How to get over kernel32.checkremotedebuggerpresent? #118

Open
devimauz opened this issue Jan 19, 2021 · 6 comments

@devimauz

Looks like Debugger can't hide.
Tested with x32dbg.
What is the solution for it?

@Mattiwatti
Member

It is working for me.

You need to have the NtQueryInformationProcess hook enabled in your profile for CheckRemoteDebuggerPresent to not see the debugger.
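The dependency described in the reply above can be checked from inside the debugged process. The following is an added example, not part of the thread or of ScyllaHide's code: it reads both `CheckRemoteDebuggerPresent` and `NtQueryInformationProcess` with `ProcessDebugPort` for the current process and compares them. The helper names `crdp_expected`, `verdict` and `query_self` are made up for this example, and it assumes a Windows Python started under the debugger with the profile loaded.

```python
import ctypes
import sys

PROCESS_DEBUG_PORT = 7  # ProcessInformationClass value for ProcessDebugPort


def crdp_expected(debug_port: int) -> bool:
    """What CheckRemoteDebuggerPresent reports for a given ProcessDebugPort value."""
    return debug_port != 0


def verdict(crdp_flag: bool, debug_port: int) -> str:
    """Summarise the two readings taken from inside the debugged process."""
    if crdp_flag != crdp_expected(debug_port):
        return "inconsistent"  # the two queries disagree; re-check the profile
    return "visible" if crdp_flag else "hidden"


def query_self():
    """Return (crdp_flag, debug_port) for the current process (Windows only)."""
    if sys.platform != "win32":
        raise OSError("this check only runs on Windows")
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    k32.GetCurrentProcess.restype = wintypes.HANDLE
    k32.CheckRemoteDebuggerPresent.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.BOOL)]
    k32.CheckRemoteDebuggerPresent.restype = wintypes.BOOL
    ntdll.NtQueryInformationProcess.argtypes = [
        wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
        wintypes.ULONG, ctypes.POINTER(wintypes.ULONG)]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long  # NTSTATUS

    proc = k32.GetCurrentProcess()
    flag = wintypes.BOOL(0)
    if not k32.CheckRemoteDebuggerPresent(proc, ctypes.byref(flag)):
        raise ctypes.WinError(ctypes.get_last_error())
    port = ctypes.c_size_t(0)  # ProcessDebugPort is returned as a DWORD_PTR
    status = ntdll.NtQueryInformationProcess(
        proc, PROCESS_DEBUG_PORT, ctypes.byref(port), ctypes.sizeof(port), None)
    if status != 0:
        raise OSError(f"NtQueryInformationProcess failed: 0x{status & 0xFFFFFFFF:08X}")
    return bool(flag.value), port.value


if __name__ == "__main__":
    flag, port = query_self()
    print(f"CheckRemoteDebuggerPresent={flag} ProcessDebugPort={port:#x} -> {verdict(flag, port)}")
```

With the hook active both readings should come back clean ("hidden"); "visible" under a debugger means the hook is not taking effect for this process.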

@devimauz
Author

It's enabled.

@Mattiwatti
Member

Can you share the executable you're debugging? A screenshot of your ScyllaHide profile would also be helpful.

@seraluda

Maybe this is the target, latest VMProtect:
hxxp://media*fire.com/file/bi6bpm7g20gq0bq/MRT_V3.71.zip/file

@devimauz
Author

devimauz commented Jan 27, 2021 via email

@Mattiwatti
Member

I just tested Obsidium 1.7.0 build 12, the current version available for download on their website. Both x86 and x64 are working for me using x64dbg and the "Obsidium x86/x64" profile in ScyllaHide.

Please provide more details of what isn't working and/or an executable to reproduce this issue.
