Актуальная версия: https://ci.appveyor.com/project/mrexodia/scyllahide/build/artifacts

Hi again,

together with Aguila, guy behind Scylla, we made a new Hiding plugin for Olly1&2, TitanEngine and IDA Pro 6.x

----------------------------------------------------------
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks
various functions in usermode to hide debugging. This will stay usermode!
For kernelmode hooks use TitanHide.

ScyllaHide is tested to work with VMProtect, Themida, Armadillo, Execryptor, Obsidium
If you find any protector that still detects debugger, please tell us.

Source code license:
GNU General Public License v3 https://www.gnu.org/licenses/gpl-3.0.en.html

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation, ProcessBreakOnTermination, ProcessHandleTracing
- NtSetInformationProcess - ProcessBreakOnTermination, ProcessHandleTracing
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList - EnumWindows
- NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W
- NtUserQueryWindow
- NtClose
- NtCreateThreadEx
- BlockInput
- Remove Debug Privileges
- OutputDebugStringA - OutputDebugStringW

Timing Hooks:
- GetTickCount
- GetTickCount64
- GetLocalTime
- GetSystemTime
- NtQuerySystemTimeHook
- NtQueryPerformanceCounter

Special functions:
- Prevent Thread creation - for protectors like Execryptor. Only use if you know what you are doing !
- Malware RUNPE Unpacker - Hooks NtResumeThread and terminates + dumps the process created by malware
- Kill Anti-Attach

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

Hooks:
- Stealth hooks for 32-bit targets (Tested against Themida/VMProtect)

Plugin specific:
- Update-Check
IDA:
- DLL injection (stealth / normal)
- IDA 64bit plugin
- IDA 32/64bit remote server
Olly1&2:
- Change Olly title
- Resume/Suspend all Threads in Thread window
- DLL injection (stealth / normal)
Olly1:
- Fix PE-Bugs
- Fix FPU Bug
- x64 compatibility mode
- Remove EP-Break
- Break on TLS
- Skip "EP outside code" message
- Advanced CTRL+G
- Skip "compressed code" message
- Ignore bad PE image (WinUPack)
- Skip "Load DLL" message

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibraryx86.dll and ScyllaHideOlly1.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibraryx86.dll and ScyllaHideOlly2.dll to your plugins directory
- for IDA v6 32bit: Copy HookLibraryx86.dll, NtApiCollection.ini and ScyllaHideIDA.plw to your plugins directory
- for IDA v6 64bit: Copy ScyllaHideIDA.p64, NtApiCollection.ini, ScyllaHideIDASrvx64.exe and HookLibraryx64.dll to your plugins directory
- for x64dbg 32bit: Copy HookLibraryx86.dll, NtApiCollection.ini and ScyllaHideX64DBGPlugin.dp32 to your plugins directory
- for x64dbg 64bit: Copy HookLibraryx64.dll, NtApiCollection.ini and ScyllaHideX64DBGPlugin.dp64 to your plugins directory

ini Note:
The default ini contains settings for this protectors:
- VMProtect x86/x64
- Obsidium x86
- Themida x86
- Armadillo x86

Feel free to contribute settings for other protectors!

IDA Note:
- Start ScyllaHideIDASrvx64.exe to debug 64bit applications
- Start ScyllaHideIDASrvx86.exe to debug remotely 32bit applications

Commandline: ScyllaHideIDASrvxXX.exe <port>

ScyllaHideIDASrv Note:
- Server needs HookLibraryxXX.dll and NtApiCollection.ini

------------------------------------------------------

Special thanks to:

- What for his POISON Assembler source code https://tuts4you.com/download.php?view.2281
- waliedassar for his blog posts http://waleedassar.blogspot.de
- Peter Ferrie for his PDFs http://pferrie.host22.com
- MaRKuS-DJM for OllyAdvanced assembler source code

------------------------------------------------------

ToDo:
- x64 Exception Support

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll
or the following hooks will not work:
NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get
the function adresses from another source. The other source is the PDB file.
The adresses can be resolved with this tool: https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function adresses.
Binaries: https://bitbucket.org/NtQuery/scyllahide/downloads/NtApiTool.rar

Get ScyllaHide here: https://bitbucket.org/NtQuery/scyllahide/downloads or here http://scyllahide.tk

| Сообщение посчитали полезным: ajax, deniskore, UniSoft, SReg, Gideon Vi, Alinator3500, plutos, alt76, jeep, gloom

Second attachement for first post

http://rghost.net/53950505 NtApiTool.rar (cant attach 1mb file)

| Сообщение посчитали полезным:

Thanks, please update bitbucket link, url is not valid.

| Сообщение посчитали полезным:

какой же это open-source если source вовсе не open?

| Сообщение посчитали полезным: Dr0p

@deniskore thx. link updated. but you can simply grab the NtApiTool.rar its the binaries. Link only points to the source. And its not interesting (not the actual hiding code)

@Unisoft we will release the source somewhen in the near future but first wanna get some feedback and fix bugs that may still arise although we tested everything

| Сообщение посчитали полезным:

- added "change olly title" option to Olly1 plugin
- added "Remove EP break" to Olly1 plugin.

Now it runs VMProtect targets in a "virgin" Olly with only ScyllaHide !

Notes on VMP targets:

- set olly to break on system bp
- set ScyllaHide with at least these options: PEB, NtClose, NtQueryInformationProcess

| Сообщение посчитали полезным:

- added "Olly title" option to Olly2 plugin

59f0_11.04.2014_EXELAB.rU.tgz - ScyllaHide_Olly2_v0.1a.rar

| Сообщение посчитали полезным:

cypherpunk
Really good work, tested with the one of the latest VMP protected target ! (with strongOD and phantom program detected debugger).

-----
ds

| Сообщение посчитали полезным:

Обновлена до 02, http://forum.exetools.com/showpost.php?p=90799&postcount=10

-----
...или ты работаешь хорошо, или ты работаешь много...

| Сообщение посчитали полезным:

Залейте...

| Сообщение посчитали полезным:

community is fast but anyways "officially" by me:

Version 0.2 is out

Warning: Since this version, ScyllaHide is not compatible with Stealth64! You need to remove the Stealth64 plugin.

- Stealth hooks for 32-bit targets to defeat protectors like Themida
- Olly Plugins: Change olly caption
- Olly v1 Plugin: Remove EP One-Shot Breakpoint for VMProtect

Upcoming features:
- Fix Olly1 PE bugs, like strongOD does
- Your feature request?

Tell us what you like to have integrated to make this plugin awesome!
We are trying to combine all great features of other plugins into one !

| Сообщение посчитали полезным: TryAga1n, SReg, elch, Gideon Vi, alt76, nocser6

по мойму до уровня OllyExt еще не дотягивает..

| Сообщение посчитали полезным:

Всеравно палит Ollydbg Обсидиум 1.5.

| Сообщение посчитали полезным:

apc пишет:
Всеравно палит Ollydbg Обсидиум 1.5

отключи Protecting and Stealthing DRx

sendersu пишет:
по мойму до уровня OllyExt еще не дотягивает..

Информативно. Напиши, чего не хватает - cypherpunk сам об этом просит.

| Сообщение посчитали полезным:

Gideon Vi пишет:

отключи Protecting and Stealthing DRx
Даже не включал

| Сообщение посчитали полезным:

cypherpunk
the ida (32&64) plugins will be very appreciated!

ps: or to do it for any custom unpacker/tracer engine. should be very nice

-----
От многой мудрости много скорби, и умножающий знание умножает печаль

| Сообщение посчитали полезным:

here comes

Version 0.3

- Fix for Olly plugins caption reset
- Fix STARTUPINFO structure, GetStartupInfoA/W
- Resume/Suspend all Threads in Thread window
- x64 compatibility mode for Olly1
- fix PE-Bugs for Olly1
- fix FPU-Bug for Olly1
- split "Protect DRx" into its options (ini option ProtectDRx now deprecated)
- Fix PEB Patch bug, now Themida works on WinXP


and its open-source now ! https://bitbucket.org/NtQuery/scyllahide

@ajax yup we also thought about IDA. I'll have a look at the plugin SDK

| Сообщение посчитали полезным: SReg, ajax, Jaa, v00doo, Gideon Vi

ajax пишет:
ps: or to do it for any custom unpacker/tracer engine. should be very nice

for a random engine you can use the ScyllaHide InjectorCLI to inject into a random process when the engine stops it at EP or systembp.
or
TitanHide (driver / kernelmode) which works for every PID you set with TitanHide GUI

| Сообщение посчитали полезным:

cypherpunk пишет:
@ajax yup we also thought about IDA. I'll have a look at the plugin SDK

Does anyone have the IDA 6.1 plugin SDK documents ? I only have headers/samples but no SDK documentation

| Сообщение посчитали полезным:

Some info about writing plugins:
http://www.binarypool.com/idapluginwriting/

| Сообщение посчитали полезным: cypherpunk

cypherpunk пишет:
for a random engine you can use the ScyllaHide InjectorCLI
yes, i saw it during today's night. looked a bit, my be something misunderstood, like - how to set required options, etc?
or TitanHide (driver / kernelmode) which works for every PID you set with TitanHide GUI
no, thanks

-----
От многой мудрости много скорби, и умножающий знание умножает печаль

| Сообщение посчитали полезным:

@TryAga1n thx. the linked PDF in that article looks good

@ajax the InjectorCLI reads scylla_hide.ini and creates it with all options enabled if it doesnt find that file

| Сообщение посчитали полезным:

cypherpunk
gimme the keys (manual) and i'll be "touch" this world

-----
От многой мудрости много скорби, и умножающий знание умножает печаль

| Сообщение посчитали полезным:

Version 0.4

- Olly v1/v2 Plugins: Apply hooks without restarting
- Olly v1 Plugin: Added "Break on TLS"

https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.4.rar

| Сообщение посчитали полезным: SReg

Код исходный так понимаю придётся получить методом ресерча ?

| Сообщение посчитали полезным:

--> Source <--
Не?

-----
One death is a tragedy, one million is a statistic.

| Сообщение посчитали полезным: Dr0p

Процедуры не защищены от фолтов, тоесть никакой валидации аргументов нет. Частично проверка проходит в сервисах, но не везде. Допустим NtGetContextThread с не валидной ссылкой приведёт к #AV. Слетит походу всё, ядро же фолт не развернёт, просто вернув статус.

| Сообщение посчитали полезным:

Version 0.5

- NtCreateThreadEx hook
- Prevent Thread creation
(special hook for some protectors like Execryptor. Only use this if you know what you do)
- Split Hide PEB into 4 options (ini option PEB now deprecated)
- Inject DLL option added (2 methods)
- Replaced Olly2 dialog
- Improved "Break on TLS"

https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.5.rar

-----
...или ты работаешь хорошо, или ты работаешь много...

| Сообщение посчитали полезным: v00doo

Version 0.5a

- critical bug fixed where some hooks didnt work

https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v0.5a.rar

| Сообщение посчитали полезным: SReg, v00doo

ajax
https://bitbucket.org/NtQuery/scyllahide/downloads/scyllahide_IDA_PRO.rar

| Сообщение посчитали полезным: ajax