ScyllaHide

[ahmadmansoor]

Hi Carbon :
I think I try both file my compiled and ur release builds .and same result.
I note that too when I use IDA it try to inject the dll and it fail too .
I have code Plugin for x64_dbg.
so when I use

Quote:

if (specialPebFix)
{
StartFixBeingDebugged(ProcessId, false);
specialPebFix = false;
}

if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
{
StartFixBeingDebugged(ProcessId, true);
specialPebFix = true;
}

after cbCB_DEBUGEVENT ,so if we use it the debugger will catched .
maybe I do something wrong .

[Carbon]

Your problem is probably the structure alignment. You must adjust the compiler settings to 1 byte structure alignment.

[ahmadmansoor]

it is already : 1 Byte (/Zp1)
but I use vs 2010 v100 not v120 if could be make a problem !!

[cypher]

@ahmadmansoor

fork the scyllahide repo on bitbucket. then push the plugin as new project in the solution and I'll have a look and fixup the project.

Edit: platform toolset isnt a problem. Actually all plugins and the hooklib are built for release with v90 for compatibility reasons but I do use v100 myself for developing. Also I do use V2010

[Carbon]

Version 0.9

- All plugins use separate scylla_hide.ini now. ini is interchangeable between plugins !
(ini section in ollydbg.ini now deprecated !)
- Load/Save ini profiles in Olly1&2 and IDA plugin
- RunPE malware unpacker
- NtSetInformationProcess Hook in GUI


Please post your special Protector Profiles here.

[giv]

Hi Carbon (although I'm used to spell another name.)
Your ScyllaHide does not seems to get along with the OdbgScript.
As i related before with Phantom and StrongOD is OK to run the script and with ScyllaHide the script just "goes in the ditch".
I think i will review my script and i will send you or eXoDia to take a look along with some unpackmes.

[mr.exodia]

structure alignment of x64_dbg will be forced to 1 byte in the next release.

Greetings

[Carbon]

Version 1.0

- added sprintf %s Olly1 bugfix to "Fix Olly bugs"
- x64dbg 32/64bit plugins https://bitbucket.org/mrexodia/x64_dbg
- fixed alignment bug 64bit


The default ini contains settings for this protectors:
- VMProtect x86/x64
- Obsidium x86
- Themida x86
- Armadillo x86

Themida/Winlicense x64 will only work with TitanHide

[sendersu]

very nice work! congrats and keep going
Generally speaking you are the first who did hte x64 plugin fo rIDA, but I"m starting to test it from x32 as well
some minor notes so far:

Version 1.0: on Update check
http://prntscr.com/3i1484

win xp sp3 eng prof x32
IDA 6.1 x32

2) version.txt inside the archive ScyllaHide_v1.0.rar contains the string "0.9"
3) how to use hte feature "RunPE malware unpacker"

[Carbon]

New Version here.

Version 1.1
- Added "thanks" to About
- Added kill anti-attach (for x86 only)
- Olly v1 Plugin: Advanced CTRL+G
- Olly v1 Plugin: Skip "compressed code" message
- Olly v1 Plugin: Ignore bad PE image (WinUPack)
- Olly v1 Plugin: Skip "Load DLL" message

Thanks to MaRKuS-DJM for OllyAdvanced assembler source code.

Check out the new documentation: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.1Doc.pdf

[jump]

Does it support any version of IDA or specific version ?

[Carbon]

ScyllaHide is tested with IDA Pro 6.1, 6.3 and 6.5.

[Storm Shadow]

Plugin is running like a charm, and hiding very well.
Would it be possible to add the very nice pdf , as tooltips to the combo box explaining each item in future versions.
Im using the ida version.

Regards

[Carbon]

@Storm Shadow

I don't think it is necessary to add tooltips. This is a lot of work for a very little usability increase

@ALL
There is a mistake in the provided Themida configuration!!! You must enable all NtUser* hooks for Themida! This is missing in the standard configuration.

NtUserBuildHwndListHook=1
NtUserFindWindowExHook=1
NtUserQueryWindowHook=1


The Olly v1 plugin was updated with a little olly bugfix.
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHideOllyv1_v1.2.rar

And doc update:
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHidev1.2Doc.pdf
(e.g. more info about RunPE)

[UniSoft]

Quote:

Originally Posted by Carbon

I don't think it is necessary to add tooltips. This is a lot of work for a very little usability increase

indeed it is not too much work!
Check in attach... By the way maybe someone can help to fill all the tips.
There is only one problem, you've made a separate checkBox'es and labels in dialog template, but need to use only checkBox (Set Caption and Left Text = True).