Thread: ScyllaHide
Old 08-29-2014, 05:58
Storm Shadow

Originally Posted by cypher
I tried that before but it's not working because of the way the SDK calls the attach function (forwarder to callui(ui_dbg_attach_process..) = same as entering AttachProcess(pid,-1) in the cmd line), you first need to open an IDB in IDA and then you can attach to any process.
Also make sure you select the proper debugger engine in that combobox before! You CAN'T attach without an opened IDB like IDA can with Menu->Debugger->Attach

Yeah, that's damn weird, only shows after load of file.

Plugin is shown at start of IDA when no file is loaded.

Got attach process box up, and everything, but nothing to attach.

Put in plugin folder:

import re
import idaapi
import idc
from idc import *
from idaapi import *
import idautils

class Sculla(idaapi.plugin_t):
    # PLUGIN_FIX: load when IDA starts; PLUGIN_PROC: load with the processor module
    flags = idaapi.PLUGIN_PROC | idaapi.PLUGIN_FIX
    comment = "This is a comment"
    help = "Sculla"
    wanted_name = "Sculla"
    wanted_hotkey = "Alt-F7"

    def init(self):
        idaapi.msg("Sculla located")
        return idaapi.PLUGIN_OK

    def run(self, arg=0):
        idaapi.msg("run() called with %d!\n" % arg)

        idc.LoadDebugger("windbg", 1)

        idc.SetProcessorType('metapc', SETPROC_USER)  # force cpu
        idaapi.load_and_run_plugin("windbg_user.plw", 0)  # force
        idc.LoadDebugger("windbg", 1)
        # pid -1 makes IDA ask for the process to attach to
        idc.AttachProcess(-1, idaapi.PROCESS_ATTACH)

    def term(self):
        pass

# Entry point IDA calls to obtain the plugin instance
def PLUGIN_ENTRY():
    return Sculla()
Now I'm getting stubborn.

I did however get it to show pids adding the code to spu processor and load file, so it's maybe not save database independent.
It's enough with *.d0 and *.d1 (temp database), or the processor_t that tells it to load a file.
So if you can somehow create the temp database when attaching it should work. Well, I think.


Actually they are there but got no names, since I didn't get the pid names.
Got error that database is only 16 bits, when using plugin.

Probably need GetProcessPid(idx) and GetProcessName(idx)
And tell plugin bits 32 bit.

Last edited by Storm Shadow; 08-29-2014 at 06:28.