Does it support any version of IDA or a specific version?
|
ScyllaHide is tested with IDA Pro 6.1, 6.3 and 6.5.
|
The plugin is running like a charm and hiding very well.
Would it be possible to add the very nice PDF as tooltips to the combo box, explaining each item, in future versions? I'm using the IDA version. Regards |
@Storm Shadow
I don't think it is necessary to add tooltips. This is a lot of work for very little usability increase.
@ALL There is a mistake in the provided Themida configuration!!! You must enable all NtUser* hooks for Themida! This is missing in the standard configuration.
NtUserBuildHwndListHook=1
NtUserFindWindowExHook=1
NtUserQueryWindowHook=1
The Olly v1 plugin was updated with a little Olly bugfix. https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHideOllyv1_v1.2.rar
And doc update: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.2Doc.pdf (e.g. more info about RunPE) |
Check in attach... By the way, maybe someone can help to fill in all the tips. There is only one problem: you've made separate checkboxes and labels in the dialog template, but you need to use only checkboxes (set Caption and Left Text = True). |
In attach are normalized resources... I removed all unused STATIC controls.
|
Check out the awesome new attach dialog for all debugger plugins! Drag'n'Drop the crosshair to your attach target...
dl: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v1.2.rar
new doc: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.2Doc.pdf
Version 1.2
- All Plugins: New attach dialog with crosshair/bullseye window finder.
- All Plugins: Tooltips with information (unfinished). Thanks to UniSoft!
- Olly v1 Plugin: Fix for faulty handle bug
- Olly v1 Plugin: Fix for NT symbol path bug added to "Fix Olly Bugs", thanks to redblkjck |
Since we aim to unify and replace the good old plugins phantOm, StrongOD and OllyAdvanced with one open-source plugin:
Are there any features of theirs you still miss in ScyllaHide? Features you really use and don't want to miss |
Very cool feature, shooting targets. :)
All works as expected. You should add the flag Code:
PLUGIN_FIX
so ScyllaHide shows in the IDA plugin menu at startup. So we don't have to load a file and then shoot targets. :D |
Also make sure you select the proper debugger engine in that combobox first! You CAN'T attach without an opened IDB like IDA can via Menu->Debugger->Attach |
Well, it would be a lot of work to bypass just to gain maybe 5 seconds of file loading. By the way, have you seen in the SDK how to execute commands via the WinDbg console in scripts/plugins?
I searched the IDAPython API, no result. It would be great for creating memory dumpers or writing unpacker scripts... Maybe there is something on the C++ end. |
Maybe place StrongOD :) You need to make a future feature "More Dump Windows" (StrongOD has 5 windows; it would be nice if we had more dump windows to work with memory). Greets, quygia128 |
We tested this of course, and for us it's working well. Yes, I also like and use the multiple memory dump windows, but imho that is a lot of work to realize |
The plugin is shown at the start of IDA when no file is loaded. Got the attach process box up and everything, but nothing to attach. :D Put in the plugin folder Zullu.py Code:
import re
I did however get it to show PIDs by adding the code to the spu processor and loading a file, so maybe it is not database independent. It's enough with *.d0 and *.d1 (temp database), or the processor_t that tells it to load a file. So if you can somehow create the temp database when attaching, it should work. Well, I think :rolleyes: EDIT! Actually they are there but have no names, since I didn't get the PID names. Got an error that the database is only 16 bits when using the plugin. Probably need GetProcessPid(idx) and GetProcessName(idx) and tell the plugin bits 32 bit. |
This is an update for Olly v1 only right now.
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v1.3_Olly1.rar
Olly v1:
- custom toolbar for dump and CPU window
- del and insert shortcut
- don't consume exceptions
Olly v1 now works perfectly with EXECryptor, Obsidium and Themida... See documentation -> 1.1.19 Raise Exception, 1.3.13 Exception Problem
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.3Doc.pdf |
Oops, you've found a dead link. First, please reupload ScyllaHide_v1.3_Olly1.rar
|
You can view all available downloads directly at https://bitbucket.org/NtQuery/scyllahide/downloads |
Today ScyllaHide was used; it said this:
When running ntapi from https://bitbucket.org/NtQuery/scyllahide/downloads it showed this, if you want to add:
|
Has anyone tried using ScyllaHide on Win 10? I tried but could not hide from the debugger anymore :(. Now debugging to find the problem.
|
A lot of changes in ntdll in Windows 10 make ScyllaHide fail to hook functions in ntdll.
Example: NtQueryInformationProcess |
Win 10 is a nightmare for "stealth" hooking. Probably they wanted to defeat malware.
I think I can work on it this weekend. |
The call to Wow64SystemServiceCall is now separate for ntdll and user32.dll... maybe other DLLs too. So the NativeContinue structure needs to change to suit this.
|
Win10 has more surprises to offer:
https://ntquery.wordpress.com/2015/09/07/windows-10-new-anti-debug-outputdebugstringw/
I also see some weird behavior of NtQueryInformationProcess. You can query ProcessBasicInformation with different buffer sizes.
size = 24 -> normal behavior, expected size like in all Windows editions
size = 32 -> extended information? You can get more information... |
@Carbon, is there any update on making this work on Win 10?
|
Don't ask questions, here is a fixed ScyllaHide for Windows 10 x86/x64.
Tested with x64/x32dbg on VMProtect and Obsidium targets.
|
This is the version of ScyllaHide that I use personally. It includes the fix provided by mudlord in the previous post (fix made by Colin). I also pushed this to the 'vs13' branch on the original repository.
Code: https://github.com/x64dbg/ScyllaHide
A build of the latest version is always available here: https://ci.appveyor.com/project/mrex...uild/artifacts |
The error comes from idaserver.cpp:
Code:
int main(int argc, char *argv[]) |
Probably this can be fixed by updating the SDK to the same version as your IDA version...
|
I guess these days everybody has already switched to the latest public IDA... six dot eight :)
BTW, has anybody seen this kind of warning (error?) in IDA:
---------------------------
Error
---------------------------
Failed to unprotect WOW64 gateway
---------------------------
OK
--------------------------- |
Please fix the bug on updated Windows 10 in OllyDbg 1 and OllyDbg 2.
Thank you in advance.
---------------------------
Error
---------------------------
Windows 10 SysWowSpecialJmpAddress was not found!
---------------------------
OK
---------------------------
---------------------------
ERROR
---------------------------
Unknown syscall structure!
---------------------------
OK
--------------------------- |
However, it will break it for those that don't use the same IDA version as you. So one would need to do a pull request with a loop for making it work with each new version.
|
Little update
After a crash with IDA and after debugging it, it seems to make an x64 hook first in an x86 app and IDAServerx86, and some more problems.
1 bug) It crashes because it attempts to make an x64 connection in an x86 app. Fails on Code:
IDAServerx86.exe!DetourCreateRemoteNativeSysWow64(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize) Line 356 + 0x5 bytes
Code:
IDAServerx86.exe!DetourCreateRemoteNative32(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize) Line 532 + 0x1a bytes C++
https://github.com/x64dbg/ScyllaHide...k.cpp#L350-354
Not sure why, but I am a Python guy. It seems to jump to the x86 hook instead of the x64 one, but a smart person told me that it should not matter in C++.
Suggestions: maybe the dev should use Code:
#ifdef __EA64__
2 bug) Also I saw a port access violation. In Win 10, even if you have a firewall you bought, you have to open ports in the internal Win 10 one, even if it is disabled. In the start menu type WF.msc and open UDP/TCP port 1337.
3 bug) And for fixing the structure error, for now untick NtQueryInformationProcess in the ScyllaHide settings. Result Code:
Listening on port 1337... |
I thought I was doing something wrong, then I found this thread! Win10 (Anniversary Update) + x64dbg doesn't crash, but gives:
NT APIs missing section 060200000109_x86_0000A830 file NtApiCollection.ini. I used ScyllaHide from the link on the x64dbg page (bitbucket link). Hopefully someone can make Win10 a platform for RE. Thanks! |
I did some testing.
https://github.com/x64dbg/ScyllaHide/issues/2
It seems there are junk bytes at Win10 Anniversary's NtQueryInformationProcess call as well as a different signature. The code leading to the gateway is a JMP to the jmp (so two jmps) to the gateway, whereas Win8.1 is a simple jmp. More details are at that issue link.
|
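An added illustration (not ScyllaHide's code) of the point in the post above: a resolver that walks a chain of 32-bit jmp instructions (EB rel8, E9 rel32, FF 25 [abs32]) until it reaches a non-jump, so a single jmp and a jmp-to-jmp both resolve to the same gateway. The memory images, the base address 0x77000000 and the byte layouts are constructed for the demo, not real ntdll bytes.

```python
import struct

class Image:
    """Constructed flat 32-bit memory image: base address plus bytes (not real ntdll)."""
    def __init__(self, base, size):
        self.base, self.data = base, bytearray(size)
    def write(self, addr, blob):
        self.data[addr - self.base:addr - self.base + len(blob)] = blob
    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.data):
            raise ValueError("read outside image at 0x%08X" % addr)
        return bytes(self.data[off:off + n])

def follow_jumps(img, addr, max_hops=8):
    """Follow jmp short / jmp near / jmp [abs32] from addr; return (final_target, hops).
    A matcher expecting exactly one jmp fails on the two-jmp layout; walking the chain does not."""
    hops = []
    for _ in range(max_hops):
        op = img.read(addr, 2)
        if op[0] == 0xEB:                          # EB rel8: jmp short
            nxt = (addr + 2 + struct.unpack("<b", op[1:2])[0]) & 0xFFFFFFFF
        elif op[0] == 0xE9:                        # E9 rel32: jmp near
            nxt = (addr + 5 + struct.unpack("<i", img.read(addr + 1, 4))[0]) & 0xFFFFFFFF
        elif op == b"\xFF\x25":                    # FF 25 abs32: jmp dword ptr [slot]
            slot = struct.unpack("<I", img.read(addr + 2, 4))[0]
            nxt = struct.unpack("<I", img.read(slot, 4))[0]
        else:                                      # not a jmp: this is the final target
            return addr, hops
        hops.append((addr, nxt))
        addr = nxt
    raise RuntimeError("jump chain longer than %d hops" % max_hops)

BASE, STUB, GATEWAY, SLOT = 0x77000000, 0x77000000, 0x77000100, 0x77000200
GATEWAY_CODE = b"\x8B\x44\x24\x04"   # mov eax,[esp+4]: any non-jmp bytes mark the gateway

# Single-jmp layout (constructed): stub -> E9 -> gateway.
SINGLE_JMP = Image(BASE, 0x300)
SINGLE_JMP.write(STUB, b"\xE9" + struct.pack("<i", GATEWAY - (STUB + 5)))
SINGLE_JMP.write(GATEWAY, GATEWAY_CODE)

# Two-jmp layout (constructed): stub -> EB short -> FF 25 [slot] -> gateway.
DOUBLE_JMP = Image(BASE, 0x300)
DOUBLE_JMP.write(STUB, b"\xEB\x10")                # short jmp lands at STUB + 0x12
DOUBLE_JMP.write(STUB + 0x12, b"\xFF\x25" + struct.pack("<I", SLOT))
DOUBLE_JMP.write(SLOT, struct.pack("<I", GATEWAY))
DOUBLE_JMP.write(GATEWAY, GATEWAY_CODE)
```

Calling follow_jumps(SINGLE_JMP, STUB) and follow_jumps(DOUBLE_JMP, STUB) gives the same gateway address with one and two recorded hops respectively.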
It seems last month's Windows Updates for 8.1 (x64) also broke the NtApiCollection.ini PDB resolvers. It was working fine until I ran the updates, rebooted and started x64dbg. When it complained about missing "NTUser* API addresses, Section: 060300000109_x86_000158A0" I ran both PDB resolvers (as admin) and copied over the fresh .ini file, but not all API addresses were resolved properly. Just to be sure I also updated x64dbg to the latest commit, but without success ...
|