├── Images ├── plugins.png ├── scylla_kill_anti_attach.png ├── scylla_options.png ├── themidie_messagebox.png └── themidie_start.png ├── README.md ├── Themidie_DLL ├── hooks.hpp ├── main.cpp └── ntdll.h └── Themidie_X64DBG_Plugin ├── Themidie_X64DBG_PLUGIN.ico ├── Themidie_X64DBG_PLUGIN.png ├── Themidie_X64DBG_PLUGIN.rc ├── plugin.cpp ├── plugin.hpp ├── resource.h ├── themidie.cpp └── themidie.hpp /Images/plugins.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VenTaz/Themidie/8a8d05cdf544887ca8891a71a73e516ef0f52a58/Images/plugins.png -------------------------------------------------------------------------------- /Images/scylla_kill_anti_attach.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VenTaz/Themidie/8a8d05cdf544887ca8891a71a73e516ef0f52a58/Images/scylla_kill_anti_attach.png -------------------------------------------------------------------------------- /Images/scylla_options.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VenTaz/Themidie/8a8d05cdf544887ca8891a71a73e516ef0f52a58/Images/scylla_options.png -------------------------------------------------------------------------------- /Images/themidie_messagebox.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VenTaz/Themidie/8a8d05cdf544887ca8891a71a73e516ef0f52a58/Images/themidie_messagebox.png -------------------------------------------------------------------------------- /Images/themidie_start.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/VenTaz/Themidie/8a8d05cdf544887ca8891a71a73e516ef0f52a58/Images/themidie_start.png -------------------------------------------------------------------------------- /README.md: 
--------------------------------------------------------------------------------
# Themidie - /!\ For educational purposes only /!\

x64dbg plugin that bypasses the anti-debugger, VM-detection and monitoring-program checks of Themida 3.x protected executables (64-bit only).

- [x64dbg](https://github.com/x64dbg/x64dbg)
- [DLL injection](https://en.wikipedia.org/wiki/DLL_injection) ([LoadLibrary](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya))
- Hooks ([MinHook](https://github.com/TsudaKageyu/minhook))


### Usage

- Download the [latest version](https://github.com/VenTaz/Themidie/releases/latest) of Themidie and extract Themidie.dll and Themidie.dp64 to x64dbg's plugins folder
- Download the [latest version](https://github.com/x64dbg/ScyllaHide/releases/latest) of ScyllaHide and extract HookLibraryx64.dll and ScyllaHideX64DBGPlugin.dp64 to x64dbg's plugins folder

![](Images/plugins.png)

- Start x64dbg, click on the plugins tab, go to ScyllaHide -> Options

![](Images/scylla_options.png)

- Disable everything, enable "Kill Anti-Attach" only and click on the "OK" button

![](Images/scylla_kill_anti_attach.png)

- Go back to the plugins tab, go to Themidie -> Start, then select and open the executable that you want to debug. Themidie starts the executable itself (suspended), injects Themidie.dll into it with LoadLibrary and then resumes it; until you attach in the next step the target runs with no debugger attached and with the privileges of the x64dbg process, so only do this with samples inside an isolated, disposable VM.

![](Images/themidie_start.png)

- When this message box appears, you can attach x64dbg to the target process and debug it.
![](Images/themidie_messagebox.png)


### Hooks

Themidie hooks the following functions. Only these ANSI (`...A`) entry points are intercepted; the wide-character (`...W`) variants are not hooked, so checks that go through them are not hidden.

| Module | Function name |
| - | - |
| kernel32.dll | [GetModuleHandleA](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea) |
| user32.dll | [FindWindowA](https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-findwindowa) |
| Advapi32.dll | [RegOpenKeyA](https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeya) |
| Advapi32.dll | [RegQueryValueExA](https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regqueryvalueexa) |
| ntdll.dll | [NtSetInformationThread](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationthread) |
| ntdll.dll | [NtQueryVirtualMemory](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryvirtualmemory) |

The first four hide a fixed list of sandbox DLL names, Sysinternals monitor window names, the VirtualBox ACPI registry key and a few BIOS/driver-description registry values (see `Themidie_DLL/hooks.hpp` for the exact strings). The `NtSetInformationThread` hook swallows `ThreadHideFromDebugger` for the target's own threads, and the `NtQueryVirtualMemory` hook is what triggers the message box shown above.


### Limitations
Themidie only works for x64 executables. It was tested on various Themida 3.x+ versions, Windows 10 2004, and the latest x64dbg and ScyllaHide versions at the time of writing.
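#### Contact
Discord: VenTaz#8766
--------------------------------------------------------------------------------
/Themidie_DLL/hooks.hpp:
--------------------------------------------------------------------------------
#pragma once
#include "ntdll.h"

#include <cctype>
#include <cstring>

// This header holds the detours that Themidie.dll installs inside the target
// process (see main.cpp, which is the only translation unit that includes it:
// the og_* trampolines below are plain, non-inline definitions, and
// MH_DisableHook used further down comes from MinHook.h, which main.cpp
// includes before this header).

// Trampolines to the original functions. MH_CreateHook fills them in; every
// detour forwards to its trampoline once it has decided not to lie.
using GMHA = HINSTANCE__ *(*)(const char*);
GMHA og_gmha = nullptr;

using FWA = HWND__ *(*)(const char*, const char*);
FWA og_fwa = nullptr;

using ROKA = long (*)(HKEY__*, const char*, HKEY__**);
ROKA og_roka = nullptr;

using RQVEA = long (*)(HKEY__*, const char*, unsigned long*, unsigned long*, unsigned char*, unsigned long*);
RQVEA og_rqvea = nullptr;

using NSIT = long (*)(HANDLE, _THREADINFOCLASS, void*, unsigned long);
NSIT og_nsit = nullptr;

using NQVM = long (*)(HANDLE, void*, _MEMORY_INFORMATION_CLASS, void*, unsigned long long, unsigned long long*);
NQVM og_nqvm = nullptr;

// Module names the target must never find (GetModuleHandleA returns NULL).
const char *const bad_modules[] = {
    "dateinj01.dll",
    "cmdvrt32.dll",
    "SbieDll.dll"
};

// Window class / title fragments the target must never find (FindWindowA
// returns NULL).
const char *const bad_windows[] = {
    "File Monitor - Sysinternals: www.sysinternals.com",
    "Process Monitor - Sysinternals: www.sysinternals.com",
    "Registry Monitor - Sysinternals: www.sysinternals.com",
    "Regmon",
    "Filemon",
    "18467-41",
    "PROCMON_WINDOW_CLASS"
};

// Registry keys for which RegOpenKeyA pretends to succeed without actually
// opening anything; the values read from them are faked by rqvea_hook.
const char *const good_keys[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
    "SYSTEM\\ControlSet001\\Control\\Class\\{",
    "Hardware\\description\\System"
};

// Registry key that RegOpenKeyA pretends does not exist.
const char *const bad_key = "HARDWARE\\ACPI\\DSDT\\VBOX__";

// Registry values for which RegQueryValueExA answers with an empty string.
const char *const good_values[] = {
    "EnableLUA",
    "DriverDesc",
    "SystemBiosVersion",
    "VideoBiosVersion"
};

// Case-insensitive substring test. Module, window-class and registry names
// are case-insensitive in Win32, so the filter lists should match the same
// way (the original used strstr, which would let "sbiedll.dll" through).
// A NULL haystack never matches, which lets callers skip their own NULL checks.
static bool
contains_nocase(const char *haystack, const char *needle)
{
    if (haystack == nullptr || needle == nullptr) return false;

    const size_t needle_len = std::strlen(needle);
    if (needle_len == 0) return true;

    for (const char *candidate = haystack; *candidate != '\0'; ++candidate)
    {
        size_t matched = 0;
        while (matched < needle_len && candidate[matched] != '\0' &&
               std::tolower(static_cast<unsigned char>(candidate[matched])) ==
               std::tolower(static_cast<unsigned char>(needle[matched])))
            ++matched;

        if (matched == needle_len) return true;
    }

    return false;
}

// Resolves the owning process id of a thread handle via
// NtQueryInformationThread(ThreadBasicInformation). Returns 0 when the query
// fails (e.g. a handle without query rights), which callers treat as
// "not one of ours".
unsigned long
get_process_id_by_thread_handle(void *thread)
{
    _THREAD_BASIC_INFORMATION thread_basic_information{};

    if (NT_SUCCESS(NtQueryInformationThread(thread, ThreadBasicInformation, &thread_basic_information,
                                            sizeof(_THREAD_BASIC_INFORMATION), nullptr)))
        return HandleToULong(thread_basic_information.ClientId.UniqueProcess);

    return 0;
}

// GetModuleHandleA detour: reports the modules in bad_modules as absent.
// GetModuleHandleA(NULL) asks for the main executable and is extremely
// common; the original passed NULL straight into strstr, which crashes.
HINSTANCE__ *
gmha_hook(const char *module_name)
{
    if (module_name != nullptr)
        for (size_t i = 0; i < _countof(bad_modules); i++)
            if (contains_nocase(module_name, bad_modules[i])) return nullptr;

    return og_gmha(module_name);
}

// FindWindowA detour: reports the monitor windows in bad_windows as absent.
// Either argument may be NULL (FindWindowA(NULL, "title") is the usual way to
// search by title alone), so each one is tested on its own; the original
// forwarded unfiltered as soon as one of them was NULL.
HWND__ *
fwa_hook(const char *class_name, const char *window_name)
{
    for (size_t i = 0; i < _countof(bad_windows); i++)
        if (contains_nocase(class_name, bad_windows[i]) || contains_nocase(window_name, bad_windows[i]))
            return nullptr;

    return og_fwa(class_name, window_name);
}

// RegOpenKeyA detour.
//  - good_keys: pretend success but hand back a NULL handle. Queries for the
//    values in good_values are answered by rqvea_hook whatever the handle is,
//    and anything else fails cleanly with ERROR_INVALID_HANDLE instead of
//    going through whatever garbage *result happened to contain (the original
//    returned ERROR_SUCCESS without writing *result at all).
//  - bad_key: pretend the key does not exist, with the status the real API
//    returns for a missing key (the original returned 1, ERROR_INVALID_FUNCTION).
//  - NULL sub_key (re-open of `key` itself) is forwarded untouched.
long
roka_hook(HKEY__ *key, const char* sub_key, HKEY__ **result)
{
    if (sub_key == nullptr)
        return og_roka(key, sub_key, result);

    for (size_t i = 0; i < _countof(good_keys); i++)
    {
        if (contains_nocase(sub_key, good_keys[i]))
        {
            if (result != nullptr) *result = nullptr;
            return ERROR_SUCCESS;
        }
    }

    if (contains_nocase(sub_key, bad_key))
    {
        if (result != nullptr) *result = nullptr;
        return ERROR_FILE_NOT_FOUND;
    }

    return og_roka(key, sub_key, result);
}

// RegQueryValueExA detour: answers the values in good_values as an empty
// REG_SZ, regardless of the key handle. The original returned ERROR_SUCCESS
// and left type/data/size untouched, so the caller consumed uninitialised
// output; an empty string is the deterministic version of "nothing here".
// A NULL value_name (the key's default value) is forwarded untouched.
long
rqvea_hook(HKEY__ *key, const char *value_name, unsigned long *reserved, unsigned long *type, unsigned char *lp_data, unsigned long *lpcb_data)
{
    if (value_name != nullptr)
    {
        for (size_t i = 0; i < _countof(good_values); i++)
        {
            if (contains_nocase(value_name, good_values[i]))
            {
                if (type != nullptr) *type = REG_SZ;
                if (lp_data != nullptr && lpcb_data != nullptr && *lpcb_data >= 1) lp_data[0] = '\0';
                if (lpcb_data != nullptr) *lpcb_data = 1;   // size of "" including its NUL
                return ERROR_SUCCESS;
            }
        }
    }

    return og_rqvea(key, value_name, reserved, type, lp_data, lpcb_data);
}

// NtSetInformationThread detour: swallows ThreadHideFromDebugger (which takes
// no buffer, hence the length-0 check) for threads of this process, so the
// target cannot hide its threads from the debugger that attaches later.
// Requests aimed at other processes' threads are forwarded; a failed pid
// lookup yields 0, which never equals our own pid, so it also forwards.
long
nsit_hook(HANDLE thread_handle, _THREADINFOCLASS thread_information_class, void *thread_information, unsigned long thread_information_length)
{
    if (thread_information_class == ThreadHideFromDebugger && thread_information_length == 0)
    {
        const unsigned long own_pid = HandleToULong(NtCurrentTeb()->ClientId.UniqueProcess);
        if (thread_handle == NtCurrentThread || own_pid == get_process_id_by_thread_handle(thread_handle))
            return 0L;   // STATUS_SUCCESS
    }

    return og_nsit(thread_handle, thread_information_class, thread_information, thread_information_length);
}

// NtQueryVirtualMemory detour: watches for the self-query sequence
// MemoryBasicInformation -> MemoryRegionInformation -> MemoryMappedFilenameInformation
// on the current process, which the author uses as the signal that the
// protected executable has been unpacked. At that point the GetModuleHandleA
// filter is removed (presumably so it cannot interfere with the application
// once the anti-monitor checks are over -- confirm) and the user is told to
// attach. The counter is never reset when a query breaks the sequence, and
// the two statics are unsynchronised; both mirror the original and assume
// the sequence is issued from a single thread -- TODO confirm.
long
nqvm_hook(HANDLE process_handle, void *base_address, _MEMORY_INFORMATION_CLASS memory_information_class, void *memory_information, unsigned long long memory_information_length, unsigned long long *return_length)
{
    static int is_loaded = 0;
    static int nqvm_count = 0;

    if (process_handle == NtCurrentProcess && !is_loaded)
    {
        if ((memory_information_class == MemoryBasicInformation && nqvm_count == 0) ||
            (memory_information_class == MemoryRegionInformation && nqvm_count == 1))
        {
            nqvm_count++;
        }
        else if (memory_information_class == MemoryMappedFilenameInformation && nqvm_count == 2)
        {
            MH_DisableHook(reinterpret_cast<void*>(&GetModuleHandleA));
            is_loaded = 1;
            // 64 == MB_ICONINFORMATION. This runs a modal dialog inside a
            // syscall hook of the target; that is by design (see README).
            MessageBoxA(nullptr, "The executable is now loaded in the memory. You can attach x64dbg to the target process.", "Themidie", MB_ICONINFORMATION);
        }
    }

    return og_nqvm(process_handle, base_address, memory_information_class, memory_information, memory_information_length, return_length);
}
--------------------------------------------------------------------------------
/Themidie_DLL/main.cpp:
--------------------------------------------------------------------------------
#include "MinHook.h"
#include "hooks.hpp"

// 16 == MB_ICONERROR. NOTE: this runs from DllMain, i.e. under the loader
// lock; showing a dialog there is documented as unsafe and kept only
// because it is the tool's existing way of reporting injection failures.
#define error(message) MessageBoxA(nullptr, message, "Themidie", MB_ICONERROR)

// Entry point of the injected DLL: installs every detour from hooks.hpp on
// DLL_PROCESS_ATTACH. Returns FALSE on any failure so that LoadLibraryA in the
// target fails instead of leaving a partially hooked process (the original
// reported each failure and carried on regardless, ending with an
// MH_EnableHook on whatever subset had succeeded).
BOOL WINAPI
DllMain(HINSTANCE module, DWORD call_reason, LPVOID reserved)
{
    (void)reserved;

    if (call_reason != DLL_PROCESS_ATTACH)
        return TRUE;

    LdrDisableThreadCalloutsForDll(module);

    if (MH_Initialize() != MH_OK)
    {
        error("Could not initialize hooks");
        return FALSE;
    }

    struct hook_entry
    {
        void *target;
        void *detour;
        void **original;
        const char *failure;
    };

    const hook_entry hooks[] = {
        { reinterpret_cast<void*>(&GetModuleHandleA),      reinterpret_cast<void*>(&gmha_hook),  reinterpret_cast<void**>(&og_gmha),  "Could not hook GetModuleHandleA" },
        { reinterpret_cast<void*>(&FindWindowA),           reinterpret_cast<void*>(&fwa_hook),   reinterpret_cast<void**>(&og_fwa),   "Could not hook FindWindowA" },
        { reinterpret_cast<void*>(&RegOpenKeyA),           reinterpret_cast<void*>(&roka_hook),  reinterpret_cast<void**>(&og_roka),  "Could not hook RegOpenKeyA" },
        { reinterpret_cast<void*>(&RegQueryValueExA),      reinterpret_cast<void*>(&rqvea_hook), reinterpret_cast<void**>(&og_rqvea), "Could not hook RegQueryValueExA" },
        { reinterpret_cast<void*>(&NtSetInformationThread), reinterpret_cast<void*>(&nsit_hook), reinterpret_cast<void**>(&og_nsit),  "Could not hook NtSetInformationThread" },
        { reinterpret_cast<void*>(&NtQueryVirtualMemory),  reinterpret_cast<void*>(&nqvm_hook),  reinterpret_cast<void**>(&og_nqvm),  "Could not hook NtQueryVirtualMemory" },
    };

    for (const hook_entry &hook : hooks)
    {
        if (MH_CreateHook(hook.target, hook.detour, hook.original) != MH_OK)
        {
            error(hook.failure);
            MH_Uninitialize();
            return FALSE;
        }
    }

    if (MH_EnableHook(MH_ALL_HOOKS) != MH_OK)
    {
        error("Could not enable hooks");
        MH_Uninitialize();
        return FALSE;
    }

    return TRUE;
}
--------------------------------------------------------------------------------
/Themidie_X64DBG_Plugin/Themidie_X64DBG_PLUGIN.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VenTaz/Themidie/8a8d05cdf544887ca8891a71a73e516ef0f52a58/Themidie_X64DBG_Plugin/Themidie_X64DBG_PLUGIN.ico
--------------------------------------------------------------------------------
/Themidie_X64DBG_Plugin/Themidie_X64DBG_PLUGIN.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VenTaz/Themidie/8a8d05cdf544887ca8891a71a73e516ef0f52a58/Themidie_X64DBG_Plugin/Themidie_X64DBG_PLUGIN.png
--------------------------------------------------------------------------------
/Themidie_X64DBG_Plugin/Themidie_X64DBG_PLUGIN.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VenTaz/Themidie/8a8d05cdf544887ca8891a71a73e516ef0f52a58/Themidie_X64DBG_Plugin/Themidie_X64DBG_PLUGIN.rc
--------------------------------------------------------------------------------
/Themidie_X64DBG_Plugin/plugin.cpp:
--------------------------------------------------------------------------------
#include "themidie.hpp"

// Plugin-wide state shared with themidie.cpp through plugin.hpp.
int plugin_handle = 0, h_menu = 0;

HWND__ *hwnd_dlg = nullptr;
HINSTANCE__ *instance = nullptr;
ICONDATA main_icon = { 0 };


// x64dbg plugin entry: registers name/version and remembers the handle.
PLUG_EXPORT bool
pluginit(PLUG_INITSTRUCT *init_struct)
{
    init_struct->pluginVersion = PLUGIN_VERSION;
    init_struct->sdkVersion = PLUG_SDKVERSION;
    strncpy_s(init_struct->pluginName, PLUGIN_NAME, _TRUNCATE);
    plugin_handle = init_struct->pluginHandle;
    return true;
}


// x64dbg GUI setup: stores the window/menu handles, sets the menu icon from
// the embedded PNG resource and registers the menu entries.
PLUG_EXPORT void
plugsetup(PLUG_SETUPSTRUCT *setup_struct)
{
    hwnd_dlg = setup_struct->hwndDlg;
    h_menu = setup_struct->hMenu;

    // Every resource step can return NULL; skip the icon rather than hand
    // _plugin_menuseticon a null buffer (the original never checked).
    HRSRC res_main_icon = FindResourceW(instance, MAKEINTRESOURCEW(IDB_PNG1), L"PNG");
    HGLOBAL loaded_main_icon = res_main_icon ? LoadResource(instance, res_main_icon) : nullptr;
    void *icon_bytes = loaded_main_icon ? LockResource(loaded_main_icon) : nullptr;

    if (icon_bytes != nullptr)
    {
        main_icon.data = icon_bytes;
        main_icon.size = SizeofResource(instance, res_main_icon);
        _plugin_menuseticon(h_menu, &main_icon);
    }

    plugin_setup(setup_struct);
}


// Nothing to tear down: the menu entries die with x64dbg.
PLUG_EXPORT bool
plugstop() { return true; }


// Keeps the module handle for resource lookups in plugsetup/CBMENUENTRY.
PLUG_EXPORT BOOL APIENTRY
DllMain(HINSTANCE__ *module, unsigned long reason, void *reserved)
{
    (void)reason;
    (void)reserved;
    instance = module;
    return TRUE;
}
--------------------------------------------------------------------------------
/Themidie_X64DBG_Plugin/plugin.hpp:
--------------------------------------------------------------------------------
#pragma once

#include "pluginsdk/bridgemain.h"
#include "pluginsdk/_plugins.h"

#pragma comment(lib, "pluginsdk/x64dbg.lib")

#define PLUG_EXPORT extern "C" __declspec(dllexport)

// Defined in plugin.cpp. (The original declared `pluginHandle`, which nothing
// defines; the definition is `plugin_handle`.)
extern int plugin_handle, h_menu;
extern HWND__ *hwnd_dlg;
extern HINSTANCE__ *instance;

// Menu entry ids passed back in PLUG_CB_MENUENTRY::hEntry.
enum ThemidieMenus : int {
    MENU_START,
    MENU_ABOUT
};
--------------------------------------------------------------------------------
/Themidie_X64DBG_Plugin/resource.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/VenTaz/Themidie/8a8d05cdf544887ca8891a71a73e516ef0f52a58/Themidie_X64DBG_Plugin/resource.h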
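--------------------------------------------------------------------------------
/Themidie_X64DBG_Plugin/themidie.cpp:
--------------------------------------------------------------------------------
// The original spelled this WIN32_MEAN_AND_LEAN, which windows.h does not
// recognise, so it had no effect. With the real macro windows.h no longer
// pulls in commdlg.h, which is therefore included explicitly for
// GetOpenFileNameA / OPENFILENAMEA. (The two angle-bracket header names were
// lost in the page extraction; <windows.h> and <string> are what this file
// uses.)
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <commdlg.h>
#include <algorithm>
#include <string>
#include "themidie.hpp"

namespace {

// How long start() waits for LoadLibraryA to return inside the target before
// giving up on the injection and terminating the suspended process.
constexpr DWORD kInjectTimeoutMs = 30000;

}  // namespace


// Returns `path` with every backslash turned into a forward slash. Win32 file
// APIs accept either separator, so the result is still a usable path.
// Takes a const reference: the original took a non-const one, which cannot
// bind the temporaries start() passes in standard C++ (MSVC extension).
std::string
convert_path(const std::string& path)
{
    std::string converted = path;
    std::replace(converted.begin(), converted.end(), '\\', '/');
    return converted;
}

// Returns the directory part of a module path, trailing separator included:
// "C:\x64dbg\release\x64\x64dbg.exe" -> "C:\x64dbg\release\x64\".
// Used to find the plugins folder next to the host executable, so it works
// for any host file name, not just "x64dbg.exe" (the original erased that
// literal and would have produced "...x64dbg_renamed.exeplugins\..." for a
// renamed host). A path with no separator keeps the original behaviour of
// erasing every "x64dbg.exe" occurrence, which for a bare file name yields "".
std::string
remove_exe_name_from_path(const std::string& path)
{
    const std::string::size_type last_separator = path.find_last_of("\\/");
    if (last_separator != std::string::npos)
        return path.substr(0, last_separator + 1);

    std::string stripped = path;
    const std::string exe_name = "x64dbg.exe";
    std::string::size_type pos;
    while ((pos = stripped.find(exe_name)) != std::string::npos)
        stripped.erase(pos, exe_name.size());

    return stripped;
}

// Builds the path of plugins\Themidie.dll next to the running x64dbg.exe.
// Returns an empty string when the host module path cannot be read or is
// truncated (the original ignored GetModuleFileNameA's return value).
static std::string
themidie_dll_path()
{
    char buffer[MAX_PATH] = "";
    const DWORD length = GetModuleFileNameA(nullptr, buffer, MAX_PATH);
    if (length == 0 || length >= MAX_PATH)
        return std::string();

    return convert_path(remove_exe_name_from_path(std::string(buffer)) + "plugins\\Themidie.dll");
}

// Loads `dll_path` into `process` by running LoadLibraryA on a remote thread
// and waits for that call to return, so Themidie's hooks exist before the
// caller resumes the target's primary thread (the original resumed right
// after CreateRemoteThread, racing the packer against the hook installation).
// Reports and returns false on any failure.
static bool
inject_themidie(HANDLE process, const std::string& dll_path)
{
    // The lookup is done in x64dbg's own process: kernel32.dll is mapped at
    // the same base in every process of a boot session, so the local address
    // of LoadLibraryA is valid inside the target as well.
    HMODULE kernel_module = GetModuleHandleA("kernel32.dll");
    if (!kernel_module)
    {
        error("Could not find kernel32.dll module into target process. Is it loaded?");
        return false;
    }

    FARPROC load_library_function = GetProcAddress(kernel_module, "LoadLibraryA");
    if (!load_library_function)
    {
        error("Could not find LoadLibraryA function into target process.");
        return false;
    }

    // +1: LoadLibraryA needs the terminating NUL. The original allocated and
    // wrote strlen() bytes and only worked because a fresh allocation is
    // zero-filled up to the page boundary.
    const SIZE_T path_bytes = dll_path.size() + 1;
    void *remote_path = VirtualAllocEx(process, nullptr, path_bytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!remote_path)
    {
        error("Could not allocate memory into target process.");
        return false;
    }

    bool injected = false;

    if (!WriteProcessMemory(process, remote_path, dll_path.c_str(), path_bytes, nullptr))
    {
        error("Could not write Themidie into target process.");
    }
    else
    {
        HANDLE remote_thread = CreateRemoteThread(process, nullptr, 0,
                                                  reinterpret_cast<LPTHREAD_START_ROUTINE>(load_library_function),
                                                  remote_path, 0, nullptr);
        if (!remote_thread)
        {
            error("Could not load Themidie into target process.");
        }
        else
        {
            // Only completion is checked: GetExitCodeThread would give just
            // the low 32 bits of the HMODULE returned by LoadLibraryA, which
            // is not a reliable success indicator on x64.
            injected = WaitForSingleObject(remote_thread, kInjectTimeoutMs) == WAIT_OBJECT_0;
            if (!injected)
                error("Could not load Themidie into target process.");
            CloseHandle(remote_thread);
        }
    }

    // LoadLibraryA has returned (or the caller is about to terminate the
    // target), so the path buffer is no longer needed; the original leaked it.
    VirtualFreeEx(process, remote_path, 0, MEM_RELEASE);
    return injected;
}

// Launches `exe_path` suspended, injects Themidie.dll, minimises x64dbg and
// resumes the target; the user attaches x64dbg later (see README). On any
// failure the suspended, half-prepared process is terminated instead of being
// left behind, and every handle is closed (the original closed only
// pi.hProcess, and only on the success path).
void
start(std::string exe_path)
{
    STARTUPINFOA si{};
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi{};

    // CREATE_SUSPENDED: the packer's entry point must not run a single
    // instruction before the hooks are in place.
    if (!CreateProcessA(exe_path.c_str(), nullptr, nullptr, nullptr, FALSE, CREATE_SUSPENDED,
                        nullptr, nullptr, &si, &pi))
    {
        error("Could not create target process, please retry with admin rights.");
        return;
    }

    const std::string dll_path = themidie_dll_path();
    bool ok = !dll_path.empty();
    if (!ok)
        error("Could not locate Themidie.dll next to x64dbg.");
    else
        ok = inject_themidie(pi.hProcess, dll_path);

    if (ok)
    {
        // Cosmetic only. ShowWindow returns the window's *previous* visibility
        // state, not success, so it is deliberately not checked: the original
        // treated 0 as an error and then never resumed the target.
        ShowWindow(GetForegroundWindow(), SW_MINIMIZE);
        ResumeThread(pi.hThread);
    }
    else
    {
        TerminateProcess(pi.hProcess, 1);
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}

// Shows a file picker and hands the chosen executable to start(). Does
// nothing when the dialog is cancelled; the original still called start("")
// and then reported a misleading "could not create target process".
void
open_and_start_exe()
{
    char file_name[MAX_PATH] = "";
    OPENFILENAMEA ofn{};
    ofn.lStructSize = sizeof(ofn);
    ofn.hwndOwner = nullptr;
    ofn.lpstrFilter = "Executable Files (*.exe*)\0*.exe*\0";
    ofn.lpstrFile = file_name;
    ofn.nMaxFile = MAX_PATH;
    ofn.Flags = OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_HIDEREADONLY;   // 524288 | 4096 | 4
    ofn.lpstrDefExt = "";

    if (!GetOpenFileNameA(&ofn))
        return;

    start(convert_path(std::string(file_name)));
}


// x64dbg menu callback: dispatches the entries registered in plugin_setup().
PLUG_EXPORT void
CBMENUENTRY(CBTYPE cb_type, PLUG_CB_MENUENTRY* info)
{
    (void)cb_type;

    switch (info->hEntry)
    {
    case MENU_START:
        open_and_start_exe();
        break;

    case MENU_ABOUT:
    {
        MSGBOXPARAMSA mpar{};
        mpar.cbSize = sizeof(mpar);
        mpar.hInstance = instance;
        mpar.hwndOwner = hwnd_dlg;
        mpar.dwStyle = MB_USERICON;   // 128: use lpszIcon from our own module
        mpar.dwLanguageId = MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL);
        mpar.lpszIcon = MAKEINTRESOURCEA(IDI_ICON1);
        mpar.lpszText = "Author: VenTaz\nDiscord: VenTaz#8766\nhttps://hactify.ru";
        mpar.lpszCaption = "Themidie";
        MessageBoxIndirectA(&mpar);
        break;
    }

    default:
        break;
    }
}


// Registers the plugin's menu entries (ids from ThemidieMenus).
void
plugin_setup(PLUG_SETUPSTRUCT *setup_struct)
{
    h_menu = setup_struct->hMenu;

    _plugin_menuaddentry(h_menu, MENU_START, "&Start");
    _plugin_menuaddseparator(h_menu);
    _plugin_menuaddentry(h_menu, MENU_ABOUT, "&About");
}
--------------------------------------------------------------------------------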
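/Themidie_X64DBG_Plugin/themidie.hpp:
--------------------------------------------------------------------------------
#pragma once

#include "plugin.hpp"
#include "resource.h"

// Name and version reported to x64dbg in pluginit().
#define PLUGIN_NAME "Themidie"
#define PLUGIN_VERSION 1

// Modal error report used by themidie.cpp. Wrapped in do/while so that
// `if (x) error("..."); else ...` parses as intended; the original expanded
// to a bare call with a trailing semicolon, which breaks in that position.
#define error(message) do { MessageBoxA(nullptr, message, "Themidie", MB_ICONEXCLAMATION); } while (0)

// Registers the menu entries; called from plugsetup() in plugin.cpp.
void plugin_setup(PLUG_SETUPSTRUCT *setup_struct);
--------------------------------------------------------------------------------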