ScyllaHide

[UniSoft]

In attach normalized resources... i removed all unused STATIC controls.

[cypher]

Quote:

Originally Posted by UniSoft

There is only one problem, you've made a separate checkBox'es and labels in dialog template, but need to use only checkBox (Set Caption and Left Text = True).

I tried single checkbox with text left before but I got problems with nice aligning and layouting. Thats why I used separate controls. But you seem to got it looking nice with single checkbox thanks hehe

[Carbon]

Check out the awesome new attach dialog for all debugger plugins! Drag'n'Drop the crosshair to your attach target...

dl: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v1.2.rar

new doc https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.2Doc.pdf

Version 1.2
- All Plugins: New attach dialog with crosshair/bullseye window finder.
- All Plugins: Tooltips with information (unfinished). Thanks to UniSoft!
- Olly v1 Plugin: Fix for faulty handle bug
- Olly v1 Plugin: Fix for NT symbol path bug added to "Fix Olly Bugs", thanks to redblkjck

[cypher]

since we aim to unify and replace good old plugins phantOm, strongOD, ollyAdvanced into one open-source plugin:

Are there any features by them you still miss in ScyllaHide ? Features you really use and dont want to miss

[Storm Shadow]

Very cool feture shooting targets.
All work as exepected.
You should add flag

Code:

PLUGIN_FIX |

when loading plugin.
So sculla show in ida plugin at startup. So we dont have to load a file, and then shoot targets.

[cypher]

Quote:

Originally Posted by Storm Shadow

You should add flag

Code:

PLUGIN_FIX |

when loading plugin.
So sculla show in ida plugin at startup. So we dont have to load a file, and then shoot targets.

I tried that before but its not working because of the way the SDK calls the attach function (forwarder to callui(ui_dbg_attach_process..) = same as entering AttachProcess(pid,-1) in the cmd line), you first need to open a IDB in IDA and then you can attach to any process.
Also make sure you select proper debugger engine in that combobox before ! You CANT attach without opened IDB like IDA can Menu->Debugger->Attach

[Storm Shadow]

Well would be alot of work to bypass to gain maybe 5 seconds of file loading.by the way have you seen in the sdk, how to execute commands via the windbg console in scripts / plugins
I searched the idapython api, no result.would be great creating memory dumpers, or writing unpackers scripts..
Maybe there is somwthing in the c ++ end.

[quygia128]

Quote:

Originally Posted by cypher

since we aim to unify and replace good old plugins phantOm, strongOD, ollyAdvanced into one open-source plugin.

Great idea, cypher.

Are there any features by them you still miss in ScyllaHide ? Features you really use and dont want to miss

Your plugin is very good so im really like all futures except "Inject Lib", I haven't success any times with any library.(are you test with Inject lib by StrongOD/WeakOD ?)

Maybe place StrongOD you need to make future "More Dump Windows"(StrongOD have 5 windows, would like if we have more dump windows to work with memory)

greets,
quygia128

[cypher]

Quote:

Originally Posted by quygia128

I haven't success any times with any library

Maybe place StrongOD you need to make future "More Dump Windows"(StrongOD have 5 windows, would like if we have more dump windows to work with memory)

hm strange. did you try both normal and stealth injection and with different targets?
we tested this of course and for us its working well

Yes I also like and use the multiple memory dump windows but imho that is alot of work to realize

[Storm Shadow]

Quote:

Originally Posted by cypher

I tried that before but its not working because of the way the SDK calls the attach function (forwarder to callui(ui_dbg_attach_process..) = same as entering AttachProcess(pid,-1) in the cmd line), you first need to open a IDB in IDA and then you can attach to any process.
Also make sure you select proper debugger engine in that combobox before ! You CANT attach without opened IDB like IDA can Menu->Debugger->Attach

Yeah thats damn wierd , only shows after load of file.

Plugin is shown in start off ida when no file is loaded.

Got attach proccess box up, and ecerything but nothing to attach.


put in pluginfolder

Zullu.py

Code:

import re
import idaapi
import idc
from idc import *
from idaapi import *
import idautils


class Sculla(idaapi.plugin_t):
	flags = idaapi.PLUGIN_PROC | idaapi.PLUGIN_FIX
	comment = "This is a comment"
	help = "Sculla"
	wanted_name = "Sculla"
	wanted_hotkey = "Alt-F7"

	def init(self):
		idaapi.msg("Sculla located")
		return idaapi.PLUGIN_OK

	def run(self, arg):
		idaapi.msg("run() called with %d!\n" % arg)

	def term(self):
		idaapi.msg("")
	
	def run(self, arg = 0):
		import idc	

		idc.LoadDebugger("windbg", 1)

		
		idc.SetProcessorType('metapc', SETPROC_USER) #force cpu
		idaapi.load_and_run_plugin("windbg_user.plw", 0) #force
		idc.LoadDebugger("wingdbg", 1)
		idc.AttachProcess(-1, idaapi.PROCESS_ATTACH)

	
def PLUGIN_ENTRY():
    return Sculla()

Now im getting stubern

i did however get it to show pids adding the code to spu processor and load file, so its maybe not save database independent.
its enoufgh with *.d0 and *.d1 (temp database), or the processor_t that tells it to load a file.
So if you can somehow create the temp databse when attaching it should work. Well i think

EDIT!

actuelly they are there but got no names , since i didnt got the pid names.
Got errot that database is only 16 bits, when using plugin.

proberly need GetProcessPid(idx) and GetProcessName(idx)
And tell pluginbits 32 bit.

[Carbon]

This is an update for olly v1 only right now.

https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v1.3_Olly1.rar

Olly v1:
- custom toolbar for dump and cpu window
- del und insert shortcut
- don't consume exceptions

Olly v1 works now perfectly with EXECryptor, Obsidium and Themida... See documentation -> 1.1.19 Raise Exception, 1.3.13 Exception Problem
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.3Doc.pdf

[niculaita]

Oops, you've found a dead link. 1st please reupload ScyllaHide_v1.3_Olly1.rar

[RedBlkJck]

Quote:

Originally Posted by niculaita

Oops, you've found a dead link. 1st please reupload ScyllaHide_v1.3_Olly1.rar

https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v1.3fix_Olly1.rar
you can view all downloads available directly at
https://bitbucket.org/NtQuery/scyllahide/downloads

[Apuromafo]

today was used scyllahide, was say this:

Quote:

ERROR
---------------------------
NT APIs missing

section

060200000109_x86_000169B0

file

C:\Users\Pc\Desktop\release\x32\plugins\NtApiCollection.ini
---------------------------
Aceptar
---------------------------

when run ntapi from
https://bitbucket.org/NtQuery/scyllahide/downloads
was show as there if wana add:

Quote:

[060200000109_x86_000169B0]
NtUserQueryWindow=0000B235
NtUserBuildHwndList=0000EA55
NtUserFindWindowEx=0000EBAF
NtUserInternalGetWindowText=00022902
NtUserGetClassName=0000B78D

im runing in w8.1 single language

[Computer_Angel]

Anyone try using ScyllaHide in win 10 ? I try but could not hide from debugger anymore . Now debugging to find the problem.