Blogs
IDAStealth v1.2 - Themida Support
Finally, IDAStealth is able to successfully hide the IDA debugger from Themida. The previous version of IDAStealth failed to provide "enough stealth" because Themida creates private mappings of various system DLLs, particularly of ntdll.
Hex-Rays Plugin Contest (Updated)
I placed 3rd in the Hex-Rays plugin contest, thanks to the Hex-Rays people :)
There are still some issues with the IDAStealth plugin, though. I hope to be able to fix them ASAP, but I'm currently writing my diploma thesis, so I don't have much spare time at the moment, but I'm working on it.
However, if you find bugs, please report them to me so I can improve the plugin. Thanks :)
Project Updates
IDAStealth
First of all, the new IDAStealth v1.1 supports remote debugging, has a new WTL-based GUI and supports profiles.
As requested by some people, the source now builds out of the box, provided you have the required libraries in your include path (see the readme for instructions). Some minor bugfixes also made it into the new version.
IDA Stealth v1.0 final
What's new?
It's been some time since the last update, so here it is.
Finally, a driver to emulate the return value of the RDTSC instruction has been added, errors in the debug register handling were fixed and the stealthiness of the GetTickCount hook has been improved.
RDTSC emulation
Well, RDTSC emulation is actually rather widely used, so I wanted to include this technique before releasing a final version.
Compiler optimizations for constant divisors
Optimizing for speed
Today's compilers do a decent job of optimizing high-level code for execution speed. As compilers grow more complex over time, so does the code they emit. This tutorial focuses on a specific arithmetic optimization an optimizing compiler performs to avoid costly instructions such as div and idiv: the division by a constant is transformed into fixed-point arithmetic.
Actually, I just wanted to write some random stuff to test the new DruTeX plugin ;-)
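To make the transformation concrete, here is an added example (not code from the tutorial or from the site's projects) that derives the same multiply-and-shift sequence a compiler emits for 32-bit unsigned division by a constant and checks it against real division. It uses the round-up reciprocal from Granlund and Montgomery (the variant with the `sub`/`shr`/`add` fix-up that avoids a 33-bit magic); `udiv_make_magic`, `udiv_by_magic` and `udiv_selftest` are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Parameters of the multiply-and-shift sequence that replaces a 32-bit
   unsigned DIV by a constant divisor d (round-up variant). */
typedef struct {
    uint32_t magic;  /* ceil(2^(32+l) / d) with the implicit 2^32 bit stripped */
    unsigned shift;  /* final right shift, l - 1 */
} udiv_magic;

/* ceil(log2(d)) for d >= 2 */
static unsigned ceil_log2(uint32_t d) {
    unsigned l = 0;
    while ((UINT64_C(1) << l) < d) l++;
    return l;
}

/* Hypothetical helper (not the compiler's code): derive magic and shift for a
   divisor d >= 3 that is not a power of two.
   magic = floor(2^32 * (2^l - d) / d) + 1  ==  ceil(2^(32+l) / d) - 2^32,
   which fits in 32 bits because 2^l - d < d. */
udiv_magic udiv_make_magic(uint32_t d) {
    unsigned l = ceil_log2(d);
    uint64_t pow2l = UINT64_C(1) << l;
    udiv_magic m;
    m.magic = (uint32_t)(((UINT64_C(1) << 32) * (pow2l - d)) / d + 1);
    m.shift = l - 1;
    return m;
}

/* The emitted sequence, written out: MUL (keep the high dword in t),
   SUB, SHR 1, ADD, SHR.  t + ((n - t) >> 1) equals (t + n) >> 1 without the
   32-bit overflow that a plain t + n could cause. */
uint32_t udiv_by_magic(uint32_t n, udiv_magic m) {
    uint32_t t = (uint32_t)(((uint64_t)n * m.magic) >> 32);
    return (t + ((n - t) >> 1)) >> m.shift;
}

/* Compare the sequence against the hardware division for small n and for the
   boundary values where a wrong rounding would show up first. */
int udiv_selftest(uint32_t d) {
    static const uint32_t probes[] = {
        0, 1, 2, 0x7FFFFFFEu, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFEu, 0xFFFFFFFFu
    };
    if (d < 3 || (d & (d - 1)) == 0) return 0;   /* outside the precondition */
    udiv_magic m = udiv_make_magic(d);
    for (uint32_t n = 0; n < 200000; n++)
        if (udiv_by_magic(n, m) != n / d) return 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (udiv_by_magic(probes[i], m) != probes[i] / d) return 0;
    return 1;
}

int main(void) {
    /* Constructed divisors; 7 reproduces the familiar 0x24924925 magic. */
    const uint32_t divisors[] = {3, 7, 10, 641, 1000000007u};
    for (size_t i = 0; i < sizeof divisors / sizeof divisors[0]; i++) {
        udiv_magic m = udiv_make_magic(divisors[i]);
        printf("n / %u  ->  magic 0x%08X, shift %u, selftest %s\n",
               divisors[i], m.magic, m.shift,
               udiv_selftest(divisors[i]) ? "ok" : "FAILED");
    }
    return 0;
}
```

When reading disassembly, the magic constant and the final shift identify the divisor: 0x24924925 with the fix-up and a final `shr 2` is division by 7. Compilers also use the plainer variant (a single `mul` and `shr` with a magic such as 0xAAAAAAAB for division by 3) whenever the reciprocal already fits in 32 bits, so both shapes should be recognised.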
Evil Client v1.5.2
This is a minor update: some crashes were fixed and the GUI of the console window now also has the EC theme - no nasty DOS box anymore! Besides, the setup will allow you to keep your settings upon uninstall. That's all :)
Details and download on the Evil Client page.
Evil Client v1.5.1
Some minor fixes made it into the new version. First of all, the --reconnect command line switch now honours the reconnect delay if one is specified, so the EC is better suited for scripting. Other than that, the setup is now multi-user aware, which means that it detects whether the current user has Administrator rights. If so, an option appears to install the shortcuts for all users; otherwise only shortcuts for the current user are created.
Evil Client v1.5 available!
It appeared to be dead, but the Evil Client strikes back again ;)
The new version comes with a bunch of new features, still has the drop-dead gorgeous GUI, occupies very few resources and keeps your VPN connection up 24/7. Besides, I added some documentation, which contains usage instructions and explains the new features. Everything else is on the Evil Client site. Cheers!
Evil Client v1.5 beta test
There will be a new Evil Client version out soon. Since a considerable amount of code has been rewritten or added, I'm looking for some people who are willing to test the new version.
If you can think of a feature you definitely want to see in the new release (and which hasn't already been mentioned in the forum), or you want to test the new version, please drop me a line.
New IDA Stealth - Improved anti-anti-debugging techniques
IDA Stealth v1.0 Beta 3
This time there aren't as many changes as there were when Beta 2 was released. The new version primarily increases the stealthiness of some techniques. For example, the NtQueryObject hook mistakenly assumed that all object names are zero-terminated strings, which means that it could miss the DebugObject chunk and consequently would fail to zero out the object and handle count.