ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.

ScyllaHide is tested to work with VMProtect, Themida, Armadillo, Execryptor and Obsidium. If you find any protector that still detects the debugger, please tell us.

Source code license: GNU General Public License v3
https://www.gnu.org/licenses/gpl-3.0.en.html

------------------------------------------------------

Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation, ProcessBreakOnTermination, ProcessHandleTracing
- NtSetInformationProcess - ProcessBreakOnTermination, ProcessHandleTracing
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList - EnumWindows
- NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W
- NtUserQueryWindow
- NtClose
- NtCreateThreadEx
- BlockInput
- Remove Debug Privileges
- OutputDebugStringA
- OutputDebugStringW

Timing Hooks:
- GetTickCount
- GetTickCount64
- GetLocalTime
- GetSystemTime
- NtQuerySystemTimeHook
- NtQueryPerformanceCounter

Special functions:
- Prevent Thread creation - for protectors like Execryptor. Only use if you know what you are doing!
- Malware RUNPE Unpacker - Hooks NtResumeThread and terminates + dumps the process created by malware
- Kill Anti-Attach

Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)

Hooks:
- Stealth hooks for 32-bit targets (Tested against Themida/VMProtect)

Plugin specific:
- Update-Check

IDA:
- DLL injection (stealth / normal)
- IDA 64bit plugin
- IDA 32/64bit remote server

Olly1&2:
- Change Olly title
- Resume/Suspend all Threads in Thread window
- DLL injection (stealth / normal)

Olly1:
- Fix PE-Bugs
- Fix FPU Bug
- x64 compatibility mode
- Remove EP-Break
- Break on TLS
- Skip "EP outside code" message
- Advanced CTRL+G
- Skip "compressed code" message
- Ignore bad PE image (WinUPack)
- Skip "Load DLL" message

------------------------------------------------------

Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>

For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll

------------------------------------------------------

Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\ (can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibraryx86.dll and ScyllaHideOlly1.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibraryx86.dll and ScyllaHideOlly2.dll to your plugins directory
- for IDA v6 32bit: Copy HookLibraryx86.dll, NtApiCollection.ini, ScyllaHideIDASrvx86.exe and ScyllaHideIDA.plw to your plugins directory
- for IDA v6 64bit: Copy ScyllaHideIDA.p64, NtApiCollection.ini, ScyllaHideIDASrvx64.exe and HookLibraryx64.dll to your plugins directory
- for x64dbg 32bit: Copy HookLibraryx86.dll, NtApiCollection.ini and ScyllaHideX64DBGPlugin.dp32 to your plugins directory
- for x64dbg 64bit: Copy HookLibraryx64.dll, NtApiCollection.ini and ScyllaHideX64DBGPlugin.dp64 to your plugins directory

ini Note:
The default ini contains settings for these protectors:
- VMProtect x86/x64
- Obsidium x86
- Themida x86
- Armadillo x86
Feel free to contribute settings for other protectors!

IDA Note:
- Start ScyllaHideIDASrvx64.exe to debug 64bit applications
- Start ScyllaHideIDASrvx86.exe to debug 32bit applications remotely
Commandline: ScyllaHideIDASrvxXX.exe <port>

ScyllaHideIDASrv Note:
- The server needs HookLibraryxXX.dll and NtApiCollection.ini

------------------------------------------------------

Special thanks to:
- What for his POISON Assembler source code https://tuts4you.com/download.php?view.2281
- waliedassar for his blog posts http://waleedassar.blogspot.de
- Peter Ferrie for his PDFs http://pferrie.host22.com
- MaRKuS-DJM for OllyAdvanced assembler source code
- MS Spy++ style Window Finder http://www.codeproject.com/Articles/1698/MS-Spy-style-Window-Finder

------------------------------------------------------

ToDo:
- x64 Exception Support

------------------------------------------------------

NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx

Info about NtApiCollection.ini:
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function addresses from another source. The other source is the PDB file. The addresses can be resolved with this tool: https://bitbucket.org/NtQuery/pdb-getprocaddress
It will download the PDB file from the Microsoft server to resolve the missing function addresses.
Binaries: https://bitbucket.org/NtQuery/scyllahide/downloads/NtApiTool.rar
hexrays_tools
IDA_Signsrch
IDA Signsrch
IDA-IDC-Scripts
Various IDC-scripts I've collected during the years.
idastealth
IDA_ClassInformer
IDA ClassInformer PlugIn
GUID-Finder
IDASimulator
IDASimulator is a plugin that extends IDA's conditional breakpoint support, making it easy to augment / replace complex executable code inside a debugged process with Python code. Specifically, IDASimulator makes use of conditional breakpoints in the IDA debugger to hijack the execution flow of a process and invoke Python handler functions whenever particular code blocks are executed. With support for multiple target architectures, it handles details such as register initialization, memory allocation, pointers, function arguments and return values seamlessly and transparently, making it easy to replace, modify and subvert existing functionality (or lack thereof) in the target process. IDASimulator also includes the IDASim python module, on which IDASimulator is based. This allows for all of the features of IDASimulator to be integrated into more complex IDAPython scripts. IDASimulator currently supports the x86, x86_64, ARM and MIPS32 architectures. Porting to other architectures is very easy.
ida-pro-swf
IDA_FunctionStringAssociate_PlugIn
IDA FunctionStringAssociate PlugIn
idascope
IDA_COM_Plugin
Fast_IDB2Sig_and_LoadMap_IDA_plugins
optimice
arm-thumb-decompiler-plugin
IDA_Extrapass
IDA ExtraPass PlugIn
idapathfinder
IndirectCalls
detpdb
desquirr
idatools
Tools for IDA
IDAProBoschME7
Siemens Bosch ME7.x Disassembler Helper for IDA Pro
ida-x86emu-QT
bios_parse
PPCAltivec
idaplugs
Plugins for IDA Pro by servil
uberstealth
IDA2PAT_Reloaded
turbodiff
CommentViewer
patchdiff3
Continuation of the popular patchdiff IDA plugin
RECPP
RECPP is an IDA plugin / API for reversing C++ applications based on Igor Skochinsky's articles and scripts (http://www.openrce.org/articles/full_view/21)
idastruct
jeb2-plugin-macho
Mach-O Object Plugin for JEB2 https://www.pnfsoftware.com
HeapTracer
ida-libbfd-loader
IDA Pro libbfd based loader for misc formats that IDA cannot handle, like IRIX ECOFF etc.
bflt-utils
ida-plugins-collection
ida-unicode-string-convert
WhatAPIs
IDA WhatAPIs PlugIn
ida-sync-plugin
ida-pro-plugin-wizard-for-vs2013
StructDump
axis-cris-idp
IDA Pro CPU plugin for the AXIS CRIS architecture
arm-helper
IDA-CC
http://forum.exetools.com/showthread.php?t=13569&page=3
idainject
binarydiffer
garmin-ida-loader
processstalker
Cypress-M8-IDA-Processor-Module
analyzecore
IDA-omf2pat
IDA FLAIR helpers for making .SIG files from Borland sources by servil
IDA-rails
IDA-pinlog
findStrcpy
fujitsu-fr30-idp
IDA Pro CPU plugin for the Fujitsu FR30 architecture
cyrplw
findMemcpy
bignum-dumper
findMalloc
get-asm-code
Automated-Generic-Function-Naming
MIPSJT
MIPS JT fixup for IDA PRO
rsrcExtractor
IdaThingy
ppc2
krypton
gerbay1
ida-dbdump
tree-cbass
ida-x86emu
IDAWinHelpViewer
depload
ppchelper
ida_objectivec_plugins
IDA_MarkRefCnt
IDA MarkRefCount PlugIn
idaplugininfo
This is a little utility to dump information about installed IDA Pro plugins: the key parts of the "plugin_t" struct data each IDA plugin exports.
REDB
IDA_WaitBoxEx
IDA WaitBoxEx
CopyAndPast
Binary Copy and Paste
idaocaml
idapatchwork
https://bitbucket.org/daniel_plohmann/idapatchwork
ncoverage
ida_load_all_dump_load
IDA-auto-declaration
IDA PRO plugin for automatic type declaration like char, byte, float, double, wchar etc...
vctaxo
malflare
ParseBinTree
Takes IDA PRO memory lines and prints binary tree nodes.
IDACSharp
C# 'Scripts' for IDA 6.6+ based on https://idacsharp.codeplex.com/
mynav
wwcd2
IDA Pro What Would Capstone Decode by Stefan Esser
Hotch
rails
ida-vs2005templates
classinformer
https://sourceforge.net/projects/classinformer/ partially adapted for ida64
ida_plugin_depack_aplib_and_lzma
CLU
idastruct-1
Script helper in working with IDA structures
COSA-IDA
Comprehensive Static Analyzer For Android Application (COSA with IDA Pro)
lltd-osx
LLTD (LLD2D) for OS X