#76
Quote:
However it will break it for those that don't use the same IDA version as you. So one would need to do a pull request with a loop for making it work with each new version.
Quote:
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm." Today I whispered in the devils ear, "I am the storm."
#77
Little update
After a crash with IDA and after debugging it, it seems to make an x64 hook first in an x86 app and IDAServerx86, and there are some more problems.

1 bug) It crashes because it attempts to make an x64 connection in an x86 app; it fails on
Code:
IDAServerx86.exe!DetourCreateRemoteNativeSysWow64(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize) Line 356 + 0x5 bytes
Code:
IDAServerx86.exe!DetourCreateRemoteNative32(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize) Line 532 + 0x1a bytes C++
https://github.com/x64dbg/ScyllaHide...k.cpp#L350-354
Not sure why, but I am a Python guy. It seems to jump to the x86 hook instead of the x64 one, but a smart person told me that it should not matter in C++. Suggestion: maybe the dev should use
Code:
If __EA64__ call x64 else: call x86

2 bug) I also saw a port access violation. In Win 10, even if you have a firewall you bought, you have to open the ports in the internal Win 10 one, even if it is disabled. In the start menu type WF.msc and open UDP/TCP port 1337.

3 bug) For fixing the structure error, for now untick NtQueryInformationProcess in the ScyllaHide settings. Result:
Code:
Listening on port 1337...
Accepted Client 1
[ScyllaHide] Hook Injection successful, Imagebase 001D0000
Last edited by Storm Shadow; 08-31-2016 at 02:24.
#78
I thought I was doing something wrong, then I found this thread! Win10 (anniversary update) + x64dbg doesn't crash, but gives:
NT APIs missing section 060200000109_x86_0000A830 file NtApiCollection.ini
I used ScyllaHide from the link on the x64dbg page (bitbucket link). Hopefully someone can make win10 a platform for RE. Thanks!
#79
I did some testing.
https://github.com/x64dbg/ScyllaHide/issues/2
Seems there are junk bytes at Win10 Anniversary's NtQueryInformationProcess call as well as a different signature. The code leading to the gateway is a JMP to the jmp (so two jmps) to the gateway, whereas Win8.1 is a simple jmp. More details are at that issue link.
Quote:
Last edited by mudlord; 10-06-2016 at 05:58.
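Added example, not code from any post in this thread and not from the ScyllaHide project: the post above describes two stub layouts for the same NT API, a single JMP to the gateway (Win8.1) and a JMP to a second JMP (Win10 Anniversary, with junk bytes in between). The function below follows a chain of `jmp rel32` (opcode E9) instructions through a flat byte buffer until it reaches a non-JMP byte, so a signature matcher that only expects one hop can be replaced by one that resolves the final target regardless of hop count. The buffer, offsets and marker bytes are constructed here for illustration; the buffer is treated as if offset equals RVA, which is a simplification of a mapped ntdll. A hop limit bounds the walk so a malformed or looping chain cannot hang the resolver.

```python
"""Added example (not ScyllaHide code): resolve the gateway an NT API stub
ends up in by following rel32 JMPs, whether there is one hop or several."""
import struct
from typing import Tuple

JMP_REL32 = 0xE9          # opcode of the 5-byte "jmp rel32" form
GATEWAY_RVA = 0x80        # constructed location of the gateway in the sample buffer


def follow_jmp_chain(image: bytes, rva: int, max_hops: int = 4) -> Tuple[int, int]:
    """Follow "jmp rel32" instructions starting at `rva` until a non-JMP byte.

    `image` is a flat buffer whose offsets are treated as RVAs (assumption that
    simplifies a mapped module). Returns (final_rva, hops_taken). Raises
    ValueError if the chain is longer than `max_hops`, which also stops loops.
    """
    cur, hops = rva, 0
    while cur + 5 <= len(image) and image[cur] == JMP_REL32:
        if hops >= max_hops:
            raise ValueError(f"jmp chain from {rva:#x} exceeds {max_hops} hops")
        rel = struct.unpack_from("<i", image, cur + 1)[0]  # signed 32-bit displacement
        cur = cur + 5 + rel  # target = address of next instruction + rel32
        hops += 1
    return cur, hops


def chain_is_bounded(image: bytes, rva: int, max_hops: int = 4) -> bool:
    """True if the chain at `rva` terminates within `max_hops` JMPs."""
    try:
        follow_jmp_chain(image, rva, max_hops)
        return True
    except ValueError:
        return False


def _put_jmp(img: bytearray, at: int, target: int) -> None:
    """Write a "jmp rel32" at `at` that lands on `target` (constructed helper)."""
    img[at] = JMP_REL32
    struct.pack_into("<i", img, at + 1, target - (at + 5))


def build_sample_image() -> bytes:
    """Constructed buffer with three stub layouts; these are not real ntdll bytes."""
    img = bytearray(0x100)
    # Win8.1-style stub at 0x10: a single jmp straight to the gateway.
    _put_jmp(img, 0x10, GATEWAY_RVA)
    # Anniversary-style stub at 0x20: jmp to a second jmp, junk bytes in between.
    _put_jmp(img, 0x20, 0x40)
    img[0x25:0x30] = b"\xCC" * 11  # junk that is never executed
    _put_jmp(img, 0x40, GATEWAY_RVA)
    # Stub at 0x90 that jumps backwards, to exercise the signed displacement.
    _put_jmp(img, 0x90, GATEWAY_RVA)
    # Non-JMP byte at the gateway so the walk stops there (constructed marker).
    img[GATEWAY_RVA] = 0xB8  # "mov eax, imm32", a typical first byte of a syscall stub
    return bytes(img)


def build_loop_image() -> bytes:
    """Constructed buffer where two jmps point at each other (a malformed chain)."""
    img = bytearray(0x40)
    _put_jmp(img, 0x10, 0x20)
    _put_jmp(img, 0x20, 0x10)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for start in (0x10, 0x20, 0x90):
        final, hops = follow_jmp_chain(sample, start)
        print(f"stub at {start:#06x}: gateway {final:#06x} after {hops} jmp(s)")
    print("loop chain bounded:", chain_is_bounded(build_loop_image(), 0x10))
```

Both the one-hop and the two-hop layouts resolve to the same gateway RVA, which is what a hook-placement routine actually needs; the byte pattern before the gateway can then change between Windows builds without breaking the lookup.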
#80
It seems last month's Windows Updates for 8.1 (x64) also broke the NtApiCollection.ini PDB resolvers. It was working fine until I ran the updates, rebooted and started x64dbg. When it complained about missing "NTUser* API addresses, Section: 060300000109_x86_000158A0" I ran both PDB resolvers (as admin) and copied over the fresh .ini file, but not all API addresses were resolved properly. Just to be sure I also updated x64dbg to the latest commit, but without success ...
#81
There have been massive issues with the Microsoft symbol servers recently... This was collected (took about 10 minutes) on the latest Windows 8.1 x64 https://gist.github.com/mrexodia/8aea202c1177892b4577a32927cef3bf
#82
Thanks mr. Exodia. I did notice some symbol-server issues, but after a few retries it 'completed'. As it turns out, I got returned an incorrect version tag when running PDBReader, and the network issues weren't messing things up after all (except having me retry it a couple of times):
[060200000109_x86_000158A0] instead of: [060300000109_x86_000158A0]
whilst I do have Windows 8.1 x64 (=v6.3). I changed this manually in the .ini file, after which ScyllaHide seems to work perfectly. Not sure if this is an issue with PDBReader or not, but if I should provide more info, please let me know ... PS: Kinda silly I didn't notice before ... where's the shame-on-me smiley when you need it?
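Added example, not from any post in this thread and not from the ScyllaHide project: the posts above show NtApiCollection.ini section names such as `060300000109_x86_000158A0`, and SKiLLa's case was a section written with a `0602` prefix on a Windows 8.1 (6.3) machine. The small checker below parses a section name and lists the sections for one architecture whose version prefix does not match the OS version the file is meant for, so the mismatch is found before the debugger reports missing NT APIs. It assumes only what the thread shows, namely that the first four hex digits encode the OS major and minor version (0603 = 6.3); the remaining eight digits are left opaque and the trailing part is read as the architecture and a hex RVA. The sample .ini text, its key names and values are constructed for the example and are not taken from a real NtApiCollection.ini.

```python
"""Added example (not ScyllaHide code): spot NtApiCollection.ini sections whose
version prefix does not match the Windows version they are used on."""
import re
from typing import List, NamedTuple

# Section names seen in the thread look like 060300000109_x86_000158A0.
# Assumption: first two hex pairs are OS major and minor (0603 = 6.3 = Win 8.1),
# the next eight hex digits are treated as opaque here, then arch, then RVA.
TAG_RE = re.compile(
    r"^(?P<major>[0-9A-F]{2})(?P<minor>[0-9A-F]{2})(?P<rest>[0-9A-F]{8})"
    r"_(?P<arch>x86|x64)_(?P<rva>[0-9A-F]{8})$",
    re.IGNORECASE,
)


class SectionTag(NamedTuple):
    major: int
    minor: int
    rest: str   # undecoded middle part, kept for display only
    arch: str
    rva: int


def parse_section_tag(tag: str) -> SectionTag:
    """Split a section name into its fields; raises ValueError on anything else."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not an NtApiCollection section tag: {tag!r}")
    return SectionTag(
        int(m["major"], 16), int(m["minor"], 16), m["rest"].upper(),
        m["arch"], int(m["rva"], 16),
    )


def find_mismatched_sections(ini_text: str, os_major: int, os_minor: int,
                             arch: str) -> List[str]:
    """Return section names for `arch` whose version prefix is not os_major.os_minor.

    Sections for the other architecture are skipped (an .ini normally carries
    both x86 and x64 entries), and non-tag section headers are ignored.
    """
    mismatched = []
    for line in ini_text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue  # key=value lines and comments
        try:
            tag = parse_section_tag(line[1:-1])
        except ValueError:
            continue  # some other section header, not an NT API tag
        if tag.arch != arch:
            continue
        if (tag.major, tag.minor) != (os_major, os_minor):
            mismatched.append(line[1:-1])
    return mismatched


# Constructed sample; key names are NtUser APIs mentioned in the thread,
# the addresses are made up for the example.
SAMPLE_INI = """\
; constructed sample, not a real NtApiCollection.ini
[060200000109_x86_000158A0]
NtUserQueryWindow=00001111
NtUserFindWindowEx=00002222
[060300000109_x86_000158A0]
NtUserQueryWindow=00003333
NtUserFindWindowEx=00004444
[060300000109_x64_0000BAB0]
NtUserQueryWindow=00005555
"""


if __name__ == "__main__":
    # On Windows 8.1 x64 (6.3) running the 32-bit debugger, the stale 0602 section
    # is the one that gets flagged.
    for name in find_mismatched_sections(SAMPLE_INI, 6, 3, "x86"):
        t = parse_section_tag(name)
        print(f"{name}: written for {t.major}.{t.minor}, OS is 6.3")
```

The checker only reports; as mr.exodia notes later in the thread, the proper fix when the tags are wrong is to regenerate the file with the tool rather than to edit the prefix by hand.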
#83
NT APIs missing
section 060200000109_x64_0000BAB0 file X:\x64dbg\plugins\NtApiCollection.ini
#84
Everything appears to work fine here. If Microsoft doesn't provide symbols there is not much you can do. What SKiLLa did is not a real solution, for me the problem was solved by running NtApiTool.exe again.
#85
Seems the Anniversary update problems I documented and reversed are now fixed by another person, and are now in the latest Git.
Which is super cool.
#86
ScyllaHideIDA.p64 is missing?
#87
here
plugins.7z
Also a reminder that the x64 version is a win32 build but with a different extension name.
#88
Quote:
Regards,
#89
https://mega.nz/#!rxsjmBhb!OaRLJnutaPGqf9jQUntJKs6ficb9U7m2XZ57JEWrtd0
#90
Quote: