ScyllaHide
1 Attachment(s)
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.
------------------------------------------------------
Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA
Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)
------------------------------------------------------
Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>
For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll
------------------------------------------------------
Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\ (can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
------------------------------------------------------
ToDo:
- x64 compatibility support
- x64 Exception Support
- Better (stealth) hooks
------------------------------------------------------
NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx
Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function addresses from another source. The other source is the PDB file. The addresses can be resolved with this tool: https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function addresses.
Binaries: NtApiTool.rar
Source code will be released soon! |
Hi.
I tried your plugin with Olly2. Unfortunately the debugger freezes when I have loaded a simple file. This could be due to an incompatibility. I also have OllyExt installed. Do you know of any issue? |
I tried a virgin Olly2 with just OllyExt and ScyllaHide, both with all options enabled, and it's not freezing.
Could you tell us what exact OS you are using and maybe also provide the test target? Does it happen for ALL exes you load? |
@Carbon: very nice work as always.
@cypher: welcome on the board, have fun ;) |
1 Attachment(s)
- added "change olly title" option to Olly1 plugin
- added "Remove EP break" to Olly1 plugin.
http://img0.www.suckmypic.net/img/V/7/Ut2y0azO/options.png
Now it runs VMProtect targets in a "virgin" Olly with only ScyllaHide!
Notes on VMP targets:
- set olly to break on system bp
- set ScyllaHide with at least these options: PEB, NtClose, NtQueryInformationProcess
(attached is only the Olly1 plugin, HookLibrary.dll still needed from first post!)
@ahmadmansoor thx! |
It was just a first-time run. RUN=freeze. Maybe my fault. I will see. Thank you! |
1 Attachment(s)
- added "Olly title" option to Olly2 plugin
http://img0.www.suckmypic.net/img/r/8/w6x1i2yo/options.png |
1 Attachment(s)
please take this attachment.
(can't edit my own previous post, or am I blind?) |
1 Attachment(s)
Version 0.2
Warning: Since this version, ScyllaHide is not compatible with Stealth64! You need to remove the Stealth64 plugin.
- Stealth hooks for 32-bit targets to defeat protectors like Themida
- Olly Plugin: Change olly caption
- Olly v1 Plugin: Remove EP One-Shot Breakpoint for VMProtect |
I am not very sure how to use it correctly.
For example:
My OS is Windows 8.1 x64
I am using Ollydbg 1.10
My targets are 32-bit (x86)
Which version of ScyllaHide should I use? x64 or x86? Also, what is the version of TE? |
Thanks and great work. Is this going to remain private or can you see it going open source in the future?
HR, Ghandi |
Olly1&2 only support x86. x64 builds are for TitanEngine or tools using it like x64_dbg or TitanScriptGUI.
@Ghandi it will be open-sourced sometime in the near future |
Thank you.
On my system, it always pops up a messagebox saying:
---------------------------
ERROR
---------------------------
NT APIs missing section 060200000109_x86_000162F9 file W:\Zenix\OllyScylla\NtApiCollection.ini
---------------------------
OK
--------------------------- |
Hey ZeNiX,
You should run NtApiTool.rar and copy the INI file in the ScyllaHide.dll directory. Greetings |
mr.exodia
still the same error pops up |
Problem solved.
After downloading the symbols, we need to use pdb-getprocaddress to get three addresses. In my system, they are...
[060200000109_x86_000162F9]
NtUserQueryWindow=00009965
NtUserBuildHwndList=0000FBB1
NtUserFindWindowEx=0000804C |
Thanks ZeNiX, I added it here:
https://bitbucket.org/NtQuery/pdb-getprocaddress/commits/8ac27b0c21d3df3b95e775afff24ad993fc492d8
If somebody wants to share his config, please do it :D |
here's mine:
[060200000100_x86_00025FBF]
NtUserQueryWindow=00008CC1
NtUserBuildHwndList=00011DC3
NtUserFindWindowEx=00007757
NtUserInternalGetWindowText=0000CC60
NtUserGetClassName=00008CE3 |
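The NtApiCollection.ini layout described in the first post and shown in the two configs posted above, handled by an added Python example (not ScyllaHide's or pdb-getprocaddress's own code): it loads the per-build sections, reports which of the three required window hooks a section cannot supply (the situation behind the "NT APIs missing section" box), and turns the RVAs into addresses for a module base. The section key is treated as an opaque string and `module_base` is a hypothetical value; both are assumptions, not something the thread specifies.

```python
import re

# Constructed sample in the layout the thread shows for NtApiCollection.ini:
# one [section] per OS build / architecture, one Name=RVA line per function.
SAMPLE_INI = """\
[060200000109_x86_000162F9]
NtUserQueryWindow=00009965
NtUserBuildHwndList=0000FBB1
NtUserFindWindowEx=0000804C

[060200000100_x86_00025FBF]
NtUserQueryWindow=00008CC1
NtUserBuildHwndList=00011DC3
NtUserFindWindowEx=00007757
NtUserInternalGetWindowText=0000CC60
NtUserGetClassName=00008CE3
"""
# The three hooks the first post says stop working without the ini.
REQUIRED = ("NtUserQueryWindow", "NtUserBuildHwndList", "NtUserFindWindowEx")
# Section key is treated as opaque here (assumption); only its shape is checked.
SECTION_RE = re.compile(r"^\[([0-9A-Fa-f]+_(?:x86|x64)_[0-9A-Fa-f]+)\]$")
ENTRY_RE = re.compile(r"^(\w+)=([0-9A-Fa-f]{1,8})$")


def parse_ini(text):
    """Return {section: {function: rva}}; reject lines that fit neither shape."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, {})
        elif (m := ENTRY_RE.match(line)) and current is not None:
            sections[current][m.group(1)] = int(m.group(2), 16)
        else:
            raise ValueError(f"line {lineno}: unexpected {line!r}")
    return sections


def missing_hooks(sections, section_name):
    """Required hooks unresolvable for this build; no section means all three."""
    entries = sections.get(section_name, {})
    return [name for name in REQUIRED if name not in entries]


def resolve(sections, section_name, module_base):
    """Add each RVA to a (hypothetical) load base of the module the PDB describes."""
    return {name: module_base + rva for name, rva in sections[section_name].items()}
```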
Version 0.3
- Fix for Olly plugins caption reset
- Fix STARTUPINFO structure, GetStartupInfoA/W
- Resume/Suspend all Threads in Thread window
- x64 compatibility mode for Olly1
- fix PE-Bugs for Olly1
- fix FPU-Bug for Olly1
- split "Protect DRx" into its options (ini option ProtectDRx now deprecated)
- Fix PEB Patch bug, now Themida works on WinXP
Binary: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.3.rar
Source: https://bitbucket.org/NtQuery/scyllahide/ |
Version 0.4
- Olly v1/v2 Plugins: Apply hooks without restarting
- Olly v1 Plugin: Added "Break on TLS"
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.4.rar |
Thank you for the binary release. I've got the source via github and I'm building my own "nightlies" - was this built in VS2008 or VS2010? It isn't native to 2012 or 2013 :)
|
I'm building with VS2010. Since the platform toolset is set to v90, you either need to have VS2008 express installed to get that toolset or you simply change toolset to v100.
We use v90 on purpose to guarantee max compatibility on older systems but for testing, v100 is just fine. |
Version 0.5
- NtCreateThreadEx hook
- Prevent Thread creation (special hook for some protectors like Execryptor. Only use this if you know what you do)
- Split Hide PEB into 4 options (ini option PEB now deprecated)
- Inject DLL option added (2 methods)
- Replaced Olly2 dialog
- Improved "Break on TLS"
Download: you know where |
Version 0.7
- IDA 64bit plugin
- IDA 32/64bit remote server
- IDA DLL Injection
- IDA option to start x64 server automatically |
Version 0.8
- Olly v1 Plugin: option "Skip EP outside of code message"
- Fix for NtSetInformationProcess -> ProcessHandleTracing
- All plugins: Update-Check
- Timing Hooks: GetTickCount, GetTickCount64, GetLocalTime, GetSystemTime, NtQuerySystemTime, NtQueryPerformanceCounter
- "Remove Debug Privileges" added |
@cypher
Is it possible to add IO hooks support too, i.e. DeviceIoControlFile? |
@besoeso
How does this work? Antidebug with DeviceIoControlFile? Do you have an example code? |
Congrats mate...
I have tested today with a VMProtect target and to my real surprise it works flawlessly. :)
Offtopic: Just don't forget the Scylla 0.9.6b problem that I have reported of Themida nnpack in tuts4you. See ya! |
x64 needs more testing
Hi Carbon
I have made some more checks on x64. I keep getting ((Warning wrong struct size 504 != 396)) or the HookLibraryx64.dll is not being injected. By the way, what is the use of: Quote:
|
Hi Carbon :
I think I tried both files, my compiled and your release builds, and got the same result. I noted too that when I use IDA it tries to inject the dll and it fails as well. I have coded a plugin for x64_dbg, so when I use Quote:
maybe I do something wrong . |
Your problem is probably the structure alignment. You must adjust the compiler settings to 1 byte structure alignment.
|
It is already 1 Byte (/Zp1),
but I use VS 2010 v100, not v120, if that could be a problem!! |
@ahmadmansoor
fork the scyllahide repo on bitbucket, then push the plugin as a new project in the solution and I'll have a look and fix up the project.
Edit: platform toolset isn't a problem. Actually all plugins and the hooklib are built for release with v90 for compatibility reasons, but I do use v100 myself for developing. Also I do use VS2010 |
Version 0.9
- All plugins use separate scylla_hide.ini now. ini is interchangeable between plugins! (ini section in ollydbg.ini now deprecated!)
- Load/Save ini profiles in Olly1&2 and IDA plugin
- RunPE malware unpacker
- NtSetInformationProcess Hook in GUI
Please post your special Protector Profiles here. |
Hi Carbon (although I'm used to spell another name.)
Your ScyllaHide does not seem to get along with OdbgScript. As I related before, with Phantom and StrongOD it is OK to run the script, and with ScyllaHide the script just "goes in the ditch". I think I will review my script and I will send it to you or eXoDia to take a look, along with some unpackmes. :) |
structure alignment of x64_dbg will be forced to 1 byte in the next release.
Greetings |
Version 1.0
- added sprintf %s Olly1 bugfix to "Fix Olly bugs"
- x64dbg 32/64bit plugins https://bitbucket.org/mrexodia/x64_dbg
- fixed alignment bug 64bit
The default ini contains settings for these protectors:
- VMProtect x86/x64
- Obsidium x86
- Themida x86
- Armadillo x86
Themida/Winlicense x64 will only work with TitanHide |
very nice work! congrats and keep going :)
Generally speaking you are the first who did the x64 plugin for IDA, but I'm starting to test it from x32 as well. Some minor notes so far:
1) Version 1.0: on Update check http://prntscr.com/3i1484 (win xp sp3 eng prof x32, IDA 6.1 x32)
2) version.txt inside the archive ScyllaHide_v1.0.rar contains the string "0.9"
3) how to use the feature "RunPE malware unpacker" |
New Version here.
Version 1.1
- Added "thanks" to About
- Added kill anti-attach (for x86 only)
- Olly v1 Plugin: Advanced CTRL+G
- Olly v1 Plugin: Skip "compressed code" message
- Olly v1 Plugin: Ignore bad PE image (WinUPack)
- Olly v1 Plugin: Skip "Load DLL" message
Thanks to MaRKuS-DJM for OllyAdvanced assembler source code.
Check out the new documentation: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.1Doc.pdf |