Want to Join Us ?

you'll be able to discuss, share and send private messages.

Release ScullaHide

Discussion in 'Plugins' started by storm shadow, Apr 25, 2014.

Share This Page

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks
    various functions in usermode to hide debugging. This will stay usermode!
    For kernelmode hooks use TitanHide.

    Source code license:
    GNU General Public License v3 https://www.gnu.org/licenses/gpl-3.0.en.html

    ------------------------------------------------------

    Debugger Hiding:
    - PEB - BeingDebugged, NtGlobalFlag, Heap Flags
    - NtSetInformationThread - ThreadHideFromDebugger
    - NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
    - NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
    - NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
    - NtYieldExecution
    - NtSetDebugFilterState
    - NtUserBuildHwndList - EnumWindows
    - NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W
    - NtUserQueryWindow
    - NtClose
    - NtCreateThreadEx
    - GetTickCount
    - BlockInput
    - OutputDebugStringA - OutputDebugStringW

    Special functions:
    - Prevent Thread creation - for protectors like Execryptor. Only use if you know what you are doing !

    Protecting and Stealthing DRx (Hardware Breakpoints):
    - NtGetContextThread
    - NtSetContextThread
    - KiUserExceptionDispatcher (only x86)
    - NtContinue (only x86)

    Hooks:
    - Stealth hooks for 32-bit targets (Tested against Themida/VMProtect)

    Plugin specific:
    Olly1&2:
    - Change Olly title
    - Resume/Suspend all Threads in Thread window
    - DLL injection (stealth / normal)
    Olly1:
    - Fix PE-Bugs
    - Fix FPU Bug
    - x64 compatibility mode
    - Remove EP-Break
    - Break on TLS

    ------------------------------------------------------

    Usage standalone (debugger-independent):
    InjectorCLI.exe <process name> <HookLibrary.dll path>

    For example:
    InjectorCLI.exe crackme.exe C:\HookLibrary.dll

    ------------------------------------------------------

    Plugins:
    - for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
    (can be combined with TitanHide which does kernelmode hiding)
    - for OllyDbg v1.10: Copy HookLibraryx86.dll and ScyllaHideOlly1.dll to your plugins directoy
    - for OllyDbg v2.01: Copy HookLibraryx86.dll and ScyllaHideOlly2.dll to your plugins directoy

    ------------------------------------------------------

    Special thanks to:

    - What for his POISON Assembler source code https://tuts4you.com/download.php?view.2281
    - waliedassar for his blog posts http://waleedassar.blogspot.de
    - Peter Ferrie for his PDFs http://pferrie.host22.com

    ------------------------------------------------------
    ToDo:
    - x64 Exception Support

    ------------------------------------------------------

    NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll
    or the following hooks will not work:
    NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

    Info about NtApiCollection.ini:
    Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get
    the function adresses from another source. The other source is the PDB file.
    The adresses can be resolved with this tool: https://bitbucket.org/NtQuery/pdb-getprocaddress
    It will download the PDB file from the Microsoft server to resolve the missing function adresses.
    Binaries: https://bitbucket.org/NtQuery/scyllahide/downloads/NtApiTool.rar
    https://bitbucket.org/NtQuery/scyllahide/downloads/scyllahide_IDA_PRO.rar
    Sourcehttps://forum.tuts4you.com
     
    Rip Cord likes this.
  2. Nihilus

    Well-Known Member Developer

    Something for me to fork :)
    A pity it is closed source. So I won't fork it then.
     
  3. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

  4. samoray

    Active Member

    Does anyone know how to install ScyllaHide to IDA 7.0 ?
    I tried many times but it doesnt seem to work:
    I downloaded the latest version from here:
    https://bitbucket.org/NtQuery/scyllahide/downloads/ida_pro_7_pre_release1.rar
    But once loaded into IDA I get this:
    "C:\Program Files\IDA 7.0\plugins\HookLibraryx64.dll: incompatible plugin version, skipped"
    Is there any other (against anti-debugging tricks) for IDA 7.0 ?
    Thanks in advance
     
  5. m4n0w4r

    Well-Known Member

    Try this link: https://github.com/vdisasm/ScyllaHideForIda7
     
    storm shadow, Rip Cord and samoray like this.
  6. samoray

    Active Member

    It seems to be working Thank you:)
     
Top