ScyllaHide
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>
For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\ (can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory

------------------------------------------------------

ToDo:
- x64 compatibility support
- x64 Exception Support
- Better (stealth) hooks

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function addresses from another source. The other source is the PDB file. The addresses can be resolved with this tool: https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function addresses.
Binaries: NtApiTool.rar
Source code will be released soon!
My blog: https://ntquery.wordpress.com
Last edited by Carbon; 05-03-2015 at 00:09.
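The post above lists the PEB fields and NtQueryInformationProcess classes the hooks normalize without showing what "normalized" means for each of them. The following is an added example, not ScyllaHide's own code: a portable C model that takes a snapshot of those process artifacts, reports which of them would reveal a debugger, and produces the view a complete set of hiding hooks would have to present instead. It is useful for someone maintaining an analysis environment who wants to check that every artifact in this list is covered. The flag constants are the documented Windows values; the `process_snapshot` struct, the `debugger_artifacts` and `hidden_view` functions and the sample values in `main` are assumptions constructed for the example, not data read from a live process.

```c
/* Added example, not ScyllaHide's code: a portable model of the user-mode
 * debugger artifacts the post's hook list normalizes. Field names mirror the
 * PEB / NtQueryInformationProcess data they stand for; the snapshot in main()
 * is constructed, not captured from a real process. */
#include <stdint.h>
#include <stdio.h>

/* NtGlobalFlag bits a process created under a debugger receives by default. */
#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40u
#define NTGLOBALFLAG_DEBUG_BITS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* Process heap Flags / ForceFlags values; a clean default heap has Flags == HEAP_GROWABLE and ForceFlags == 0. */
#define HEAP_GROWABLE                     0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED        0x00000020u
#define HEAP_FREE_CHECKING_ENABLED        0x00000040u
#define HEAP_VALIDATE_PARAMETERS_ENABLED  0x40000000u
#define HEAP_DEBUG_BITS (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED)

typedef struct {
    uint8_t   being_debugged;   /* PEB.BeingDebugged */
    uint32_t  nt_global_flag;   /* PEB.NtGlobalFlag */
    uint32_t  heap_flags;       /* PEB.ProcessHeap->Flags */
    uint32_t  heap_force_flags; /* PEB.ProcessHeap->ForceFlags */
    uintptr_t debug_port;       /* NtQueryInformationProcess(ProcessDebugPort): nonzero when debugged */
    uint32_t  debug_flags;      /* NtQueryInformationProcess(ProcessDebugFlags): 0 when debugged, 1 otherwise */
    uintptr_t debug_object;     /* NtQueryInformationProcess(ProcessDebugObjectHandle): nonzero when debugged */
} process_snapshot;

/* One bit per artifact that gives the debugger away. */
enum artifact {
    ART_BEING_DEBUGGED = 1u << 0,
    ART_NT_GLOBAL_FLAG = 1u << 1,
    ART_HEAP_FLAGS     = 1u << 2,
    ART_DEBUG_PORT     = 1u << 3,
    ART_DEBUG_FLAGS    = 1u << 4,
    ART_DEBUG_OBJECT   = 1u << 5
};

/* Returns a mask of the artifacts in the snapshot that reveal a debugger; 0 means clean. */
unsigned debugger_artifacts(const process_snapshot *s) {
    unsigned found = 0;
    if (s->being_debugged)                         found |= ART_BEING_DEBUGGED;
    if (s->nt_global_flag & NTGLOBALFLAG_DEBUG_BITS) found |= ART_NT_GLOBAL_FLAG;
    if ((s->heap_flags & HEAP_DEBUG_BITS) || s->heap_force_flags != 0) found |= ART_HEAP_FLAGS;
    if (s->debug_port != 0)                        found |= ART_DEBUG_PORT;
    if (s->debug_flags == 0)                       found |= ART_DEBUG_FLAGS;
    if (s->debug_object != 0)                      found |= ART_DEBUG_OBJECT;
    return found;
}

/* The view a complete set of hiding hooks would present for the same process:
 * each artifact replaced by the value a non-debugged process has. */
process_snapshot hidden_view(const process_snapshot *s) {
    process_snapshot h = *s;
    h.being_debugged   = 0;
    h.nt_global_flag   = s->nt_global_flag & ~NTGLOBALFLAG_DEBUG_BITS;
    h.heap_flags       = s->heap_flags & ~HEAP_DEBUG_BITS;
    h.heap_force_flags = 0;
    h.debug_port       = 0;
    h.debug_flags      = 1;   /* the value ProcessDebugFlags returns for a non-debugged process */
    h.debug_object     = 0;
    return h;
}

static const char *artifact_name(unsigned bit) {
    switch (bit) {
    case ART_BEING_DEBUGGED: return "PEB.BeingDebugged";
    case ART_NT_GLOBAL_FLAG: return "PEB.NtGlobalFlag";
    case ART_HEAP_FLAGS:     return "ProcessHeap Flags/ForceFlags";
    case ART_DEBUG_PORT:     return "ProcessDebugPort";
    case ART_DEBUG_FLAGS:    return "ProcessDebugFlags";
    case ART_DEBUG_OBJECT:   return "ProcessDebugObjectHandle";
    default:                 return "?";
    }
}

int main(void) {
    /* Constructed snapshot of a process started under a debugger (sample values, not captured). */
    process_snapshot debugged = {
        1, NTGLOBALFLAG_DEBUG_BITS,
        HEAP_GROWABLE | HEAP_DEBUG_BITS, HEAP_DEBUG_BITS,
        (uintptr_t)-1, 0, 0x1c
    };
    unsigned mask = debugger_artifacts(&debugged);
    for (unsigned bit = 1; bit <= ART_DEBUG_OBJECT; bit <<= 1)
        if (mask & bit) printf("debugger visible via %s\n", artifact_name(bit));
    process_snapshot hidden = hidden_view(&debugged);
    printf("after hiding: %u artifact(s) remain\n", debugger_artifacts(&hidden));
    return 0;
}
```

The model deliberately keeps the PEB fields and the NtQueryInformationProcess classes as separate artifacts, because a hook that only clears BeingDebugged leaves NtGlobalFlag, the heap flags and the debug port untouched; `debugger_artifacts` returning nonzero on the hidden view is the signal that one of the hooks in the post's list is missing.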