Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   ScyllaHide (https://forum.exetools.com/showthread.php?t=15712)

Carbon 04-10-2014 04:17

ScyllaHide
 
1 Attachment(s)
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various
functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use
TitanHide.

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory

------------------------------------------------------

ToDo:
- x64 compatibility support
- x64 Exception Support
- Better (stealth) hooks

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not
work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function addresses
from another source. The other source is the PDB file. The addresses can be resolved with this tool:
https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function addresses.
Binaries: NtApiTool.rar

Source code will be released soon!

giv 04-10-2014 20:43

Hi.
I try your plugin with Olly2.
Unfortunate the debugger freezes when i have loaded a simple file.
This could be due to an incompatibility.
I have OllyExt installed also.
Do you know any issue?

cypher 04-10-2014 22:11

I tried a virgin Olly2 with just OllyExt and ScyllaHide, both with all options enabled, and it's not freezing.

Could you tell us what exact OS you are using and maybe also provide the test target?
Does it happen for ALL exe you load ?

ahmadmansoor 04-11-2014 05:22

@Carbon: very nice work as always .
@cypher: welcome on the board ,have fun ;) .

cypher 04-11-2014 06:17

1 Attachment(s)
- added "change olly title" option to Olly1 plugin
- added "Remove EP break" to Olly1 plugin.

http://img0.www.suckmypic.net/img/V/7/Ut2y0azO/options.png

Now it runs VMProtect targets in a "virgin" Olly with only ScyllaHide !

Notes on VMP targets:

- set olly to break on system bp
- set ScyllaHide with at least these options: PEB, NtClose, NtQueryInformationProcess

(attached is only the Olly1 plugin, HookLibrary.dll still needed from first post ! )

@ahmadmansoor thx!

giv 04-11-2014 17:34

Quote:

Originally Posted by cypher (Post 90769)
I tried a virgin Olly2 with just OllyExt and ScyllaHide, both with all options enabled, and it's not freezing.

Could you tell us what exact OS you are using and maybe also provide the test target?
Does it happen for ALL exe you load ?

I must do further tests.
Was just a first time run.
RUN=freeze
Maybe my fault.
I will see.

Thank you!

cypher 04-11-2014 21:57

1 Attachment(s)
- added "Olly title" option to Olly2 plugin

http://img0.www.suckmypic.net/img/r/8/w6x1i2yo/options.png

cypher 04-11-2014 22:33

1 Attachment(s)
please take this attachment.

(can't edit my own previous post, or am I blind?)

Carbon 04-13-2014 23:47

1 Attachment(s)
Version 0.2

Warning: Since this version, ScyllaHide is not compatible with Stealth64! You need to remove the Stealth64 plugin.

- Stealth hooks for 32-bit targets to defeat protectors like Themida
- Olly Plugin: Change olly caption
- Olly v1 Plugin: Remove EP One-Shot Breakpoint for VMProtect

ZeNiX 04-14-2014 10:05

I am not very sure how to use it correctly.

For example:
My OS is Windows 8.1 x64
I am using Ollydbg 1.10
My targets are 32-bit (x86)

Which version of ScyllaHide should I use?
x64 or x86?

Also, what is the version of TE?

Ghandi2006 04-14-2014 19:51

Thanks and great work. Is this going to remain private or can you see it going open source in the future?

HR,
Ghandi

cypher 04-14-2014 20:36

Quote:

Originally Posted by ZeNiX (Post 90808)
I am not very sure how to use it correctly.

For example:
My OS is Windows 8.1 x64
I am using Ollydbg 1.10
My targets are 32-bit (x86)

Which version of ScyllaHide should I use?
x64 or x86?

Also, what is the version of TE?

You need HookLibraryx86.dll and ScyllaHideOlly1.dll
Olly1&2 only support x86

x64 builds are for TitanEngine or tools using it like x64_dbg or TitanScriptGUI

@Ghandi it will be open-sourced sometime in the near future

ZeNiX 04-15-2014 09:58

Thank you.
On my system, it always pops up a messagebox saying:

---------------------------
ERROR
---------------------------
NT APIs missing

section

060200000109_x86_000162F9

file

W:\Zenix\OllyScylla\NtApiCollection.ini
---------------------------
OK
---------------------------

mr.exodia 04-15-2014 15:57

Hey ZeNiX,

You should run NtApiTool.rar and copy the INI file in the ScyllaHide.dll directory.

Greetings

Kla$ 04-15-2014 16:06

mr.exodia
still the same error pops up

ZeNiX 04-15-2014 17:37

Problem solved.
After downloading the symbols, we need to use pdb-getprocaddress to get three addresses.

In my system, they are...

[060200000109_x86_000162F9]
NtUserQueryWindow=00009965
NtUserBuildHwndList=0000FBB1
NtUserFindWindowEx=0000804C

Carbon 04-16-2014 03:03

Thanks ZeNiX, I added it here:
https://bitbucket.org/NtQuery/pdb-getprocaddress/commits/8ac27b0c21d3df3b95e775afff24ad993fc492d8

If somebody wants to share his config, please do it :D

DMichael 04-16-2014 05:05

heres mine:
[060200000100_x86_00025FBF]
NtUserQueryWindow=00008CC1
NtUserBuildHwndList=00011DC3
NtUserFindWindowEx=00007757
NtUserInternalGetWindowText=0000CC60
NtUserGetClassName=00008CE3
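
The NtApiCollection.ini handling discussed above (the "NT APIs missing" dialog ZeNiX hit, and the sections ZeNiX and DMichael shared) as an added example; this is not code from ScyllaHide or from anyone in this thread. It is a small C++ checker that parses the ini format shown in the posts, reports which of the three NtUser* entries a section lacks, merges a contributed section without overwriting entries already present, and turns an entry into a runtime address. The sample ini is constructed from the two sections posted here plus one deliberately incomplete hypothetical section. The section-name format is copied verbatim and not interpreted, and treating the values as RVAs to add to the loaded module base is an assumption of the example, not something this page states. Function names (parseApiCollection, missingApis, mergeSection, resolveVa) are the example's own.

```cpp
// Added example (not ScyllaHide code): parse an NtApiCollection.ini-style
// text, check a section for the three NtUser* entries the first post says
// the ini must supply, merge a community-shared section, and turn an entry
// into a runtime address. The section-name format is taken verbatim from the
// thread and not interpreted; treating the values as RVAs to add to a loaded
// module base is an assumption of this example.
#include <cstdint>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

using ApiTable = std::map<std::string, uint32_t>;        // function name -> offset
using ApiCollection = std::map<std::string, ApiTable>;   // ini section -> table

// The hooks that do not work without the ini (first post).
static const std::vector<std::string> kRequiredApis = {
    "NtUserQueryWindow", "NtUserBuildHwndList", "NtUserFindWindowEx"};

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Minimal ini reader: [section] headers, Name=HEXOFFSET lines, ';' comments.
// A section that appears with no entries is kept, so "section present but
// entries missing" is distinguishable from "section absent".
ApiCollection parseApiCollection(const std::string& text) {
    ApiCollection out;
    std::istringstream in(text);
    std::string line, section;
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty() || line[0] == ';') continue;
        if (line.front() == '[' && line.back() == ']') {
            section = line.substr(1, line.size() - 2);
            out[section];
            continue;
        }
        size_t eq = line.find('=');
        if (eq == std::string::npos || section.empty()) continue;
        std::string name = trim(line.substr(0, eq));
        std::string hex = trim(line.substr(eq + 1));
        out[section][name] = static_cast<uint32_t>(std::stoul(hex, nullptr, 16));
    }
    return out;
}

// Required names that are absent or zero in `section`, in kRequiredApis order.
// Empty result: the "NT APIs missing" dialog from the thread would not appear.
std::vector<std::string> missingApis(const ApiCollection& c, const std::string& section) {
    std::vector<std::string> missing;
    auto it = c.find(section);
    for (const auto& name : kRequiredApis) {
        if (it == c.end()) { missing.push_back(name); continue; }
        auto e = it->second.find(name);
        if (e == it->second.end() || e->second == 0) missing.push_back(name);
    }
    return missing;
}

// Merge a shared section into the collection. Existing non-zero entries win,
// so a contributed section cannot silently overwrite values already in use.
// Returns how many entries were added.
size_t mergeSection(ApiCollection& into, const std::string& section, const ApiTable& contributed) {
    size_t added = 0;
    ApiTable& dst = into[section];
    for (const auto& kv : contributed) {
        auto existing = dst.find(kv.first);
        if (existing == dst.end() || existing->second == 0) {
            dst[kv.first] = kv.second;
            ++added;
        }
    }
    return added;
}

// Assumption: the ini value is an RVA into the module the PDB was fetched
// for, so the runtime address is module base + value.
uint64_t resolveVa(uint64_t moduleBase, uint32_t rva) { return moduleBase + rva; }

// Constructed sample: the two sections posted in this thread plus a
// hypothetical incomplete one that reproduces the "NT APIs missing" case.
static const char* kSampleIni =
    "[060200000109_x86_000162F9]\n"
    "NtUserQueryWindow=00009965\n"
    "NtUserBuildHwndList=0000FBB1\n"
    "NtUserFindWindowEx=0000804C\n"
    "\n"
    "[060200000100_x86_00025FBF]\n"
    "NtUserQueryWindow=00008CC1\n"
    "NtUserBuildHwndList=00011DC3\n"
    "NtUserFindWindowEx=00007757\n"
    "NtUserInternalGetWindowText=0000CC60\n"
    "NtUserGetClassName=00008CE3\n"
    "\n"
    "; hypothetical section with only one entry filled in\n"
    "[FFFFFFFFFFFF_x86_00000000]\n"
    "NtUserQueryWindow=00001234\n";

int main() {
    ApiCollection c = parseApiCollection(kSampleIni);
    for (const auto& sec : c) {
        std::vector<std::string> m = missingApis(c, sec.first);
        std::cout << "section " << sec.first << ": " << (m.empty() ? "ok" : "NT APIs missing:");
        for (const auto& name : m) std::cout << ' ' << name;
        std::cout << '\n';
    }
    return 0;
}
```

Run it against your own NtApiCollection.ini by reading the file into a string in place of kSampleIni; the section name to check is the one shown in the "section" field of the error dialog.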

Carbon 04-17-2014 20:44

Version 0.3

- Fix for Olly plugins caption reset
- Fix STARTUPINFO structure, GetStartupInfoA/W
- Resume/Suspend all Threads in Thread window
- x64 compatibility mode for Olly1
- fix PE-Bugs for Olly1
- fix FPU-Bug for Olly1
- split "Protect DRx" into its options (ini option ProtectDRx now deprecated)
- Fix PEB Patch bug, now Themida works on WinXP

Binary: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.3.rar
Source: https://bitbucket.org/NtQuery/scyllahide/

Carbon 04-21-2014 03:35

Version 0.4

- Olly v1/v2 Plugins: Apply hooks without restarting
- Olly v1 Plugin: Added "Break on TLS"


https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.4.rar

leetone 04-23-2014 13:48

Thank you for the binary release. I've got the source via github and I'm building my own "nightlies" - was this built in VS2008 or VS2010? It isn't native to 2012 or 2013 :)

cypher 04-23-2014 21:55

I'm building with VS2010. Since the platform toolset is set to v90, you either need to have VS2008 express installed to get that toolset or you simply change toolset to v100.
We use v90 on purpose to guarantee max compatibility on older systems but for testing, v100 is just fine.

Carbon 04-24-2014 02:39

Version 0.5

- NtCreateThreadEx hook
- Prevent Thread creation
(special hook for some protectors like Execryptor. Only use this if you know what you are doing)
- Split Hide PEB into 4 options (ini option PEB now deprecated)
- Inject DLL option added (2 methods)
- Replaced Olly2 dialog
- Improved "Break on TLS"

Download: you know where

cypher 04-29-2014 21:23

Version 0.7

- IDA 64bit plugin
- IDA 32/64bit remote server
- IDA DLL Injection
- IDA option to start x64 server automatically

cypher 05-03-2014 03:53

Version 0.8

- Olly v1 Plugin: option "Skip EP outside of code message"
- Fix for NtSetInformationProcess -> ProcessHandleTracing
- All plugins: Update-Check
- Timing Hooks: GetTickCount, GetTickCount64, GetLocalTime, GetSystemTime, NtQuerySystemTime, NtQueryPerformanceCounter
- "Remove Debug Privileges" added

besoeso 05-04-2014 01:15

@cypher

Is it possible to add IO hook support too, for DeviceIoControlFile?

Carbon 05-04-2014 02:47

@besoeso
How does this work? Antidebug with DeviceIoControlFile? Do you have example code?

giv 05-05-2014 14:42

Congrats mate...
I have tested today with a VMProtect target and to my real surprise it works flawlessly.
:)

Offtopic:
Just don't forget the Scylla 0.9.6b problem that I reported regarding Themida nnpack on tuts4you.

See ya!

ahmadmansoor 05-06-2014 19:59

x64 needs more tests
 
Hi Carbon
I have made some more checks on x64.
I keep getting ((Warning wrong struct size 504 != 396))
or the HookLibraryx64.dll is not being injected.

By the way, what is the use of:
Quote:

if (specialPebFix)
{
StartFixBeingDebugged(ProcessId, false);
specialPebFix = false;
}

if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
{
StartFixBeingDebugged(ProcessId, true);
specialPebFix = true;
}
they work as opposites of each other!!

Carbon 05-07-2014 00:39

Quote:

Originally Posted by ahmadmansoor (Post 91263)
Hi Carbon
I have made some more checks on x64.
I keep getting ((Warning wrong struct size 504 != 396))
or the HookLibraryx64.dll is not being injected.

Did you compile it yourself? This is some alignment check; this should not be a problem in the release builds.


Quote:

if (specialPebFix)
{
StartFixBeingDebugged(ProcessId, false);
specialPebFix = false;
}

if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
{
StartFixBeingDebugged(ProcessId, true);
specialPebFix = true;
}
This is from the POISON source and to be honest I don't understand it completely but it works very well. It is something against Heap flag artifacts. Themida/WL looks for special artifacts on the process heaps and this little trick prevents the creation of these artifacts. I think other hide plugins use the same trick. I don't know who invented it originally, but it is a very clever way to solve this problem, so the author is probably some genius.

ahmadmansoor 05-07-2014 01:33

Hi Carbon:
I think I tried both files, my compiled one and your release builds, and got the same result.
I noticed too that when I use IDA it tries to inject the dll and it fails too.
I have coded a plugin for x64_dbg.
So when I use
Quote:

if (specialPebFix)
{
StartFixBeingDebugged(ProcessId, false);
specialPebFix = false;
}

if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
{
StartFixBeingDebugged(ProcessId, true);
specialPebFix = true;
}
after cbCB_DEBUGEVENT, so if we use it the debugger will be caught.
Maybe I'm doing something wrong.

Carbon 05-07-2014 02:03

Your problem is probably the structure alignment. You must adjust the compiler settings to 1 byte structure alignment.

ahmadmansoor 05-07-2014 02:07

it is already: 1 Byte (/Zp1)
but I use VS 2010 v100, not v120, if that could be causing a problem!!

cypher 05-07-2014 02:20

@ahmadmansoor

fork the scyllahide repo on bitbucket. then push the plugin as a new project in the solution and I'll have a look and fix up the project.

Edit: platform toolset isn't a problem. Actually all plugins and the hooklib are built for release with v90 for compatibility reasons, but I do use v100 myself for developing. Also I do use VS2010.
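
The "Warning wrong struct size 504 != 396" message and the 1-byte structure alignment (/Zp1) advice in the posts above, as an added example that is not ScyllaHide or x64_dbg code: a hypothetical debug-event structure is declared once with the compiler's natural alignment and once with 1-byte packing, a size check of the kind a plugin should run before touching a host structure is shown, and a round-trip shows how a field is misread when only one side of the host/plugin boundary is packed. The field names, the sizes and the values are invented for the demonstration; only the mechanism (host and plugin compiled with different packing) comes from the thread.

```cpp
// Added example (not ScyllaHide or x64_dbg code): a plugin and its host must
// agree on structure packing, or a structure passed across the boundary is
// misread. Field names and values are invented for the demo.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

// Natural alignment: what the compiler produces without /Zp1 or #pragma pack.
struct DebugEventNatural {
    uint32_t eventCode;     // padding follows on x64: uint64_t wants 8-byte alignment
    uint64_t baseOfDll;
    uint32_t processId;
    uint16_t threadFlags;   // padding again before the next 8-byte field
    uint64_t exceptionAddr;
};

// Same fields with 1-byte packing: what /Zp1 (or a forced 1-byte alignment) produces.
#pragma pack(push, 1)
struct DebugEventPacked {
    uint32_t eventCode;
    uint64_t baseOfDll;
    uint32_t processId;
    uint16_t threadFlags;
    uint64_t exceptionAddr;
};
#pragma pack(pop)

// The kind of check behind a "wrong struct size X != Y" warning: the host
// reports how large its structure is, the plugin compares that with what it
// was compiled for, and refuses to proceed on a mismatch.
bool structSizeMatches(size_t hostSize, size_t pluginSize) {
    return hostSize == pluginSize;
}

// Simulate handing a structure across the host/plugin boundary: the host
// fills HostT, the plugin reinterprets the same bytes as PluginT and reads
// exceptionAddr. If the layouts differ, the plugin reads the wrong offset.
template <typename HostT, typename PluginT>
uint64_t exceptionAddrAcrossBoundary(uint64_t addr) {
    HostT host{};
    host.eventCode = 3;                  // arbitrary event code
    host.baseOfDll = 0x7FF812340000ULL;  // arbitrary module base
    host.processId = 1234;
    host.threadFlags = 1;
    host.exceptionAddr = addr;
    unsigned char buf[sizeof(HostT) > sizeof(PluginT) ? sizeof(HostT) : sizeof(PluginT)] = {0};
    std::memcpy(buf, &host, sizeof(host));
    PluginT plugin{};
    std::memcpy(&plugin, buf, sizeof(plugin));
    return plugin.exceptionAddr;
}

int main() {
    const uint64_t addr = 0x1122334455667788ULL;
    std::cout << "natural size " << sizeof(DebugEventNatural)
              << ", packed size " << sizeof(DebugEventPacked) << '\n';
    std::cout << "exceptionAddr offset: natural " << offsetof(DebugEventNatural, exceptionAddr)
              << ", packed " << offsetof(DebugEventPacked, exceptionAddr) << '\n';
    if (!structSizeMatches(sizeof(DebugEventNatural), sizeof(DebugEventPacked)))
        std::cout << "Warning wrong struct size " << sizeof(DebugEventNatural)
                  << " != " << sizeof(DebugEventPacked) << '\n';
    std::cout << std::hex << "packed host -> natural plugin reads 0x"
              << exceptionAddrAcrossBoundary<DebugEventPacked, DebugEventNatural>(addr) << '\n';
    std::cout << "packed host -> packed plugin reads 0x"
              << exceptionAddrAcrossBoundary<DebugEventPacked, DebugEventPacked>(addr) << '\n';
    return 0;
}
```

The size check only catches the mismatch when both sides actually compare sizes; the safer fix, which is what the thread arrives at, is to build the host and every plugin with the same packing so the layouts cannot diverge in the first place.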

Carbon 05-09-2014 03:55

Version 0.9

- All plugins use separate scylla_hide.ini now. ini is interchangeable between plugins !
(ini section in ollydbg.ini now deprecated !)
- Load/Save ini profiles in Olly1&2 and IDA plugin
- RunPE malware unpacker
- NtSetInformationProcess Hook in GUI


Please post your special Protector Profiles here.

giv 05-09-2014 14:39

Hi Carbon (although I'm used to spelling another name.)
Your ScyllaHide does not seem to get along with OdbgScript.
As I related before, with Phantom and StrongOD it is OK to run the script, and with ScyllaHide the script just "goes in the ditch".
I think I will review my script and I will send it to you or eXoDia to take a look along with some unpackmes.
:)

mr.exodia 05-10-2014 04:59

structure alignment of x64_dbg will be forced to 1 byte in the next release.

Greetings

Carbon 05-11-2014 01:17

Version 1.0

- added sprintf %s Olly1 bugfix to "Fix Olly bugs"
- x64dbg 32/64bit plugins https://bitbucket.org/mrexodia/x64_dbg
- fixed alignment bug 64bit


The default ini contains settings for these protectors:
- VMProtect x86/x64
- Obsidium x86
- Themida x86
- Armadillo x86

Themida/Winlicense x64 will only work with TitanHide

sendersu 05-11-2014 04:57

very nice work! congrats and keep going :)
Generally speaking you are the first who did the x64 plugin for IDA, but I'm starting to test it from x32 as well
some minor notes so far:

1) Version 1.0: on Update check
http://prntscr.com/3i1484

win xp sp3 eng prof x32
IDA 6.1 x32

2) version.txt inside the archive ScyllaHide_v1.0.rar contains the string "0.9"
3) how to use the feature "RunPE malware unpacker"

Carbon 08-17-2014 02:00

New Version here.

Version 1.1
- Added "thanks" to About
- Added kill anti-attach (for x86 only)
- Olly v1 Plugin: Advanced CTRL+G
- Olly v1 Plugin: Skip "compressed code" message
- Olly v1 Plugin: Ignore bad PE image (WinUPack)
- Olly v1 Plugin: Skip "Load DLL" message

Thanks to MaRKuS-DJM for OllyAdvanced assembler source code.

Check out the new documentation: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.1Doc.pdf

