eXeL@B —› Software, tools —› ScyllaHide Anti-Anti-Debug plugin for Olly1&2 and TitanEngine

Rank: 12.3 (newbie)
Status: Member

Created: 10 April 2014 18:18 · Edited: 12 May 2016 11:22 cypherpunk
Quote · Private message · #1

Current version: https://ci.appveyor.com/project/mrexodia/scyllahide/build/artifacts

Hi again,

Together with Aguila, the guy behind Scylla, we made a new hiding plugin for Olly1&2, TitanEngine and IDA Pro 6.x.

----------------------------------------------------------
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks
various functions in usermode to hide debugging. This will stay usermode!
For kernelmode hooks use TitanHide.

ScyllaHide is tested to work with VMProtect, Themida, Armadillo, Execryptor and Obsidium.
If you find any protector that still detects the debugger, please tell us.

Source code license:
GNU General Public License v3 https://www.gnu.org/licenses/gpl-3.0.en.html

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation, ProcessBreakOnTermination, ProcessHandleTracing
- NtSetInformationProcess - ProcessBreakOnTermination, ProcessHandleTracing
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList - EnumWindows
- NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W
- NtUserQueryWindow
- NtClose
- NtCreateThreadEx
- BlockInput
- Remove Debug Privileges
- OutputDebugStringA - OutputDebugStringW

Timing Hooks:
- GetTickCount
- GetTickCount64
- GetLocalTime
- GetSystemTime
- NtQuerySystemTime
- NtQueryPerformanceCounter

Special functions:
- Prevent thread creation - for protectors like Execryptor. Only use if you know what you are doing!
- Malware RUNPE Unpacker - Hooks NtResumeThread and terminates + dumps the process created by malware
- Kill Anti-Attach

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

Hooks:
- Stealth hooks for 32-bit targets (Tested against Themida/VMProtect)

Plugin specific:
- Update-Check
IDA:
- DLL injection (stealth / normal)
- IDA 64bit plugin
- IDA 32/64bit remote server
Olly1&2:
- Change Olly title
- Resume/Suspend all Threads in Thread window
- DLL injection (stealth / normal)
Olly1:
- Fix PE-Bugs
- Fix FPU Bug
- x64 compatibility mode
- Remove EP-Break
- Break on TLS
- Skip "EP outside code" message
- Advanced CTRL+G
- Skip "compressed code" message
- Ignore bad PE image (WinUPack)
- Skip "Load DLL" message

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibraryx86.dll and ScyllaHideOlly1.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibraryx86.dll and ScyllaHideOlly2.dll to your plugins directory
- for IDA v6 32bit: Copy HookLibraryx86.dll, NtApiCollection.ini and ScyllaHideIDA.plw to your plugins directory
- for IDA v6 64bit: Copy ScyllaHideIDA.p64, NtApiCollection.ini, ScyllaHideIDASrvx64.exe and HookLibraryx64.dll to your plugins directory
- for x64dbg 32bit: Copy HookLibraryx86.dll, NtApiCollection.ini and ScyllaHideX64DBGPlugin.dp32 to your plugins directory
- for x64dbg 64bit: Copy HookLibraryx64.dll, NtApiCollection.ini and ScyllaHideX64DBGPlugin.dp64 to your plugins directory

ini Note:
The default ini contains settings for these protectors:
- VMProtect x86/x64
- Obsidium x86
- Themida x86
- Armadillo x86

Feel free to contribute settings for other protectors!

IDA Note:
- Start ScyllaHideIDASrvx64.exe to debug 64bit applications
- Start ScyllaHideIDASrvx86.exe to debug 32bit applications remotely

Commandline: ScyllaHideIDASrvxXX.exe <port>

ScyllaHideIDASrv Note:
- Server needs HookLibraryxXX.dll and NtApiCollection.ini

------------------------------------------------------

Special thanks to:

- What for his POISON Assembler source code https://tuts4you.com/download.php?view.2281
- waliedassar for his blog posts http://waleedassar.blogspot.de
- Peter Ferrie for his PDFs http://pferrie.host22.com
- MaRKuS-DJM for OllyAdvanced assembler source code

------------------------------------------------------

ToDo:
- x64 Exception Support

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll
or the following hooks will not work:
NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get
the function addresses from another source. The other source is the PDB file.
The addresses can be resolved with this tool: https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function addresses.
Binaries: https://bitbucket.org/NtQuery/scyllahide/downloads/NtApiTool.rar

Get ScyllaHide here: https://bitbucket.org/NtQuery/scyllahide/downloads or here http://scyllahide.tk

| Found useful by: ajax, deniskore, UniSoft, SReg, Gideon Vi, Alinator3500, plutos, alt76, jeep, gloom
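The post above lists which usermode checks the plugin hides but not what those checks look like from the protected program's side. The following is an added example (written for this page, not code from ScyllaHide or from the poster) that implements the PEB checks from the "Debugger Hiding" list (BeingDebugged, NtGlobalFlag, heap Flags/ForceFlags) plus the NtQueryInformationProcess ProcessDebugPort/ProcessDebugFlags queries and a DRx read, so you can run it under Olly/x64dbg with and without the plugin and see each check flip. The PEB and _HEAP field offsets, the flag values and the information-class numbers are assumed from the documented Vista+ layouts, not taken from the post; the decision logic is kept portable and only the live reads need Windows.

```c
/*
 * Added example, not part of ScyllaHide. Reproduces the usermode anti-debug
 * checks that the plugin's PEB / NtQueryInformationProcess / DRx hooks defeat.
 * Offsets and constants below are assumed Vista+ values (x86 and x64).
 */
#include <stdint.h>
#include <stdio.h>

/* NtGlobalFlag bits a debugger-created process gets (0x70 together). */
#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40u
#define DEBUG_GLOBAL_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* _HEAP.Flags / ForceFlags bits: a clean heap is just HEAP_GROWABLE (0x2). */
#define HEAP_TAIL_CHECKING_ENABLED        0x00000020u
#define HEAP_FREE_CHECKING_ENABLED        0x00000040u
#define HEAP_VALIDATE_PARAMETERS_ENABLED  0x40000000u
#define DEBUG_HEAP_FLAGS (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED)

/* Which check fired (bit set). */
enum { DBG_BEING_DEBUGGED = 1, DBG_NTGLOBALFLAG = 2, DBG_HEAP_FLAGS = 4, DBG_HEAP_FORCEFLAGS = 8 };

struct peb_snapshot {
    uint8_t  being_debugged;   /* PEB+0x02 */
    uint32_t nt_global_flag;   /* PEB+0x68 (x86) / PEB+0xBC (x64) */
    uint32_t heap_flags;       /* ProcessHeap+0x40 (x86) / +0x70 (x64) */
    uint32_t heap_force_flags; /* ProcessHeap+0x44 (x86) / +0x74 (x64) */
};

/* Portable decision logic: the tests a protector applies to the raw fields. */
unsigned evaluate_peb_checks(const struct peb_snapshot *s)
{
    unsigned hits = 0;
    if (s->being_debugged)                    hits |= DBG_BEING_DEBUGGED;
    if (s->nt_global_flag & DEBUG_GLOBAL_FLAGS) hits |= DBG_NTGLOBALFLAG;
    if (s->heap_flags & DEBUG_HEAP_FLAGS)     hits |= DBG_HEAP_FLAGS;
    if (s->heap_force_flags != 0)             hits |= DBG_HEAP_FORCEFLAGS;
    return hits;
}

/* Convenience wrapper so the checks can be exercised with constructed values. */
unsigned check_values(uint8_t bd, uint32_t ngf, uint32_t hf, uint32_t hff)
{
    struct peb_snapshot s = { bd, ngf, hf, hff };
    return evaluate_peb_checks(&s);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* Read the four PEB/heap fields from the live process. */
struct peb_snapshot snapshot_live_peb(void)
{
    struct peb_snapshot s = {0};
    uint8_t *peb = (uint8_t *)NtCurrentTeb()->ProcessEnvironmentBlock;
#ifdef _WIN64
    uint8_t *heap = *(uint8_t **)(peb + 0x30);
    s.nt_global_flag   = *(uint32_t *)(peb + 0xBC);
    s.heap_flags       = *(uint32_t *)(heap + 0x70);
    s.heap_force_flags = *(uint32_t *)(heap + 0x74);
#else
    uint8_t *heap = *(uint8_t **)(peb + 0x18);
    s.nt_global_flag   = *(uint32_t *)(peb + 0x68);
    s.heap_flags       = *(uint32_t *)(heap + 0x40);
    s.heap_force_flags = *(uint32_t *)(heap + 0x44);
#endif
    s.being_debugged = peb[2];
    return s;
}

/* ProcessDebugPort (7) is non-zero and ProcessDebugFlags (0x1F) is 0 under a debugger. */
typedef NTSTATUS (NTAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
int query_debug_port_and_flags(int *port_set, int *flags_cleared)
{
    NtQIP_t fn = (NtQIP_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    if (!fn) return 0;
    ULONG_PTR port = 0; ULONG flags = 1;
    fn(GetCurrentProcess(), 7,    &port,  sizeof port,  NULL);
    fn(GetCurrentProcess(), 0x1F, &flags, sizeof flags, NULL);
    *port_set = (port != 0);
    *flags_cleared = (flags == 0);
    return 1;
}

/* Hardware breakpoints: any of Dr0-Dr3 set is what the DRx hooks hide. */
int hardware_breakpoints_set(void)
{
    CONTEXT ctx; ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(GetCurrentThread(), &ctx)) return 0;
    return (ctx.Dr0 | ctx.Dr1 | ctx.Dr2 | ctx.Dr3) != 0;
}
#endif

int main(void)
{
#ifdef _WIN32
    struct peb_snapshot s = snapshot_live_peb();
    int port = 0, flags = 0;
    query_debug_port_and_flags(&port, &flags);
    printf("PEB hits=0x%x DebugPort=%d DebugFlags=%d DRx=%d\n",
           evaluate_peb_checks(&s), port, flags, hardware_breakpoints_set());
#else
    puts("Live reads need Windows; only the decision logic is compiled here.");
#endif
    return 0;
}
```

Run it once under the debugger with HookLibrary not loaded and once with ScyllaHide active: without the plugin the PEB hit mask is 0xF and both NtQueryInformationProcess answers report a debugger; with it, every value should match a plain run. A protector that still flags you after that is using something outside this list, which is what the "please tell us" request above is asking for.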


Rank: 12.3 (newbie)
Status: Member

Created: 28 August 2014 01:09
Quote · Private message · #2

Since we aim to unify and replace the good old plugins phantOm, StrongOD and OllyAdvanced with one open-source plugin:

Are there any features of theirs you still miss in ScyllaHide? Features you really use and don't want to miss?


Rank: 206.8 (mentor)
Status: Member
radical

Created: 28 August 2014 12:21
Quote · Private message · #3

cypherpunk
There is one nice feature for me in StrongOD: nopping with the Del key, and nopping the specified number of bytes using the 1-9 keys.


Rank: 630.4 (!)
Status: Member
CyberMonk

Created: 12 May 2016 00:27
Quote · Private message · #4

The plugin has been updated many times already, but nobody posts it anywhere in binary form?!

| Found useful by: plutos



Rank: 990.3 (! ! !)
Status: Moderator
Author of DiE

Created: 12 May 2016 11:22
Quote · Private message · #5

mak

https://ci.appveyor.com/project/mrexodia/scyllahide/build/artifacts

| Found useful by: mak, plutos
