EXETOOLS FORUM  

  #1  
Old 04-10-2014, 04:17
Carbon
ScyllaHide

ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various
functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use
TitanHide.

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory

------------------------------------------------------

ToDo:
- x64 compatibility support
- x64 Exception Support
- Better (stealth) hooks

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not
work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function addresses
from another source. The other source is the PDB file. The addresses can be resolved with this tool:
https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function addresses.
Binaries: NtApiTool.rar

Source code will be released soon!
Attached Files
File Type: rar NtApiTool.rar (1.10 MB, 175 views)
__________________
My blog: https://ntquery.wordpress.com

Last edited by Carbon; 05-03-2015 at 00:09.
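As an added example (not ScyllaHide's or Carbon's code): a small self-test target you can run under the debugger with and without HookLibrary.dll injected, to see which of the PEB-based indicators listed above (BeingDebugged, NtGlobalFlag, heap Flags/ForceFlags) still reveal the debugger. The PEB and HEAP field offsets are assumptions for Vista and later layouts; the flag decoding itself is portable and builds on any platform.

```c
/* Added example, not ScyllaHide's own code: self-test target reporting which PEB
 * indicators (BeingDebugged, NtGlobalFlag, heap Flags/ForceFlags) still reveal a
 * debugger. PEB/HEAP offsets assume Vista+ layouts; the decoding is portable. */
#include <stdint.h>
#include <stdio.h>
#define FLG_HEAP_ENABLE_TAIL_CHECK       0x10  /* NtGlobalFlag bits set when the  */
#define FLG_HEAP_ENABLE_FREE_CHECK       0x20  /* process is created by a debugger */
#define FLG_HEAP_VALIDATE_PARAMETERS     0x40  /* (0x70 together)                  */
#define HEAP_TAIL_CHECKING_ENABLED       0x20  /* HEAP.Flags/ForceFlags bits that  */
#define HEAP_FREE_CHECKING_ENABLED       0x40  /* only appear under a debugger     */
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000
enum { IND_BEINGDEBUGGED = 1, IND_NTGLOBALFLAG = 2, IND_HEAPFLAGS = 4, IND_HEAPFORCEFLAGS = 8 };

/* Pure decision logic: bitmask of the indicators an anti-debug check would trip on. */
unsigned debugger_indicators(uint8_t beingDebugged, uint32_t ntGlobalFlag,
                             uint32_t heapFlags, uint32_t heapForceFlags)
{
    unsigned r = 0;
    if (beingDebugged) r |= IND_BEINGDEBUGGED;
    if (ntGlobalFlag & (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
                        FLG_HEAP_VALIDATE_PARAMETERS)) r |= IND_NTGLOBALFLAG;
    if (heapFlags & (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED |
                     HEAP_VALIDATE_PARAMETERS_ENABLED)) r |= IND_HEAPFLAGS;
    if (heapForceFlags) r |= IND_HEAPFORCEFLAGS;  /* a clean process has ForceFlags == 0 */
    return r;
}
#ifdef _WIN32  /* collection side: reads the live PEB, only meaningful on Windows */
#include <intrin.h>
static unsigned read_peb_indicators(void)
{
#ifdef _WIN64
    uint8_t *peb  = (uint8_t *)__readgsqword(0x60);  /* TEB->ProcessEnvironmentBlock */
    uint8_t *heap = *(uint8_t **)(peb + 0x30);       /* PEB->ProcessHeap */
    return debugger_indicators(peb[2], *(uint32_t *)(peb + 0xBC),
                               *(uint32_t *)(heap + 0x70), *(uint32_t *)(heap + 0x74));
#else
    uint8_t *peb  = (uint8_t *)__readfsdword(0x30);
    uint8_t *heap = *(uint8_t **)(peb + 0x18);
    return debugger_indicators(peb[2], *(uint32_t *)(peb + 0x68),
                               *(uint32_t *)(heap + 0x40), *(uint32_t *)(heap + 0x44));
#endif
}
int main(void)
{
    unsigned r = read_peb_indicators();  /* all zero => hiding works for these checks */
    printf("BeingDebugged=%u NtGlobalFlag=%u HeapFlags=%u HeapForceFlags=%u\n",
           r & 1, (r >> 1) & 1, (r >> 2) & 1, (r >> 3) & 1);
    return 0;
}
#endif
```

Run it once normally and once under the debugger with the PEB option enabled; every field that still prints 1 is a check the hook did not cover.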
  #2  
Old 04-10-2014, 20:43
giv
Hi.
I tried your plugin with Olly2.
Unfortunately the debugger freezes when I have loaded a simple file.
This could be due to an incompatibility.
I have OllyExt installed also.
Do you know of any issue?
  #3  
Old 04-10-2014, 22:11
cypher
I tried a virgin Olly2 with just OllyExt and ScyllaHide, both with all options enabled, and it's not freezing.

Could you tell us what exact OS you are using and maybe also provide the test target?
Does it happen for ALL exe you load?
  #4  
Old 04-11-2014, 05:22
ahmadmansoor
@Carbon: very nice work as always.
@cypher: welcome on the board, have fun.
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
  #5  
Old 04-11-2014, 06:17
cypher
- added "change olly title" option to Olly1 plugin
- added "Remove EP break" to Olly1 plugin.

http://img0.www.suckmypic.net/img/V/7/Ut2y0azO/options.png

Now it runs VMProtect targets in a "virgin" Olly with only ScyllaHide !

Notes on VMP targets:

- set olly to break on system bp
- set ScyllaHide with at least these options: PEB, NtClose, NtQueryInformationProcess

(attached is only the Olly1 plugin, HookLibrary.dll is still needed from the first post!)

@ahmadmansoor thx!
Attached Files
File Type: rar ScyllaHide_v0.1b.rar (23.7 KB, 30 views)
  #6  
Old 04-11-2014, 17:34
giv
Quote (originally posted by cypher):
I tried a virgin Olly2 with just OllyExt and ScyllaHide, both with all options enabled, and it's not freezing.

Could you tell us what exact OS you are using and maybe also provide the test target?
Does it happen for ALL exe you load?
I must do further tests.
It was just a first-time run.
RUN=freeze
Maybe my fault.
I will see.

Thank you!
  #7  
Old 04-11-2014, 21:57
cypher
- added "Olly title" option to Olly2 plugin

http://img0.www.suckmypic.net/img/r/8/w6x1i2yo/options.png
Attached Files
File Type: rar ScyllaHide_Olly2_v0.1a.rar (23.6 KB, 10 views)
  #8  
Old 04-11-2014, 22:33
cypher
Please take this attachment.

(Can't edit my own previous post, or am I blind?)
Attached Files
File Type: rar ScyllaHide_Olly2_v0.1a.rar (23.6 KB, 24 views)
  #9  
Old 04-13-2014, 23:47
Carbon
Version 0.2

Warning: Since this version, ScyllaHide is not compatible with Stealth64! You need to remove the Stealth64 plugin.

- Stealth hooks for 32-bit targets to defeat protectors like Themida
- Olly Plugin: Change olly caption
- Olly v1 Plugin: Remove EP One-Shot Breakpoint for VMProtect
Attached Files
File Type: rar ScyllaHide_v0.2.rar (314.2 KB, 74 views)
__________________
My blog: https://ntquery.wordpress.com
  #10  
Old 04-14-2014, 10:05
ZeNiX
I am not very sure how to use it correctly.

For example:
My OS is Windows 8.1 x64
I am using OllyDbg 1.10
My targets are 32-bit (x86)

Which version of ScyllaHide should I use?
x64 or x86?

Also, what is the version of TE?
  #11  
Old 04-14-2014, 19:51
Ghandi2006
Thanks and great work. Is this going to remain private or can you see it going open source in the future?

HR,
Ghandi
  #12  
Old 04-14-2014, 20:36
cypher
Quote (originally posted by ZeNiX):
I am not very sure how to use it correctly.

For example:
My OS is Windows 8.1 x64
I am using OllyDbg 1.10
My targets are 32-bit (x86)

Which version of ScyllaHide should I use?
x64 or x86?

Also, what is the version of TE?
You need HookLibraryx86.dll and ScyllaHideOlly1.dll.
Olly1&2 only support x86.

x64 builds are for TitanEngine or tools using it like x64_dbg or TitanScriptGUI.

@Ghandi it will be open-sourced sometime in the near future.

Last edited by cypher; 04-14-2014 at 20:41. Reason: forgot sth
  #13  
Old 04-15-2014, 09:58
ZeNiX
Thank you.
On my system, it always pops up a messagebox saying:

---------------------------
ERROR
---------------------------
NT APIs missing

section

060200000109_x86_000162F9

file

W:\Zenix\OllyScylla\NtApiCollection.ini
---------------------------
OK
---------------------------
  #14  
Old 04-15-2014, 15:57
mr.exodia
Hey ZeNiX,

You should run NtApiTool.rar and copy the INI file in the ScyllaHide.dll directory.

Greetings
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
  #15  
Old 04-15-2014, 16:06
Kla$
@mr.exodia
Still the same error pops up.