From Collaborative RCE Tool Library

Jump to: navigation, search

PhantOm

Tool name: PhantOm
Rating: 5.0 (2 votes)
Author: Hellsp@wn & Archer & Olenevod                        
Website: N/A
Current version: 1.54
Last updated: January 7, 2009
Direct D/L link: Locally archived copy
License type: Free
Description: Plugin (with driver) for hiding OllyDbg from following methods of detection:

// driver - extremehide.sys

[+] NtQueryInformationProcess.
[+] SetUnhandledExceptionFilter.
[+] OpenProcess.
[+] Invalid Handle.
[+] NtSetInformationThread.
[+] RDTSC.
[+] NtYieldExecution.
[+] NtQueryObject.
[+] NtQuerySystemInformation.
[+] Windows hide.
[+] GetProcessTimes.
[+] NtSetContextThread.

// plugin - PhantOm.dll

[+] PEB BeingDebugged.
[+] PEB NtGlobalFlag.
[+] GetStartupInfo.
[+] Process Heaps.
[+] GetTickCount.
[!] Protect DRx.
[!] Hide DRx.
[!] Fake Windows version.
[!] Custom Handler.
[+] BlockInput


What's new - 1.30
[*] Captions of main and CPU windows can be manually set (CAPTEXT and PRETEXT in OllyDbg's ini-file). By default, they are named "PhantOm" and "o_O".
[*] Fixed some bugs in "custom handler exceptions" feature
[*] Other minor fixes

What's new - 1.26
[*] Fixed bug with loading driver
[*] Fixed bug with memory breakpoints
(Now, when "custom handler exceptions" option is
checked - memory breapoints on access/write will work,
but break-on-access won't work)
[*] Fixed bug with updating plugin (after previous version)

What's new - 1.25
[*] Now you can manually set names of services (HIDENAME and RDTSCNAME)
[*] Fixed some minor bugs
[*] Fixed bug with memory breakpoints

What's new - 1.20
[*] Added own exception handler (C0000005)
[*] Added option to change caption of main OllyDbg window
[*] Added own exception handler (OUTPUT_DEBUG_STRING_EVENT)
[*] Impoved removing of int 3 breakpoint at EP, when pause is set to "system breakpoint"
[*] Added hook for BlockInput (only for Windows XP)
[*] Added own exception handler (C0000094)
[*] Added hide from GetStartupInfo
[*] Fixed bug with plugin options
[*] Added protection from detecting driver
Related URLs:
Topic about plugin at Cracklab forum (in Russian):
http://cracklab.ru/f/index.php?action=vthread&forum=1&topic=7529


Screenshot:
Screenshot of PhantOm


RSS feed Feed containing all updates for this tool.

You are welcome to add your own useful notes about this tool, for others to see!



If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)


Views
Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (19)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (20)
   Needs New Category  (3)