------------------------------------------------------------------------------- /NCodeHook/distorm.h: -------------------------------------------------------------------------------- 1 | /* diStorm64 1.7.28 */ 2 | 3 | /* 4 | distorm.h 5 | 6 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 7 | This library is licensed under the BSD license. See the file COPYING. 8 | 9 | This file is used in win32proj and linuxproj. 10 | */ 11 | 12 | /* 13 | * 64 bit offsets support: 14 | * If the diStorm library you use was compiled with 64 bits offsets, 15 | * make sure you compile your own code with the following macro set: 16 | * SUPPORT_64BIT_OFFSET 17 | * Otherwise comment it out, or you will get a linker error of an unresolved symbol... 18 | */ 19 | // TINYC has a problem with some 64bits library functions, so pass. 20 | #ifndef __TINYC__ 21 | #define SUPPORT_64BIT_OFFSET 22 | #endif 23 | 24 | /* If your compiler doesn't support stdint.h, define your own 64 bits type. */ 25 | #ifdef SUPPORT_64BIT_OFFSET 26 | #ifdef _MSC_VER 27 | #define OFFSET_INTEGER unsigned __int64 28 | #else 29 | #include 30 | #define OFFSET_INTEGER uint64_t 31 | #endif 32 | #else 33 | /* 32 bit offsets are used. */ 34 | #define OFFSET_INTEGER unsigned long 35 | #endif 36 | 37 | 38 | /* Support C++ compilers */ 39 | #ifdef __cplusplus 40 | extern "C" { 41 | #endif 42 | 43 | /* Decodes modes of the disassembler, 16 bits or 32 bits or 64 bits for AMD64, x86-64. */ 44 | typedef enum {Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2} _DecodeType; 45 | 46 | typedef OFFSET_INTEGER _OffsetType; 47 | 48 | /* Static size of strings. Do not change this value. */ 49 | #define MAX_TEXT_SIZE (60) 50 | typedef struct { 51 | unsigned int length; 52 | unsigned char p[MAX_TEXT_SIZE]; /* p is a null terminated string. */ 53 | } _WString; 54 | 55 | /* This structure holds all information the disassembler generates per instruction. */ 56 | typedef struct { 57 | _WString mnemonic; /* Mnemonic of decoded instruction, prefixed if required by REP, LOCK etc. */ 58 | _WString operands; /* Operands of the decoded instruction, up to 3 operands, comma-seperated. */ 59 | _WString instructionHex; /* Hex dump - little endian, including prefixes. */ 60 | unsigned int size; /* Size of decoded instruction. */ 61 | _OffsetType offset; /* Start offset of the decoded instruction. */ 62 | } _DecodedInst; 63 | 64 | /* Return code of the decoding function. */ 65 | typedef enum {DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR} _DecodeResult; 66 | 67 | /* distorm_decode 68 | * Input: 69 | * offset - Origin of the given code (virtual address that is), NOT an offset in code. 70 | * code - Pointer to the code buffer to be disassembled. 71 | * length - Amount of bytes that should be decoded from the code buffer. 72 | * dt - Decoding mode, 16 bits (Decode16Bits), 32 bits (Decode32Bits) or AMD64 (Decode64Bits). 73 | * result - Array of type _DecodeInst which will be used by this function in order to return the disassembled instructions. 74 | * maxInstructions - The maximum number of entries in the result array that you pass to this function, so it won't exceed its bound. 75 | * usedInstructionsCount - Number of the instruction that successfully were disassembled and written to the result array. 76 | * Output: usedInstructionsCount will hold the number of entries used in the result array 77 | * and the result array itself will be filled with the disassembled instructions. 78 | * Return: DECRES_SUCCESS on success (no more to disassemble), DECRES_INPUTERR on input error (null code buffer, invalid decoding mode, etc...), 79 | * DECRES_MEMORYERR when there are not enough entries to use in the result array, BUT YOU STILL have to check for usedInstructionsCount! 80 | * Side-Effects: Even if the return code is DECRES_MEMORYERR, there might STILL be data in the 81 | * array you passed, this function will try to use as much entries as possible! 82 | * Notes: 1)The minimal size of maxInstructions is 15. 83 | * 2)You will have to synchronize the offset,code and length by yourself if you pass code fragments and not a complete code block! 84 | */ 85 | #ifdef SUPPORT_64BIT_OFFSET 86 | _DecodeResult distorm_decode64(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount); 87 | #define distorm_decode distorm_decode64 88 | #else 89 | _DecodeResult distorm_decode32(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount); 90 | #define distorm_decode distorm_decode32 91 | #endif 92 | 93 | /* 94 | * distorm_version 95 | * Input: 96 | * none 97 | * 98 | * Output: unsigned int - version of compiler library. 99 | */ 100 | unsigned int distorm_version(); 101 | 102 | #ifdef __cplusplus 103 | } /* End Of Extern */ 104 | #endif 105 | -------------------------------------------------------------------------------- /RDTSCEmu/distorm/src/x86defs.h: -------------------------------------------------------------------------------- 1 | /* 2 | x86defs.h 3 | 4 | Copyright (C) 2003-2008 Gil Dabah, http://ragestorm.net/distorm/ 5 | This library is licensed under the BSD license. See the file COPYING. 6 | */ 7 | 8 | 9 | #ifndef X86DEFS_H 10 | #define X86DEFS_H 11 | 12 | #include "../config.h" 13 | 14 | #include "textdefs.h" 15 | #include "insts.h" 16 | 17 | #define SEG_REGS_MAX (6) 18 | #define CREGS_MAX (9) 19 | #define DREGS_MAX (8) 20 | 21 | /* 22 | * Definitions use this structure for faster copying. 23 | * str_x86def relies on this size, copying aligned dwords. 24 | */ 25 | #define DEF_TEXT_SIZE (8) 26 | typedef struct { 27 | unsigned int size; 28 | int8_t p[DEF_TEXT_SIZE]; 29 | } _DefText; 30 | 31 | extern _DefText _CONDITIONS[16]; 32 | extern _DefText _CONDITIONS_PSEUDO[8]; 33 | extern _DefText _CREGS[CREGS_MAX]; 34 | extern _DefText _DREGS[DREGS_MAX]; 35 | extern _DefText _SREGS[SEG_REGS_MAX]; 36 | extern _DefText _REGS8[16]; 37 | extern _DefText _REGS8_REX[16]; 38 | extern _DefText _REGS16[16]; 39 | extern _DefText _REGS32[16]; 40 | extern _DefText _REGS64[16]; 41 | extern _DefText _REGSMMX[8]; 42 | extern _DefText _REGSSSE[16]; 43 | extern _DefText _MODS16[8]; 44 | extern _DefText _MODS32[16]; 45 | extern _DefText _MODS64[16]; 46 | extern _DefText _BASE32[16]; 47 | extern _DefText _BASE64[16]; 48 | extern _DefText _INDEX32[16]; 49 | extern _DefText _INDEX64[16]; 50 | 51 | extern _DefText _SCALE32[4]; 52 | 53 | extern int8_t FPU_STACK_TEXT[3]; 54 | extern int8_t ONE_CONST_TEXT[4]; 55 | extern int8_t REG_RIP_TEXT[4]; 56 | 57 | extern int8_t BYTE_UNDEFINED[3]; 58 | extern int8_t TEXT_8_BITS[6]; 59 | extern int8_t TEXT_16_BITS[6]; 60 | extern int8_t TEXT_32_BITS[7]; 61 | extern int8_t TEXT_64_BITS[7]; 62 | extern int8_t TEXT_80_BITS[7]; 63 | extern int8_t TEXT_128_BITS[8]; 64 | 65 | extern int8_t PREFIX_LOCK_TEXT[6]; 66 | extern int8_t PREFIX_REP_TEXT[5]; 67 | extern int8_t PREFIX_REPNZ_TEXT[7]; 68 | extern int8_t PREFIX_CS_TEXT[3]; 69 | extern int8_t PREFIX_SS_TEXT[3]; 70 | extern int8_t PREFIX_DS_TEXT[3]; 71 | extern int8_t PREFIX_ES_TEXT[3]; 72 | extern int8_t PREFIX_FS_TEXT[3]; 73 | extern int8_t PREFIX_GS_TEXT[3]; 74 | 75 | extern int8_t SUFFIX_SIZE_BYTE; 76 | extern int8_t SUFFIX_SIZE_WORD; 77 | extern int8_t SUFFIX_SIZE_DWORD; 78 | extern int8_t SUFFIX_SIZE_QWORD; 79 | 80 | extern int8_t SHORT_OPERAND[7]; 81 | extern int8_t SMALL_OPERAND[7]; 82 | extern int8_t LARGE_OPERAND[7]; 83 | 84 | /* Maximum instruction size, including prefixes */ 85 | #define INST_MAXIMUM_SIZE (15) 86 | 87 | /* Maximum range of imm8 (comparison type) of special SSE instructions. */ 88 | #define INST_CMP_MAX_RANGE (8) 89 | 90 | /* Wait instruction byte code */ 91 | #define WAIT_INSTRUCTION_CODE (0x9b) 92 | extern int8_t WAIT_INSTRUCTION_MNEMONIC[5]; 93 | 94 | /* 95 | * Minimal MODR/M value of divided instructions. 96 | * It's 0xc0, two msb bits set, which indicates a general purpose register is used too. 97 | */ 98 | #define INST_DIVIDED_MODRM (0xc0) 99 | 100 | /* This is the escape byte value used for 3DNow! instructions. */ 101 | #define _3DNOW_ESCAPE_BYTE (0x0f) 102 | 103 | #define PREFIX_LOCK (0xf0) 104 | #define PREFIX_REPNZ (0xf2) 105 | #define PREFIX_REP (0xf3) 106 | #define PREFIX_CS (0x2e) 107 | #define PREFIX_SS (0x36) 108 | #define PREFIX_DS (0x3e) 109 | #define PREFIX_ES (0x26) 110 | #define PREFIX_FS (0x64) 111 | #define PREFIX_GS (0x65) 112 | #define PREFIX_OP_SIZE (0x66) 113 | #define PREFIX_ADDR_SIZE (0x67) 114 | 115 | /* REX prefix value range, 64 bits mode decoding only. */ 116 | #define PREFIX_REX_LOW (0x40) 117 | #define PREFIX_REX_HI (0x4f) 118 | /* In otder to use the extended GPR's we have to add 8 to the Modr/M info values. */ 119 | #define REX_GPR_BASE (8) 120 | 121 | /* Mask for REX features: */ 122 | /* Base */ 123 | #define PREFIX_REX_B (1) 124 | /* Index */ 125 | #define PREFIX_REX_X (2) 126 | /* Register */ 127 | #define PREFIX_REX_R (4) 128 | /* Operand Width */ 129 | #define PREFIX_REX_W (8) 130 | 131 | /* 132 | * The locate_inst will return on of these two instructions according to the specified decoding mode. 133 | * ARPL or MOVSXD on 64 bits is one byte instruction at index 0x63. 134 | */ 135 | #define INST_ARPL_INDEX (0x63) 136 | extern _InstInfo II_arpl; 137 | extern _InstInfoEx II_movsxd; 138 | 139 | /* 140 | * The NOP instruction can be prefixed by REX in 64bits, therefore we have to decide in runtime whether it's an XCHG or NOP instruction. 141 | * If 0x90 is prefixed by a useable REX it will become XCHG, otherwise it will become a NOP. 142 | */ 143 | #define INST_NOP_INDEX (0x90) 144 | extern _InstInfo II_nop; 145 | 146 | _INLINE_ void str_x86def(_WString* s, _DefText* d) 147 | { 148 | /* 149 | * Copy 2 aligned dwords to speed up things. 150 | * _WString should have that extra space, most of the times it will simply copy null-termianting characters. 151 | */ 152 | *(int32_t*)&s->p[s->pos] = *(int32_t*)d->p; 153 | *(int32_t*)&s->p[s->pos + sizeof(int32_t)] = *(int32_t*)&d->p[sizeof(int32_t)]; 154 | s->pos += d->size; 155 | } 156 | 157 | #endif /* X86DEFS_H */ 158 | -------------------------------------------------------------------------------- /uberstealth/UberstealthPage1.cpp: -------------------------------------------------------------------------------- 1 | #include "UberstealthPage1.h" 2 | #include "UberstealthOptionsDialog.h" 3 | 4 | LRESULT uberstealth::UberstealthPage1::OnDbgEnableClick(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) 5 | { 6 | bool newState = IsDlgButtonChecked(IDC_DBGSTART) || IsDlgButtonChecked(IDC_DBGATTACH); 7 | if (newState != oldState_) 8 | { 9 | configProvider_->triggerChangeGlobalEnableState(newState); 10 | } 11 | oldState_ = newState; 12 | return 0; 13 | } 14 | 15 | void uberstealth::UberstealthPage1::OnDataExchangeError(UINT nCtrlID, BOOL /*bSave*/) 16 | { 17 | if (nCtrlID == IDC_TICK_DELTA) 18 | { 19 | MessageBox(L"Please enter a valid tick count delta!", L"uberstealth", MB_ICONWARNING); 20 | ::SetFocus(GetDlgItem(IDC_TICK_DELTA)); 21 | } 22 | } 23 | 24 | void uberstealth::UberstealthPage1::enableControls(bool enabled) 25 | { 26 | BOOL state = enabled ? TRUE : FALSE; 27 | ::EnableWindow(GetDlgItem(IDC_NTQO), state); 28 | ::EnableWindow(GetDlgItem(IDC_RTLNTGF), state); 29 | ::EnableWindow(GetDlgItem(IDC_NTQSI), state); 30 | ::EnableWindow(GetDlgItem(IDC_NTQIP), state); 31 | ::EnableWindow(GetDlgItem(IDC_GETTICKCOUNT), state); 32 | ::EnableWindow(GetDlgItem(IDC_PROTECTDRS), state); 33 | ::EnableWindow(GetDlgItem(IDC_GETVERSION), state); 34 | ::EnableWindow(GetDlgItem(IDC_NTCLOSE), state); 35 | ::EnableWindow(GetDlgItem(IDC_DBGPRESENT), state); 36 | ::EnableWindow(GetDlgItem(IDC_NTGF), state); 37 | ::EnableWindow(GetDlgItem(IDC_NTHF), state); 38 | ::EnableWindow(GetDlgItem(IDC_TICK_DELTA), state); 39 | } 40 | 41 | void uberstealth::UberstealthPage1::loadProfile(const uberstealth::HideDebuggerProfile& profile) 42 | { 43 | ntQueryObj_ = profile.getNtQueryObjectEnabled(); 44 | rtlGetFlags_ = profile.getRtlGetNtGlobalFlagsEnabled(); 45 | ntQuerySysInfo_ = profile.getNtQuerySystemInformationEnabled(); 46 | ntQueryInfoProc_ = profile.getNtQueryInformationProcessEnabled(); 47 | getTickCount_ = profile.getGetTickCountEnabled(); 48 | protectDRs_ = profile.getProtectDebugRegistersEnabled(); 49 | getVersion_ = profile.getGetVersionEnabled(); 50 | ntClose_ = profile.getNtCloseEnabled(); 51 | dbgPresent_ = profile.getPEBIsBeingDebuggedEnabled(); 52 | ntGF_ = profile.getNtGlobalFlagEnabled(); 53 | ntHF_ = profile.getHeapFlagsEnabled(); 54 | tickDelta_ = profile.getGetTickCountDeltaValue(); 55 | dbgAttach_ = profile.getEnableDbgAttachEnabled(); 56 | dbgStart_ = profile.getEnableDbgStartEnabled(); 57 | oldState_ = dbgStart_ || dbgAttach_; 58 | DoDataExchange(FALSE); 59 | configProvider_->triggerChangeGlobalEnableState(dbgStart_ || dbgAttach_); 60 | } 61 | 62 | void uberstealth::UberstealthPage1::flushProfile(uberstealth::HideDebuggerProfile& profile) 63 | { 64 | if (DoDataExchange(TRUE)) 65 | { 66 | profile.setNtQueryObjectEnabled(ntQueryObj_); 67 | profile.setRtlGetNtGlobalFlagsEnabled(rtlGetFlags_); 68 | profile.setNtQuerySystemInformationEnabled(ntQuerySysInfo_); 69 | profile.setNtQueryInformationProcessEnabled(ntQueryInfoProc_); 70 | profile.setGetTickCountEnabled(getTickCount_); 71 | profile.setProtectDebugRegistersEnabled(protectDRs_); 72 | profile.setGetVersionEnabled(getVersion_); 73 | profile.setNtCloseEnabled(ntClose_); 74 | profile.setPEBIsBeingDebuggedEnabled(dbgPresent_); 75 | profile.setNtGlobalFlagEnabled(ntGF_); 76 | profile.setHeapFlagsEnabled(ntHF_); 77 | profile.setGetTickCountDeltaValue(tickDelta_); 78 | profile.setEnableDbgAttachEnabled(dbgAttach_); 79 | profile.setEnableDbgStartEnabled(dbgStart_); 80 | ddxError_ = false; 81 | } 82 | else 83 | { 84 | ddxError_ = true; 85 | } 86 | } 87 | 88 | int uberstealth::UberstealthPage1::getTickCountDelta() 89 | { 90 | // TODO(jan.newger@newgre.net): return acutal value from control. 91 | return tickDelta_; 92 | } 93 | 94 | bool uberstealth::UberstealthPage1::isProfileDirty() 95 | { 96 | if (m_hWnd) 97 | { 98 | return (IsDlgButtonChecked(IDC_NTQO) == BST_CHECKED ? true : false) != ntQueryObj_ || 99 | (IsDlgButtonChecked(IDC_RTLNTGF) == BST_CHECKED ? true : false) != rtlGetFlags_ || 100 | (IsDlgButtonChecked(IDC_NTQSI) == BST_CHECKED ? true : false) != ntQuerySysInfo_ || 101 | (IsDlgButtonChecked(IDC_PROTECTDRS) == BST_CHECKED ? true : false) != protectDRs_ || 102 | (IsDlgButtonChecked(IDC_GETVERSION) == BST_CHECKED ? true : false) != getVersion_ || 103 | (IsDlgButtonChecked(IDC_NTCLOSE) == BST_CHECKED ? true : false) != ntClose_ || 104 | (IsDlgButtonChecked(IDC_DBGPRESENT) == BST_CHECKED ? true : false) != dbgPresent_ || 105 | (IsDlgButtonChecked(IDC_NTGF) == BST_CHECKED ? true : false) != ntGF_ || 106 | (IsDlgButtonChecked(IDC_NTHF) == BST_CHECKED ? true : false) != ntHF_ || 107 | (IsDlgButtonChecked(IDC_GETTICKCOUNT) == BST_CHECKED ? true : false) != getTickCount_ || 108 | getTickCountDelta() != tickDelta_ || 109 | (IsDlgButtonChecked(IDC_DBGATTACH) == BST_CHECKED ? true : false) != dbgAttach_ || 110 | (IsDlgButtonChecked(IDC_DBGSTART) == BST_CHECKED ? true : false) != dbgStart_; 111 | } 112 | return false; 113 | } 114 | --------------------------------------------------------------------------------