ScyllaHide

[cypher]

Quote:

Originally Posted by Storm Shadow

You should add flag

Code:

PLUGIN_FIX |

when loading plugin.
So sculla show in ida plugin at startup. So we dont have to load a file, and then shoot targets.

I tried that before but its not working because of the way the SDK calls the attach function (forwarder to callui(ui_dbg_attach_process..) = same as entering AttachProcess(pid,-1) in the cmd line), you first need to open a IDB in IDA and then you can attach to any process.
Also make sure you select proper debugger engine in that combobox before ! You CANT attach without opened IDB like IDA can Menu->Debugger->Attach

[Storm Shadow]

Quote:

Originally Posted by cypher

I tried that before but its not working because of the way the SDK calls the attach function (forwarder to callui(ui_dbg_attach_process..) = same as entering AttachProcess(pid,-1) in the cmd line), you first need to open a IDB in IDA and then you can attach to any process.
Also make sure you select proper debugger engine in that combobox before ! You CANT attach without opened IDB like IDA can Menu->Debugger->Attach

Yeah thats damn wierd , only shows after load of file.

Plugin is shown in start off ida when no file is loaded.

Got attach proccess box up, and ecerything but nothing to attach.


put in pluginfolder

Zullu.py

Code:

import re
import idaapi
import idc
from idc import *
from idaapi import *
import idautils


class Sculla(idaapi.plugin_t):
	flags = idaapi.PLUGIN_PROC | idaapi.PLUGIN_FIX
	comment = "This is a comment"
	help = "Sculla"
	wanted_name = "Sculla"
	wanted_hotkey = "Alt-F7"

	def init(self):
		idaapi.msg("Sculla located")
		return idaapi.PLUGIN_OK

	def run(self, arg):
		idaapi.msg("run() called with %d!\n" % arg)

	def term(self):
		idaapi.msg("")
	
	def run(self, arg = 0):
		import idc	

		idc.LoadDebugger("windbg", 1)

		
		idc.SetProcessorType('metapc', SETPROC_USER) #force cpu
		idaapi.load_and_run_plugin("windbg_user.plw", 0) #force
		idc.LoadDebugger("wingdbg", 1)
		idc.AttachProcess(-1, idaapi.PROCESS_ATTACH)

	
def PLUGIN_ENTRY():
    return Sculla()

Now im getting stubern

i did however get it to show pids adding the code to spu processor and load file, so its maybe not save database independent.
its enoufgh with *.d0 and *.d1 (temp database), or the processor_t that tells it to load a file.
So if you can somehow create the temp databse when attaching it should work. Well i think

EDIT!

actuelly they are there but got no names , since i didnt got the pid names.
Got errot that database is only 16 bits, when using plugin.

proberly need GetProcessPid(idx) and GetProcessName(idx)
And tell pluginbits 32 bit.

[Carbon]

This is an update for olly v1 only right now.

https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v1.3_Olly1.rar

Olly v1:
- custom toolbar for dump and cpu window
- del und insert shortcut
- don't consume exceptions

Olly v1 works now perfectly with EXECryptor, Obsidium and Themida... See documentation -> 1.1.19 Raise Exception, 1.3.13 Exception Problem
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.3Doc.pdf