Exetools  


#16 (ZeNiX, 04-15-2014, 17:37)
Problem solved.
After downloading the symbols, we need to use pdb-getprocaddress to get three addresses.

In my system, they are...

[060200000109_x86_000162F9]
NtUserQueryWindow=00009965
NtUserBuildHwndList=0000FBB1
NtUserFindWindowEx=0000804C

#17 (Carbon, 04-16-2014, 03:03)
Thanks ZeNiX, I added it here:
https://bitbucket.org/NtQuery/pdb-getprocaddress/commits/8ac27b0c21d3df3b95e775afff24ad993fc492d8

If somebody wants to share his config, please do it
__________________
My blog: https://ntquery.wordpress.com

#18 (DMichael, 04-16-2014, 05:05)
Here's mine:
[060200000100_x86_00025FBF]
NtUserQueryWindow=00008CC1
NtUserBuildHwndList=00011DC3
NtUserFindWindowEx=00007757
NtUserInternalGetWindowText=0000CC60
NtUserGetClassName=00008CE3
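The two configs posted above share one layout: a section named after the OS build and architecture, then one "Symbol=hex RVA" line per NtUser* function. As an added example (not code from this thread, pdb-getprocaddress or ScyllaHide), here is a Python parser that validates such a file and turns a stored RVA into a virtual address; the section-name pattern and the module base are assumptions, and the embedded sample is built from the two configs posted in this thread.

```python
import configparser
import re

# Constructed sample in the layout posted in this thread: one section per
# OS-build/architecture key, one "Symbol=hex RVA" line per NtUser* function.
SAMPLE_INI = """\
[060200000109_x86_000162F9]
NtUserQueryWindow=00009965
NtUserBuildHwndList=0000FBB1
NtUserFindWindowEx=0000804C

[060200000100_x86_00025FBF]
NtUserQueryWindow=00008CC1
NtUserBuildHwndList=00011DC3
NtUserFindWindowEx=00007757
NtUserInternalGetWindowText=0000CC60
NtUserGetClassName=00008CE3
"""

# Assumed section-name shape (12 hex digits, arch, 8 hex digits); it is only
# used to reject sections that do not look like the ones posted above.
SECTION_RE = re.compile(r"^[0-9A-F]{12}_(x86|x64)_[0-9A-F]{8}$")


def parse_offsets(text):
    """Return {section: {symbol: rva_int}}; raise ValueError on malformed input."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep symbol names case-sensitive
    cp.read_string(text)
    table = {}
    for section in cp.sections():
        if not SECTION_RE.match(section):
            raise ValueError(f"unexpected section name: {section!r}")
        entries = {}
        for symbol, value in cp.items(section):
            if not re.fullmatch(r"[0-9A-Fa-f]{8}", value):
                raise ValueError(f"{section}/{symbol}: bad RVA {value!r}")
            entries[symbol] = int(value, 16)
        table[section] = entries
    return table


def resolve(table, section, symbol, module_base):
    """Add the stored RVA to the load address (assumed, passed in) of its module.

    Returns None when the build or symbol is unknown, so the caller falls back
    to fetching symbols (pdb-getprocaddress) instead of guessing an address.
    """
    rva = table.get(section, {}).get(symbol)
    return None if rva is None else module_base + rva
```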

#19 (Carbon, 04-17-2014, 20:44)
Version 0.3

- Fix for Olly plugins caption reset
- Fix STARTUPINFO structure, GetStartupInfoA/W
- Resume/Suspend all Threads in Thread window
- x64 compatibility mode for Olly1
- fix PE-Bugs for Olly1
- fix FPU-Bug for Olly1
- split "Protect DRx" into its options (ini option ProtectDRx now deprecated)
- Fix PEB Patch bug, now Themida works on WinXP

Binary: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.3.rar
Source: https://bitbucket.org/NtQuery/scyllahide/

#20 (Carbon, 04-21-2014, 03:35)
Version 0.4

- Olly v1/v2 Plugins: Apply hooks without restarting
- Olly v1 Plugin: Added "Break on TLS"


https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.4.rar

#21 (leetone, 04-23-2014, 13:48)
Thank you for the binary release. I've got the source via github and I'm building my own "nightlies" - was this built in VS2008 or VS2010? It isn't native to 2012 or 2013

#22 (cypher, 04-23-2014, 21:55)
I'm building with VS2010. Since the platform toolset is set to v90, you either need to have VS2008 express installed to get that toolset or you simply change toolset to v100.
We use v90 on purpose to guarantee max compatibility on older systems but for testing, v100 is just fine.

#23 (Carbon, 04-24-2014, 02:39)
Version 0.5

- NtCreateThreadEx hook
- Prevent Thread creation
(special hook for some protectors like Execryptor. Only use this if you know what you do)
- Split Hide PEB into 4 options (ini option PEB now deprecated)
- Inject DLL option added (2 methods)
- Replaced Olly2 dialog
- Improved "Break on TLS"

Download: you know where

#24 (cypher, 04-29-2014, 21:23)
Version 0.7

- IDA 64bit plugin
- IDA 32/64bit remote server
- IDA DLL Injection
- IDA option to start x64 server automatically

#25 (cypher, 05-03-2014, 03:53)
Version 0.8

- Olly v1 Plugin: option "Skip EP outside of code message"
- Fix for NtSetInformationProcess -> ProcessHandleTracing
- All plugins: Update-Check
- Timing Hooks: GetTickCount, GetTickCount64, GetLocalTime, GetSystemTime, NtQuerySystemTime, NtQueryPerformanceCounter
- "Remove Debug Privileges" added

#26 (besoeso, 05-04-2014, 01:15)
@cypher

Is it possible to add IO hook support too, such as DeviceIoControlFile?

#27 (Carbon, 05-04-2014, 02:47)
@besoeso
How does this work? Antidebug with DeviceIoControlFile? Do you have an example code?

#28 (giv, 05-05-2014, 14:42)
Congrats mate...
I have tested today with a VMProtect target and to my real surprise it works flawlessly.

Offtopic:
Just don't forget the Scylla 0.9.6b problem with Themida nnpack that I reported on tuts4you.

See ya!

#29 (ahmadmansoor, 05-06-2014, 19:59)
x64 needs more testing

Hi Carbon
I have made some more checks on x64.
I keep getting ((Warning wrong struct size 504 != 396))
or the HookLibraryx64.dll is not being injected.

By the way, what is the use of:
Quote:
    if (specialPebFix)
    {
        StartFixBeingDebugged(ProcessId, false);
        specialPebFix = false;
    }

    if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
    {
        StartFixBeingDebugged(ProcessId, true);
        specialPebFix = true;
    }
They work as the opposite of each other!!

#30 (Carbon, 05-07-2014, 00:39)
Quote:
Originally Posted by ahmadmansoor View Post
    Hi Carbon
    I have made some more checks on x64.
    I keep getting ((Warning wrong struct size 504 != 396))
    or the HookLibraryx64.dll is not being injected.
Did you compile it yourself? This is some alignment check; this should not be a problem in the release builds.

Quote:
    if (specialPebFix)
    {
        StartFixBeingDebugged(ProcessId, false);
        specialPebFix = false;
    }

    if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
    {
        StartFixBeingDebugged(ProcessId, true);
        specialPebFix = true;
    }
This is from the POISON source and, to be honest, I don't understand it completely, but it works very well. It is something against heap flag artifacts. Themida/WL looks for special artifacts on the process heaps and this little trick prevents the creation of these artifacts. I think other hide plugins use the same trick. I don't know who invented it originally, but it is a very clever way to solve this problem, so the author is probably some genius.