
Attachment3 #17

@mrexodia

Description

Summary:
--------
TitanHide is an open-source driver intended to hide debuggers from certain
processes. The driver hooks various Nt* kernel functions (using SSDT table
hooks) and modifies the return values of the original functions. The below
highlights generic ways the driver's design allows debugger detection.

Location:
---------
Hook functions in TitanHide/Hooks.cpp.

Impact: 
-------
A hostile binary expecting to be debugged under TitanHide can leverage the
driver's design described below in order to achieve debugger detection.

Details:
--------
- Most hooks are vulnerable to race conditions where the debugged process can
  check the return code of the original NT call before TitanHide overwrites it.
- The device object (\Device\TitanHide by default) and its DOS devices link
  can be accessed to detect the presence of TitanHide and to unprotect the
  current process.
- The hooks check whether the current process (rather than the target process) is
  registered by TitanHide as hidden. Executing code outside of the process (via
  process or remote thread creation, for instance) can be used to get around
  TitanHide's debug detection.

Recommendation:
----------------
- Do not write data back to user mode memory until it has been sanitized.
- While relying on users to rename the device object or link would increase
  attack complexity, a more robust approach could be to filter IO calls to the
  TitanHide device object from monitored processes.
- Consider using the target process when filtering NT system calls.
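The race described in the first finding, and the first recommendation, reduced to a runnable model. This is an added example written for this page; it is not TitanHide's code and not part of the issue above. It models the hook shape with POSIX threads instead of a Windows kernel driver: original_query stands in for the unhooked NtQueryInformationProcess(ProcessDebugPort) call reporting a constructed debug port value, hook_vulnerable forwards that call straight into the caller's buffer and overwrites the result afterwards, hook_hardened fills a kernel-local copy and writes the sanitized value to the caller's buffer once, and observer_main is the debugged process's second thread polling the output buffer. The kernel_window delay and the function and constant names are assumptions made for the model, not TitanHide parameters.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Constructed stand-in for what the unhooked NtQueryInformationProcess
 * (ProcessDebugPort) reports while a debugger is attached: a nonzero port. */
#define REAL_DEBUG_PORT 0xDEADBEEFULL

static void original_query(_Atomic uint64_t *out)
{
    atomic_store(out, REAL_DEBUG_PORT);
}

/* Scheduling gap standing in for the work a hook does between forwarding the
 * call and rewriting the result (hypothetical knob, not a TitanHide setting). */
static void kernel_window(unsigned window_us)
{
    if (window_us == 0) return;
    struct timespec ts = { .tv_sec = 0, .tv_nsec = (long)window_us * 1000L };
    nanosleep(&ts, NULL);
}

typedef void (*hook_fn)(_Atomic uint64_t *user_out, unsigned window_us);

/* Vulnerable shape: the original call writes straight into the caller's
 * user-mode buffer and the hook overwrites it afterwards. Anything reading
 * the buffer between the two stores sees the real debug port. */
static void hook_vulnerable(_Atomic uint64_t *user_out, unsigned window_us)
{
    original_query(user_out);          /* user memory now holds REAL_DEBUG_PORT */
    kernel_window(window_us);
    atomic_store(user_out, 0);         /* too late: the value was already visible */
}

/* Hardened shape (the report's first recommendation): let the original call
 * fill a kernel-local copy, sanitize that, and write user memory exactly once. */
static void hook_hardened(_Atomic uint64_t *user_out, unsigned window_us)
{
    _Atomic uint64_t kernel_copy;
    original_query(&kernel_copy);      /* only kernel-side memory is touched here */
    kernel_window(window_us);
    (void)atomic_load(&kernel_copy);   /* whatever was reported, report "no debugger" */
    uint64_t sanitized = 0;
    atomic_store(user_out, sanitized); /* single write of an already-clean value */
}

/* The debugged process's second thread: it never calls the hooked API, it only
 * polls the output buffer that the first thread passed in. */
struct observer {
    _Atomic uint64_t *slot;
    _Atomic int stop;
    unsigned leaks;   /* written only by the observer thread, read after join */
};

static void *observer_main(void *arg)
{
    struct observer *obs = arg;
    while (!atomic_load(&obs->stop)) {
        if (atomic_load(obs->slot) != 0)
            obs->leaks++;              /* unsanitized value observed: debugger detected */
        sched_yield();
    }
    return NULL;
}

/* Issues `calls` hooked queries on one thread while the observer polls the
 * same buffer; returns how many polls caught the real debug port. */
static unsigned race_hook(hook_fn hook, unsigned calls, unsigned window_us)
{
    _Atomic uint64_t user_buffer = 0;  /* the buffer handed to the modelled syscall */
    struct observer obs = { .slot = &user_buffer, .stop = 0, .leaks = 0 };
    pthread_t tid;
    if (pthread_create(&tid, NULL, observer_main, &obs) != 0)
        return 0;
    for (unsigned i = 0; i < calls; i++)
        hook(&user_buffer, window_us);
    atomic_store(&obs.stop, 1);
    pthread_join(tid, NULL);
    return obs.leaks;
}

int main(void)
{
    unsigned v = race_hook(hook_vulnerable, 50, 2000);
    unsigned h = race_hook(hook_hardened, 50, 2000);
    printf("vulnerable hook: observer saw the real debug port %u times\n", v);
    printf("hardened hook:   observer saw the real debug port %u times\n", h);
    return 0;
}
```

With the vulnerable shape the observer catches the real port on essentially every call once the window is a few microseconds wide; with the hardened shape it can never see it, because user memory only ever receives the sanitized value. The same argument applies whatever the width of the window, which is why shrinking it (doing less between the forwarded call and the overwrite) is not a fix.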
