#61
A lot of changes in ntdll in Windows 10 make ScyllaHide fail to hook functions in ntdll.
Example: NtQueryInformationProcess
Code:
CPU Disasm
Address   Hex dump           Command                          Comments
77768D50  B8 19000000        MOV EAX,19                       ; NTSTATUS ntdll.NtQueryInformationProcess(ProcessHandle,ProcessInfoClass,Buffer,Bufsize,pLength)
77768D55  E8 04000000        CALL ntdll.77768D5E
77768D5A  0000               ADD BYTE PTR DS:[EAX],AL
77768D5C  70 77              JO SHORT ntdll.77768DD5
77768D5E  5A                 POP EDX
77768D5F  807A 03 4B         CMP BYTE PTR DS:[EDX+3],4B
77768D63  75 0A              JNE SHORT ntdll.77768D6F
77768D65  64:FF15 C0000000   CALL DWORD PTR FS:[0C0]
77768D6C  C2 1400            RETN 14
Code:
CPU Disasm
Address   Hex dump           Command                          Comments
77768C90  B8 0D000000        MOV EAX,0D
77768C95  BA B0D57777        MOV EDX,ntdll.7777D5B0
77768C9A  FFD2               CALL EDX
77768C9C  C2 1000            RETN 10
Code:
CPU Disasm
Address   Hex dump           Command                          Comments
7777D5B0  64:8B15 30000000   MOV EDX,DWORD PTR FS:[30]
7777D5B7  8B92 54020000      MOV EDX,DWORD PTR DS:[EDX+254]
7777D5BD  F7C2 02000000      TEST EDX,00000002
7777D5C3  74 03              JE SHORT ntdll.7777D5C8
7777D5C5  CD 2E              INT 2E
7777D5C7  C3                 RETN
7777D5C8  EA CFD57777 3300   JMP FAR 0033:7777D5CF            ; Far jump or call
7777D5CF  41                 INC ECX
7777D5D0  FFA7 F8000000      JMP DWORD PTR DS:[EDI+0F8]
__________________
Welcome to my place http://www.reaonline.net
Last edited by Computer_Angel; 09-04-2015 at 12:45.
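As an added example that is not part of the post above and not ScyllaHide's own source: a small C parser for the three listings. It recognises both stub layouts shown (MOV EAX,n / MOV EDX,gateway / CALL EDX, and the newer MOV EAX,n / CALL $+9 / POP EDX / CMP [EDX+3],4B / CALL FS:[0C0]) and pulls out the syscall number and the RETN cleanup size, and for the Wow64SystemServiceCall gateway it recovers the PEB field that is tested (FS:[30h] is the PEB on x86; offset 254h and mask 2 as in the listing) and the far-jump target (selector 33h is the 64-bit code segment under WOW64). The struct and function names are mine, and the byte arrays are transcribed from the hex dumps in the post rather than read from a live process.

```c
/*
 * Added example, not ScyllaHide code: pattern-match the x86 ntdll syscall
 * stub layouts and the Wow64SystemServiceCall gateway from the listings
 * above. Byte arrays are transcribed from the post's hex dumps (constructed
 * sample input), so this builds on any C99 compiler without Windows headers.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    STUB_UNKNOWN = 0,
    STUB_CALL_VIA_EDX,   /* MOV EAX,n ; MOV EDX,gateway ; CALL EDX ; RETN k */
    STUB_CALL_POP_EDX    /* MOV EAX,n ; CALL $+9 ; dd ; POP EDX ; CMP [EDX+3],4B ; JNE ; CALL FS:[C0h] ; RETN k */
} stub_kind;

typedef struct {
    stub_kind kind;
    uint32_t  syscall_number;  /* MOV EAX immediate                            */
    uint32_t  gateway;         /* MOV EDX immediate (STUB_CALL_VIA_EDX only)   */
    uint32_t  skipped_dword;   /* data skipped by CALL $+9 (STUB_CALL_POP_EDX) */
    uint16_t  retn_bytes;      /* RETN imm16                                   */
} stub_info;

typedef struct {
    int      recognized;       /* MOV EDX,FS:[30h] ; MOV EDX,[EDX+disp32] ; TEST EDX,imm32 */
    uint32_t peb_flag_offset;  /* disp32 of the second MOV (254h in the listing) */
    uint32_t test_mask;        /* TEST immediate: bit set -> INT 2E path         */
    uint32_t far_jump_target;  /* EA target, 0 if no far jump to 33h was found   */
    uint16_t far_jump_sel;
} gateway_info;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Classify a stub by exact opcode pattern; anything else stays STUB_UNKNOWN. */
stub_info parse_syscall_stub(const uint8_t *code, size_t len)
{
    stub_info si = { STUB_UNKNOWN, 0, 0, 0, 0 };
    static const uint8_t tail[] = { 0x5A, 0x80, 0x7A, 0x03, 0x4B, 0x75 }; /* POP EDX ; CMP [EDX+3],4B ; JNE */

    if (len < 15 || code[0] != 0xB8)              /* both layouts start with MOV EAX,imm32 */
        return si;
    si.syscall_number = rd32(code + 1);

    /* B8 imm32 | BA imm32 | FF D2 | C2 imm16 */
    if (code[5] == 0xBA && code[10] == 0xFF && code[11] == 0xD2 && code[12] == 0xC2) {
        si.kind = STUB_CALL_VIA_EDX;
        si.gateway = rd32(code + 6);
        si.retn_bytes = rd16(code + 13);
        return si;
    }
    /* B8 imm32 | E8 04000000 | dd | 5A 807A034B 75xx | 64 FF15 C0000000 | C2 imm16 */
    if (len >= 31 && code[5] == 0xE8 && rd32(code + 6) == 4 &&
        memcmp(code + 14, tail, sizeof tail) == 0 &&
        code[21] == 0x64 && code[22] == 0xFF && code[23] == 0x15 && rd32(code + 24) == 0xC0 &&
        code[28] == 0xC2) {
        si.kind = STUB_CALL_POP_EDX;
        si.skipped_dword = rd32(code + 10);     /* byte +3 of this is what CMP [EDX+3],4B inspects */
        si.retn_bytes = rd16(code + 29);
    }
    return si;
}

/* Decode the gateway prologue, then scan for EA disp32 sel16 with selector 33h.
   The scan is a plain byte search, so it is bounded to the gateway and the
   selector is checked to avoid matching an EA byte inside another operand. */
gateway_info parse_wow64_gateway(const uint8_t *code, size_t len)
{
    gateway_info g = { 0, 0, 0, 0, 0 };
    static const uint8_t mov_fs30[] = { 0x64, 0x8B, 0x15, 0x30, 0x00, 0x00, 0x00 };

    if (len < 19 || memcmp(code, mov_fs30, sizeof mov_fs30) != 0 ||
        code[7] != 0x8B || code[8] != 0x92 || code[13] != 0xF7 || code[14] != 0xC2)
        return g;
    g.recognized = 1;
    g.peb_flag_offset = rd32(code + 9);
    g.test_mask = rd32(code + 15);
    for (size_t i = 19; i + 7 <= len; i++) {
        if (code[i] == 0xEA && rd16(code + i + 5) == 0x33) {
            g.far_jump_target = rd32(code + i + 1);
            g.far_jump_sel = 0x33;
            break;
        }
    }
    return g;
}

/* Constructed sample input: bytes transcribed from the listings in the post. */
const uint8_t win10_NtQueryInformationProcess[] = {      /* 77768D50 */
    0xB8,0x19,0x00,0x00,0x00, 0xE8,0x04,0x00,0x00,0x00, 0x00,0x00,0x70,0x77, 0x5A,
    0x80,0x7A,0x03,0x4B, 0x75,0x0A, 0x64,0xFF,0x15,0xC0,0x00,0x00,0x00, 0xC2,0x14,0x00 };
const uint8_t call_via_edx_stub[] = {                    /* 77768C90, syscall 0D */
    0xB8,0x0D,0x00,0x00,0x00, 0xBA,0xB0,0xD5,0x77,0x77, 0xFF,0xD2, 0xC2,0x10,0x00 };
const uint8_t wow64_gateway[] = {                        /* 7777D5B0 */
    0x64,0x8B,0x15,0x30,0x00,0x00,0x00, 0x8B,0x92,0x54,0x02,0x00,0x00, 0xF7,0xC2,0x02,0x00,0x00,0x00,
    0x74,0x03, 0xCD,0x2E, 0xC3, 0xEA,0xCF,0xD5,0x77,0x77,0x33,0x00, 0x41,0xFF,0xA7,0xF8,0x00,0x00,0x00 };

int main(void)
{
    stub_info a = parse_syscall_stub(win10_NtQueryInformationProcess, sizeof win10_NtQueryInformationProcess);
    stub_info b = parse_syscall_stub(call_via_edx_stub, sizeof call_via_edx_stub);
    gateway_info g = parse_wow64_gateway(wow64_gateway, sizeof wow64_gateway);
    printf("NtQueryInformationProcess: kind=%d syscall=0x%X retn=0x%X\n", a.kind, a.syscall_number, a.retn_bytes);
    printf("second stub: kind=%d syscall=0x%X gateway=0x%08X\n", b.kind, b.syscall_number, b.gateway);
    printf("gateway: PEB+0x%X & 0x%X -> INT 2E, else JMP FAR %04X:%08X\n",
           g.peb_flag_offset, g.test_mask, g.far_jump_sel, g.far_jump_target);
    return 0;
}
```

On a live target the same functions would be fed the bytes at the exported ntdll!Nt* address and at the MOV EDX target; a stub that matches neither pattern is exactly the case a hooking tool has to treat as an unknown syscall structure rather than patch blindly.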
#62
Quote:
Regards,
#63
Nope. There's a lot of change. First I need to fix the remote hook feature.
__________________
Welcome to my place http://www.reaonline.net
#64
Win 10 is a nightmare for "stealth" hooking. Probably they wanted to defeat malware.
I think I can work on it this weekend.
__________________
My blog: https://ntquery.wordpress.com
#65
The Wow64SystemServiceCall call is now separate for ntdll and user32.dll, and maybe other DLLs too. So the NativeContinue structure needs to be changed to suit this.
__________________
Welcome to my place http://www.reaonline.net
#66
Win10 has more surprises to offer:
https://ntquery.wordpress.com/2015/09/07/windows-10-new-anti-debug-outputdebugstringw/
I also see some weird behavior of NtQueryInformationProcess. You can query ProcessBasicInformation with different buffer sizes.
size = 24 -> normal behavior, expected size like in all Windows editions
size = 32 -> extended information? You can get more information...
__________________
My blog: https://ntquery.wordpress.com
#67
@Carbon, is there any update on making this work on Win 10?
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm." Today I whispered in the devil's ear, "I am the storm."
#68
Don't ask questions, here is a fixed ScyllaHide for Windows 10 x86/x64.
Tested with x64dbg/x32dbg on VMProtect and Obsidium targets.
Quote:
Last edited by mudlord; 04-21-2016 at 10:50.
#69
This is the version of ScyllaHide that I use personally. It includes the fix provided by mudlord in the previous post (fix made by Colin). I also push this to the 'vs13' branch on the original repository.
Code: https://github.com/x64dbg/ScyllaHide
Build of the latest version is always available here: https://ci.appveyor.com/project/mrex...uild/artifacts
#70
Quote:
#71
I get the same error in the newest version.
__________________
The devil whispered in my ear, "you're not strong enough to withstand the storm." Today I whispered in the devil's ear, "I am the storm."
#72
The error comes from idaserver.cpp:
Code:
int main(int argc, char *argv[])
{
    LogWrap = LogWrapper;
    LogErrorWrap = LogWrapper;

    // Refuse to start if the IDA SDK this build was compiled against lays out
    // the exchange struct differently from the size the plugin side expects.
    if (sizeof(IDA_SERVER_EXCHANGE) != IDA_SERVER_EXCHANGE_STRUCT_SIZE)
    {
        printf("WRONG!!! Size of IDA_SERVER_EXCHANGE %d == %d?\n\n", sizeof(IDA_SERVER_EXCHANGE), IDA_SERVER_EXCHANGE_STRUCT_SIZE);
        getchar();
        return 0;
    }
#73
Probably this can be fixed by updating the SDK to the same version as your IDA version...
#74
I guess these days everybody has already switched to the latest public IDA, six dot eight.
BTW, has anybody seen this kind of warning (error?) in IDA:
---------------------------
Error
---------------------------
Failed to unprotect WOW64 gateway
---------------------------
OK
---------------------------
Last edited by sendersu; 08-29-2016 at 05:02.
#75
Please fix the bug on updated Windows 10 in OllyDbg 1 and OllyDbg 2.
Thank you in advance.
---------------------------
Error
---------------------------
Windows 10 SysWowSpecialJmpAddress was not found!
---------------------------
OK
---------------------------
---------------------------
ERROR
---------------------------
Unknown syscall structure!
---------------------------
OK
---------------------------