
TitanHide – open-source ring0 Windows x64 anti-anti-debug driver - MrBra
http://mrexodia.cf/reversing/2015/02/05/TitanHide/
======
userbinator
Wouldn't VMs be an easy way to defeat these sorts of protections?
Theoretically, the host has ultimate control over anything the VM does, and if
it's configured to look enough like a real machine, there'd be no need to even
modify the guest environment with things like this driver, which would just
become another thing to detect (thus producing an anti-anti-anti-debugging
method...); the host can inspect and modify the guest instead. The only
obstacle then becomes making the VM look "real enough".

~~~
gizmo686
Do any VMs actually attempt to hide the fact that they are a VM? I thought
they advertised this fact so that guest operating systems could offer VM
integration features.

~~~
throwaway2048
Even if they actively attempt to hide the fact they are a VM, there are
various interrupt timing related tricks you can do to detect VMs that are
basically impossible to emulate.

~~~
AlyssaRowan
Grandparent: Yes, but they are specialised ones, not general-use ones.

Parent: Impossible? It's far more nuanced than that. Do you think that's
_real_ time that's passing?

Redpilling and bluepilling (as it's become known since about 1999, thanks to
The Matrix) is an arms race. In a game theoretic sense, bluepilling "wins"
when the environment is within the attackers' control, redpilling "wins" when
essential parts of the target aren't (e.g. on the internet, only an oracle),
but of course back in real life we find ourselves asymptotically approaching
that because usually, neither plays perfectly. Bluepilling wants a more
seamless virtual environment; redpilling wants to find the seams and chisel
away at them.

You could be referring to a number of approaches, but there can be serious
complications. Here are the two big factors, especially as the actors get more
advanced:

1. False positives. The tweakier you make an anti-debug trap, the more likely
it's going to fire on real hardware. There is really nothing you can do about
that, especially on the PC where there's such a massive variation of real
hardware, each individual piece with its own errata. The question is the
impact that has. False positives are often not a really big deal to those
hiding advanced malware - they'd often prefer to skip those boxes just in
case, no big deal - so they can (and do) use much crazier techniques than say
anti-debugger routines in copy protection, where a user will care about a
false positive because the stuff they bought won't run - and then they call
you to fix it, or when you won't, someone like me to fix it, and then in your
nightmares you're up against:

2. Simulators: bluepilling's finishing move. Emulators that work at the gate
level, errata and all. Last I heard, one vendor doesn't even do physical draft
tapeouts anymore - they've got a supercomputer, and they use it. You can
simulate a 6502 in your browser in JavaScript -
[http://www.visual6502.org/JSSim/](http://www.visual6502.org/JSSim/) - but
doing it to a big x86 (even an Atom) takes quite a bit more _oomph_. Oh, and
masks. But it's a viable approach, with a few tricks. Which you might not
need, because:

3. These routines look _really_ distinctive in a way you cannot disguise. You
_expect_ to see them in advanced malware or copy protection; it's sometimes
enough to get a signature all by itself. And of course, they are just code.
They can be deadlisted, rewound, replayed, patched, modified, and everything
else.

It's just another trap: when the attacker can read your mind, make 1+1 equal
0x90, and time flow backwards, nothing is impossible. Just harder.

------
MrBra
Code is at
[https://bitbucket.org/mrexodia/titanhide](https://bitbucket.org/mrexodia/titanhide)
with detailed installation instructions.

------
TheLoneWolfling
It's turtles all the way down.

