nihilus / scyllahide Goto Github PK
View Code? Open in Web Editor NEWHome Page: http://scyllahide.tk/
License: GNU General Public License v3.0
Home Page: http://scyllahide.tk/
License: GNU General Public License v3.0
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide. ScyllaHide is tested to work with VMProtect, Themida, Armadillo, Execryptor, Obsidium If you find any protector that still detects debugger, please tell us. Source code license: GNU General Public License v3 https://www.gnu.org/licenses/gpl-3.0.en.html ------------------------------------------------------ Debugger Hiding: - PEB - BeingDebugged, NtGlobalFlag, Heap Flags - NtSetInformationThread - ThreadHideFromDebugger - NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation - NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation, ProcessBreakOnTermination, ProcessHandleTracing - NtSetInformationProcess - ProcessBreakOnTermination, ProcessHandleTracing - NtQueryObject - ObjectTypesInformation, ObjectTypeInformation - NtYieldExecution - NtSetDebugFilterState - NtUserBuildHwndList - EnumWindows - NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W - NtUserQueryWindow - NtClose - NtCreateThreadEx - BlockInput - Remove Debug Privileges - OutputDebugStringA - OutputDebugStringW Timing Hooks: - GetTickCount - GetTickCount64 - GetLocalTime - GetSystemTime - NtQuerySystemTimeHook - NtQueryPerformanceCounter Special functions: - Prevent Thread creation - for protectors like Execryptor. Only use if you know what you are doing ! - Malware RUNPE Unpacker - Hooks NtResumeThread and terminates + dumps the process created by malware - Kill Anti-Attach Protecting and Stealthing DRx (Hardware Breakpoints): - NtGetContextThread - NtSetContextThread - KiUserExceptionDispatcher (only x86) - NtContinue (only x86) Hooks: - Stealth hooks for 32-bit targets (Tested against Themida/VMProtect) Plugin specific: - Update-Check IDA: - DLL injection (stealth / normal) - IDA 64bit plugin - IDA 32/64bit remote server Olly1&2: - Change Olly title - Resume/Suspend all Threads in Thread window - DLL injection (stealth / normal) Olly1: - Fix PE-Bugs - Fix FPU Bug - x64 compatibility mode - Remove EP-Break - Break on TLS - Skip "EP outside code" message - Advanced CTRL+G - Skip "compressed code" message - Ignore bad PE image (WinUPack) - Skip "Load DLL" message ------------------------------------------------------ Usage standalone (debugger-independent): InjectorCLI.exe <process name> <HookLibrary.dll path> For example: InjectorCLI.exe crackme.exe C:\HookLibrary.dll ------------------------------------------------------ Plugins: - for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\ (can be combined with TitanHide which does kernelmode hiding) - for OllyDbg v1.10: Copy HookLibraryx86.dll and ScyllaHideOlly1.dll to your plugins directory - for OllyDbg v2.01: Copy HookLibraryx86.dll and ScyllaHideOlly2.dll to your plugins directory - for IDA v6 32bit: Copy HookLibraryx86.dll, NtApiCollection.ini, ScyllaHideIDASrvx86.exe and ScyllaHideIDA.plw to your plugins directory - for IDA v6 64bit: Copy ScyllaHideIDA.p64, NtApiCollection.ini, ScyllaHideIDASrvx64.exe and HookLibraryx64.dll to your plugins directory - for x64dbg 32bit: Copy HookLibraryx86.dll, NtApiCollection.ini and ScyllaHideX64DBGPlugin.dp32 to your plugins directory - for x64dbg 64bit: Copy HookLibraryx64.dll, NtApiCollection.ini and ScyllaHideX64DBGPlugin.dp64 to your plugins directory ini Note: The default ini contains settings for this protectors: - VMProtect x86/x64 - Obsidium x86 - Themida x86 - Armadillo x86 Feel free to contribute settings for other protectors! IDA Note: - Start ScyllaHideIDASrvx64.exe to debug 64bit applications - Start ScyllaHideIDASrvx86.exe to debug remotely 32bit applications Commandline: ScyllaHideIDASrvxXX.exe <port> ScyllaHideIDASrv Note: - Server needs HookLibraryxXX.dll and NtApiCollection.ini ------------------------------------------------------ Special thanks to: - What for his POISON Assembler source code https://tuts4you.com/download.php?view.2281 - waliedassar for his blog posts http://waleedassar.blogspot.de - Peter Ferrie for his PDFs http://pferrie.host22.com - MaRKuS-DJM for OllyAdvanced assembler source code - MS Spy++ style Window Finder http://www.codeproject.com/Articles/1698/MS-Spy-style-Window-Finder ------------------------------------------------------ ToDo: - x64 Exception Support ------------------------------------------------------ NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx Info about NtApiCollection.ini: Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function adresses from another source. The other source is the PDB file. The adresses can be resolved with this tool: https://bitbucket.org/NtQuery/pdb-getprocaddress It will download the PDB file from the Microsoft server to resolve the missing function adresses. Binaries: https://bitbucket.org/NtQuery/scyllahide/downloads/NtApiTool.rar
The file in HookLibrary/HookHelper.cpp contains the wrong information for x64dbg.
BadProcessnameList[] - should contain an entry for "x64dbg.exe" and "x32dbg.exe"
BadWindowTextList[] - should contain entries for "x64dbg" and "x32dbg"
As well as a possible needed update for the class list?
Thanks!
Hi
I tried to use ScyllaHide in ida pro 7 but it does not appear in plugin tab.
As I googled, it should be ported to version 7.
Currently I don't have access to my building environment, can any one do that?
The issue is here: https://reverseengineering.stackexchange.com/questions/17708/ida-7-0-not-recognizing-plugins-eg-scyllahide-idastealth
Works great on the same executable when using the ollydbg plugin but when I inject from the CLI and run gdb-server 0.0.0.0:4444 --attach <injected pid>
and attach a remote dbg instance, the debugger get's detected and I'm looking at the heavily obfuscated endless loops and self-referrent jumps as without using scylla.
Well. Only recently i noticed some changes in a file. (game) The interesting is that when u select him, and search for the modules, it says that the process was not found. I can post some photos...im high now but yeah it used to be the best tool inda world until i was traped.help master. How i can do is stop the process to make it readable. then i can dump almost of code. A long time ago i did the same thing and wasnt detected. worked like chamz
But now the process looks like be unlinked from mem...deatached.. Im sure that this could tun on scylla more power. Could u understand what kind of trap is this
I work with old version 'cause don't know how to use this newer version with HookLibrary,
It works, says 'Injected', but how can i dump the file using newer version ?
Working normally someday...
and with only once update in one anti-cheat i can't dump this file now
(yes, i'm trying to defeat some anticheat and thanks to scylla
that let me understand the source of it COMPLETELY)!
Well, i was using ScyllaHide 0.9.7c and were working normally.
The first problem looks like the .exe are hiding himself from process list (O.O). Before this function worked so bad. Now is refined.
I need to use ProccessExplorer to pause the proccess and then HOOK IT, and i need to be faster or else it can be some proccess of somekind of API (C++, i doesn't understand) such as InternalProccess or really 'hiding' ??
The second is, when i pause it and hook it, the exe dump, that must be decrypted at this part, keeps as encrypted.
Looking better, i know so less of scylla, but it uses PEB, and well i guess this peb address was hidden.
I tried to check if they hidden the PEB using the attach function in ollydbg, to get live peb ?but here happens :
if process.exe is paused, i can attach with olly, or else ATTACH is detected misses from the proccess list ? i dunno.
Can i bypass it using newer ScyllaHidev1.2/1.3 version ?
using 32 bit debugger (x64dbg), Scyllahide seems to be detected by the old safedisc protection
Hey,
How come you removed support for attaching to processes in ida pro? I am trying to debug a process that gets started by another process so I cant attach-on-start.
Could you please explain the issues you encountered?
Great plugin btw!
Regards.
Themida -> anti-debug
https://github.com/fishstiqz/mitigationview
Route :
Route 2 :
Notice that in this Themida version the calls of NTDLL . ^^ ntdll.Dialog and ntdll.Defproc. I can't defeat with scylla plugin.
About 0x34 in NtQueryInformationProcess :
"This information class is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_PRIVILEGE_NOT_HELD."
Is it a type of warning that is show only there is a debugger ?
Well, sending this to olly will crash it
then it's a protection to ring0 debuggs ?
Themida should call outputdebugstring after my edit, but it doesn't call and i believe i've escaped from the trap. but Scylla can away this . but i'm just pointing one more thing.
then i got
https://msdn.microsoft.com/pt-br/library/windows/desktop/hh871471(v=vs.85).aspx
http://pferrie.host22.com/papers/antidebug.pdf
I don't know why i have done this, and i don't know if i've escaped from the trap 'cause im falling into 0xC0000142 about my file edition;
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/set.htm
The program it happens on is Frontline System's Solver Excel add-in. Likely some anti-anti-anti debugging technique causes program to exit after hooking.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.