Evil Client v1.5 beta test

There will be a new Evil Client version out soon. Since a considerable amount of code has been rewritten or added, I'm looking for some people who are willing to test the new version.
If you can think of a feature you definitely want to see in the new release (and which hasn't already been mentioned in the forum), or you want to test the new version, please drop me a line.

New IDA Stealth - Improved anti-anti-debugging techniques

IDA Stealth v1.0 Beta 3

This time there aren't as many changes as there were when Beta 2 was released. The new version primarily increases the stealthiness of some techniques. For example, the NtQueryObject hook mistakenly assumed that all object names are zero-terminated strings, which means that it could miss the DebugObject chunk and consequently would fail to zero out the object and handle counts.
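To make the bug concrete, here is an added example (written for this post, not code from IDA Stealth): the type names that NtQueryObject returns are UNICODE_STRINGs, whose Length is a byte count and whose Buffer need not end in a NUL. A comparison that walks the buffer until it finds a terminator will fail exactly when the next name starts right after "DebugObject", and the hook then leaves the counts a protector checks untouched. The entry layout below is a deliberately reduced model of OBJECT_TYPE_INFORMATION (only the fields the hook touches; an assumption, not the real struct), and the name pool is constructed to reproduce the missing terminator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* UTF-16 code unit. wchar_t is 32 bits on Linux, so a fixed-width type is used. */
typedef uint16_t WCHAR16;

/* Mirrors the documented UNICODE_STRING: Length/MaximumLength are byte counts
 * and Buffer is NOT guaranteed to be NUL-terminated. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    WCHAR16 *Buffer;
} UNICODE_STRING16;

/* Simplified model (assumption) of one OBJECT_TYPE_INFORMATION entry as returned
 * by NtQueryObject(ObjectAllTypesInformation): only the fields the hook touches. */
typedef struct {
    UNICODE_STRING16 TypeName;
    uint32_t TotalNumberOfObjects;
    uint32_t TotalNumberOfHandles;
} OBJECT_TYPE_INFO_MIN;

typedef bool (*name_matcher)(const UNICODE_STRING16 *, const char *);

/* The old, buggy comparison: walks Buffer until it sees a NUL, so it only
 * matches when a terminator happens to follow the name. */
bool name_eq_assuming_nul(const UNICODE_STRING16 *s, const char *ascii)
{
    size_t n = strlen(ascii);
    for (size_t i = 0; i < n; i++)
        if (s->Buffer[i] != (WCHAR16)(unsigned char)ascii[i])
            return false;
    return s->Buffer[n] == 0;   /* reads one code unit past Length */
}

/* The fixed comparison: bounded by Length, no terminator required. */
bool name_eq_counted(const UNICODE_STRING16 *s, const char *ascii)
{
    size_t n = strlen(ascii);
    if (s->Length != n * sizeof(WCHAR16))
        return false;
    for (size_t i = 0; i < n; i++)
        if (s->Buffer[i] != (WCHAR16)(unsigned char)ascii[i])
            return false;
    return true;
}

/* What a protector checks: non-zero DebugObject counts mean a debugger is attached somewhere. */
bool debug_object_visible(const OBJECT_TYPE_INFO_MIN *e, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (name_eq_counted(&e[i].TypeName, "DebugObject") &&
            (e[i].TotalNumberOfObjects || e[i].TotalNumberOfHandles))
            return true;
    return false;
}

/* What the hook does on the way back from NtQueryObject: zero the counts.
 * Returns how many entries were scrubbed, so a caller can notice a miss. */
size_t scrub_debug_object(OBJECT_TYPE_INFO_MIN *e, size_t n, name_matcher eq)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (eq(&e[i].TypeName, "DebugObject")) {
            e[i].TotalNumberOfObjects = 0;
            e[i].TotalNumberOfHandles = 0;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample: names packed back to back in one pool, exactly the case
 * where no NUL follows "DebugObject" (the next name starts right after it). */
static WCHAR16 pool[] = { 'D','e','b','u','g','O','b','j','e','c','t',
                          'E','v','e','n','t', 0 };

#define ENTRIES 2
static OBJECT_TYPE_INFO_MIN sample[ENTRIES];

/* Rebuilds the sample with a live DebugObject and returns it. */
OBJECT_TYPE_INFO_MIN *make_sample(void)
{
    sample[0].TypeName = (UNICODE_STRING16){ 11 * 2, 11 * 2, pool };
    sample[0].TotalNumberOfObjects = 1;
    sample[0].TotalNumberOfHandles = 1;
    sample[1].TypeName = (UNICODE_STRING16){ 5 * 2, 6 * 2, pool + 11 };
    sample[1].TotalNumberOfObjects = 42;
    sample[1].TotalNumberOfHandles = 7;
    return sample;
}
```

Run `scrub_debug_object` with `name_eq_assuming_nul` on the sample and it scrubs nothing, so `debug_object_visible` still reports the debugger; the counted comparison finds the entry and zeroes it while leaving the neighbouring Event entry alone. The same Length-bounded rule applies to every UNICODE_STRING a hook inspects, not just this one.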

New IDA plugin - N-Coverage

Finally, I added another IDA plugin which was written some months ago while doing the DRM analysis. N-Coverage was used to spot relevant code in the DRM system, although it actually turned out to be of minor use in that special case (due to all the anti-reverse-engineering techniques).
However, it was referenced in the DEFCON paper, so here it is. Don't expect too much of it, though. Needless to say, it comes with full source code.

DB crash

We had a DB crash and although we had backups, rebuilding the content and tracking down the error took some time. It seems that the crash was due to some problem of Drupal handling trigger actions whenever a comment is posted. Comments are now available again, but I'm not immediately notified via email anymore.
Anyway, most of the stuff has already been restored and should work as expected. Some parts such as the forum still need to be fixed, though. If something isn't working as expected please contact me. Thx!

New IDA Stealth release - now including full source code

Bugs...and more bugs

A new version of IDA Stealth - namely v1.0 Beta 2 - is now available.
Thanks to Peter Ferrie, a lot of bugs have been fixed, which could ultimately be used to unveil the presence of an attached debugger, even if the plugin was running and the appropriate stealth technique was activated.

DEFCON 16 aftermath

Defcon 16 is over and it literally kicked ass! Check out slides and paper to see what you've missed.
Thx to everyone for the great feedback and cya @ Defcon 17 ;-)

Cheers
Jan

IDAStealth - A plugin to hide the IDA debugger

Stealth for IDA!

I've always wanted a plugin for IDA which hides the debugger from the anti-debugging tricks employed by most packers/protectors. There are several plugins for OllyDbg which provide such stealthiness, but to my knowledge none for IDA, so I thought I'd just write the plugin myself (the only thing I found was a rather limited plugin by Ilfak himself).

N-CodeHook - A detours like inline patching lib

API Hooking

API hooking is a well-known technique for modifying and extending existing program or operating-system logic. By inline patching, APIs can be hooked in order to modify their results, to stop certain functions from executing at all, or to replace existing functionality with a custom implementation. Especially in the case of OS APIs, whose code cannot simply be changed, the only way to alter program logic is to employ some kind of hooking mechanism that redirects control flow to a custom function.
Other techniques such as IAT patching do not work if the library in question is loaded dynamically (calls then go through GetProcAddress pointers, not the import table) or if the function you want to hook isn't exported from the DLL at all.
Inline patching is then a very reliable solution: the first instructions of the target function are overwritten with a jump to the hook, and the displaced instructions are kept in a trampoline so the original function can still be reached.
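As an added example (written for this post; it is not N-CodeHook's code), the byte-level part of a Detours-style hook: encoding the jump that overwrites the function entry, deciding how many whole instructions that jump displaces, and assembling the trampoline that runs them and jumps back. Addresses, the prologue bytes and the instruction lengths are constructed inputs; in a real library the lengths come from a length disassembler, and the patch is written only after VirtualProtect (or mprotect) has made the page writable and the instruction cache has been flushed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { JMP_REL32_LEN = 5, JMP_ABS64_LEN = 14 };

/* Little-endian store helpers. */
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* E9 rel32: 5 bytes, target must lie within +/-2 GiB of the byte after the jump.
 * Returns bytes written, or 0 when the displacement does not fit. */
size_t encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[JMP_REL32_LEN])
{
    int64_t disp = (int64_t)(to - (from + JMP_REL32_LEN));
    if (disp < INT32_MIN || disp > INT32_MAX)
        return 0;
    out[0] = 0xE9;
    put32(out + 1, (uint32_t)(int32_t)disp);
    return JMP_REL32_LEN;
}

/* FF 25 00000000 + imm64: "jmp qword ptr [rip+0]" followed by the absolute
 * address. Position independent, so it reaches any 64-bit target. */
size_t encode_jmp_abs64(uint64_t to, uint8_t out[JMP_ABS64_LEN])
{
    out[0] = 0xFF; out[1] = 0x25;
    put32(out + 2, 0);
    put64(out + 6, to);
    return JMP_ABS64_LEN;
}

/* Prefer the short form; fall back to the absolute one. */
size_t encode_jmp(uint64_t from, uint64_t to, uint8_t out[JMP_ABS64_LEN])
{
    size_t n = encode_jmp_rel32(from, to, out);
    return n ? n : encode_jmp_abs64(to, out);
}

/* The patch may only overwrite whole instructions: sum instruction lengths
 * (from a length disassembler; here supplied by the caller) until at least
 * `need` bytes are covered. Returns 0 if the function is too short. */
size_t stolen_bytes(const uint8_t *insn_len, size_t n_insn, size_t need)
{
    size_t total = 0;
    for (size_t i = 0; i < n_insn && total < need; i++)
        total += insn_len[i];
    return total >= need ? total : 0;
}

/* Trampoline = the displaced original instructions + a jump to the first
 * untouched instruction. The detour calls the trampoline to reach the original.
 * Returns trampoline length, 0 on failure.
 * Caveat: displaced instructions with RIP-relative operands or relative
 * branches must be re-encoded; this example copies them verbatim. */
size_t build_trampoline(uint64_t target, const uint8_t *target_bytes, size_t stolen,
                        uint64_t tramp_addr, uint8_t *tramp, size_t tramp_cap)
{
    if (stolen == 0 || tramp_cap < stolen + JMP_ABS64_LEN)
        return 0;
    memcpy(tramp, target_bytes, stolen);
    size_t j = encode_jmp(tramp_addr + stolen, target + stolen, tramp + stolen);
    return stolen + j;
}

/* Hook plan for a constructed target: a typical prologue
 * push rbp / mov rbp,rsp / sub rsp,0x20 (1+3+4 bytes) at 0x401000, detour at
 * 0x402000, trampoline slab at 0x500000 (all hypothetical). Fills `patch` (the
 * bytes to write over the target) and `tramp`; returns the patch length. */
size_t plan_hook(uint8_t patch[JMP_ABS64_LEN], uint8_t tramp[32], size_t *tramp_len)
{
    static const uint8_t prologue[] = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x20 };
    static const uint8_t lens[] = { 1, 3, 4 };
    const uint64_t target = 0x401000, detour = 0x402000, slab = 0x500000;

    size_t n = encode_jmp(target, detour, patch);
    size_t stolen = stolen_bytes(lens, 3, n);
    *tramp_len = build_trampoline(target, prologue, stolen, slab, tramp, 32);
    return n;
}
```

For the constructed layout the patch is a 5-byte `E9 FB 0F 00 00`, which displaces all three prologue instructions (8 bytes, since the 5th byte falls inside `sub rsp,0x20`), so the trampoline is those 8 bytes followed by a jump to 0x401008. When the detour lives in a DLL mapped more than 2 GiB away, `encode_jmp` switches to the 14-byte absolute form, which in turn steals more instructions; that is why the trampoline size is derived from the patch length rather than fixed.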

Injecting a DLL prior to process execution

Why inject a DLL?

DLL injection is a well-known technique and is most often used to perform some kind of API hooking. As soon as the DLL has been injected into a remote process, hooking APIs or patching existing functionality is easy because everything happens inside a single address space.
Apart from hooking APIs to change existing program logic, there are several other reasons why one would want to inject a DLL into another process, especially in the field of reverse engineering.

New IP on reconnect

I got many requests from people asking how to get a new IP on the next reconnect, so I wrote a small script for the Evil Client to add this functionality.
In order to get a new IP you have to click on the profile you are currently connected to and the script will make sure that you get a different IP upon the next connection. Note that Windows Script Host (WSH) is needed for the script to work.
More information along with the download link can be found on the FAQ site.
