Home of Gamehacking - Archiv
Datarescue IDA Pro v5.0

#1 iNvIcTUs oRCuS (Super Moderator, Posts: 2,688, Threads: 529, Joined: Aug 2010, Rating: 19)
08.12.2010, 23:19
Hi there...
While surfing the net I came across the new freeware version of what is probably the best disassembler still under active development. The paid version 6.0 is out by now, which probably prompted the developers to release the 5.0 version as freeware.

Info/guide/how to use:
http://www.hex-rays.com/idapro/ida50news.pdf

Download:
http://www.hex-rays.com/idapro/idadownfreeware.htm


Anyone who knows W32DASM will quickly find their way around this one too. The built-in debugger does its job as well, but personally I find it too cluttered. But hey, that's what Olly is for :)

grEEtZ sILeNt heLLsCrEAm

To err is human. But anyone who wants to make a real mess needs a computer!!!

Trainer requests via PM are deleted on principle...
#2 iNvIcTUs oRCuS (Super Moderator, Posts: 2,688, Threads: 529, Joined: Aug 2010, Rating: 19)
20.11.2011, 16:14
Hi there...

For the all-rounder mentioned above there is also a nice plugin called IDA Stealth. It really needs no further explanation what this plugin is capable of...
The plugin is now available in version 1.3.3.

...Official description (English)...
Quote: IDAStealth Plugin

IDAStealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll actually implements most of the stealth techniques either by hooking system calls or by patching some flags in the remote process.


...Change Log...

Quote: 06/28/2011 - v1.3.3

Bugfix: The plugin GUI could crash on Win7 X64 systems
Bugfix: If any of the SEH debugging support features was used an "internal error 30191" would be raised in IDA as soon as the exception occurred in the debuggee
Bugfix: Injection of the stealth dll failed if the size of the import directory was (intentionally) set to a wrong value
Improved: Added profile for the newest version of VMProtect (v2.09)

09/27/2010 - v1.3.2

Bugfix: SEH monitoring was not working with IDA versions < v5.7
Bugfix: The debug registers could be overwritten by a SEH handler if the respective thread never called SetThreadContext before the SEH handler was invoked

08/23/2010 - v1.3.1

Bugfix: The NtClose hook could cause access violations in some situations
Bugfix: In some cases, consecutive calls to GetThreadContext could reveal the actual values of the debug registers even when advanced hardware breakpoint protection was enabled
Improved: The user can specify custom names for the stealth and RDTSC emulation driver, respectively
Some minor fixes and improvements

07/09/2010 - v1.3

Added: Added support for the ProcessDebugObjectHandle as well as the ProcessDebugFlags parameters to NtQueryInformationProcess hooks (stealth driver and HideDebugger.dll)
Added: The debugger can be automatically halted in the top-level SEH handler, or when a new context has been applied by the OS after returning from a SEH handler
Added: Profile for VMProtect has been added
Some minor fixes and improvements

02/15/2010 - v1.2.1

Bugfix: DoS in SetThreadContext if supplied context was not readable or flags were not writeable
Bugfix: Context emulation always used the id of the current thread no matter what thread handle was actually given
Bugfix: Incorrect handling of ProcessDebugObjectHandle in hook of NtQueryinformationProcess in stealth driver
Bugfix: Possible dead-lock in context emulation
Bugfix: IDAStealth would try to connect to the RemoteStealth server if Windbg was selected and would always try to inject the stealth dll for any win32 application regardless which debugger module was used
Bugfix: 0xC000007B error when starting .NET app which was compiled with /clr:pure
Bugfix: Inter-process communication could fail if process id was reused between debugger runs ("Error while restoring NT headers...")
Bugfix: Tick-delta of zero would cause an exception in HideDebugger.dll
Improved: Context emulation now hooks the corresponding Nt* APIs instead of the kernel32 functions
Improved: GetTickCount + RDTSC increase internal counter by a random value from specified interval

12/15/2009 - v1.2

Bugfix: RDTSC driver handling; driver service was not deleted in some rare cases
Bugfix: RDTSC driver mode was broken due to recent BSOD fix
Improved: IDAStealth can hide from Themida with ultra anti debugging settings
Added: New stealth driver

11/24/2009 - v1.1.1

Bugfix: Old RDTSC driver version slipped into the last release. The new one is now included
Improved: To increase overall stealth, the NT Headers are restored to their original state after the dll has been injected
Added: Profile for yoda's Protector added

11/14/2009 - v1.1

Bugfix: OpenProcess failed on XP when started from a restricted user account
Bugfix: Bound imports directory is only cleared if necessary
Bugfix: DBG_PRINT DoS due to improper parameter checking
Bugfix: BSOD in RDTSC driver
Added: Remote debugging support
Added: Profiles support
Added: Exceptions with unknown exception code can be automatically passed to the debuggee
Added: Inline hooks can be forced to use absolute jumps
Improved: GUI has been redesigned to be more usable
Improved: AWESOME gfx :)
Changed: HideDebugger.ini is now located in the user's directory at:
%APPDATA%\IDAStealth\HideDebugger.ini
Improved: Whole project compiles with WL4 and "treat warnings as error"

03/25/2009 - v1.0

Bugfix: API hook of GetThreadContext erroneously returned the complete context even if the flags specified that only the DRs should be returned. This interfered with newer Armadillo versions
Improved: GetTickCount hook now mimics the original API algorithm and allows for controlling the increasing delta
Added: RDTSC emulation driver with optional driver name randomization to increase stealthiness. Read these notes carefully before using this feature





...Download (official homepage)...
IDA Stealth v1.3.3 Plugin Download


grEEtZ
sILeNt heLLsCrEAm
To err is human. But anyone who wants to make a real mess needs a computer!!!

Trainer requests via PM are deleted on principle...
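The plugin description above says IDAStealth hides the debugger by hooking system calls or patching flags in the debuggee, and the change log names the concrete artifacts involved (PEB flags, the ProcessDebugObjectHandle and ProcessDebugFlags classes of NtQueryInformationProcess, GetThreadContext debug registers, GetTickCount/RDTSC timing). The following C program is an added example, not code from the forum post or from the IDAStealth project: it is the other side of that fight, a minimal anti-debugging check that reads exactly those artifacts, so you can see what a stealth plugin has to fake. The decision logic is a plain function that builds anywhere; the live probe of the real PEB and ntdll is Windows-only (MSVC or MinGW) and guarded by _WIN32. The PEB offsets (BeingDebugged at +0x02, NtGlobalFlag at +0x68 on x86 / +0xBC on x64, PEB pointer at fs:[0x30] / gs:[0x60]) and the information class numbers 30 and 31 are the documented layout; the timing threshold and the sample values on non-Windows hosts are assumptions chosen for illustration.

```c
/* Added example (not from the forum post or the IDAStealth project): a user-mode
 * anti-debugging check over the artifacts a stealth plugin has to fake.
 * Decision logic is portable; live collection is Windows-only (#ifdef _WIN32). */
#include <stdint.h>
#include <stdio.h>

/* Heap flags set in PEB.NtGlobalFlag when a process is started under a debugger. */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* One bit per check that fired. */
enum {
    AD_PEB_BEING_DEBUGGED  = 1u << 0,
    AD_NT_GLOBAL_FLAG      = 1u << 1,
    AD_DEBUG_OBJECT_HANDLE = 1u << 2,
    AD_DEBUG_FLAGS         = 1u << 3,
    AD_TIMING              = 1u << 4
};

typedef struct {
    uint8_t  being_debugged;      /* PEB+0x02, what IsDebuggerPresent() returns */
    uint32_t nt_global_flag;      /* PEB+0x68 (x86) / PEB+0xBC (x64) */
    uint64_t debug_object_handle; /* NtQueryInformationProcess class 30: non-zero when debugged */
    uint32_t debug_flags;         /* NtQueryInformationProcess class 31: 0 when debugged, 1 otherwise */
    uint64_t rdtsc_delta;         /* cycles measured around a short straight-line sequence */
} debug_artifacts;

/* Evaluate collected artifacts. Returns a mask of AD_* bits; 0 means "looks clean". */
unsigned evaluate_artifacts(const debug_artifacts *a, uint64_t timing_threshold)
{
    unsigned hits = 0;
    if (a->being_debugged)
        hits |= AD_PEB_BEING_DEBUGGED;
    if ((a->nt_global_flag & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS)
        hits |= AD_NT_GLOBAL_FLAG;
    if (a->debug_object_handle != 0)
        hits |= AD_DEBUG_OBJECT_HANDLE;
    if (a->debug_flags == 0)
        hits |= AD_DEBUG_FLAGS;
    if (a->rdtsc_delta > timing_threshold)   /* single-stepping or breakpoints inflate the delta */
        hits |= AD_TIMING;
    return hits;
}

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>

typedef LONG (WINAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Read the artifacts from the running process (documented PEB layout). */
static debug_artifacts collect_live(void)
{
    debug_artifacts a = {0};
    a.debug_flags = 1;                         /* default to "not debugged" if the query fails */
#ifdef _WIN64
    BYTE *peb = (BYTE *)__readgsqword(0x60);
    a.nt_global_flag = *(DWORD *)(peb + 0xBC);
#else
    BYTE *peb = (BYTE *)__readfsdword(0x30);
    a.nt_global_flag = *(DWORD *)(peb + 0x68);
#endif
    a.being_debugged = peb[2];

    NtQIP_t NtQIP = (NtQIP_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    if (NtQIP) {
        HANDLE h = NULL;
        DWORD flags = 1;
        /* Without a debugger class 30 fails with STATUS_PORT_NOT_SET, which leaves h == NULL. */
        if (NtQIP(GetCurrentProcess(), 30, &h, sizeof h, NULL) == 0)
            a.debug_object_handle = (uint64_t)(uintptr_t)h;
        if (NtQIP(GetCurrentProcess(), 31, &flags, sizeof flags, NULL) == 0)
            a.debug_flags = flags;
    }

    uint64_t t0 = __rdtsc();
    volatile unsigned sink = 0;
    for (int i = 0; i < 1000; i++) sink += i;  /* short sequence a trace would slow down */
    a.rdtsc_delta = __rdtsc() - t0;
    return a;
}
#endif

int main(void)
{
#ifdef _WIN32
    debug_artifacts a = collect_live();
#else
    /* Constructed sample on non-Windows hosts: a process started under a debugger. */
    debug_artifacts a = { 1, 0x70, 0x4, 0, 500000 };
#endif
    unsigned hits = evaluate_artifacts(&a, 100000);   /* threshold is an assumption; tune per machine */
    printf("BeingDebugged=%u NtGlobalFlag=0x%x DebugObject=0x%llx DebugFlags=%u rdtsc=%llu -> mask 0x%x\n",
           a.being_debugged, a.nt_global_flag, (unsigned long long)a.debug_object_handle,
           a.debug_flags, (unsigned long long)a.rdtsc_delta, hits);
    return hits ? 1 : 0;
}
```

Run it once natively and once under IDA with and without the plugin: with IDAStealth active, BeingDebugged, the NtQueryInformationProcess results and the timing delta should all read as "clean"; a mask with only one bit set tells you which artifact the current profile is still leaking.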