However, it will break it for those that don't use the same IDA version as you. So one would need to do a pull request with a loop to make it work with each new version.
Little update
After crashing IDA and debugging it, it seems to make an x64 hook first in an x86 app and IDAServerx86, plus some more problems.

Bug 1) It crashes because it attempts to make an x64 connection in an x86 app and fails on:
Code:
IDAServerx86.exe!DetourCreateRemoteNativeSysWow64(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize) Line 356 + 0x5 bytes
Code:
IDAServerx86.exe!DetourCreateRemoteNative32(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize) Line 532 + 0x1a bytes C++
https://github.com/x64dbg/ScyllaHide...k.cpp#L350-354
Not sure why, but I am a Python guy. It seems to jump to the x86 hook instead of the x64 one, but a smart person told me that it should not matter in C++. Suggestion: maybe the dev should use
Code:
If __EA64__

Bug 2) I also saw a port access violation. In Win 10, even if you have a firewall you bought, you have to open the ports in the internal Win 10 one, even if it is disabled. In the start menu type WF.msc and open UDP/TCP port 1337.

Bug 3) For fixing the structure error, for now untick NtQueryInformationProcess in the ScyllaHide settings. Result:
Code:
Listening on port 1337...
I thought I was doing something wrong, then I found this thread! Win10 (Anniversary Update) + x64dbg doesn't crash, but gives:
NT APIs missing section 060200000109_x86_0000A830 file NtApiCollection.ini
I used ScyllaHide from the link on the x64dbg page (Bitbucket link). Hopefully someone can make Win10 a platform for RE. Thanks!
I did some testing.
https://github.com/x64dbg/ScyllaHide/issues/2
Seems there are junk bytes at Win10 Anniversary's NtQueryInformationProcess call as well as a different signature. The code leading to the gateway is a JMP to a jmp (so two jmps) to the gateway, whereas Win8.1 is a simple jmp. More details are at that issue link.
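The jmp-to-jmp layout described in the post above matters for anything that resolves an API's real entry point from its prologue (hook scanners, integrity checkers, or a tool like ScyllaHide locating the syscall gateway). The following is an added example, not code from the thread or from ScyllaHide: it follows a chain of x86 JMP rel32/rel8 instructions over a byte buffer, skips the junk bytes in between, and reports how many hops it took, so a single-jmp (Win8.1-style) prologue and a double-jmp (Anniversary-style) prologue are both resolved to the same kind of landing site. The byte arrays are constructed samples, not real ntdll bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Follow a chain of x86 JMPs (E9 rel32 / EB rel8) starting at `start` in `buf`.
 * Returns the offset of the first non-JMP instruction the chain lands on, or -1
 * if the chain leaves the buffer or exceeds max_hops (e.g. a self-loop).
 * *hops receives the number of jumps taken: 1 for a plain jmp, 2 for the
 * jmp-to-jmp layout reported for the Win10 Anniversary build. */
long follow_jmp_chain(const uint8_t *buf, size_t len, size_t start,
                      int max_hops, int *hops)
{
    long pc = (long)start;
    *hops = 0;
    for (;;) {
        long next;
        if (pc < 0 || (size_t)pc >= len) return -1;
        if (buf[pc] == 0xE9) {                         /* JMP rel32 */
            if ((size_t)pc + 5 > len) return -1;
            int32_t rel = (int32_t)((uint32_t)buf[pc + 1] | (uint32_t)buf[pc + 2] << 8 |
                                    (uint32_t)buf[pc + 3] << 16 | (uint32_t)buf[pc + 4] << 24);
            next = pc + 5 + rel;
        } else if (buf[pc] == 0xEB) {                  /* JMP rel8 */
            if ((size_t)pc + 2 > len) return -1;
            next = pc + 2 + (int8_t)buf[pc + 1];
        } else {
            return pc;                  /* not a jump: this is where the chain lands */
        }
        if (++*hops > max_hops) return -1;
        pc = next;
    }
}

/* Constructed sample prologues (NOT real ntdll bytes): CC = junk padding,
 * B8 19 00 00 00 stands in for the "mov eax, <syscall id>" gateway. */
const uint8_t kSingleJmp[] = { 0xE9, 0x05, 0, 0, 0,            /*  0: jmp +5 -> 10 */
                               0xCC, 0xCC, 0xCC, 0xCC, 0xCC,   /*  5: junk */
                               0xB8, 0x19, 0, 0, 0 };          /* 10: gateway */
const uint8_t kDoubleJmp[] = { 0xE9, 0x03, 0, 0, 0,            /*  0: jmp +3 -> 8 */
                               0xCC, 0xCC, 0xCC,               /*  5: junk */
                               0xEB, 0x04,                     /*  8: jmp short +4 -> 14 */
                               0xCC, 0xCC, 0xCC, 0xCC,         /* 10: junk */
                               0xB8, 0x19, 0, 0, 0 };          /* 14: gateway */
const uint8_t kSelfLoop[]  = { 0xEB, 0xFE };                   /*  0: jmp short -2 -> 0 */

int main(void)
{
    int hops;
    long off = follow_jmp_chain(kDoubleJmp, sizeof kDoubleJmp, 0, 8, &hops);
    printf("gateway at offset %ld after %d jmp(s)\n", off, hops);
    return 0;
}
```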
It seems last month's Windows Updates for 8.1 (x64) also broke the NtApiCollection.ini PDB resolvers. It was working fine until I ran the updates, rebooted and started x64dbg. When it complained about missing "NTUser* API addresses, Section: 060300000109_x86_000158A0" I ran both PDB resolvers (as admin) and copied over the fresh .ini file, but not all API addresses were resolved properly. Just to be sure I also updated x64dbg to the latest commit, but without success ...
There have been massive issues with the Microsoft symbol servers recently... This was collected (took about 10 minutes) on the latest Windows 8.1 x64 https://gist.github.com/mrexodia/8aea202c1177892b4577a32927cef3bf
Thanks Mr. Exodia. I did notice some symbol-server issues, but after a few retries it 'completed'. As it turns out, I got returned an incorrect version tag when running PDBReader, and the network issues weren't messing things up after all (except having me retry it a couple of times):
[060200000109_x86_000158A0] instead of [060300000109_x86_000158A0], whilst I do have Windows 8.1 x64 (= v6.3). I changed this manually in the .ini file, after which ScyllaHide seems to work perfectly. Not sure if this is an issue with PDBReader or not, but if I should provide more info, please let me know ... PS: Kinda silly I didn't notice before ... where's the shame-on-me smiley when you need it?
NT APIs missing
section 060200000109_x64_0000BAB0 file X:\x64dbg\plugins\NtApiCollection.ini
Everything appears to work fine here. If Microsoft doesn't provide symbols there is not much you can do. What SKiLLa did is not a real solution, for me the problem was solved by running NtApiTool.exe again.
Seems the Anniversary Update problems I documented and reversed are now fixed by another person, and are now in the latest Git :)
Which is super cool.
Also a reminder that the x64 version is a Win32 build but with a different extension name.