
Hyde v1.01

Hyde is a plugin for OllyDbg v2.xx. Its purpose is to hide OllyDbg from detection by the debuggee. This is done by patching memory and APIs, and the options (or patch sets) can be saved to a file for easy reloading.

For example, with an ASProtect target you can set the patches that you need for ASProtect and save to a file "ASProtect.SET". This patch-set file can then be loaded whenever you need to debug ASProtect.

The plugin support is still in alpha so I have not included the source, but full source will be included when OllyDbg plugin support is final.

Features

  • All patched APIs should work "normally": they should only hide OllyDbg, and still work for other windows, processes, etc.
  • All patches/hooks are selectable from the menu for quick access, or from the Options dialog.
  • Optional Jmp variations (Push/Ret or Jmp[xxxxxxxx] or fake SysCall) for hooks.
  • If an API can be hot-patched, Hyde does so; if it is a syscall, Hyde uses a fake syscall; otherwise it uses the selected jmp style.
  • Load/Save patch sets. Patch sets are simply INI files, so they can also be edited in Notepad.
  • Remote allocated memory is separated into code and data with appropriate access, so there should be no problems with DEP.
  • If you right-click a patch in the Options dialog, the code window view will jump to that API.
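
The hook-style choice in the feature list (hot-patch, else fake syscall, else the selected jmp style) can be pictured as a classifier over an API's first bytes. The sketch below is an added example, not Hyde's code (the source is not published). It assumes the usual 32-bit conventions: a hot-patchable entry is `mov edi,edi` with five filler bytes in front, and an ntdll service stub is `mov eax,imm32 ; mov edx,7FFE0300h ; call [edx]`. The names `classify_prologue` and `hook_kind` and all sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum { HOOK_HOTPATCH, HOOK_FAKE_SYSCALL, HOOK_SELECTED_JMP } hook_kind;

/* Constructed sample bytes (not dumped from a real DLL); the API entry is at offset 5. */
const uint8_t SAMPLE_HOTPATCH[] = { 0x90,0x90,0x90,0x90,0x90, 0x8B,0xFF, 0x55, 0x8B,0xEC };
const uint8_t SAMPLE_SYSCALL[]  = { 0x90,0x90,0x90,0x90,0x90, 0xB8,0x9A,0x00,0x00,0x00,
                                    0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x18,0x00 };
const uint8_t SAMPLE_NO_PAD[]   = { 0x5D,0xC2,0x04,0x00,0x90, 0x8B,0xFF, 0x55, 0x8B,0xEC };
const uint8_t SAMPLE_PLAIN[]    = { 0xCC,0xCC,0xCC,0xCC,0xCC, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10 };

/* The 5 bytes before the entry must be one repeated filler byte: NOP or INT3. */
static int has_patch_pad(const uint8_t *entry) {
    const uint8_t *pad = entry - 5;
    if (pad[0] != 0x90 && pad[0] != 0xCC) return 0;
    for (int i = 1; i < 5; i++)
        if (pad[i] != pad[0]) return 0;
    return 1;
}

/* buf: bytes copied from the debuggee; entry_off: offset of the API's first byte. */
hook_kind classify_prologue(const uint8_t *buf, size_t len, size_t entry_off) {
    static const uint8_t stub_tail[] = { 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12 };
    if (entry_off >= len) return HOOK_SELECTED_JMP;
    const uint8_t *e = buf + entry_off;
    size_t avail = len - entry_off;
    /* mov edi,edi (8B FF) with 5 filler bytes in front: room for a long jmp. */
    if (avail >= 2 && entry_off >= 5 && e[0] == 0x8B && e[1] == 0xFF && has_patch_pad(e))
        return HOOK_HOTPATCH;
    /* mov eax,imm32 ; mov edx,7FFE0300h ; call [edx]: 32-bit ntdll service stub. */
    if (avail >= 12 && e[0] == 0xB8 && memcmp(e + 5, stub_tail, sizeof stub_tail) == 0)
        return HOOK_FAKE_SYSCALL;
    return HOOK_SELECTED_JMP;
}

int main(void) {
    static const char *names[] = { "hot-patch", "fake syscall", "selected jmp style" };
    printf("%s\n", names[classify_prologue(SAMPLE_HOTPATCH, sizeof SAMPLE_HOTPATCH, 5)]);
    printf("%s\n", names[classify_prologue(SAMPLE_SYSCALL, sizeof SAMPLE_SYSCALL, 5)]);
    printf("%s\n", names[classify_prologue(SAMPLE_NO_PAD, sizeof SAMPLE_NO_PAD, 5)]);
    printf("%s\n", names[classify_prologue(SAMPLE_PLAIN, sizeof SAMPLE_PLAIN, 5)]);
    return 0;
}
```

`SAMPLE_NO_PAD` shows the edge case: the entry starts with `mov edi,edi`, but the preceding bytes are code rather than filler, so it falls through to the selected jmp style.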

Patches and Hooks

  • PEB.IsDebugged
  • PEB.NtGlobalFlag
  • PEB.HeapFlag
  • NtQueryInformationProcess
  • NtSetInformationThread
  • FindWindowA
  • FindWindowW
  • FindWindowExA
  • FindWindowExW
  • EnumWindows
  • Process32NextW
  • OutputDebugString
  • NtQueryObject
  • GetTickCount
  • NtOpenProcess
  • BlockInput
  • NtClose
  • GetStartupInfo
  • NtQuerySystemInformation
  • NtYieldExecution
  • GetForegroundWindow
  • EnumDesktopWindows
  • GetWindowThreadProcessId