nihilus / scyllahide Goto Github PK

The file in HookLibrary/HookHelper.cpp contains the wrong information for x64dbg.

BadProcessnameList[] - should contain an entry for "x64dbg.exe" and "x32dbg.exe"

BadWindowTextList[] - should contain entries for "x64dbg" and "x32dbg"

As well as a possible needed update for the class list?

Thanks!

Hi
I tried to use ScyllaHide in ida pro 7 but it does not appear in plugin tab.
As I googled, it should be ported to version 7.
Currently I don't have access to my building environment, can any one do that?
The issue is here: https://reverseengineering.stackexchange.com/questions/17708/ida-7-0-not-recognizing-plugins-eg-scyllahide-idastealth

Works great on the same executable when using the ollydbg plugin but when I inject from the CLI and run gdb-server 0.0.0.0:4444 --attach <injected pid> and attach a remote dbg instance, the debugger get's detected and I'm looking at the heavily obfuscated endless loops and self-referrent jumps as without using scylla.

Well. Only recently i noticed some changes in a file. (game) The interesting is that when u select him, and search for the modules, it says that the process was not found. I can post some photos...im high now but yeah it used to be the best tool inda world until i was traped.help master. How i can do is stop the process to make it readable. then i can dump almost of code. A long time ago i did the same thing and wasnt detected. worked like chamz
But now the process looks like be unlinked from mem...deatached.. Im sure that this could tun on scylla more power. Could u understand what kind of trap is this

I work with old version 'cause don't know how to use this newer version with HookLibrary,
It works, says 'Injected', but how can i dump the file using newer version ?

Working normally someday...
and with only once update in one anti-cheat i can't dump this file now
(yes, i'm trying to defeat some anticheat and thanks to scylla
that let me understand the source of it COMPLETELY)!
Well, i was using ScyllaHide 0.9.7c and were working normally.

The first problem looks like the .exe are hiding himself from process list (O.O). Before this function worked so bad. Now is refined.
I need to use ProccessExplorer to pause the proccess and then HOOK IT, and i need to be faster or else it can be some proccess of somekind of API (C++, i doesn't understand) such as InternalProccess or really 'hiding' ??

The second is, when i pause it and hook it, the exe dump, that must be decrypted at this part, keeps as encrypted.
Looking better, i know so less of scylla, but it uses PEB, and well i guess this peb address was hidden.
I tried to check if they hidden the PEB using the attach function in ollydbg, to get live peb ?but here happens :

if process.exe is paused, i can attach with olly, or else ATTACH is detected misses from the proccess list ? i dunno.
Can i bypass it using newer ScyllaHidev1.2/1.3 version ?

When I start a process in x32dbg and try using ScyllaHide, it instantly terminates the process after attempting to hook the process. It happens on all executables, packed or not.

I'm not sure if I'm doing anything wrong here.

Windows 10
Latest x64dbg

using 32 bit debugger (x64dbg), Scyllahide seems to be detected by the old safedisc protection

Hey,

How come you removed support for attaching to processes in ida pro? I am trying to debug a process that gets started by another process so I cant attach-on-start.

Could you please explain the issues you encountered?

Great plugin btw!

Regards.

Themida -> anti-debug

https://github.com/fishstiqz/mitigationview
Route :

1. some code calls GetCurrentProcess.
2. if it returns -1, it calls NtQueryInformationProcess with 0x34 (52u).
3. NtQueryInformationProcess returns 0 (Success).
4. Then it calls GetProcessMitigationPolicy that returns 0.
5. After call OutputDebugStringA , it show me the themida message.
6. Stills receiving error maybe because i don't escaped from SSH

Route 2 :

1. some code calls GetCurrentProcess (at first of file, the first time it's called is from the themida trap).
2. if it returns 0, it calls NtQueryInformationProcess with 0x34 (52u) (changing from -1 to 0 is to avoid UnhandledException).
3. NtQueryInformationProcess returns 0xC0000008. (INVALID_HANDLE_VALUE). Then i change it to 0
4. Then it calls GetProcessMitigationPolicy that returns 1.
5. After all steps, it no more calls OutputDebugStringA.
6. Stills receiving error maybe because i don't escaped from SSH

Notice that in this Themida version the calls of NTDLL . ^^ ntdll.Dialog and ntdll.Defproc. I can't defeat with scylla plugin.

About 0x34 in NtQueryInformationProcess :

"This information class is for kernel-mode use only. If executing for a user-mode request, the function fails, returning STATUS_PRIVILEGE_NOT_HELD."

Is it a type of warning that is show only there is a debugger ?
Well, sending this to olly will crash it

then it's a protection to ring0 debuggs ?

Themida should call outputdebugstring after my edit, but it doesn't call and i believe i've escaped from the trap. but Scylla can away this . but i'm just pointing one more thing.

then i got

https://msdn.microsoft.com/pt-br/library/windows/desktop/hh871471(v=vs.85).aspx

http://pferrie.host22.com/papers/antidebug.pdf

I don't know why i have done this, and i don't know if i've escaped from the trap 'cause im falling into 0xC0000142 about my file edition;
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/set.htm

https://github.com/rrbranco/blackhat2012/blob/master/Csrc/fcall_examples/fcall_examples/fcall_examples.cpp

The program it happens on is Frontline System's Solver Excel add-in. Likely some anti-anti-anti debugging technique causes program to exit after hooking.