
ScyllaHide 0.8

Posted: May 3, 2014 in Uncategorized

Author: Aguila

ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.

——————————————————
Debugger Hiding:
– PEB – BeingDebugged, NtGlobalFlag, Heap Flags
– NtSetInformationThread – ThreadHideFromDebugger
– NtQuerySystemInformation – SystemKernelDebuggerInformation, SystemProcessInformation
– NtQueryInformationProcess – ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
– NtQueryObject – ObjectTypesInformation, ObjectTypeInformation
– NtYieldExecution
– NtSetDebugFilterState
– NtUserBuildHwndList – EnumWindows
– NtUserFindWindowEx – FindWindowA/W, FindWindowExA/W
– NtUserQueryWindow
– NtClose
– NtCreateThreadEx
– GetTickCount
– BlockInput
– OutputDebugStringA – OutputDebugStringW
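
As an added example (not ScyllaHide's own code), the C program below evaluates the PEB, heap-flag and NtQueryInformationProcess indicators from the list above against a snapshot of the values a target process would read, which makes explicit what a hook library has to present for each indicator to come out clean. The snapshot struct, the indicator bitmask and the sample values are assumptions constructed for the example, not data from the project.

```c
/* Added example, not ScyllaHide code: evaluates the PEB, heap and
 * NtQueryInformationProcess indicators against a snapshot of what a target
 * would read, so the spoofed values a hook library must present can be
 * checked. All snapshot values below are constructed. */
#include <stdint.h>
#include <stdio.h>

#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10  /* NtGlobalFlag bits a debugger sets */
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define HEAP_GROWABLE                0x02  /* the only bit a clean default heap has */

typedef struct {
    uint8_t   being_debugged;   /* PEB->BeingDebugged */
    uint32_t  nt_global_flag;   /* PEB->NtGlobalFlag */
    uint32_t  heap_flags;       /* ProcessHeap->Flags */
    uint32_t  heap_force_flags; /* ProcessHeap->ForceFlags */
    uintptr_t debug_port;       /* NtQueryInformationProcess(ProcessDebugPort) */
    uint32_t  debug_flags;      /* NtQueryInformationProcess(ProcessDebugFlags) */
    uintptr_t debug_object;     /* NtQueryInformationProcess(ProcessDebugObjectHandle) */
} dbg_snapshot;

enum { IND_BEING_DEBUGGED = 1, IND_NTGLOBALFLAG = 2, IND_HEAP_FLAGS = 4,
       IND_HEAP_FORCE = 8, IND_DEBUG_PORT = 16, IND_DEBUG_FLAGS = 32,
       IND_DEBUG_OBJECT = 64 };

/* Returns a bitmask of the indicators that still reveal a debugger. */
unsigned detect_debugger(const dbg_snapshot *s) {
    unsigned found = 0;
    if (s->being_debugged) found |= IND_BEING_DEBUGGED;
    if (s->nt_global_flag & (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
                             FLG_HEAP_VALIDATE_PARAMETERS)) found |= IND_NTGLOBALFLAG;
    if (s->heap_flags & ~(uint32_t)HEAP_GROWABLE) found |= IND_HEAP_FLAGS;
    if (s->heap_force_flags) found |= IND_HEAP_FORCE;
    if (s->debug_port) found |= IND_DEBUG_PORT;
    /* ProcessDebugFlags is inverted: 0 means a debugger is attached, 1 means none. */
    if (s->debug_flags == 0) found |= IND_DEBUG_FLAGS;
    if (s->debug_object) found |= IND_DEBUG_OBJECT;
    return found;
}

/* Constructed samples: a debugged process before hiding, and the values a
 * working hook library should make the same process read afterwards. */
const dbg_snapshot sample_debugged = { 1, 0x70, 0x40000062, 0x40000060, (uintptr_t)-1, 0, 0x1234 };
const dbg_snapshot sample_hidden   = { 0, 0x00, HEAP_GROWABLE, 0, 0, 1, 0 };

int main(void) {
    printf("debugged: indicators 0x%02x\n", detect_debugger(&sample_debugged));
    printf("hidden:   indicators 0x%02x\n", detect_debugger(&sample_hidden));
    return 0;
}
```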

Special functions:
– Prevent thread creation – for protectors like Execryptor. Only use this if you know what you are doing!

Protecting and Stealthing DRx (Hardware Breakpoints):
– NtGetContextThread
– NtSetContextThread
– KiUserExceptionDispatcher (only x86)
– NtContinue (only x86)

Hooks:
– Stealth hooks for 32-bit targets (Tested against Themida/VMProtect)

Plugin specific:
Olly1&2:
– Change Olly title
– Resume/Suspend all Threads in Thread window
– DLL injection (stealth / normal)
Olly1:
– Fix PE-Bugs
– Fix FPU Bug
– x64 compatibility mode
– Remove EP-Break
– Break on TLS

——————————————————

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

——————————————————

Plugins:
– for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide, which does kernel-mode hiding)
– for OllyDbg v1.10: Copy HookLibraryx86.dll and ScyllaHideOlly1.dll to your plugins directory
– for OllyDbg v2.01: Copy HookLibraryx86.dll and ScyllaHideOlly2.dll to your plugins directory
– for IDA v6 32bit: Copy HookLibraryx86.dll, NtApiCollection.ini and ScyllaHideIDA.plw to your plugins directory
– for IDA v6 64bit: Copy ScyllaHideIDA.p64, NtApiCollection.ini, ScyllaHideIDASrvx64.exe and HookLibraryx64.dll to your plugins directory

IDA Note:
– Start ScyllaHideIDASrvx64.exe to debug 64-bit applications
– Start ScyllaHideIDASrvx86.exe to debug 32-bit applications remotely

Commandline: ScyllaHideIDASrvxXX.exe <port>

ScyllaHideIDASrv Note:
– Server needs HookLibraryxXX.dll and NtApiCollection.ini

——————————————————

Download here: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.8.rar

Regards,