Revert to 1b45597.
nihilus committed Oct 6, 2014
1 parent 5c4fadb commit ba9f4a8
Showing 26 changed files with 1,366 additions and 1,501 deletions.
175 changes: 10 additions & 165 deletions Documentation/ScyllaHideDocumentation.tex
Expand Up @@ -35,9 +35,9 @@
citecolor = red % Colour of citations
}

\title{ScyllaHide v1.3 - Documentation}
\title{ScyllaHide v1.2 - Documentation}
\author{}
\date{2014-09-22}
\date{2014-08-27}

\begin{document}
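Review bot: the \date line goes back to 2014-08-27 while this commit is from Oct 6, 2014, so a PDF built from the reverted source will carry an August date on its title page; either keep the later date or switch to \today so the title page tracks the build rather than the 1.2 release it is being rolled back to.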

Expand All @@ -52,63 +52,6 @@
\newpage
\pagenumbering{arabic}

\section{Description}

ScyllaHide is an advanced open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This tool is intended to stay in usermode (ring3). If you need kernelmode (ring0) Anti-Anti-Debug please see \href{https://bitbucket.org/mrexodia/titanhide}{TitanHide}.

ScyllaHide supports various debuggers with plugins:
\begin{itemize}
\item OllyDbg v1 and v2 \url{http://www.ollydbg.de}
\item x64\_dbg \url{http://x64dbg.com} or \url{https://bitbucket.org/mrexodia/x64_dbg}
\item Hex-Rays IDA v6+ \url{https://www.hex-rays.com/products/ida/}
\item TitanEngine v2 \url{https://bitbucket.org/mrexodia/titanengine-update} and \url{http://www.reversinglabs.com/open-source/titanengine.html}
\end{itemize}

PE x64 debugging is fully supported with plugins for x64\_dbg and IDA.

Please note: ScyllaHide is not limited to these debuggers. You can use the standalone commandline version of ScyllaHide. You can inject ScyllaHide in any process debugged by any debugger.

\section{Usage Information}
\subsubsection{Standalone (debugger-independent)}
InjectorCLI.exe "process name" "HookLibrary.dll path"

For example:
InjectorCLI.exe crackme.exe \path{C:\HookLibrary.dll}

\subsubsection{OllyDbg v1}
Copy scylla\_hide.ini, NtApiCollection.ini, HookLibraryx86.dll and ScyllaHideOlly1.dll to your specific plugins directory.

\subsubsection{OllyDbg v2}
Copy scylla\_hide.ini, NtApiCollection.ini, HookLibraryx86.dll and ScyllaHideOlly2.dll to your specific plugins directory.

\subsubsection{IDA v6}
\textbf{32-bit:}
Copy scylla\_hide.ini, NtApiCollection.ini, HookLibraryx86.dll and ScyllaHideIDA.plw to your IDA plugins directory.

\textbf{64-bit:}
Copy scylla\_hide.ini, NtApiCollection.ini, HookLibraryx64.dll, ScyllaHideIDASrvx64.exe and ScyllaHideIDA.p64 to your IDA plugins directory.

Note: \\Start ScyllaHideIDASrvx64.exe to debug 64bit applications (remotely). \\Start ScyllaHideIDASrvx86.exe to debug 32bit applications remotely.

Commandline: ScyllaHideIDASrvxXX.exe "port"\\
For example: ScyllaHideIDASrvxXX.exe 1345

ScyllaHideIDASrv needs HookLibraryxXX.dll and NtApiCollection.ini

\subsubsection{x64\_dbg}
\textbf{32-bit:}
Copy scylla\_hide.ini, NtApiCollection.ini, HookLibraryx86.dll and ScyllaHideX64DBGPlugin.dp32 to your \path{\x32\plugins\} directory.

\textbf{64-bit:}
Copy scylla\_hide.ini, NtApiCollection.ini, HookLibraryx64.dll and ScyllaHideX64DBGPlugin.dp64 to your \path{\x64\plugins\} directory.

\subsubsection{TitanEngine}
\textbf{32-bit:}
Copy scylla\_hide.ini, NtApiCollection.ini, HookLibraryx86.dll and ScyllaHideTEx86.dll to your \path{\plugins\x86\} directory.

\textbf{64-bit:}
Copy scylla\_hide.ini, NtApiCollection.ini, HookLibraryx64.dll and ScyllaHideTEx64.dll to your \path{\plugins\x64\} directory.

\section{Features}

\subsection{Anti-Anti-Debug}
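Review bot: this hunk removes the only usage instructions on the page (the InjectorCLI.exe invocation and the per-debugger lists of files to copy), yet later subsections on this same page still say "Note: Requires a valid relative virtual address in NtApiCollection.ini" (NtUserBuildHwndList, NtUserQueryWindow) with no remaining text that says what NtApiCollection.ini is or where it has to be placed. If the revert is meant to roll back only the 1.3 feature text, keep the Description and Usage Information sections.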
Expand All @@ -117,7 +60,7 @@ \subsubsection{Process Environment Block (PEB)}
The most important anti-anti-debug option. Almost every protector checks for PEB values. There are three important options and one minor option.
\begin{itemize}
\item BeingDebugged: Very important option, should be always enabled. \textit{IsDebuggerPresent} is using this value to check for debuggers.
\item NtGlobalFlag: Very important option, a lot of protectors check this value.
\item NtGlobalFlag: Very important option, a lot of protectors check for this value.
\item HeapFlags: Very important option. E.g. Themida checks for heap artifacts and heap flags.
\item StartupInfo: This is not really important, only a few protectors check for this. Maybe Enigma checks it.
\end{itemize}
Expand All @@ -128,7 +71,7 @@ \subsubsection{NtSetInformationThread}

\subsubsection{NtSetInformationProcess}
\label{sec:NtSetInformationProcess_section}
The PROCESSINFOCLASS value ProcessHandleTracing (32) can be used to detect a debugger. The PROCESSINFOCLASS value ProcessBreakOnTermination (29) can be used to generate a Blue Screen of Death on process termination. ScyllaHide protects from both. The function \textit{RtlSetProcessIsCritical} from ntdll.dll uses ProcessBreakOnTermination internally.
The PROCESSINFOCLASS value ProcessHandleTracing (32) can be used to detect a debugger. The PROCESSINFOCLASS value ProcessBreakOnTermination (19) can be used to generate a Blue Screen of Death on process termination. ScyllaHide protects from both.

\subsubsection{NtQuerySystemInformation}
The SYSTEM\_INFORMATION\_CLASS value SystemKernelDebuggerInformation (35) can be used to detect kernel debuggers. The SYSTEM\_INFORMATION\_CLASS value SystemProcessInformation (5) is used to get a process list. A debugger should be hidden in a process list and the debugee should have a good parent process ID like the ID from explorer.exe.
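Review bot: the reverted sentence reintroduces "ProcessBreakOnTermination (19)"; in PROCESSINFOCLASS that constant is 29 (0x1D), and 19 is ProcessWx86Information, so the line being removed had the correct number. Keep "(29)" even if the rest of the revert stands, and the dropped sentence that \textit{RtlSetProcessIsCritical} uses ProcessBreakOnTermination internally is correct and worth keeping as well.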
Expand All @@ -149,31 +92,13 @@ \subsubsection{NtQueryObject}
The OBJECT\_INFORMATION\_CLASS ObjectTypesInformation (3) and ObjectTypeInformation (2) can be used to detect debuggers. ScyllaHide filters DebugObject references.

\subsubsection{NtYieldExecution}
A very unrealiable anti-debug method. This is only used in some UnpackMe's or in some Proof of Concept code. Only activate this if you really need it. Probably you will never need this option. This function is used in the kernel32.dll \textit{SwitchToThread} function.

\begin{lstlisting}[language=C, caption=SwitchToThread Implementation]
BOOL __stdcall SwitchToThread()
{
//STATUS_NO_YIELD_PERFORMED 0x40000024
return NtYieldExecution() != 0x40000024;
}
\end{lstlisting}
A very unrealiable anti-debug method. This is only used in some UnpackMe's or in some Proof of Concept code. Only activate this if you really need it. Probably you will never need this option.

\subsubsection{NtCreateThreadEx}
Threads hidden from debuggers can be created with a special creation flag THREAD\_CREATE\_FLAGS\_HIDE\_FROM\_DEBUGGER (4). ScyllaHide doesn't allow hidden threads. The anti-debug effect is similar to \textit{NtSetInformationThread} in Section~\ref{sec:NtSetInformationThread_section}.

\subsubsection{OutputDebugStringA (deprecated since v1.3)}
\textit{OutputDebugStringW} uses \textit{OutputDebugStringA} internally, so hooking the ANSI version is enough. This is a very unreliable anti-debug method, so you will not need this option very often. The Listing shows the implementation of the function. The recent versions of ScyllaHide don't need this hook anymore, because they handle the DBG\_PRINTEXCEPTION\_C exception. See Section~\ref{sec:RaiseException_section}.

\begin{lstlisting}[language=C, caption=OutputDebugStringA Implementation]
void __stdcall OutputDebugStringA(LPCSTR lpOutputString)
{
ULONG_PTR args[2];
args[0] = (ULONG_PTR)strlen(lpOutputString);
args[1] = (ULONG_PTR)lpOutputString;
RaiseException(0x40010006, 0, 2, args);//DBG_PRINTEXCEPTION_C
}
\end{lstlisting}
\subsubsection{OutputDebugStringA}
\textit{OutputDebugStringW} uses \textit{OutputDebugStringA} internally. ScyllaHide only hooks the ANSI version and this is therefore enough. This is a very unreliable anti-debug method, so you will not need this option very often.

\subsubsection{BlockInput}
Very effective anti-debug method. This is used e.g. in Yoda's Protector. "Blocks keyboard and mouse input events from reaching applications."
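Review bot: removing the SwitchToThread listing also removes the only explanation of what the NtYieldExecution hook acts on (SwitchToThread returns NtYieldExecution() != STATUS_NO_YIELD_PERFORMED, 0x40000024); the surviving paragraph names the hook but not the kernel32 API a target actually calls. The OutputDebugStringA paragraph likewise goes back to describing the hook as current, whereas the removed text said 1.3 no longer needs it because the DBG_PRINTEXCEPTION_C exception is handled directly; make sure the HookLibrary side of this revert re-enables that hook, otherwise the document and the binaries will disagree.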
Expand All @@ -189,19 +114,10 @@ \subsubsection{NtUserBuildHwndList}
Note: Requires a valid relative virtual address in NtApiCollection.ini.

\subsubsection{NtUserQueryWindow}
This is a system call function in user32.dll. The windows API \textit{GetWindowThreadProcessId} calls this internally, see Listing for implementation. This is used to hide the debugger process.
This is a system call function in user32.dll. The windows API \textit{GetWindowThreadProcessId} calls this internally. This is used to hide the debugger process.

Note: Requires a valid relative virtual address in NtApiCollection.ini.

\begin{lstlisting}[language=C, caption=GetWindowThreadProcessId Implementation]
DWORD __stdcall GetWindowThreadProcessId(HWND hWnd, LPDWORD lpdwProcessId)
{
if (lpdwProcessId != 0)
*lpdwProcessId = (DWORD)NtUserQueryWindow(hwnd, WindowProcess);//0
return (DWORD)NtUserQueryWindow(hwnd, WindowThread);//2
}
\end{lstlisting}

\subsubsection{NtSetDebugFilterState}
ScyllaHide returns always STATUS\_ACCESS\_DENIED. This anti-debug measurement isn't used very often. Probably you will never need this option in a real world target.
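Review bot: the GetWindowThreadProcessId listing removed here was the only place on the page that showed the two NtUserQueryWindow information classes the hook has to handle (WindowProcess = 0 and WindowThread = 2); the surviving prose only says the API "calls this internally". If the listing is brought back, also fix its parameter name: the prototype declares hWnd but the body uses hwnd, so it would not compile as written.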

Expand All @@ -217,49 +133,6 @@ \subsubsection{Hardware Breakpoint Protection (DRx)}
\subsubsection{Timing}
There are a few windows APIs to measure the time. Timing can be used to detect debuggers, because they slow down the execution. Enable with care and only if you need it!

\subsubsection{Raise Exception}
\label{sec:RaiseException_section}
It is possible to raise specific exceptions with various windows API functions (e.g. \textit{RaiseException} from kernel32.dll). The problem is that various debuggers consume various different exceptions and the exception is not returned to the application. The application can detect a debugger if there is no exception triggered. Please see the Listing for an example code.

\begin{lstlisting}[language=C, caption=Raise Exception Example]
__try
{
RaiseException(0x40010006, 0, 0, 0);//DBG_PRINTEXCEPTION_C
MessageBox("Debugger detected");
}
__except(EXCEPTION_EXECUTE_HANDLER) //catch exception
{
MessageBox("Debugger NOT detected");
}
\end{lstlisting}

Examples for swallowed exceptions are:

\begin{itemize}
\item 0x4000001F STATUS\_WX86\_BREAKPOINT
\item 0x40010006 DBG\_PRINTEXCEPTION\_C
\item 0x40010007 DBG\_RIPEXCEPTION
\item 0x80000001 STATUS\_GUARD\_PAGE\_VIOLATION
\item 0x80000003 STATUS\_BREAKPOINT
\item 0xC0000025 STATUS\_NONCONTINUABLE\_EXCEPTION
\item 0xC0000420 STATUS\_ASSERTION\_FAILURE
\end{itemize}

\begin{table}[H]
\caption{OllyDbg v1, v2 and WinDbg v6 comparision on Windows 7 64-bit.}
\begin{tabular}{lrcccl}
& \multicolumn{1}{c}{} & \textbf{Olly v1} & \textbf{Olly v2} & \textbf{WinDbg v6} & \\
& \textbf{DBG\_RIPEXCEPTION} & X & X & X & \\
& \textbf{DBG\_PRINTEXCEPTION\_C} & X & X & X & \\
& \textbf{NONCONTINUABLE\_EXCEPTION} & X & X & & \\
& \textbf{WX86\_BREAKPOINT} & X & & & \\
& \textbf{GUARD\_PAGE\_VIOLATION} & X & & & \\
& \textbf{BREAKPOINT} & X & & & \\
& \textbf{ASSERTION\_FAILURE} & & & X & \\
& \multicolumn{1}{l}{} & \multicolumn{1}{l}{} & \multicolumn{1}{l}{} & \multicolumn{1}{l}{} &
\end{tabular}
\end{table}

\subsection{Special}
\subsubsection{DLL Injection}
Normal DLL injection or stealth dll injection. You better try the normal injection first...
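Review bot: this hunk drops \label{sec:RaiseException_section} together with the whole Raise Exception subsection; the only \ref to that label is in the OutputDebugStringA paragraph removed by an earlier hunk, so the build stays consistent, but the per-debugger table of swallowed exceptions (Olly v1, Olly v2, WinDbg v6) is the documented rationale for the 1.3 change "Don't swallow exceptions like DBG_RIPEXCEPTION or DBG_PRINTEXCEPTION_C". After the revert nothing explains why the plugins stopped consuming those exceptions; consider keeping the exception list and the table even if the 1.3 version bump itself is rolled back.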
Expand Down Expand Up @@ -304,7 +177,7 @@ \subsubsection{Fix Olly Bugs}
\item FPU bug
\item Format string (sprintf) bug, CVE-2004-0733 \url{http://www.cvedetails.com/cve/CVE-2004-0733/}
\item NT Symbols path bug, patch by blabberer \url{http://www.woodmann.com/forum/showthread.php?8460-Debug-symbols-information-symbol-server-setup&p=56246&viewfull=1#post56246}
\item Faulty handle bug. Sometimes Olly does not terminate and this error appears "Operating system reports error ERROR\_ACCESS\_DENIED"
\item Faulty handle bug. Sometimes Olly does not terminate, error appears "Operating system reports error ERROR\_ACCESS\_DENIED"
\end{itemize}

\subsubsection{x64 single-step fix}
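Review bot: the reverted wording "Sometimes Olly does not terminate, error appears ..." is a comma splice; the line being removed ("does not terminate and this error appears") read correctly, and nothing else in this hunk depends on reverting it, so this one-line change should be left out.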
Expand All @@ -331,26 +204,6 @@ \subsubsection{Advanced CTRL+G}
\subsubsection{Change window caption}
Change the OllyDbg window caption. This can be useful against e.g. FindWindow anti-debug tricks. You don't need to enable this, if you have the NtUser* hooks enabled! Hint: You can use it to make the currently used profile visible.

\subsubsection{Special Keyboard Shortcuts}

\begin{itemize}
\item "INSERT" will fill the selected data with 0x00 bytes
\item "DELETE" will fill the selected data with 0x90 (NOP) bytes
\end{itemize}

\subsubsection{Custom Toolbar}
This setting displays a custom toolbar while using the dump and cpu window.


\subsubsection{Exception Problem}
OllyDbg has a problem with several exceptions. The exceptions can be triggered in different ways. They cannot be ignored with the exception options.

\begin{itemize}
\item 0x40010006 STATUS\_ILLEGAL\_INSTRUCTION
\item 0xC000001E STATUS\_INVALID\_LOCK\_SEQUENCE
\end{itemize}

For example, EXECryptor uses STATUS\_INVALID\_LOCK\_SEQUENCE to defeat OllyDbg. Obsidium uses STATUS\_ILLEGAL\_INSTRUCTION.

\subsection{OllyDbg v2 Specific}
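Review bot: the Exception Problem list removed here labels 0x40010006 as STATUS_ILLEGAL_INSTRUCTION, while the Raise Exception list on this same page gives 0x40010006 as DBG_PRINTEXCEPTION_C (STATUS_ILLEGAL_INSTRUCTION is 0xC000001D); if that subsection is restored later, correct the code before it comes back. The Special Keyboard Shortcuts and Custom Toolbar entries correspond to the 1.3 changelog items dropped in the Version History hunk below, so their removal is at least internally consistent.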

Expand Down Expand Up @@ -405,6 +258,7 @@ \subsection{Nt* APIs from user32.dll}
NtUserQueryWindow(
IN HWND hwnd,
IN WINDOWINFOCLASS WindowInfo);

\end{lstlisting}

\subsection{Special PEB Fix Information}
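Review bot: the blank line added before \end{lstlisting} only appends an empty line to the rendered NtUserQueryWindow prototype; it is harmless, but it is whitespace noise that did not need to ride along with a revert.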
Expand Down Expand Up @@ -457,15 +311,6 @@ \section{Developer Contact Information}

\section{Version History}

Version 1.3
\begin{itemize}
\item All Plugins: Improved tooltips
\item All Plugins: Bugfixes
\item All Plugins: Don't swallow exceptions like DBG\_RIPEXCEPTION or DBG\_PRINTEXCEPTION\_C
\item Olly v1 Plugin: Custom Toolbar for Dump and CPU window
\item Olly v1 Plugin: Special shortcuts
\end{itemize}

Version 1.2
\begin{itemize}
\item All Plugins: New attach dialog with crosshair/bullseye window finder.
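Review bot: dropping the "Version 1.3" block matches the title and date revert in the first hunk, but the items listed there (custom toolbar, special shortcuts, not swallowing DBG_RIPEXCEPTION or DBG_PRINTEXCEPTION_C) are the only record of what 1.3 changed; if 1.3 is going to be re-released, keep that list somewhere (an unreleased section, for instance) so the changelog does not have to be reconstructed from this diff.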
4 changes: 2 additions & 2 deletions HookLibrary/HookLibrary.vcxproj
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
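Review bot: ToolsVersion changes from 4.0 to 12.0 here, which binds HookLibrary to the Visual Studio 2013 MSBuild toolset; that is a build-environment change, not part of a documentation rollback, and the commit message ("Revert to 1b45597.") does not mention it. Anyone still building with an older Visual Studio will be broken by this line, so call it out in the message or split it into its own commit.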
Expand Down Expand Up @@ -194,4 +194,4 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
</Project>
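Review bot: the two </Project> lines are textually identical on this page, so the change is an end-of-file newline or line-ending difference; make sure the file ends with a single newline so this line does not show up in the next diff, and consider a .gitattributes rule for *.vcxproj so line-ending churn stops riding along with unrelated commits.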
