Exetools  

Go Back   Exetools > General > Community Tools

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 04-10-2014, 04:17
Carbon Carbon is offline
VIP
 
Join Date: Sep 2013
Posts: 113
Rept. Given: 7
Rept. Rcvd 189 Times in 48 Posts
Thanks Given: 0
Thanks Rcvd at 59 Times in 18 Posts
Carbon Reputation: 100-199 Carbon Reputation: 100-199
ScyllaHide

ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various
functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use
TitanHide.

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directoy
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directoy

------------------------------------------------------

ToDo:
- x64 compatibility support
- x64 Exception Support
- Better (stealth) hooks

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not
work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function adresses
from another source. The other source is the PDB file. The adresses can be resolved with this tool:
https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function adresses.
Binaries: NtApiTool.rar

Source code will be released soon!
Attached Files
File Type: rar NtApiTool.rar (1.10 MB, 185 views)
__________________
My blog: https://ntquery.wordpress.com

Last edited by Carbon; 05-03-2015 at 00:09.
Reply With Quote
The Following 7 Users Gave Reputation+1 to Carbon For This Useful Post:
ahmadmansoor (04-11-2014), MarcElBichon (04-10-2014), niculaita (04-11-2014), ontryit (04-19-2014), quygia128 (04-11-2014), winndy (04-11-2014), Zipdecode (04-10-2014)
The Following User Says Thank You to Carbon For This Useful Post:
user1 (09-26-2018)
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ScyllaHide HookLibraryx86.dll phroyt General Discussion 3 10-25-2019 09:48
ScyllaHide Detector Lueilwitz Source Code 2 08-07-2019 06:32


All times are GMT +8. The time now is 23:36.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )