#1
ScyllaHide
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\ (can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory

------------------------------------------------------

ToDo:
- x64 compatibility support
- x64 Exception Support
- Better (stealth) hooks

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function addresses from another source. The other source is the PDB file. The addresses can be resolved with this tool: https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function addresses.

Binaries: NtApiTool.rar
Source code will be released soon!
__________________
My blog: https://ntquery.wordpress.com
Last edited by Carbon; 05-03-2015 at 00:09.
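The "PEB - BeingDebugged, NtGlobalFlag, Heap Flags" entry in the hook list above names three process fields that a protector reads and that a hiding hook therefore has to normalize. The following C program is an added example, not ScyllaHide's own code: it encodes the three indicators as plain decision functions (so they can be run anywhere), applies the normalization a PEB hook performs, and on Windows reads the live fields through the documented TEB/PEB pointers. The PEB and heap offsets are assumed to be the Vista-and-later layouts; the `NTGF_*`/`HEAPF_*` macro names and every function name are this example's own.

```c
/* Added example (not ScyllaHide code): the user-mode debugger indicators behind the
 * "PEB" hook (BeingDebugged, NtGlobalFlag, heap Flags/ForceFlags), as a protector checks
 * them and as a hiding hook must normalize them. Decision helpers are portable; the PEB
 * reader only builds on Windows and assumes Vista-or-later structure offsets. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* NtGlobalFlag heap-debugging bits the loader sets for a process created under a debugger
 * (real names: FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK, FLG_HEAP_VALIDATE_PARAMETERS). */
#define NTGF_HEAP_ENABLE_TAIL_CHECK     0x10u
#define NTGF_HEAP_ENABLE_FREE_CHECK     0x20u
#define NTGF_HEAP_VALIDATE_PARAMETERS   0x40u
#define NTGF_DEBUGGER_BITS \
    (NTGF_HEAP_ENABLE_TAIL_CHECK | NTGF_HEAP_ENABLE_FREE_CHECK | NTGF_HEAP_VALIDATE_PARAMETERS)

/* Default-heap flag bits. A debuggee's heap typically shows Flags = 0x50000062 and
 * ForceFlags = 0x40000060 where a normally started process has 0x2 and 0. */
#define HEAPF_GROWABLE                  0x00000002u
#define HEAPF_TAIL_CHECKING_ENABLED     0x00000020u
#define HEAPF_FREE_CHECKING_ENABLED     0x00000040u
#define HEAPF_SKIP_VALIDATION_CHECKS    0x10000000u
#define HEAPF_VALIDATE_PARAMETERS       0x40000000u

typedef struct {
    uint8_t  being_debugged;   /* PEB+0x02 (x86 and x64) */
    uint32_t nt_global_flag;   /* PEB+0x68 (x86) / PEB+0xBC (x64) */
    uint32_t heap_flags;       /* ProcessHeap+0x40 (x86) / +0x70 (x64), Vista+ */
    uint32_t heap_force_flags; /* ProcessHeap+0x44 (x86) / +0x74 (x64), Vista+ */
} peb_debug_fields;

/* True when all three heap-debug bits are present, the usual debugger-created signature. */
bool nt_global_flag_indicates_debugger(uint32_t nt_global_flag)
{
    return (nt_global_flag & NTGF_DEBUGGER_BITS) == NTGF_DEBUGGER_BITS;
}

/* True when the heap carries anything beyond HEAP_GROWABLE or has any ForceFlags at all. */
bool heap_flags_indicate_debugger(uint32_t flags, uint32_t force_flags)
{
    return (flags & ~HEAPF_GROWABLE) != 0 || force_flags != 0;
}

/* Combined verdict: any single indicator is enough for a protector to refuse to run. */
bool peb_indicates_debugger(const peb_debug_fields *f)
{
    return f->being_debugged != 0
        || nt_global_flag_indicates_debugger(f->nt_global_flag)
        || heap_flags_indicate_debugger(f->heap_flags, f->heap_force_flags);
}

/* What a hiding hook writes back: the values of a process started without a debugger. */
void peb_fields_normalize(peb_debug_fields *f)
{
    f->being_debugged   = 0;
    f->nt_global_flag  &= ~NTGF_DEBUGGER_BITS;
    f->heap_flags       = HEAPF_GROWABLE;
    f->heap_force_flags = 0;
}

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>
/* Reads the live fields of the current process via the TEB->PEB pointer (fs:[0x30] / gs:[0x60]). */
static peb_debug_fields read_live_peb_fields(void)
{
    peb_debug_fields f;
#ifdef _WIN64
    const uint8_t *peb  = (const uint8_t *)__readgsqword(0x60);
    const uint8_t *heap = *(const uint8_t *const *)(peb + 0x30);
    f.nt_global_flag    = *(const uint32_t *)(peb + 0xBC);
    f.heap_flags        = *(const uint32_t *)(heap + 0x70);
    f.heap_force_flags  = *(const uint32_t *)(heap + 0x74);
#else
    const uint8_t *peb  = (const uint8_t *)__readfsdword(0x30);
    const uint8_t *heap = *(const uint8_t *const *)(peb + 0x18);
    f.nt_global_flag    = *(const uint32_t *)(peb + 0x68);
    f.heap_flags        = *(const uint32_t *)(heap + 0x40);
    f.heap_force_flags  = *(const uint32_t *)(heap + 0x44);
#endif
    f.being_debugged = peb[0x02];
    return f;
}
#endif

int main(void)
{
#ifdef _WIN32
    peb_debug_fields f = read_live_peb_fields();
#else
    /* Constructed values of a typical debuggee, so the helpers can be exercised off Windows. */
    peb_debug_fields f = { 1, 0x70u, 0x50000062u, 0x40000060u };
#endif
    printf("BeingDebugged=%u NtGlobalFlag=0x%08X HeapFlags=0x%08X ForceFlags=0x%08X -> %s\n",
           (unsigned)f.being_debugged, f.nt_global_flag, f.heap_flags, f.heap_force_flags,
           peb_indicates_debugger(&f) ? "debugger indicated" : "clean");
    peb_fields_normalize(&f);
    printf("after normalization -> %s\n",
           peb_indicates_debugger(&f) ? "debugger indicated" : "clean");
    return 0;
}
```

Run it once inside a debugger and once outside to see the three fields differ; the normalization step is exactly the difference a PEB hook has to paper over, which is also why a hook that clears only BeingDebugged (the field behind IsDebuggerPresent) leaves the NtGlobalFlag and heap checks intact.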
#2
Hi.
I tried your plugin with Olly2. Unfortunately the debugger freezes when I have loaded a simple file. This could be due to an incompatibility. I have OllyExt installed also. Do you know of any issue?
#3
I tried a virgin Olly2 with just OllyExt and ScyllaHide, both with all options enabled, and it's not freezing.
Could you tell us what exact OS you are using and maybe also provide the test target? Does it happen for ALL exes you load?
#4
@Carbon: very nice work as always.
@cypher: welcome on the board, have fun.
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#5
- added "change olly title" option to Olly1 plugin
- added "Remove EP break" to Olly1 plugin.
http://img0.www.suckmypic.net/img/V/7/Ut2y0azO/options.png

Now it runs VMProtect targets in a "virgin" Olly with only ScyllaHide!

Notes on VMP targets:
- set olly to break on system bp
- set ScyllaHide with at least these options: PEB, NtClose, NtQueryInformationProcess

(attached is only the Olly1 plugin, HookLibrary.dll still needed from first post!)

@ahmadmansoor thx!
#6
Was just a first-time run. RUN=freeze. Maybe my fault. I will see. Thank you!
#7
- added "Olly title" option to Olly2 plugin
http://img0.www.suckmypic.net/img/r/8/w6x1i2yo/options.png
#8
Please take this attachment.
(Can't edit my own previous post, or am I blind?)
#9
Version 0.2
Warning: Since this version, ScyllaHide is not compatible with Stealth64! You need to remove the Stealth64 plugin.

- Stealth hooks for 32-bit targets to defeat protectors like Themida
- Olly Plugin: Change olly caption
- Olly v1 Plugin: Remove EP One-Shot Breakpoint for VMProtect
__________________
My blog: https://ntquery.wordpress.com
#10
I am not very sure how to use it correctly.
For example:
My OS is Windows 8.1 x64
I am using Ollydbg 1.10
My Target is 32-bit targets (x86)
Which version of ScyllaHide should I use? x64 or x86? Also, what is the version of TE?
#11
Thanks and great work. Is this going to remain private or can you see it going open source in the future?
HR, Ghandi
#12
Olly1&2 only support x86. x64 builds are for TitanEngine or tools using it like x64_dbg or TitanScriptGUI.
@Ghandi it will be open-sourced sometime in the near future.
Last edited by cypher; 04-14-2014 at 20:41. Reason: forgot sth
#13
Thank you.
On my system, it always pops up a messagebox saying:

    ---------------------------
    ERROR
    ---------------------------
    NT APIs missing section 060200000109_x86_000162F9 file W:\Zenix\OllyScylla\NtApiCollection.ini
    ---------------------------
    OK
    ---------------------------
#14
Hey ZeNiX,
You should run NtApiTool.rar and copy the INI file into the ScyllaHide.dll directory. Greetings
#15
@mr.exodia
Still the same error pops up.