EXETOOLS FORUM
General > Community Tools

#61 | 09-04-2015, 11:58 | Computer_Angel (Lo*eXeTools*rd; Join Date: Aug 2003; Posts: 151)
A lot of changes in ntdll in Windows 10 make ScyllaHide fail to hook functions in ntdll.
Example:

NtQueryInformationProcess
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
77768D50    B8 19000000     MOV EAX,19                               ; NTSTATUS ntdll.NtQueryInformationProcess(ProcessHandle,ProcessInfoClass,Buffer,Bufsize,pLength)
77768D55    E8 04000000     CALL ntdll.77768D5E
77768D5A    0000            ADD BYTE PTR DS:[EAX],AL
77768D5C    70 77           JO SHORT ntdll.77768DD5
77768D5E    5A              POP EDX
77768D5F    807A 03 4B      CMP BYTE PTR DS:[EDX+3],4B
77768D63    75 0A           JNE SHORT ntdll.77768D6F
77768D65    64:FF15 C0000000 CALL DWORD PTR FS:[0C0]
77768D6C    C2 1400         RETN 14
NtSetInformationThread
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
77768C90    B8 0D000000     MOV EAX,0D
77768C95    BA B0D57777     MOV EDX,ntdll.7777D5B0
77768C9A    FFD2            CALL EDX
77768C9C    C2 1000         RETN 10
Call Wow64SystemServiceCall
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
7777D5B0    64:8B15 30000000 MOV EDX,DWORD PTR FS:[30]
7777D5B7    8B92 54020000   MOV EDX,DWORD PTR DS:[EDX+254]
7777D5BD    F7C2 02000000   TEST EDX,00000002
7777D5C3    74 03           JE SHORT ntdll.7777D5C8
7777D5C5    CD 2E           INT 2E
7777D5C7    C3              RETN
7777D5C8    EA CFD57777 3300 JMP FAR 0033:7777D5CF                    ; Far jump or call
7777D5CF    41              INC ECX
7777D5D0    FFA7 F8000000   JMP DWORD PTR DS:[EDI+0F8]
__________________
Welcome to my place http://www.reaonline.net

Last edited by Computer_Angel; 09-04-2015 at 12:45.
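Added example (not ScyllaHide code, and not from any poster in this thread): a small Python recogniser for the two x86 WOW64 stub layouts in the listings above, with the sample bytes constructed from those listings. A matcher that only knows the older `MOV EAX,n / MOV EDX,gateway / CALL EDX / RETN` shape gets nothing back for the Windows 10 `CALL $+4 / POP EDX / CMP BYTE PTR [EDX+3],4B / CALL FS:[0C0]` shape, which is the failure the post describes; the same check is what a stub-integrity scanner uses to flag a stub that matches no known layout (either a new OS build or a patched stub). The `embedded_dword` field and the 15/31-byte lengths are derived from the listed bytes, not from documentation.

```python
"""Recognise the two WOW64 ntdll syscall-stub layouts shown in the listings above."""
import struct

# Sample bytes constructed from the OllyDbg listings in post #61 (Windows 10 x86 ntdll).
# NtSetInformationThread: MOV EAX,0D / MOV EDX,7777D5B0 / CALL EDX / RETN 10
STUB_MOV_EDX_CALL = bytes.fromhex("B80D000000" "BAB0D57777" "FFD2" "C21000")
# NtQueryInformationProcess: MOV EAX,19 / CALL $+4 / dd 77700000 / POP EDX /
#   CMP BYTE PTR [EDX+3],4B / JNE +0A / CALL DWORD PTR FS:[0C0] / RETN 14
STUB_CALL_POP_EDX = bytes.fromhex(
    "B819000000" "E804000000" "00007077" "5A" "807A034B" "750A" "64FF15C0000000" "C21400")


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def classify_stub(code):
    """Describe a recognised stub, or return None when neither layout matches
    (the case a fixed-pattern hooker reports as 'Unknown syscall structure!')."""
    if len(code) < 15 or code[0] != 0xB8:          # every stub starts with MOV EAX, imm32
        return None
    syscall = _u32(code, 1)
    # Layout 1 (older style): MOV EDX, gateway ; CALL EDX ; RETN imm16
    if code[5] == 0xBA and code[10:12] == b"\xFF\xD2" and code[12] == 0xC2:
        return {"kind": "mov_edx_call", "syscall": syscall,
                "gateway": _u32(code, 6), "retn_imm": _u16(code, 13), "length": 15}
    # Layout 2 (Windows 10 style): CALL $+4 steps over an embedded dword, POP EDX picks
    # up its address, then CMP BYTE [EDX+3],4B / JNE / CALL FS:[0C0] / RETN imm16
    if (len(code) >= 31 and code[5] == 0xE8 and _u32(code, 6) == 4
            and code[14] == 0x5A and code[15:19] == b"\x80\x7A\x03\x4B"
            and code[19] == 0x75 and code[21:28] == b"\x64\xFF\x15\xC0\x00\x00\x00"
            and code[28] == 0xC2):
        return {"kind": "call_pop_edx", "syscall": syscall,
                "embedded_dword": _u32(code, 10), "retn_imm": _u16(code, 29), "length": 31}
    return None


def scan_stubs(blob, base):
    """Walk a byte blob and return (address, info) for every recognised stub,
    skipping one byte at a time over anything that matches neither layout."""
    found, off = [], 0
    while off < len(blob):
        info = classify_stub(blob[off:])
        if info:
            found.append((base + off, info))
            off += info["length"]
        else:
            off += 1
    return found


if __name__ == "__main__":
    # Constructed blob: two int3 bytes, then the two sample stubs back to back.
    sample = b"\xCC\xCC" + STUB_MOV_EDX_CALL + STUB_CALL_POP_EDX
    for addr, info in scan_stubs(sample, 0x1000):
        print(hex(addr), info)
```

Running the file prints one line per recognised stub; feeding it a stub with a patched first instruction (for example an inline hook) returns no match, which is the signal a scanner would act on.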
#62 | 09-04-2015, 15:56 | ragdog (Friend; Join Date: Feb 2011; Posts: 50)
Quote:
Anyone try using ScyllaHide in win 10 ? I try but could not hide from debugger anymore . Now debugging to find the problem.
Is ScyllaHide compatible with Win 10?

Regards,
#63 | 09-04-2015, 16:05 | Computer_Angel (Lo*eXeTools*rd; Join Date: Aug 2003; Posts: 151)
Quote:
Originally Posted by ragdog View Post
Is ScyllaHide compatible with Win 10?

Regards,
Nopes. There's a lot of change. First need to fix the remote hook feature.
__________________
Welcome to my place http://www.reaonline.net
#64 | 09-05-2015, 00:19 | Carbon (VIP; Join Date: Sep 2013; Posts: 113)
Win 10 is a nightmare for "stealth" hooking. Probably they wanted to defeat malware.

I think I can work on it this weekend.
__________________
My blog: https://ntquery.wordpress.com
#65 | 09-07-2015, 13:15 | Computer_Angel (Lo*eXeTools*rd; Join Date: Aug 2003; Posts: 151)
Call Wow64SystemServiceCall is now separate for ntdll and user32.dll, maybe other DLLs too. So we need to change the NativeContinue structure to suit this.
__________________
Welcome to my place http://www.reaonline.net
#66 | 09-08-2015, 02:09 | Carbon (VIP; Join Date: Sep 2013; Posts: 113)
Win10 has more surprises to offer:

https://ntquery.wordpress.com/2015/09/07/windows-10-new-anti-debug-outputdebugstringw/

I also see some weird behavior of NtQueryInformationProcess. You can query ProcessBasicInformation with different buffer sizes.

size = 24 -> normal behavior, expected size like in all windows editions
size = 32 -> extended information? You can get more information...
__________________
My blog: https://ntquery.wordpress.com
#67 | 12-11-2015, 03:05 | Storm Shadow (Family; Join Date: Jun 2014; Posts: 269)
@Carbon, is there any update on making this work on Win 10?
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm."

Today I whispered in the devils ear, "I am the storm."
#68 | 04-21-2016, 10:41 | mudlord (Family; Join Date: Aug 2015; Posts: 83)
Don't ask questions, here is fixed ScyllaHide for Windows 10 x86/x64.
Tested with x64/x32dbg on VMProtect and Obsidium targets.

Quote:
http://rghost.net/69ndDMkDg

Last edited by mudlord; 04-21-2016 at 10:50.
#69 | 04-22-2016, 09:46 | mr.exodia (Super Moderator; Join Date: Nov 2011; Posts: 822)
This is the version of ScyllaHide that I use personally. It includes the fix provided by mudlord in the previous post (fix made by Colin). I also push this to the 'vs13' branch on the original repository.

Code:
https://github.com/x64dbg/ScyllaHide

Build of the latest version is always available here:
https://ci.appveyor.com/project/mrex...uild/artifacts
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
#70 | 08-26-2016, 19:30 | Syoma (reverse engineer; Join Date: May 2009; Posts: 323)
Quote:
WRONG!!! Size of IDA_SERVER_EXCHANGE 648 == 645?
Does it need the special update?
#71 | 08-26-2016, 20:23 | Storm Shadow (Family; Join Date: Jun 2014; Posts: 269)
Quote:
Originally Posted by Syoma View Post
Does it need the special update?
I get same error in the newest version.
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm."

Today I whispered in the devils ear, "I am the storm."
#72 | 08-27-2016, 06:01 | sendersu (VIP; Join Date: Oct 2010; Posts: 620)
The error comes from idaserver.cpp:
Code:
#include <stdio.h>

int main(int argc, char *argv[])
{
	LogWrap = LogWrapper;
	LogErrorWrap = LogWrapper;

	/* Guard against a plugin/server ABI mismatch: the struct size compiled into
	   this binary must equal the size the IDA SDK version it was built against expects. */
	if (sizeof(IDA_SERVER_EXCHANGE) != IDA_SERVER_EXCHANGE_STRUCT_SIZE)
	{
		/* sizeof() is a size_t, so print it with %zu rather than %d */
		printf("WRONG!!! Size of IDA_SERVER_EXCHANGE %zu == %zu?\n\n",
		       sizeof(IDA_SERVER_EXCHANGE), (size_t)IDA_SERVER_EXCHANGE_STRUCT_SIZE);
		getchar();
		return 0;
	}
	/* ... remainder of main() not quoted in the post ... */
}
#73 | 08-28-2016, 19:19 | mr.exodia (Super Moderator; Join Date: Nov 2011; Posts: 822)
Probably this can be fixed by updating the SDK to the same version as your IDA version...
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
#74 | 08-29-2016, 04:57 | sendersu (VIP; Join Date: Oct 2010; Posts: 620)
I guess these days everybody has already switched to the latest public IDA...
six dot eight

BTW, anybody seen this kind of warning (error?) in IDA:

---------------------------
Error
---------------------------
Failed to unprotect WOW64 gateway
---------------------------
OK
---------------------------

Last edited by sendersu; 08-29-2016 at 05:02.
#75 | 08-29-2016, 21:56 | Kla$ (VIP; Join Date: Mar 2013; Posts: 107)
Please fix the bug with the Windows 10 update in OllyDbg1 and OllyDbg2.
Thank you in advance.

---------------------------
Error
---------------------------
Windows 10 SysWowSpecialJmpAddress was not found!
---------------------------

---------------------------
ERROR
---------------------------
Unknown syscall structure!
---------------------------