EXETOOLS FORUM  
#31  05-07-2014, 01:33
ahmadmansoor (Exetools Team Manager)
Hi Carbon:
I think I tried both files, my compiled and your release builds, and same result.
I noted that too: when I use IDA it tries to inject the dll and it fails too.
I have coded a plugin for x64_dbg.
So when I use
Quote:
    if (specialPebFix)
    {
        StartFixBeingDebugged(ProcessId, false);
        specialPebFix = false;
    }

    if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
    {
        StartFixBeingDebugged(ProcessId, true);
        specialPebFix = true;
    }
after cbCB_DEBUGEVENT, so if we use it the debugger will be caught.
Maybe I do something wrong.
#32  05-07-2014, 02:03
Carbon (VIP)
Your problem is probably the structure alignment. You must adjust the compiler settings to 1 byte structure alignment.
#33  05-07-2014, 02:07
ahmadmansoor (Exetools Team Manager)
It is already 1 Byte (/Zp1),
but I use VS 2010 v100, not v120, if that could make a problem!!
#34  05-07-2014, 02:20
cypher (Friend)
@ahmadmansoor

Fork the scyllahide repo on bitbucket, then push the plugin as a new project in the solution and I'll have a look and fix up the project.

Edit: platform toolset isn't a problem. Actually all plugins and the hooklib are built for release with v90 for compatibility reasons, but I do use v100 myself for developing. Also I do use VS2010.
#35  05-09-2014, 03:55
Carbon (VIP)
Version 0.9

- All plugins use a separate scylla_hide.ini now. The ini is interchangeable between plugins!
  (ini section in ollydbg.ini now deprecated!)
- Load/Save ini profiles in Olly1&2 and IDA plugin
- RunPE malware unpacker
- NtSetInformationProcess Hook in GUI


Please post your special Protector Profiles here.
#36  05-09-2014, 14:39
giv (VIP)
Hi Carbon (although I'm used to spelling another name.)
Your ScyllaHide does not seem to get along with OdbgScript.
As I related before, with Phantom and StrongOD it is OK to run the script, and with ScyllaHide the script just "goes in the ditch".
I think I will review my script and I will send it to you or eXoDia to take a look, along with some unpackmes.
#37  05-10-2014, 04:59
mr.exodia (Super Moderator)
Structure alignment of x64_dbg will be forced to 1 byte in the next release.

Greetings
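An added example (not code from this thread, from x64_dbg or from ScyllaHide) showing why host and plugin must agree on structure packing, as discussed in posts #32, #33 and #37: the same record laid out with default alignment and with /Zp1 (#pragma pack(1)) puts the pointer field at different offsets, so a plugin built one way reads garbage from a host built the other way. The struct, its field names and the sample address are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical callback record (NOT the real x64_dbg SDK struct): a one-byte
 * flag followed by a pointer-sized field, like an "ntdll was loaded" flag and
 * the lpBaseOfDll it refers to, as laid out by a host built with default alignment. */
typedef struct {
    uint8_t   flag;
    uintptr_t base;
} HostLayout;

/* The same record as a plugin built with /Zp1 (#pragma pack(1)) sees it. */
#pragma pack(push, 1)
typedef struct {
    uint8_t   flag;
    uintptr_t base;
} PluginLayout;
#pragma pack(pop)

size_t host_base_offset(void)   { return offsetof(HostLayout, base); }
size_t plugin_base_offset(void) { return offsetof(PluginLayout, base); }

/* A cheap handshake both sides can do before trusting any field: if the two
 * builds disagree on sizeof, every field after the first is at risk. */
int layouts_compatible(void) { return sizeof(HostLayout) == sizeof(PluginLayout); }

/* Host fills the record with its layout; the plugin reinterprets the same bytes
 * with the packed layout. Returns the base address the plugin ends up with. */
uintptr_t base_seen_by_plugin(uintptr_t real_base) {
    HostLayout host;
    memset(&host, 0, sizeof host);          /* zero the padding bytes too */
    host.flag = 1;
    host.base = real_base;
    PluginLayout plugin;
    memcpy(&plugin, &host, sizeof plugin);  /* plugin copies only its own size */
    return plugin.base;                     /* reads padding + a slice of base */
}

int main(void) {
    uintptr_t ntdll = (uintptr_t)0x77ee0000u;   /* constructed sample address */
    printf("host:   base at +%zu, sizeof %zu\n", host_base_offset(), sizeof(HostLayout));
    printf("plugin: base at +%zu, sizeof %zu\n", plugin_base_offset(), sizeof(PluginLayout));
    printf("compatible: %s\n", layouts_compatible() ? "yes" : "no");
    printf("host wrote %#lx, plugin read %#lx\n",
           (unsigned long)ntdll, (unsigned long)base_seen_by_plugin(ntdll));
    return 0;
}
```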
#38  05-11-2014, 01:17
Carbon (VIP)
Version 1.0

- added sprintf %s Olly1 bugfix to "Fix Olly bugs"
- x64dbg 32/64bit plugins https://bitbucket.org/mrexodia/x64_dbg
- fixed alignment bug 64bit


The default ini contains settings for these protectors:
- VMProtect x86/x64
- Obsidium x86
- Themida x86
- Armadillo x86

Themida/Winlicense x64 will only work with TitanHide
#39  05-11-2014, 04:57
sendersu (VIP)
Very nice work! Congrats and keep going.
Generally speaking you are the first who did the x64 plugin for IDA, but I'm starting to test it from x32 as well.
Some minor notes so far:

1) Version 1.0: on Update check
http://prntscr.com/3i1484

win xp sp3 eng prof x32
IDA 6.1 x32

2) version.txt inside the archive ScyllaHide_v1.0.rar contains the string "0.9"
3) How to use the feature "RunPE malware unpacker"?
#40  08-17-2014, 02:00
Carbon (VIP)
New Version here.

Version 1.1
- Added "thanks" to About
- Added kill anti-attach (for x86 only)
- Olly v1 Plugin: Advanced CTRL+G
- Olly v1 Plugin: Skip "compressed code" message
- Olly v1 Plugin: Ignore bad PE image (WinUPack)
- Olly v1 Plugin: Skip "Load DLL" message

Thanks to MaRKuS-DJM for OllyAdvanced assembler source code.

Check out the new documentation: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.1Doc.pdf
#41  08-18-2014, 23:35
jump (VIP)
Does it support any version of IDA or a specific version?
#42  08-19-2014, 00:38
Carbon (VIP)
ScyllaHide is tested with IDA Pro 6.1, 6.3 and 6.5.
#43  08-20-2014, 05:03
Storm Shadow (Family)
Plugin is running like a charm, and hiding very well.
Would it be possible to add the very nice pdf as tooltips to the combo box, explaining each item, in future versions?
I'm using the IDA version.

Regards
#44  08-22-2014, 02:31
Carbon (VIP)
@Storm Shadow

I don't think it is necessary to add tooltips. This is a lot of work for a very little usability increase.

@ALL
There is a mistake in the provided Themida configuration!!! You must enable all NtUser* hooks for Themida! This is missing in the standard configuration.

NtUserBuildHwndListHook=1
NtUserFindWindowExHook=1
NtUserQueryWindowHook=1


The Olly v1 plugin was updated with a little olly bugfix.
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHideOllyv1_v1.2.rar

And doc update:
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.2Doc.pdf
(e.g. more info about RunPE)
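An added example (not part of the post or of the ScyllaHide project) that checks a profile written in the key=value style shown above for the three NtUser* hooks Carbon says a Themida profile must enable; the section naming and the sample ini contents are assumptions, constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the key=value style of the post. The section naming
 * of the real scylla_hide.ini is an assumption, not taken from the project. */
static const char SAMPLE_INI[] =
    "[Themida x86]\n"
    "NtUserBuildHwndListHook=0\n"
    "NtUserFindWindowExHook=1\n"
    "NtUserQueryWindowHook = 1\n"
    "[VMProtect x86/x64]\n"
    "NtUserQueryWindowHook=1\n";

/* The hooks the post says every Themida profile must have enabled. */
static const char *const REQUIRED[] = {
    "NtUserBuildHwndListHook", "NtUserFindWindowExHook", "NtUserQueryWindowHook" };
enum { NREQ = 3 };

/* Bitmask (bit i = REQUIRED[i]) of hooks that are absent or not set to 1 in
 * [section]. 0 means the profile passes. Tolerates spaces around '='. */
unsigned missing_hooks(const char *ini, const char *section) {
    unsigned seen = 0; int in_section = 0;
    size_t slen = strlen(section);
    for (const char *p = ini; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[0] == '[') {                  /* section header */
            in_section = len == slen + 2 && p[len - 1] == ']' &&
                         strncmp(p + 1, section, slen) == 0;
        } else if (in_section) {
            for (int i = 0; i < NREQ; i++) {
                size_t kl = strlen(REQUIRED[i]);
                if (len <= kl || strncmp(p, REQUIRED[i], kl) != 0) continue;
                const char *v = p + kl;
                if (*v != '=' && *v != ' ') continue;  /* longer key, not ours */
                while (v < p + len && (*v == ' ' || *v == '=')) v++;
                if (v < p + len && *v == '1') seen |= 1u << i;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return ((1u << NREQ) - 1) & ~seen;
}

int main(void) {
    unsigned miss = missing_hooks(SAMPLE_INI, "Themida x86");
    for (int i = 0; i < NREQ; i++)
        if (miss & (1u << i)) printf("[Themida x86] lacks %s=1\n", REQUIRED[i]);
    return miss ? 1 : 0;
}
```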
#45  08-22-2014, 07:32
UniSoft (Family)
Quote:
Originally Posted by Carbon
I don't think it is necessary to add tooltips. This is a lot of work for a very little usability increase
Indeed it is not too much work!
Check the attachment... By the way, maybe someone can help to fill in all the tips.
There is only one problem: you've made separate checkboxes and labels in the dialog template, but you need to use only the checkbox (set Caption and Left Text = True).
Attached file: ToolTips.c.txt (6.7 KB)