Thread: ScyllaHide
View Single Post
  #30  
Old 05-07-2014, 00:39
Carbon Carbon is offline
VIP
 
Join Date: Sep 2013
Posts: 113
Rept. Given: 7
Rept. Rcvd 189 Times in 48 Posts
Thanks Given: 0
Thanks Rcvd at 59 Times in 18 Posts
Carbon Reputation: 100-199 Carbon Reputation: 100-199
Quote:
Originally Posted by ahmadmansoor View Post
Hi Carbon
I have make some more check on x64 .
I keep get ((Warning wrong struct size 504 != 396))
or the HookLibraryx64.dll not been injected .
Did you compile it yourself? This is some alginment check, this should not be a problem in the release builds.


Quote:
if (specialPebFix)
{
StartFixBeingDebugged(ProcessId, false);
specialPebFix = false;
}

if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
{
StartFixBeingDebugged(ProcessId, true);
specialPebFix = true;
}
This is from the POISON source and to be honest I don't understand it completly but it works very well. It is something against Heap flag artifacts. Themida/WL looks for special artifacts on the process heaps and this little trick prevents the creation of these artifacts. I think other hide plugin use the same trick. I don't know who invented it originally, but it is a very clever way to solve this problem, so the author is probably some genius.
__________________
My blog: https://ntquery.wordpress.com
Reply With Quote