Exetools  

  #1  
Carbon (VIP), 04-10-2014, 04:17
ScyllaHide

ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various
functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use
TitanHide.

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory

------------------------------------------------------

ToDo:
- x64 compatibility support
- x64 Exception Support
- Better (stealth) hooks

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not
work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function addresses
from another source. The other source is the PDB file. The addresses can be resolved with this tool:
https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function addresses.
Binaries: NtApiTool.rar

Source code will be released soon!
Attached Files
File Type: rar NtApiTool.rar (1.10 MB, 185 views)
__________________
My blog: https://ntquery.wordpress.com

Last edited by Carbon; 05-03-2015 at 00:09.
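The first hiding entry in the post above, "PEB - BeingDebugged, NtGlobalFlag, Heap Flags", covers the three process-local fields a protector reads without any API call. The following is an added example, not code from this thread or from the ScyllaHide project, that models those three indicators on constructed byte images of the PEB and of the process heap header so it runs offline on any OS. It shows what a debugged process looks like in those fields, what an anti-anti-debug "PEB" option has to normalise, and lets an analyst check a memory dump before and after the plugin is loaded. The field offsets are the documented x86/x64 layouts and are the only assumption; the byte images are constructed samples, not real dumps.

```python
"""Model of the PEB/heap debugger indicators hidden by the "PEB" option.
Added example, not part of the thread or of ScyllaHide. Offsets below are the
documented x86 and x64 PEB / _HEAP layouts (assumption: Vista or later).
"""
import struct
from dataclasses import dataclass

# Field offsets inside the PEB and the _HEAP header, per architecture
LAYOUT = {
    "x86": {"BeingDebugged": 0x02, "NtGlobalFlag": 0x68, "HeapFlags": 0x40, "HeapForceFlags": 0x44},
    "x64": {"BeingDebugged": 0x02, "NtGlobalFlag": 0xBC, "HeapFlags": 0x70, "HeapForceFlags": 0x74},
}

# NtGlobalFlag bits the loader sets when the process starts under a debugger
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
NTGLOBALFLAG_DEBUG_MASK = (FLG_HEAP_ENABLE_TAIL_CHECK
                           | FLG_HEAP_ENABLE_FREE_CHECK
                           | FLG_HEAP_VALIDATE_PARAMETERS)  # 0x70

# _HEAP.Flags / ForceFlags: HEAP_GROWABLE is normal, the rest come from the debug heap
HEAP_GROWABLE = 0x00000002
HEAP_TAIL_CHECKING_ENABLED = 0x00000020
HEAP_FREE_CHECKING_ENABLED = 0x00000040
HEAP_VALIDATE_PARAMETERS_ENABLED = 0x40000000
HEAP_DEBUG_MASK = (HEAP_TAIL_CHECKING_ENABLED
                   | HEAP_FREE_CHECKING_ENABLED
                   | HEAP_VALIDATE_PARAMETERS_ENABLED)


@dataclass
class ProcessImage:
    """Raw bytes of a PEB and of its process heap header (constructed samples)."""
    arch: str
    peb: bytearray
    heap: bytearray


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _set_u32(buf, off, val):
    struct.pack_into("<I", buf, off, val & 0xFFFFFFFF)


def make_image(arch, debugged):
    """Build a constructed PEB + heap image, clean or as a debugger leaves it."""
    lay = LAYOUT[arch]
    peb = bytearray(0x200)   # large enough for the x64 NtGlobalFlag offset
    heap = bytearray(0x100)
    _set_u32(heap, lay["HeapFlags"], HEAP_GROWABLE)
    if debugged:
        peb[lay["BeingDebugged"]] = 1
        _set_u32(peb, lay["NtGlobalFlag"], NTGLOBALFLAG_DEBUG_MASK)
        _set_u32(heap, lay["HeapFlags"], HEAP_GROWABLE | HEAP_DEBUG_MASK)
        _set_u32(heap, lay["HeapForceFlags"], HEAP_DEBUG_MASK)
    return ProcessImage(arch, peb, heap)


def debug_indicators(img):
    """Return the names of the PEB/heap fields that currently betray a debugger."""
    lay = LAYOUT[img.arch]
    found = []
    if img.peb[lay["BeingDebugged"]]:
        found.append("BeingDebugged")
    if _u32(img.peb, lay["NtGlobalFlag"]) & NTGLOBALFLAG_DEBUG_MASK:
        found.append("NtGlobalFlag")
    if (_u32(img.heap, lay["HeapFlags"]) & HEAP_DEBUG_MASK) or _u32(img.heap, lay["HeapForceFlags"]):
        found.append("HeapFlags")
    return found


def hide_peb(img):
    """Normalise the three fields the way an anti-anti-debug PEB option does."""
    lay = LAYOUT[img.arch]
    img.peb[lay["BeingDebugged"]] = 0
    _set_u32(img.peb, lay["NtGlobalFlag"],
             _u32(img.peb, lay["NtGlobalFlag"]) & ~NTGLOBALFLAG_DEBUG_MASK)
    _set_u32(img.heap, lay["HeapFlags"], HEAP_GROWABLE)
    _set_u32(img.heap, lay["HeapForceFlags"], 0)
    return img


if __name__ == "__main__":
    for arch in ("x86", "x64"):
        img = make_image(arch, debugged=True)
        before = debug_indicators(img)
        after = debug_indicators(hide_peb(img))
        print(f"{arch}: before={before} after={after}")
```

Note that the heap flags live in the _HEAP header reached through PEB.ProcessHeap, not in the PEB itself, which is why the model keeps two buffers; a check that only clears BeingDebugged leaves the other two fields intact, and debug_indicators would still report them.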
  #2  
giv (VIP, Romania), 04-10-2014, 20:43
Hi.
I tried your plugin with Olly2.
Unfortunately the debugger freezes when I have loaded a simple file.
This could be due to an incompatibility.
I have OllyExt installed also.
Do you know of any issue?
  #3  
cypher (Friend), 04-10-2014, 22:11
I tried a virgin Olly2 with just OllyExt and ScyllaHide, both with all options enabled, and it's not freezing.

Could you tell us what exact OS you are using and maybe also provide the test target?
Does it happen for ALL exes you load?
  #4  
ahmadmansoor (Coder, Syria), 04-11-2014, 05:22
@Carbon: very nice work as always.
@cypher: welcome on the board, have fun.
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
  #5  
cypher (Friend), 04-11-2014, 06:17
- added "change olly title" option to Olly1 plugin
- added "Remove EP break" to Olly1 plugin.

http://img0.www.suckmypic.net/img/V/7/Ut2y0azO/options.png

Now it runs VMProtect targets in a "virgin" Olly with only ScyllaHide !

Notes on VMP targets:

- set olly to break on system bp
- set ScyllaHide with at least these options: PEB, NtClose, NtQueryInformationProcess

(attached is only the Olly1 plugin; HookLibrary.dll is still needed from the first post!)

@ahmadmansoor thx!
Attached Files
File Type: rar ScyllaHide_v0.1b.rar (23.7 KB, 34 views)
  #6  
giv (VIP, Romania), 04-11-2014, 17:34
Quote:
Originally Posted by cypher
I tried a virgin Olly2 with just OllyExt and ScyllaHide, both with all options enabled, and it's not freezing.

Could you tell us what exact OS you are using and maybe also provide the test target?
Does it happen for ALL exes you load?
I must do further tests.
Was just a first time run.
RUN=freeze
Maybe my fault.
I will see.

Thank you!
  #7  
cypher (Friend), 04-11-2014, 21:57
- added "Olly title" option to Olly2 plugin

http://img0.www.suckmypic.net/img/r/8/w6x1i2yo/options.png
Attached Files
File Type: rar ScyllaHide_Olly2_v0.1a.rar (23.6 KB, 12 views)
  #8  
cypher (Friend), 04-11-2014, 22:33
Please take this attachment.

(can't edit my own previous post, or am I blind?)
Attached Files
File Type: rar ScyllaHide_Olly2_v0.1a.rar (23.6 KB, 27 views)
  #9  
Carbon (VIP), 04-13-2014, 23:47
Version 0.2

Warning: Since this version, ScyllaHide is not compatible with Stealth64! You need to remove the Stealth64 plugin.

- Stealth hooks for 32-bit targets to defeat protectors like Themida
- Olly Plugin: Change olly caption
- Olly v1 Plugin: Remove EP One-Shot Breakpoint for VMProtect
Attached Files
File Type: rar ScyllaHide_v0.2.rar (314.2 KB, 79 views)
__________________
My blog: https://ntquery.wordpress.com
  #10  
ZeNiX (Administrator), 04-14-2014, 10:05
I am not very sure how to use it correctly.

For example:
My OS is Windows 8.1 x64
I am using Ollydbg 1.10
My targets are 32-bit (x86)

Which version of ScyllaHide should I use?
x64 or x86?

Also, what is the version of TE?
  #11  
Ghandi2006 (VIP), 04-14-2014, 19:51
Thanks and great work. Is this going to remain private or can you see it going open source in the future?

HR,
Ghandi
  #12  
cypher (Friend), 04-14-2014, 20:36
Quote:
Originally Posted by ZeNiX
I am not very sure how to use it correctly.

For example:
My OS is Windows 8.1 x64
I am using Ollydbg 1.10
My targets are 32-bit (x86)

Which version of ScyllaHide should I use?
x64 or x86?

Also, what is the version of TE?
You need HookLibraryx86.dll and ScyllaHideOlly1.dll
Olly1&2 only support x86

x64 builds are for TitanEngine or tools using it like x64_dbg or TitanScriptGUI

@Ghandi it will be open-sourced somewhen in the near future

Last edited by cypher; 04-14-2014 at 20:41. Reason: forgot sth
  #13  
ZeNiX (Administrator), 04-15-2014, 09:58
Thank you.
On my system, it always pops up a messagebox saying:

---------------------------
ERROR
---------------------------
NT APIs missing

section

060200000109_x86_000162F9

file

W:\Zenix\OllyScylla\NtApiCollection.ini
---------------------------
OK
---------------------------
  #14  
mr.exodia (Retired Moderator), 04-15-2014, 15:57
Hey ZeNiX,

You should run NtApiTool.rar and copy the INI file in the ScyllaHide.dll directory.

Greetings
  #15  
Kla$ (VIP), 04-15-2014, 16:06
mr.exodia, still the same error pops up.
All times are GMT +8.