trietptm / uberstealth Goto Github PK

What feature do you suggest?
Implement countermeasures for the anti-debugging technique based on the  
GetStartupInfoA API.

Hidedebugger and uberstealth projects have hardcoded absolute pathes inside

Idea is to base on some environmental variable,
eg: $(OLLY), $(IDA)

Also C++ and Linker sections could reuse these...

fix deprecated used API in drivers:
(from compiler output)

warning C4996: 'MmCreateMdl': was declared deprecated
warning C4996: 'MmMapLockedPages': was declared deprecated
warning C4996: 'ExAllocatePool': was declared deprecated

What steps will reproduce the problem?
1. Select "Hide debugger windows" under "Stealth Options 2"
2.
3.

What is the expected output? What do you see instead?
The OllyDbg Windows should be hidden from the debuggee.

Please provide any additional information below.

What steps will reproduce the problem?
1. Make IDT hook atomic
2.
3.

What is the expected output? What do you see instead?


Please provide any additional information below.

What steps will reproduce the problem?
1. Select "Automatically pass unknown exception to debuggee".

What is the expected output? What do you see instead?
The exceptions are not passed to the debuggee.

What steps will reproduce the problem?
1. Selecting any of the SEH support functions has no effect.

What is the expected output? What do you see instead?
The debugger can not be halted on SEH or after EIP has changed. Logging doesn't 
work as well.

What feature do you suggest?
Implement countermeasures for the anti-debugging techniques based on the 
NtSystemDebugControl API.

What steps will reproduce the problem?
1. Select any SEH monitoring option.

What is the expected output? What do you see instead?
The debugger can not be halted on SEH or after EIP has changed. Logging also 
doesn't work.

What feature do you suggest?
Dll injection upon process startup could be realized via APC injection.

Please provide any additional information below.
One advantage of APC injection is that it is more robust in the presence of 
non-standard PE headers. Also, it might be a bit more stealthy since there 
would be no image import descriptor entry in the address space pointing at the 
name/path of the injected dll.

What steps will reproduce the problem?
1. Turn on the checkbox "Automatically hald debugger at new EIP after SEH 
exception"
2.
3.

What is the expected output? What do you see instead?
I see that when having single step tracing (TF=1) plugin puts breakpoint on 
every executed line!

What version of the product are you using? On what operating system?
built manually, taken from latest git trunk

Please provide any additional information below.

What feature do you suggest?
There should be an option to (at least) write a message to the OllyDbg/IDA log 
window whenever the debuggee tries to
1) terminate any process
2) spawn a new process with debugging flags (DEBUG_ONLY_THIS_PROCESS)
3) use WriteProcessMemory on the own address space (e.g. to evade hardware 
breakpoints)
4) possibly other events(?)

Ideally, the debugge should be halted before performing such actions.

What steps will reproduce the problem?
1. Select remote windbg debugger
2. Start the debugger

What is the expected output? What do you see instead?
uberstealth should inject the dll into the remote process. Instead it tries to 
inject into a local process with the same process id.

[deleted issue]

What steps will reproduce the problem?
1. Enable uberstealth in IDA.
2. Start the win32 remote debugger.
3. Start the remote stealth server.

What is the expected output? What do you see instead?
The stealth options should be applied to the remote process. Instead 
uberstealth tries to inject into a process on the local machine.

What steps will reproduce the problem?
1. Select "Improved NtClose".
2. Start the debugger and let the debugge close an invalid handle.

What is the expected output? What do you see instead?
The NtClose API raises an exception but the plugin should prevent this.

Please provide any additional information below.
The issue only appears on 64 bit Windows.