Exetools  

#31
05-07-2014, 01:33
ahmadmansoor (Coder)
Hi Carbon:
I think I tried both files, my compiled and your release builds, and got the same result.
I noticed it too when I use IDA: it tries to inject the dll and it fails as well.
I have coded a plugin for x64_dbg.
So when I use
Quote:
// x64_dbg plugin debug-event callback (the wrapper is assumed; the post only quotes the body)
PLUG_EXPORT void CBDEBUGEVENT(CBTYPE cbType, PLUG_CB_DEBUGEVENT* info)
{
    // undo the temporary PEB fix applied on the previous event
    if (specialPebFix)
    {
        StartFixBeingDebugged(ProcessId, false);
        specialPebFix = false;
    }

    // u.LoadDll is only valid for a LOAD_DLL event; check the event code before reading it
    if (info->DebugEvent->dwDebugEventCode == LOAD_DLL_DEBUG_EVENT &&
        info->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
    {
        StartFixBeingDebugged(ProcessId, true);
        specialPebFix = true;
    }
}
after cbCB_DEBUGEVENT, so if we use it the debugger will be caught.
Maybe I do something wrong.
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
#32
05-07-2014, 02:03
Carbon (VIP)
Your problem is probably the structure alignment. You must adjust the compiler settings to 1 byte structure alignment.
__________________
My blog: https://ntquery.wordpress.com
#33
05-07-2014, 02:07
ahmadmansoor (Coder)
It is already 1 Byte (/Zp1),
but I use VS 2010 v100, not v120, if that could be making a problem!!
#34
05-07-2014, 02:20
cypher (Friend)
@ahmadmansoor

Fork the scyllahide repo on bitbucket, then push the plugin as a new project in the solution and I'll have a look and fix up the project.

Edit: platform toolset isn't a problem. Actually all plugins and the hooklib are built for release with v90 for compatibility reasons, but I do use v100 myself for developing. Also I do use VS 2010.
#35
05-09-2014, 03:55
Carbon (VIP)
Version 0.9

- All plugins use a separate scylla_hide.ini now. The ini is interchangeable between plugins!
(ini section in ollydbg.ini now deprecated!)
- Load/Save ini profiles in Olly1&2 and IDA plugin
- RunPE malware unpacker
- NtSetInformationProcess Hook in GUI

Please post your special Protector Profiles here.
#36
05-09-2014, 14:39
giv (VIP)
Hi Carbon (although I'm used to spelling another name.)
Your ScyllaHide does not seem to get along with OdbgScript.
As I related before, with Phantom and StrongOD it is OK to run the script, and with ScyllaHide the script just "goes in the ditch".
I think I will review my script and I will send it to you or eXoDia to take a look, along with some unpackmes.
#37
05-10-2014, 04:59
mr.exodia (Retired Moderator)
Structure alignment of x64_dbg will be forced to 1 byte in the next release.

Greetings
#38
05-11-2014, 01:17
Carbon (VIP)
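The alignment mismatch Carbon and mr.exodia are talking about, as an added illustration (not code from ScyllaHide or x64_dbg): a constructed record shaped like a plugin callback structure is laid out once with the compiler's default alignment and once with 1-byte packing (what /Zp1 gives), and the pointer field lands at a different offset in each, so a plugin built with one setting misreads a record the host filled with the other.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record shaped like a plugin callback structure: a one-byte
   field followed by a pointer and a 32-bit id. Not the x64_dbg SDK layout. */
struct cb_natural {            /* compiler default alignment */
    uint8_t  kind;
    void    *event;
    uint32_t pid;
};

#pragma pack(push, 1)
struct cb_packed {             /* 1-byte alignment, what /Zp1 produces */
    uint8_t  kind;
    void    *event;
    uint32_t pid;
};
#pragma pack(pop)

size_t natural_size(void)         { return sizeof(struct cb_natural); }
size_t packed_size(void)          { return sizeof(struct cb_packed); }
size_t natural_event_offset(void) { return offsetof(struct cb_natural, event); }
size_t packed_event_offset(void)  { return offsetof(struct cb_packed, event); }

/* Host writes the record with 1-byte packing; a plugin compiled with default
   alignment reads the same bytes. Returns 1 when the plugin sees a different
   pointer than the host stored. */
int plugin_misreads_packed_record(void)
{
    int marker = 0;
    struct cb_packed  host;
    struct cb_natural plugin;
    unsigned char raw[sizeof(struct cb_natural)] = {0};

    host.kind = 1; host.event = &marker; host.pid = 1234;
    memcpy(raw, &host, sizeof host);      /* bytes as the host laid them out */
    memcpy(&plugin, raw, sizeof plugin);  /* plugin's view of those bytes */
    return plugin.event != (void *)&marker;
}

int main(void)
{
    printf("natural: size %zu, event at %zu\n", natural_size(), natural_event_offset());
    printf("packed : size %zu, event at %zu\n", packed_size(), packed_event_offset());
    printf("plugin misreads pointer: %d\n", plugin_misreads_packed_record());
    return 0;
}
```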
Version 1.0

- added sprintf %s Olly1 bugfix to "Fix Olly bugs"
- x64dbg 32/64bit plugins https://bitbucket.org/mrexodia/x64_dbg
- fixed alignment bug 64bit


The default ini contains settings for these protectors:
- VMProtect x86/x64
- Obsidium x86
- Themida x86
- Armadillo x86

Themida/Winlicense x64 will only work with TitanHide
#39
05-11-2014, 04:57
sendersu (VIP)
Very nice work! Congrats and keep going.
Generally speaking you are the first who did the x64 plugin for IDA, but I'm starting to test it from x32 as well.
Some minor notes so far:

1) Version 1.0: on Update check
http://prntscr.com/3i1484

win xp sp3 eng prof x32
IDA 6.1 x32

2) version.txt inside the archive ScyllaHide_v1.0.rar contains the string "0.9"
3) How to use the feature "RunPE malware unpacker"?
#40
08-17-2014, 02:00
Carbon (VIP)
New Version here.

Version 1.1
- Added "thanks" to About
- Added kill anti-attach (for x86 only)
- Olly v1 Plugin: Advanced CTRL+G
- Olly v1 Plugin: Skip "compressed code" message
- Olly v1 Plugin: Ignore bad PE image (WinUPack)
- Olly v1 Plugin: Skip "Load DLL" message

Thanks to MaRKuS-DJM for OllyAdvanced assembler source code.

Check out the new documentation: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.1Doc.pdf
#41
08-18-2014, 23:35
jump (VIP)
Does it support any version of IDA, or a specific version?
#42
08-19-2014, 00:38
Carbon (VIP)
ScyllaHide is tested with IDA Pro 6.1, 6.3 and 6.5.
#43
08-20-2014, 05:03
Storm Shadow (Family)
The plugin is running like a charm, and hiding very well.
Would it be possible to add the very nice pdf as tooltips to the combo box, explaining each item, in future versions?
I'm using the IDA version.

Regards
#44
08-22-2014, 02:31
Carbon (VIP)
@Storm Shadow

I don't think it is necessary to add tooltips. This is a lot of work for a very little usability increase.

@ALL
There is a mistake in the provided Themida configuration!!! You must enable all NtUser* hooks for Themida! This is missing in the standard configuration.

NtUserBuildHwndListHook=1
NtUserFindWindowExHook=1
NtUserQueryWindowHook=1
The Olly v1 plugin was updated with a little olly bugfix.
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHideOllyv1_v1.2.rar

And doc update:
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.2Doc.pdf
(e.g. more info about RunPE)
#45
08-22-2014, 07:32
UniSoft (Family)
Quote:
Originally Posted by Carbon View Post
I don't think it is necessary to add tooltips. This is a lot of work for a very little usability increase
Indeed it is not too much work!
Check the attachment... By the way, maybe someone can help to fill in all the tips.
There is only one problem: you've made separate checkboxes and labels in the dialog template, but you need to use only a checkbox (set Caption and Left Text = True).
Attached file: ToolTips.c.txt (6.7 KB)
All times are GMT +8.