
ScyllaHide - Usermode Anti-Debugger 08-09-2020

ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library. It hooks various functions to hide debugging. This tool is intended to stay in user mode (ring 3). If you need kernel mode (ring 0) Anti-Anti-Debug, please see TitanHide. Forked from NtQuery/ScyllaHide.

ScyllaHide supports various debuggers through plugins (OllyDbg v1 and v2, IDA, x64dbg and TitanEngine; see the installation notes below).
PE x64 debugging is fully supported with plugins for x64dbg and IDA.

If you cannot attach a debugger, the first thing you should try is ScyllaHide; there is a good chance it will solve the issue with almost no work.

ScyllaHide makes it very easy to defeat boilerplate usermode anti-debug code: inject it, or use one of the plugins, and then attach a debugger. AAA games will have protection that regular ScyllaHide cannot bypass, because these companies know ScyllaHide is the first thing everyone tries.


Please note that ScyllaHide is not limited to these debuggers. You can use the standalone command line version of ScyllaHide. You can inject ScyllaHide into any process debugged by any debugger.

InjectorCLI.exe "process name" "HookLibrary.dll path" [nowait]
InjectorCLI.exe pid<process ID> "HookLibrary.dll path" [nowait]
For example: InjectorCLI.exe crackme.exe C:\HookLibrary.dll

The injector waits for a keystroke after injection by default. You can change this behaviour by passing "nowait" (without quotes) as the last parameter.

OllyDbg v1
Copy scylla_hide.ini, HookLibraryx86.dll and ScyllaHideOlly1.dll to your specific plugins directory.

OllyDbg v2
Copy scylla_hide.ini, HookLibraryx86.dll and ScyllaHideOlly2.dll to your specific plugins directory.

IDA
32-bit: Copy scylla_hide.ini, HookLibraryx86.dll and ScyllaHideIDA.plw to your IDA plugins directory.
64-bit: Copy scylla_hide.ini, HookLibraryx64.dll, ScyllaHideIDASrvx64.exe and ScyllaHideIDA.p64 to your IDA plugins directory.

Note: Start ScyllaHideIDASrvx64.exe to debug 64-bit applications remotely, and ScyllaHideIDASrvx86.exe to debug 32-bit applications remotely. Command line: ScyllaHideIDASrvxXX.exe <port>, for example ScyllaHideIDASrvxXX.exe 1345. ScyllaHideIDASrv needs HookLibraryxXX.dll next to it.

x64dbg
32-bit: Copy scylla_hide.ini, HookLibraryx86.dll and ScyllaHideX64DBGPlugin.dp32 to your \x32\plugins\ directory.
64-bit: Copy scylla_hide.ini, HookLibraryx64.dll and ScyllaHideX64DBGPlugin.dp64 to your \x64\plugins\ directory.

TitanEngine
32-bit: Copy scylla_hide.ini, HookLibraryx86.dll and ScyllaHideTEx86.dll to your \plugins\x86\ directory.
64-bit: Copy scylla_hide.ini, HookLibraryx64.dll and ScyllaHideTEx64.dll to your \plugins\x64\ directory.

Process Environment Block (PEB)
The most important anti-anti-debug option. Almost every protector checks PEB values. There are three important options and one minor one.

BeingDebugged: Very important option, should always be enabled. IsDebuggerPresent uses this value to check for debuggers.

NtGlobalFlag: Very important option, a lot of protectors check this value.

HeapFlags: Very important option. E.g. Themida checks for heap artifacts and heap flags.

StartupInfo: This is not really important, only a few protectors check for this. Maybe Enigma checks it.

The THREADINFOCLASS value ThreadHideFromDebugger (17) is a well-known anti-debug measure. The debugger cannot handle hidden threads, which leads to a loss of control over the target.

The PROCESSINFOCLASS value ProcessHandleTracing (32) can be used to detect a debugger. The PROCESSINFOCLASS value ProcessBreakOnTermination (29) can be used to generate a Blue Screen of Death on process termination. ScyllaHide protects from both. The function RtlSetProcessIsCritical from ntdll.dll uses ProcessBreakOnTermination internally.

The SYSTEM_INFORMATION_CLASS value SystemKernelDebuggerInformation (35) can be used to detect kernel debuggers. The SYSTEM_INFORMATION_CLASS value SystemProcessInformation (5) is used to get a process list. The debugger should be hidden from the process list, and the debuggee should have a plausible parent process ID, such as the ID of explorer.exe.

A very important option. Various PROCESSINFOCLASS values can be used to detect a debugger:

• ProcessDebugFlags (31): Should return 1 in the supplied buffer, unless this value was previously set to PROCESS_DEBUG_INHERIT (0x1), then 0.
• ProcessDebugPort (7): Should return 0 in the supplied buffer.
• ProcessDebugObjectHandle (30): Should write 0 to the supplied buffer, close the debug object handle, and return the error STATUS_PORT_NOT_SET (0xC0000353).
• ProcessBasicInformation (0): Reveals the parent process ID.
• ProcessBreakOnTermination (29): Please see NtSetInformationProcess in Section 3.1.3.
• ProcessHandleTracing (32): Please see NtSetInformationProcess in Section 3.1.3.

A lot of protectors use this function to detect debuggers. The Windows API CheckRemoteDebuggerPresent uses NtQueryInformationProcess with ProcessDebugPort internally.
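The PEB and NtQueryInformationProcess checks described above, as an added self-check (not ScyllaHide's own code): run it under a debugger with and without ScyllaHide to see which indicators the hooks hide. The live queries use ctypes and only run on Windows; interpret() is pure, so the expected clean and debugged values can be checked anywhere. The struct field name ParentProcessId and the PEB offsets (0x2 for BeingDebugged, 0x68/0xBC for NtGlobalFlag) are assumptions for current x86/x64 Windows.

```python
import ctypes
import sys

# PROCESSINFOCLASS values and the "clean" NTSTATUS quoted in the notes above
ProcessBasicInformation, ProcessDebugPort, ProcessDebugObjectHandle, ProcessDebugFlags = 0, 7, 30, 31
STATUS_PORT_NOT_SET = 0xC0000353
NTGLOBALFLAG_HEAP_DEBUG_BITS = 0x70   # heap tail check | free check | validate parameters
PEB_BEINGDEBUGGED = 0x2               # assumed PEB offsets; NtGlobalFlag differs x86/x64
PEB_NTGLOBALFLAG = 0xBC if ctypes.sizeof(ctypes.c_void_p) == 8 else 0x68

class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("ExitStatus", ctypes.c_long), ("PebBaseAddress", ctypes.c_void_p),
                ("AffinityMask", ctypes.c_size_t), ("BasePriority", ctypes.c_long),
                ("UniqueProcessId", ctypes.c_size_t), ("ParentProcessId", ctypes.c_size_t)]

def collect_raw():
    """Windows only: do the real PEB reads and NtQueryInformationProcess calls."""
    kernel32, ntdll = ctypes.WinDLL("kernel32"), ctypes.WinDLL("ntdll")
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    ntdll.NtQueryInformationProcess.restype = ctypes.c_ulong   # NTSTATUS as unsigned
    me = ctypes.c_void_p(kernel32.GetCurrentProcess())

    def query(cls, buf):   # returns the NTSTATUS; the answer is written into buf
        ret_len = ctypes.c_ulong(0)
        return ntdll.NtQueryInformationProcess(me, cls, ctypes.byref(buf),
                                               ctypes.sizeof(buf), ctypes.byref(ret_len))
    pbi = PROCESS_BASIC_INFORMATION()
    query(ProcessBasicInformation, pbi)
    port, flags, dbg_obj = ctypes.c_void_p(0), ctypes.c_ulong(0), ctypes.c_void_p(0)
    query(ProcessDebugPort, port)
    query(ProcessDebugFlags, flags)
    status = query(ProcessDebugObjectHandle, dbg_obj)
    if status == 0 and dbg_obj.value:   # a real debug object handle came back: close it
        kernel32.CloseHandle(dbg_obj)
    return {"BeingDebugged": ctypes.c_ubyte.from_address(pbi.PebBaseAddress + PEB_BEINGDEBUGGED).value,
            "NtGlobalFlag": ctypes.c_ulong.from_address(pbi.PebBaseAddress + PEB_NTGLOBALFLAG).value,
            "ProcessDebugPort": port.value or 0, "ProcessDebugFlags": flags.value,
            "ProcessDebugObjectHandle": status}

def interpret(raw):
    """Names of the indicators that point at a debugger; an empty list means clean."""
    checks = [("PEB.BeingDebugged", raw["BeingDebugged"] != 0),
              ("PEB.NtGlobalFlag", (raw["NtGlobalFlag"] & NTGLOBALFLAG_HEAP_DEBUG_BITS) != 0),
              ("ProcessDebugPort", raw["ProcessDebugPort"] != 0),
              ("ProcessDebugFlags", raw["ProcessDebugFlags"] == 0),   # a clean process gets 1
              ("ProcessDebugObjectHandle", raw["ProcessDebugObjectHandle"] != STATUS_PORT_NOT_SET)]
    return [name for name, hit in checks if hit]

if __name__ == "__main__" and sys.platform == "win32":
    print(interpret(collect_raw()) or "no user-mode debugger indicators seen")
```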

The OBJECT_INFORMATION_CLASS ObjectTypesInformation (3) and ObjectTypeInformation (2) can be used to detect debuggers. ScyllaHide filters DebugObject references.

A very unreliable anti-debug method. It is only used in some UnpackMes or in some proof-of-concept code. Only activate this option if you really need it; you will probably never need it. This function is used by the kernel32.dll SwitchToThread function.

Threads hidden from debuggers can be created with the special creation flag THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (4). ScyllaHide doesn't allow hidden threads. The anti-debug effect is similar to NtSetInformationThread with ThreadHideFromDebugger.

(deprecated since v1.3) OutputDebugStringW uses OutputDebugStringA internally, so hooking the ANSI version is enough. This is a very unreliable anti-debug method, so you will not need this option very often. The Listing shows the implementation of the function. Recent versions of ScyllaHide no longer need this hook, because they handle the DBG_PRINTEXCEPTION_C exception. See Section 3.1.19.

A very effective anti-debug method, used e.g. in Yoda's Protector. It "blocks keyboard and mouse input events from reaching applications."

This is a system call function in user32.dll. The Windows APIs FindWindowA/W and FindWindowExA/W call it internally. The debugger window will be hidden.

This is a system call function in user32.dll. The Windows APIs EnumWindows and EnumThreadWindows call it internally. The debugger window will be hidden.

This is a system call function in user32.dll. The Windows API GetWindowThreadProcessId calls it internally; see the Listing for the implementation. This is used to hide the debugger process.

ScyllaHide returns STATUS_ACCESS_DENIED unless the process has debug privileges enabled. If the process has debug privileges, ScyllaHide takes no action and returns success. This anti-debug measure isn't used very often; you will probably never need this option for a real-world target.

This is called with an invalid handle to detect a debugger. ScyllaHide calls NtQueryObject to check the validity of the handle first. A few protectors use this method.

Remove Debug Privileges
If a debugger creates the target process, the target may inherit debug privileges. This is an unreliable way to detect a debugger.

Hardware Breakpoint Protection (DRx)
Hardware breakpoints can be detected or cleared with exceptions or with the Windows APIs NtGetContextThread/NtSetContextThread. Enable this option only if you need it!

There are a few Windows APIs to measure time. Timing can be used to detect debuggers, because they slow down execution. Enable with care and only if you need it!

Raise Exception
It is possible to raise specific exceptions with various Windows API functions (e.g. RaiseException from kernel32.dll). The problem is that different debuggers swallow different exceptions, so the exception is never delivered back to the application. The application can detect a debugger if its exception handler is not triggered. Please see the Listing for example code.

Special Features

Prevent Thread Creation

This option prevents the creation of new threads. This can be useful if a protector uses a lot of protection threads, e.g. EXECryptor. Enable with care and only if you need it! You must know what you are doing here!

RunPE Unpacker
This option hooks NtResumeThread. If the malware creates a new process, ScyllaHide terminates and dumps the newly created process. If you are unpacking malware, enable it and try. It should only be used inside a virtual machine.

A typical RunPE workflow:

1. Create a new process of any target in suspended state (process creation flag CREATE_SUSPENDED: 0x00000004).
2. Replace the original process PE image with a new (malicious) PE image. This can involve several steps and various Windows API functions.
3. Start the process with the Windows API function ResumeThread (or NtResumeThread).
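The RunPE workflow above seen from the detection side, as an added example that is not part of ScyllaHide: a small matcher over a constructed API-call trace that flags a process created with CREATE_SUSPENDED, written to, and then resumed, while leaving a suspended-but-untouched process and a normally created one alone. The "Api(arg=value, ...)" trace format, the argument names and the use of raw ids in place of handles are all assumptions made for this example.

```python
import re

CREATE_SUSPENDED = 0x00000004

# Constructed API trace in a simple "Api(arg=value, ...)" form; not a real monitor's format.
# Process and thread handles are written as the raw ids they refer to, to keep the parser short.
TRACE = """\
CreateProcessW(lpApplicationName="C:\\target\\host.exe", dwCreationFlags=0x00000004, dwProcessId=4120, dwThreadId=4124)
WriteProcessMemory(hProcess=4120, lpBaseAddress=0x00400000, nSize=0x2a000)
NtResumeThread(hThread=4124)
CreateProcessW(lpApplicationName="C:\\target\\other.exe", dwCreationFlags=0x00000000, dwProcessId=5000, dwThreadId=5004)
ResumeThread(hThread=5004)
CreateProcessW(lpApplicationName="C:\\target\\third.exe", dwCreationFlags=0x00000004, dwProcessId=6000, dwThreadId=6004)
ResumeThread(hThread=6004)
"""

LINE_RE = re.compile(r'^(?P<api>\w+)\((?P<args>.*)\)$')
ARG_RE = re.compile(r'(\w+)=("([^"]*)"|[^,\s]+)')


def parse_line(line):
    """Split one trace line into (api name, {arg: value}); numeric values are converted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, {}
    args = {}
    for key, raw, quoted in ARG_RE.findall(m.group("args")):
        args[key] = quoted if raw.startswith('"') else int(raw, 0)
    return m.group("api"), args


def find_runpe(trace):
    """Return (pid, image) for suspended-created processes written to before being resumed."""
    suspended = {}   # pid -> {"image", "thread", "written"}
    findings = []
    for line in trace.splitlines():
        api, a = parse_line(line)
        if api is None:
            continue
        if api.startswith("CreateProcess") and a["dwCreationFlags"] & CREATE_SUSPENDED:
            suspended[a["dwProcessId"]] = {"image": a["lpApplicationName"],
                                           "thread": a["dwThreadId"], "written": False}
        elif api == "WriteProcessMemory" and a["hProcess"] in suspended:
            suspended[a["hProcess"]]["written"] = True   # step 2: image being replaced
        elif api in ("ResumeThread", "NtResumeThread"):   # step 3: the point ScyllaHide hooks
            for pid, info in suspended.items():
                if info["thread"] == a["hThread"] and info["written"]:
                    findings.append((pid, info["image"]))
    return findings
```

find_runpe(TRACE) reports only process 4120; process 6000 was started suspended but never written to, so it is not flagged.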

Remove entry point breakpoint
Some protectors use a Thread-Local-Storage (TLS) callback as the entry point and check for breakpoints at the normal PE entry point address. You must remove the breakpoint at the PE entry point to hide your debugger. This option is necessary for VMProtect.