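ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.
This plugin feels quite handy to use.
Custom configuration profiles
Different settings for different packers
The plugin is already configured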
VMProtect x86/x64
Themida x86
Obsidium x86
Armadillo x86
OllyDbg v1
OllyDbg v2
IDA
x64_dbg
Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList
- NtUserFindWindowEx
- NtUserQueryWindow
- NtClose
- GetTickCount
- BlockInput
- OutputDebugStringA
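
To make the first entry of the list above concrete, the following added example (not ScyllaHide's own code) checks a PEB snapshot for the two fixed-offset fields, BeingDebugged and NtGlobalFlag, and models what clearing them means. The function names and the sample buffer are constructed for illustration; the offsets are the documented PEB layout for x86 and x64.

```python
import struct

# BeingDebugged is a byte at 0x02 on both architectures; NtGlobalFlag is a
# DWORD at 0x68 (x86) or 0xBC (x64).
OFFSETS = {"x86": {"BeingDebugged": 0x02, "NtGlobalFlag": 0x68},
           "x64": {"BeingDebugged": 0x02, "NtGlobalFlag": 0xBC}}

# Heap-checking bits set in NtGlobalFlag when a process is created under a
# debugger: tail check | free check | validate parameters.
DEBUG_HEAP_FLAGS = 0x10 | 0x20 | 0x40  # 0x70


def debugger_indicators(peb: bytes, arch: str) -> dict:
    """Return the PEB fields that still reveal a debugger in a snapshot."""
    off = OFFSETS[arch]
    found = {}
    if peb[off["BeingDebugged"]]:
        found["BeingDebugged"] = peb[off["BeingDebugged"]]
    (flags,) = struct.unpack_from("<I", peb, off["NtGlobalFlag"])
    if flags & DEBUG_HEAP_FLAGS:
        found["NtGlobalFlag"] = flags
    return found


def normalize(peb: bytes, arch: str) -> bytes:
    """Model of the hiding step: clear both fields, keep unrelated flag bits."""
    off = OFFSETS[arch]
    out = bytearray(peb)
    out[off["BeingDebugged"]] = 0
    (flags,) = struct.unpack_from("<I", out, off["NtGlobalFlag"])
    struct.pack_into("<I", out, off["NtGlobalFlag"], flags & ~DEBUG_HEAP_FLAGS)
    return bytes(out)


def sample_peb(arch: str) -> bytes:
    """Constructed snapshot of a debugged process (not a real dump)."""
    off = OFFSETS[arch]
    peb = bytearray(0x200)
    peb[off["BeingDebugged"]] = 1
    # 0x70 debug heap bits plus one unrelated bit (0x100) that must survive.
    struct.pack_into("<I", peb, off["NtGlobalFlag"], 0x170)
    return bytes(peb)


if __name__ == "__main__":
    for arch in ("x86", "x64"):
        before = sample_peb(arch)
        print(arch, debugger_indicators(before, arch),
              debugger_indicators(normalize(before, arch), arch))
```

Run against a PEB dumped from a debugged process, an empty result means these two fields no longer give the debugger away; the heap flags and the Nt* query paths in the list need separate checks.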
Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)
------------------------------------------------------
Usage standalone (debugger-independent):
InjectorCLI.exe <process name> <HookLibrary.dll path>
For example:
InjectorCLI.exe crackme.exe C:\HookLibrary.dll
------------------------------------------------------
Plugins:
- for TitanEngine: Copy HookLibrary.dll and ScyllaHide.dll to plugins\x86\ or plugins\x64\
(can be combined with TitanHide which does kernelmode hiding)
- for OllyDbg v1.10: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory
- for OllyDbg v2.01: Copy HookLibrary.dll and ScyllaHide.dll to your plugins directory