Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   ScyllaHide (https://forum.exetools.com/showthread.php?t=15712)

Computer_Angel 09-04-2015 11:58

A lot of changes in ntdll in Windows 10 make ScyllaHide fail to hook functions in ntdll.
Example:

NtQueryInformationProcess
Code:

CPU Disasm
Address  Hex dump          Command                                  Comments
77768D50    B8 19000000    MOV EAX,19                              ; NTSTATUS ntdll.NtQueryInformationProcess(ProcessHandle,ProcessInfoClass,Buffer,Bufsize,pLength)
77768D55    E8 04000000    CALL ntdll.77768D5E
77768D5A    0000            ADD BYTE PTR DS:[EAX],AL
77768D5C    70 77          JO SHORT ntdll.77768DD5
77768D5E    5A              POP EDX
77768D5F    807A 03 4B      CMP BYTE PTR DS:[EDX+3],4B
77768D63    75 0A          JNE SHORT ntdll.77768D6F
77768D65    64:FF15 C000000 CALL DWORD PTR FS:[0C0]
77768D6C    C2 1400        RETN 14

NtSetInformationThread
Code:

CPU Disasm
Address  Hex dump          Command                                  Comments
77768C90    B8 0D000000    MOV EAX,0D
77768C95    BA B0D57777    MOV EDX,ntdll.7777D5B0
77768C9A    FFD2            CALL EDX
77768C9C    C2 1000        RETN 10

Call Wow64SystemServiceCall
Code:

CPU Disasm
Address  Hex dump          Command                                  Comments
7777D5B0    64:8B15 3000000 MOV EDX,DWORD PTR FS:[30]
7777D5B7    8B92 54020000  MOV EDX,DWORD PTR DS:[EDX+254]
7777D5BD    F7C2 02000000  TEST EDX,00000002
7777D5C3    74 03          JE SHORT ntdll.7777D5C8
7777D5C5    CD 2E          INT 2E
7777D5C7    C3              RETN
7777D5C8    EA CFD57777 330 JMP FAR 0033:7777D5CF                    ; Far jump or call
7777D5CF    41              INC ECX
7777D5D0    FFA7 F8000000  JMP DWORD PTR DS:[EDI+0F8]


ragdog 09-04-2015 15:56

Quote:

Anyone try using ScyllaHide in Win 10? I try but could not hide from debugger anymore. Now debugging to find the problem.
Is ScyllaHide compatible with Win 10?

Regards,

Computer_Angel 09-04-2015 16:05

Quote:

Originally Posted by ragdog (Post 101530)
Is ScyllaHide compatible with Win 10?

Regards,

Nopes. There's a lot of change. First need to fix the remote hook feature.

Carbon 09-05-2015 00:19

Win 10 is a nightmare for "stealth" hooking. Probably they wanted to defeat malware.

I think I can work on it this weekend.

Computer_Angel 09-07-2015 13:15

Call Wow64SystemServiceCall is now separate for Ntdll & User32.dll, maybe other DLLs too. So the NativeContinue structure needs to be changed to suit this.
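
Added example, not ScyllaHide's own code: a byte-pattern classifier for the two 32-bit WOW64 stub shapes visible in the dumps above, the pre-Win10 CALL DWORD PTR FS:[0C0] gateway and the Win10 MOV EDX,gateway / CALL EDX shape, which pulls out the syscall number and the per-module Wow64SystemServiceCall address this post refers to, and reports anything else as unknown (the condition behind the "Unknown syscall structure!" error shown later in the thread). The names classify_stub, stub_info and the sample arrays are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Shapes of a 32-bit ntdll syscall stub as seen from a WOW64 process. */
typedef enum {
    STUB_UNKNOWN = 0,
    STUB_WOW64_FS_C0,    /* MOV EAX,n ; CALL DWORD PTR FS:[0C0] ; RETN x   (gateway via TEB, pre-Win10) */
    STUB_WOW64_CALL_EDX  /* MOV EAX,n ; MOV EDX,gateway ; CALL EDX ; RETN x (Win10, gateway per module) */
} stub_kind;

typedef struct {
    stub_kind kind;
    uint32_t  syscall_number; /* immediate of MOV EAX */
    uint32_t  gateway;        /* Wow64SystemServiceCall address (Win10 shape only, else 0) */
    uint16_t  stack_cleanup;  /* immediate of RETN: argument bytes popped on return */
} stub_info;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify `len` bytes of a stub by byte pattern alone; nothing is executed. */
stub_info classify_stub(const uint8_t *code, size_t len)
{
    static const uint8_t fs_c0[] = { 0x64, 0xFF, 0x15, 0xC0, 0x00, 0x00, 0x00 }; /* CALL FS:[0C0] */
    stub_info r = { STUB_UNKNOWN, 0, 0, 0 };
    if (len < 15 || code[0] != 0xB8)           /* both known shapes are 15 bytes and open with B8 */
        return r;
    r.syscall_number = rd32(code + 1);
    const uint8_t *p = code + 5;               /* first byte after MOV EAX,imm32 */
    if (memcmp(p, fs_c0, sizeof fs_c0) == 0 && p[7] == 0xC2) {
        r.kind = STUB_WOW64_FS_C0;
    } else if (p[0] == 0xBA && p[5] == 0xFF && p[6] == 0xD2 && p[7] == 0xC2) {
        r.kind = STUB_WOW64_CALL_EDX;          /* BA imm32 ; FF D2 ; C2 imm16 */
        r.gateway = rd32(p + 1);
    } else {
        return r;                              /* the case ScyllaHide reports as "Unknown syscall structure!" */
    }
    r.stack_cleanup = (uint16_t)(p[8] | (p[9] << 8));
    return r;
}

/* Sample inputs: NtSetInformationThread bytes from the dump above; a pre-Win10 shape constructed from
   the tail of the NtQueryInformationProcess dump; and that whole dump, which matches neither shape. */
const uint8_t STUB_WIN10[] = { 0xB8,0x0D,0,0,0, 0xBA,0xB0,0xD5,0x77,0x77, 0xFF,0xD2, 0xC2,0x10,0x00 };
const uint8_t STUB_OLD[]   = { 0xB8,0x19,0,0,0, 0x64,0xFF,0x15,0xC0,0,0,0, 0xC2,0x14,0x00 };
const uint8_t STUB_ODD[]   = { 0xB8,0x19,0,0,0, 0xE8,0x04,0,0,0, 0x00,0x00,0x70,0x77, 0x5A, 0x80,0x7A,0x03,0x4B,
                               0x75,0x0A, 0x64,0xFF,0x15,0xC0,0,0,0, 0xC2,0x14,0x00 };
```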

Carbon 09-08-2015 02:09

Win10 has more surprises to offer:

https://ntquery.wordpress.com/2015/09/07/windows-10-new-anti-debug-outputdebugstringw/

I also see some weird behavior of NtQueryInformationProcess. You can query ProcessBasicInformation with different buffer sizes.

size = 24 -> normal behavior, expected size like in all windows editions
size = 32 -> extended information? You can get more information...

Storm Shadow 12-11-2015 03:05

@Carbon, is there any update on making this work on Win 10?

mudlord 04-21-2016 10:41

Don't ask questions, here is fixed ScyllaHide for Windows 10 x86/x64.
Tested with x64/x32dbg on VMProtect and Obsidium targets.

Quote:

http://rghost.net/69ndDMkDg

mr.exodia 04-22-2016 09:46

This is the version of ScyllaHide that I use personally. It includes the fix provided by mudlord in the previous post (fix made by Colin). I also push this to the 'vs13' branch on the original repository.

Code:
https://github.com/x64dbg/ScyllaHide

Build of the latest version is always available here:
https://ci.appveyor.com/project/mrex...uild/artifacts

Syoma 08-26-2016 19:30

Quote:

WRONG!!! Size of IDA_SERVER_EXCHANGE 648 == 645?
Does it need the special update?

Storm Shadow 08-26-2016 20:23

Quote:

Originally Posted by Syoma (Post 106762)
Does it need the special update?

I get same error in the newest version.

sendersu 08-27-2016 06:01

The error comes from idaserver.cpp:
Code:

int main(int argc, char *argv[])
{
    LogWrap = LogWrapper;
    LogErrorWrap = LogWrapper;

    // Sanity check: the exchange struct compiled against the installed IDA SDK
    // must have the size the server expects, or the server refuses to start.
    if (sizeof(IDA_SERVER_EXCHANGE) != IDA_SERVER_EXCHANGE_STRUCT_SIZE)
    {
        printf("WRONG!!! Size of IDA_SERVER_EXCHANGE %d == %d?\n\n", sizeof(IDA_SERVER_EXCHANGE), IDA_SERVER_EXCHANGE_STRUCT_SIZE);
        getchar();
        return 0;
    }
    // ...
}


mr.exodia 08-28-2016 19:19

Probably this can be fixed by updating the SDK to the same version as your IDA version...

sendersu 08-29-2016 04:57

I guess these days everybody has already switched to the latest public IDA...
six dot eight :)

BTW, anybody seen this kind of warning (error?) in IDA:

---------------------------
Error
---------------------------
Failed to unprotect WOW64 gateway
---------------------------
OK
---------------------------

Kla$ 08-29-2016 21:56

Please fix the bug on updated Windows 10 in OllyDbg 1 and OllyDbg 2.
Thank you in advance.

---------------------------
Error
---------------------------
Windows 10 SysWowSpecialJmpAddress was not found!
---------------------------
ОК
---------------------------

---------------------------
ERROR
---------------------------
Unknown syscall structure!
---------------------------
ОК
---------------------------

