I haven't looked at the entire source, but isn't using CRC32 to verify functions easy to bypass?
For example, https://www.nayuki.io/page/forcing-a-files-crc-to-any-value
Seems like it would be trivial to change the hooking procedure of ScyllaHide to use code like this to get the correct CRC with only 5 extra bytes of overhead (4 bytes of garbage after the jmp + 0xCC), and the CRC check could be circumvented.
I think it would be better to just do a direct byte comparison of the functions since they are being processing in their entirety to get the length already.
|