Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   ScyllaHide (https://forum.exetools.com/showthread.php?t=15712)

Carbon 04-10-2014 04:17

ScyllaHide
 
1 Attachment(s)
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various
functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use
TitanHide.

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directoy
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directoy

------------------------------------------------------

ToDo:
- x64 compatibility support
- x64 Exception Support
- Better (stealth) hooks

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not
work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function adresses
from another source. The other source is the PDB file. The adresses can be resolved with this tool:
https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function adresses.
Binaries: NtApiTool.rar

Source code will be released soon!

giv 04-10-2014 20:43

Hi.
I try your plugin with Olly2.
Unfortunate the debugger freezes when i have loaded a simple file.
This could be due to a incompatibility.
I have OllyExt installed also.
Do you know any issue?

cypher 04-10-2014 22:11

I tried a virgin Olly2 with just OllyExt and ScyllaHide, both with all options enabled and its not freezing.

Could you tell us what exact OS you are using and maybe also provide the test target?
Does it happen for ALL exe you load ?

ahmadmansoor 04-11-2014 05:22

@Carbon: very nice work as always .
@cypher: welcome on the board ,have fun ;) .

cypher 04-11-2014 06:17

1 Attachment(s)
- added "change olly title" option to Olly1 plugin
- added "Remove EP break" to Olly1 plugin.

http://img0.www.suckmypic.net/img/V/7/Ut2y0azO/options.png

Now it runs VMProtect targets in a "virgin" Olly with only ScyllaHide !

Notes on VMP targets:

- set olly to break on system bp
- set ScyllaHide with at least these options: PEB, NtClose, NtQueryInformationProcess

(attached is only the Olly1 plugin, HookLibrary.dll still needed from first post ! )

@ahmadmansoor thx!

giv 04-11-2014 17:34

Quote:

Originally Posted by cypher (Post 90769)
I tried a virgin Olly2 with just OllyExt and ScyllaHide, both with all options enabled and its not freezing.

Could you tell us what exact OS you are using and maybe also provide the test target?
Does it happen for ALL exe you load ?

I must do further tests.
Was just a first time run.
RUN=freeze
Maybe my fault.
I will see.

Thank you!

cypher 04-11-2014 21:57

1 Attachment(s)
- added "Olly title" option to Olly2 plugin

http://img0.www.suckmypic.net/img/r/8/w6x1i2yo/options.png

cypher 04-11-2014 22:33

1 Attachment(s)
please take this attachment.

(cant edit my own previous post or am I blind ?)

Carbon 04-13-2014 23:47

1 Attachment(s)
Version 0.2

Warning: Since this version, ScyllaHide is not compatible with Stealth64! You need to remove the Stealth64 plugin.

- Stealth hooks for 32-bit targets to defeat protectors like Themida
- Olly Plugin: Change olly caption
- Olly v1 Plugin: Remove EP One-Shot Breakpoint for VMProtect

ZeNiX 04-14-2014 10:05

I am not very sure how to use it correctly?

For example:
My OS is Windows 8.1 x64
I am using Ollydbg 1.10
My Target is 32-bit targets (x86)

Which version of ScyllaHide should I use?
x64 or x86?

Also, what is the version of TE?

Ghandi2006 04-14-2014 19:51

Thanks and great work. Is this going to remain private or can you see it going open source in the future?

HR,
Ghandi

cypher 04-14-2014 20:36

Quote:

Originally Posted by ZeNiX (Post 90808)
I am not very sure how to use it correctly?

For example:
My OS is Windows 8.1 x64
I am using Ollydbg 1.10
My Target is 32-bit targets (x86)

Which version of ScyllaHide should I use?
x64 or x86?

Also, what is the version of TE?

You need HookLibraryx86.dll and ScyllaHideOlly1.dll
Olly1&2 only support x86

x64 builds are for TitanEngine or tools using it like x64_dbg or TitanScriptGUI

@Ghandi it will be open-sourced somewhen in the near future

ZeNiX 04-15-2014 09:58

Thank you.
On my system, it always pops up a messagebox saying:

---------------------------
ERROR
---------------------------
NT APIs missing

section

060200000109_x86_000162F9

file

W:\Zenix\OllyScylla\NtApiCollection.ini
---------------------------
OK
---------------------------

mr.exodia 04-15-2014 15:57

Hey ZeNiX,

You should run NtApiTool.rar and copy the INI file in the ScyllaHide.dll directory.

Greetings

Kla$ 04-15-2014 16:06

mr.exodia
still the same error pops up


All times are GMT +8. The time now is 19:00.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX