ScyllaHide
ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide the debugger from the debuggee. It stays in usermode; for kernelmode hooks use
TitanHide.
------------------------------------------------------
Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA
Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)
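The PEB checks (BeingDebugged, NtGlobalFlag, heap Flags/ForceFlags) and the DRx check from the two lists above, written out as an added example that is not ScyllaHide's own code. It shows what a protector tests and what a "hide" hook has to patch those values to. The flag constants are the documented Windows values; the `peb_snapshot`/`drx_snapshot` structs, the `sample_*` values and the PEB/heap field offsets in the Windows-only branch (Vista+ layouts) are this example's own assumptions.

```c
/* Added example, not ScyllaHide code: the PEB and DR0-DR7 checks a protector
 * performs, and the patch an anti-anti-debug hook applies to defeat them.
 * Logic is kept off the live PEB so it compiles anywhere; the Windows-only
 * reader at the bottom shows where the values come from on a real system. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* NtGlobalFlag bits the loader sets when a process is created under a debugger */
#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40u
#define FLG_DEBUGGER_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* Process heap flags; a debugger-created heap carries the three debug bits */
#define HEAP_GROWABLE                     0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED        0x00000020u
#define HEAP_FREE_CHECKING_ENABLED        0x00000040u
#define HEAP_VALIDATE_PARAMETERS_ENABLED  0x40000000u
#define HEAP_DEBUG_MASK (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED)

/* Assumed struct: the PEB-derived fields a protector reads, gathered so the logic is testable */
typedef struct {
    uint8_t  being_debugged;    /* PEB->BeingDebugged */
    uint32_t nt_global_flag;    /* PEB->NtGlobalFlag */
    uint32_t heap_flags;        /* PEB->ProcessHeap->Flags */
    uint32_t heap_force_flags;  /* PEB->ProcessHeap->ForceFlags */
} peb_snapshot;

/* Assumed struct: the debug registers a protector reads via NtGetContextThread */
typedef struct { uint64_t dr0, dr1, dr2, dr3, dr6, dr7; } drx_snapshot;

/* The protector side: any hit means "debugger present" */
int debugger_detected(const peb_snapshot *s) {
    if (s->being_debugged)                    return 1;
    if (s->nt_global_flag & FLG_DEBUGGER_MASK) return 1;
    if (s->heap_flags & HEAP_DEBUG_MASK)       return 1;
    if (s->heap_force_flags != 0)              return 1;
    return 0;
}

/* The hide side: clear exactly the bits a debugger introduces, leave everything else */
void hide_peb(peb_snapshot *s) {
    s->being_debugged    = 0;
    s->nt_global_flag   &= ~FLG_DEBUGGER_MASK;
    s->heap_flags       &= ~HEAP_DEBUG_MASK;
    s->heap_force_flags  = 0;
}

/* DRx: a set address register or an enabled bit in DR7 reveals a hardware breakpoint */
int hw_breakpoint_detected(const drx_snapshot *d) {
    return (d->dr0 | d->dr1 | d->dr2 | d->dr3) != 0 || (d->dr7 & 0xFFu) != 0;
}

/* What a NtGetContextThread hook returns to the debuggee: no DRx state at all */
void hide_drx(drx_snapshot *d) {
    d->dr0 = d->dr1 = d->dr2 = d->dr3 = 0;
    d->dr6 = d->dr7 = 0;
}

/* Constructed sample: values typical for a process started under a usermode debugger */
peb_snapshot sample_debugged_peb(void) {
    peb_snapshot s = { 1, FLG_DEBUGGER_MASK, HEAP_GROWABLE | HEAP_DEBUG_MASK, HEAP_DEBUG_MASK };
    return s;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* Live reader. Offsets are assumptions for Vista+ layouts: NtGlobalFlag at PEB+0x68 (x86)
 * or +0xBC (x64); heap Flags/ForceFlags at +0x40/+0x44 (x86) or +0x70/+0x74 (x64). */
peb_snapshot read_live_peb(void) {
    peb_snapshot s;
    const uint8_t *peb  = (const uint8_t *)NtCurrentTeb()->ProcessEnvironmentBlock;
    const uint8_t *heap = (const uint8_t *)GetProcessHeap();
#ifdef _WIN64
    const size_t gf = 0xBC, hf = 0x70, hff = 0x74;
#else
    const size_t gf = 0x68, hf = 0x40, hff = 0x44;
#endif
    s.being_debugged   = ((const PEB *)peb)->BeingDebugged;
    s.nt_global_flag   = *(const uint32_t *)(peb + gf);
    s.heap_flags       = *(const uint32_t *)(heap + hf);
    s.heap_force_flags = *(const uint32_t *)(heap + hff);
    return s;
}
#endif

int main(void) {
#ifdef _WIN32
    peb_snapshot s = read_live_peb();
#else
    peb_snapshot s = sample_debugged_peb();
#endif
    printf("before hide: debugger_detected=%d\n", debugger_detected(&s));
    hide_peb(&s);
    printf("after hide:  debugger_detected=%d\n", debugger_detected(&s));
    return 0;
}
```

Note that the hide keeps HEAP_GROWABLE and any other non-debug bits intact; a hook that simply zeroes the whole heap Flags field is itself detectable, because a normal process heap never has Flags == 0.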
------------------------------------------------------
Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>
For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll
------------------------------------------------------
Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
------------------------------------------------------
ToDo:
- x64 compatibility support
- x64 Exception Support
- Better (stealth) hooks
------------------------------------------------------
NOTE: You need to put NtApiCollection.ini in the same directory as ScyllaHide.dll or the following hooks will not
work: NtUserQueryWindow, NtUserBuildHwndList, NtUserFindWindowEx
Info about NtApiCollection.ini:
Some Nt* functions are not exported by any DLL, so their addresses have to be obtained from another source:
the matching PDB file from the Microsoft symbol server. The addresses can be resolved with this tool:
https://bitbucket.or...-getprocaddress
It downloads the PDB file from the Microsoft symbol server and resolves the missing function addresses.
Binaries: NtApiTool.rar
From: https://forum.tuts4you.com/files/file/939-scyllahide/#
Although I can't understand any of it and don't know what it is for, I'll support the OP first.
Good stuff, saving it.
This one is really useful.
Downloaded, thanks. Pity it's in English.