#1
You have to handle this, for sure:
KERNELBASE.dll NtSetInformationProcess, KERNELBASE.dll NtQueryInformationProcess, KERNELBASE.dll NtClose. That should work.... Windows 10 sucks, handling the API is not that easy. Try on Windows 8.1 or 7 SP2.
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#2
The problem is that it didn't run on Windows 7: msvcr80.dll crashes.
Those APIs should be handled by ScyllaHide. I tested it with ScyllaTest and it's OK. Do you think that Themida is doing kernel hooks as well?
#3
Quote:
So we need to come up with newer methods to hook and hide our debugging efforts. Or just keep using the older versions of Windows ...
#4
Jeez, that's crap... What do you do when you have no choice of platform for reversing?
So I was able to see the ring3 hooks with PC_Hunter; it's only ntdll.DbgUiRemoteBreakin. There is no ring0 hook (Oreans driver not loaded). When I restore the ring3 hooks and then attach my debugger, it works. But when a "secure" function starts, the debuggee does nothing. Last edited by dummys; 10-19-2017 at 17:02.