Exetools

Exetools forum (https://forum.exetools.com/index.php) > Community Tools (https://forum.exetools.com/forumdisplay.php?f=47) > ScyllaHide (https://forum.exetools.com/showthread.php?t=15712)

ZeNiX 04-15-2014 17:37

Problem solved.
After downloading the symbols, we need to use pdb-getprocaddress to get three addresses.

In my system, they are...

[060200000109_x86_000162F9]
NtUserQueryWindow=00009965
NtUserBuildHwndList=0000FBB1
NtUserFindWindowEx=0000804C

Carbon 04-16-2014 03:03

Thanks ZeNiX, I added it here:
https://bitbucket.org/NtQuery/pdb-getprocaddress/commits/8ac27b0c21d3df3b95e775afff24ad993fc492d8

If somebody wants to share his config, please do it :D

DMichael 04-16-2014 05:05

Here's mine:
[060200000100_x86_00025FBF]
NtUserQueryWindow=00008CC1
NtUserBuildHwndList=00011DC3
NtUserFindWindowEx=00007757
NtUserInternalGetWindowText=0000CC60
NtUserGetClassName=00008CE3
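A small parser for the offset snippets ZeNiX and DMichael posted above, added here as an example; it is not code from ScyllaHide or pdb-getprocaddress. It assumes only the layout the two posts show: a bracketed section header that identifies a module build (treated as an opaque identifier), followed by NAME=HEX lines giving an offset relative to the module's load address. The sample input is the two posted snippets; the module base and size used in the resolver are constructed values.

```python
import re

# Constructed sample input: the two snippets posted in the thread, concatenated.
SAMPLE_INI = """\
[060200000109_x86_000162F9]
NtUserQueryWindow=00009965
NtUserBuildHwndList=0000FBB1
NtUserFindWindowEx=0000804C

[060200000100_x86_00025FBF]
NtUserQueryWindow=00008CC1
NtUserBuildHwndList=00011DC3
NtUserFindWindowEx=00007757
NtUserInternalGetWindowText=0000CC60
NtUserGetClassName=00008CE3
"""

_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_ENTRY_RE = re.compile(r"^(?P<sym>[A-Za-z_][A-Za-z0-9_]*)=(?P<rva>[0-9A-Fa-f]{1,8})$")


def parse_offsets(text):
    """Return {section: {symbol: rva}} from INI-style text, rejecting malformed lines."""
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):  # blank lines and ';' comments are skipped
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name")
            if current in sections:
                raise ValueError(f"line {lineno}: duplicate section [{current}]")
            sections[current] = {}
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised line {raw!r}")
        if current is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        sym, rva = m.group("sym"), int(m.group("rva"), 16)
        if sym in sections[current]:
            raise ValueError(f"line {lineno}: duplicate symbol {sym} in [{current}]")
        sections[current][sym] = rva
    return sections


def resolve(sections, section, symbol, module_base, module_size=None):
    """Turn a stored offset into an absolute address for a module loaded at module_base.

    module_size is optional (assumed to come from the loaded image); when given, an
    offset outside the mapped image is rejected so a stale or mismatched section cannot
    silently yield a pointer into unrelated memory.
    """
    try:
        rva = sections[section][symbol]
    except KeyError:
        raise LookupError(f"no offset for {symbol} in [{section}]") from None
    if rva == 0:
        raise ValueError(f"{symbol} has a zero offset in [{section}]")
    if module_size is not None and rva >= module_size:
        raise ValueError(f"{symbol} offset {rva:#x} is outside a module of size {module_size:#x}")
    return module_base + rva


def merge(sections, contributed):
    """Merge a contributed config into an existing one (as with the shared configs above).

    A section present in both must agree symbol by symbol; a conflict raises instead of
    silently overwriting, because a wrong offset would be used to locate the function.
    """
    merged = {name: dict(syms) for name, syms in sections.items()}
    for name, syms in contributed.items():
        existing = merged.setdefault(name, {})
        for sym, rva in syms.items():
            if sym in existing and existing[sym] != rva:
                raise ValueError(
                    f"conflicting offset for {sym} in [{name}]: {existing[sym]:#x} vs {rva:#x}")
            existing[sym] = rva
    return merged


if __name__ == "__main__":
    table = parse_offsets(SAMPLE_INI)
    for name, syms in table.items():
        print(f"[{name}]")
        for sym, rva in syms.items():
            # Constructed module base 0x7FF00000, purely for illustration.
            print(f"  {sym:<28} rva={rva:#010x} -> {resolve(table, name, sym, 0x7FF00000):#010x}")
```

The resolver's size check is the practical point: an offset table keyed by module build is only as good as the match between the key and the module actually loaded, so a caller should verify the key and bound the offset before trusting the resulting address.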

Carbon 04-17-2014 20:44

Version 0.3

- Fix for Olly plugins caption reset
- Fix STARTUPINFO structure, GetStartupInfoA/W
- Resume/Suspend all Threads in Thread window
- x64 compatibility mode for Olly1
- fix PE-Bugs for Olly1
- fix FPU-Bug for Olly1
- split "Protect DRx" into its options (ini option ProtectDRx now deprecated)
- Fix PEB Patch bug, now Themida works on WinXP

Binary: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.3.rar
Source: https://bitbucket.org/NtQuery/scyllahide/

Carbon 04-21-2014 03:35

Version 0.4

- Olly v1/v2 Plugins: Apply hooks without restarting
- Olly v1 Plugin: Added "Break on TLS"


https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.4.rar

leetone 04-23-2014 13:48

Thank you for the binary release. I've got the source via github and I'm building my own "nightlies" - was this built in VS2008 or VS2010? It isn't native to 2012 or 2013 :)

cypher 04-23-2014 21:55

I'm building with VS2010. Since the platform toolset is set to v90, you either need to have VS2008 express installed to get that toolset or you simply change toolset to v100.
We use v90 on purpose to guarantee max compatibility on older systems but for testing, v100 is just fine.

Carbon 04-24-2014 02:39

Version 0.5

- NtCreateThreadEx hook
- Prevent Thread creation
(special hook for some protectors like Execryptor. Only use this if you know what you do)
- Split Hide PEB into 4 options (ini option PEB now deprecated)
- Inject DLL option added (2 methods)
- Replaced Olly2 dialog
- Improved "Break on TLS"

Download: you know where

cypher 04-29-2014 21:23

Version 0.7

- IDA 64bit plugin
- IDA 32/64bit remote server
- IDA DLL Injection
- IDA option to start x64 server automatically

cypher 05-03-2014 03:53

Version 0.8

- Olly v1 Plugin: option "Skip EP outside of code message"
- Fix for NtSetInformationProcess -> ProcessHandleTracing
- All plugins: Update-Check
- Timing Hooks: GetTickCount, GetTickCount64, GetLocalTime, GetSystemTime, NtQuerySystemTime, NtQueryPerformanceCounter
- "Remove Debug Privileges" added

besoeso 05-04-2014 01:15

@cypher

Is it possible to add IO hook support too, for DeviceIoControlFile?

Carbon 05-04-2014 02:47

@besoeso
How does this work? Antidebug with DeviceIoControlFile? Do you have an example code?

giv 05-05-2014 14:42

Congrats mate...
I have tested today with a VMProtect target and to my real surprise it works flawless.
:)

Offtopic:
Just don't forget the Scylla 0.9.6b problem that I reported about Themida unpacking on tuts4you.

See ya!

ahmadmansoor 05-06-2014 19:59

x64 needs more tests

Hi Carbon
I have made some more checks on x64.
I keep getting ((Warning wrong struct size 504 != 396))
or the HookLibraryx64.dll is not being injected.

By the way, what is the use of:
Quote:

if (specialPebFix)
{
StartFixBeingDebugged(ProcessId, false);
specialPebFix = false;
}

if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
{
StartFixBeingDebugged(ProcessId, true);
specialPebFix = true;
}
They work as opposites of each other!!

Carbon 05-07-2014 00:39

Quote:

Originally Posted by ahmadmansoor (Post 91263)
Hi Carbon
I have made some more checks on x64.
I keep getting ((Warning wrong struct size 504 != 396))
or the HookLibraryx64.dll is not being injected.

Did you compile it yourself? This is some alignment check; this should not be a problem in the release builds.


Quote:

if (specialPebFix)
{
StartFixBeingDebugged(ProcessId, false);
specialPebFix = false;
}

if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
{
StartFixBeingDebugged(ProcessId, true);
specialPebFix = true;
}
This is from the POISON source and to be honest I don't understand it completely, but it works very well. It is something against heap flag artifacts. Themida/WL looks for special artifacts on the process heaps and this little trick prevents the creation of these artifacts. I think other hide plugins use the same trick. I don't know who invented it originally, but it is a very clever way to solve this problem, so the author is probably some genius.
