Release ScyllaHide

Storm Shadow

ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks
various functions in usermode to hide debugging. This will stay usermode!
For kernelmode hooks use TitanHide.

Source code license:
GNU General Public License v3 https://www.gnu.org/licenses/gpl-3.0.en.html

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList - EnumWindows
- NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W
- NtUserQueryWindow
- NtClose
- NtCreateThreadEx
- GetTickCount
- BlockInput
- OutputDebugStringA - OutputDebugStringW

Special functions:
- Prevent Thread creation - for protectors like Execryptor. Only use if you know what you are doing!

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

Hooks:
- Stealth hooks for 32-bit targets (Tested against Themida/VMProtect)

Plugin specific:
Olly1&2:
- Change Olly title
- Resume/Suspend all Threads in Thread window
- DLL injection (stealth / normal)
Olly1:
- Fix PE-Bugs
- Fix FPU Bug
- x64 compatibility mode
- Remove EP-Break
- Break on TLS

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibraryx86.dll and ScyllaHideOlly1.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibraryx86.dll and ScyllaHideOlly2.dll to your plugins directory

------------------------------------------------------

Special thanks to:

- What for his POISON Assembler source code https://tuts4you.com/download.php?view.2281
- waliedassar for his blog posts http://waleedassar.blogspot.de
- Peter Ferrie for his PDFs http://pferrie.host22.com

------------------------------------------------------
ToDo:
- x64 Exception Support

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll
or the following hooks will not work:
NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get
the function addresses from another source. The other source is the PDB file.
The addresses can be resolved with this tool: https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function addresses.
Binaries: https://bitbucket.org/NtQuery/scyllahide/downloads/NtApiTool.rar
https://bitbucket.org/NtQuery/scyllahide/downloads/scyllahide_IDA_PRO.rar
Source: https://forum.tuts4you.com
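
As an added example, not ScyllaHide's own code, this is the logic behind the first "Debugger Hiding" item (PEB - BeingDebugged, NtGlobalFlag, Heap Flags): the checks a protector makes against those fields, and what the hiding has to undo. The `ModelPeb`/`ModelHeap` structs are a constructed stand-in carrying only those fields, not the real Windows PEB layout, so it compiles on any platform; the flag constants are the documented Windows values, and all function names are mine.

```c
/* Constructed model of the PEB fields an anti-debug check reads (NOT the real layout). */
#include <stdint.h>

/* NtGlobalFlag bits the loader sets when a process is started under a debugger */
#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40u
#define NTGLOBALFLAG_DEBUG_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | \
        FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* Process heap flags: only HEAP_GROWABLE is present when not being debugged */
#define HEAP_GROWABLE                     0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED        0x00000020u
#define HEAP_FREE_CHECKING_ENABLED        0x00000040u
#define HEAP_VALIDATE_PARAMETERS_ENABLED  0x40000000u
#define HEAP_DEBUG_FLAGS (HEAP_TAIL_CHECKING_ENABLED | \
        HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED)

typedef struct { uint32_t Flags; uint32_t ForceFlags; } ModelHeap;
typedef struct {
    uint8_t    BeingDebugged;
    uint32_t   NtGlobalFlag;
    ModelHeap *ProcessHeap;
} ModelPeb;

/* Indicator bits returned by peb_debug_indicators() */
enum { IND_BEING_DEBUGGED = 1, IND_NTGLOBALFLAG = 2, IND_HEAP_FLAGS = 4 };

/* The three PEB checks a protector performs; returns which of them fire. */
unsigned peb_debug_indicators(const ModelPeb *peb) {
    unsigned hits = 0;
    if (peb->BeingDebugged) hits |= IND_BEING_DEBUGGED;
    if (peb->NtGlobalFlag & NTGLOBALFLAG_DEBUG_MASK) hits |= IND_NTGLOBALFLAG;
    if ((peb->ProcessHeap->Flags & HEAP_DEBUG_FLAGS) || peb->ProcessHeap->ForceFlags)
        hits |= IND_HEAP_FLAGS;
    return hits;
}

/* What the "PEB" hiding option must achieve: restore the non-debugged values. */
void peb_hide_debugger(ModelPeb *peb) {
    peb->BeingDebugged = 0;
    peb->NtGlobalFlag &= ~NTGLOBALFLAG_DEBUG_MASK;
    peb->ProcessHeap->Flags &= ~HEAP_DEBUG_FLAGS;   /* keeps HEAP_GROWABLE */
    peb->ProcessHeap->ForceFlags = 0;
}

/* Constructed sample: a PEB as it looks for a process started under a debugger. */
ModelPeb make_debugged_peb(ModelHeap *heap) {
    heap->Flags = HEAP_GROWABLE | HEAP_DEBUG_FLAGS;   /* 0x40000062 */
    heap->ForceFlags = HEAP_DEBUG_FLAGS;              /* 0x40000060 */
    ModelPeb peb = { 1, NTGLOBALFLAG_DEBUG_MASK, heap };
    return peb;
}
```
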
m4n0w4r

Does anyone know how to install ScyllaHide to IDA 7.0?
I tried many times but it doesn't seem to work:
I downloaded the latest version from here:
https://bitbucket.org/NtQuery/scyllahide/downloads/ida_pro_7_pre_release1.rar
But once loaded into IDA I get this:
"C:\Program Files\IDA 7.0\plugins\HookLibraryx64.dll: incompatible plugin version, skipped"
Is there any other (against anti-debugging tricks) for IDA 7.0?
Thanks in advance

Try this link: https://github.com/vdisasm/ScyllaHideForIda7