IDAStealth v1.2 - Themida Support
Finally, IDAStealth is able to successfully hide the IDA debugger from Themida. The previous version of IDAStealth failed to provide "enough stealth" because Themida creates private mappings of various system DLLs, particularly of ntdll.
This effectively bypasses any user-mode hooks, so I had to resort to a kernel-mode driver which replaces some function pointers in the Service Descriptor Table [1, 2].
The driver actually replaces two functions: NtQueryInformationProcess and NtSetInformationThread.
The former provides a query mechanism for the ProcessDebugPort, ProcessDebugObjectHandle and ProcessDebugFlags information classes.
The latter is used by Themida to detach threads from the debugger. As a consequence, the debugger does not receive events for the detached threads anymore. Furthermore, the debugger is unable to stop or suspend the process and you have to kill the debugger itself to stop the process.
Naturally, the source code for the stealth driver is also included in the package.
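As an added illustration (not code from the IDAStealth package), the following user-mode C model sketches the decisions such hooks have to make for the two services named above. The function names are hypothetical, the thread class ThreadHideFromDebugger is the NT value for detaching a thread from the debugger and is not named in the text above, and the order of the length and handle checks is an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS              0x00000000u
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u
#define STATUS_INVALID_HANDLE       0xC0000008u
#define STATUS_PORT_NOT_SET         0xC0000353u

/* Information class numbers as defined by the NT native API. */
enum { ProcessDebugPort = 7, ProcessDebugObjectHandle = 30, ProcessDebugFlags = 31 };
enum { ThreadHideFromDebugger = 17 };

/* Hypothetical post-call filter: runs after the original service has filled
 * buf. Failures pass through unchanged so that a probe with a bad length or
 * handle still gets the genuine error code. */
uint32_t filter_query_process(int cls, uint32_t real_status, void *buf, size_t len)
{
    if (real_status != STATUS_SUCCESS)
        return real_status;
    switch (cls) {
    case ProcessDebugPort:            /* pointer-sized, 0 = no debug port */
        memset(buf, 0, len);
        return STATUS_SUCCESS;
    case ProcessDebugObjectHandle:    /* no debug object: null handle + error */
        memset(buf, 0, len);
        return STATUS_PORT_NOT_SET;
    case ProcessDebugFlags: {         /* 32-bit, 1 = process is not debugged */
        uint32_t not_debugged = 1;
        memcpy(buf, &not_debugged, sizeof not_debugged);
        return STATUS_SUCCESS;
    }
    default:                          /* unrelated classes are left untouched */
        return real_status;
    }
}

/* Hypothetical pre-call filter: *forward tells the caller whether to invoke
 * the original service. The hide request is validated like the real call
 * (length must be 0, handle must be valid) and then dropped. */
uint32_t filter_set_thread(int cls, size_t len, int handle_valid, int *forward)
{
    *forward = (cls != ThreadHideFromDebugger);
    if (*forward)
        return STATUS_SUCCESS;        /* placeholder; caller uses the real status */
    if (len != 0)
        return STATUS_INFO_LENGTH_MISMATCH;
    return handle_valid ? STATUS_SUCCESS : STATUS_INVALID_HANDLE;
}
```

Passing failures through and validating the dropped request matter because a hook that answers every call with success can itself be recognised by a caller that deliberately supplies a wrong length or handle.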
[1] Rootkits: Subverting the Windows Kernel
[2] Uninformed vol. 8