├── .editorconfig ├── .github └── workflows │ └── build.yml ├── .gitignore ├── 3rdparty ├── README.txt ├── distorm │ ├── config.h │ ├── decoder.c │ ├── decoder.h │ ├── distorm.c │ ├── distorm.h │ ├── distorm.vcxproj │ ├── distorm.vcxproj.filters │ ├── instructions.c │ ├── instructions.h │ ├── insts.c │ ├── insts.h │ ├── mnemonics.c │ ├── mnemonics.h │ ├── operands.c │ ├── operands.h │ ├── prefix.c │ ├── prefix.h │ ├── textdefs.c │ ├── textdefs.h │ ├── wstring.c │ ├── wstring.h │ └── x86defs.h ├── ntdll │ ├── ntdll.h │ ├── ntdll_x64.lib │ ├── ntdll_x86.lib │ ├── ntdllp_x64.lib │ └── ntdllp_x86.lib ├── ollydbg1 │ ├── ollydbg.lib │ └── ollyplugindefinitions.h ├── ollydbg2 │ ├── ollydbg.lib │ └── plugin.h ├── titan │ └── TitanEngine.h └── x64dbg │ ├── _dbgfunctions.h │ ├── _plugin_types.h │ ├── _plugins.h │ ├── bridgegraph.h │ ├── bridgelist.h │ ├── bridgemain.h │ ├── jansson │ ├── jansson.h │ ├── jansson_config.h │ ├── jansson_x64.a │ ├── jansson_x64.lib │ ├── jansson_x64dbg.h │ ├── jansson_x86.a │ └── jansson_x86.lib │ ├── x32bridge.lib │ ├── x32dbg.lib │ ├── x64bridge.lib │ └── x64dbg.lib ├── ConfigCollection ├── ScyllaHide.pdf └── scylla_hide.ini ├── Documentation ├── .gitignore ├── README ├── ScyllaHideDocumentation.tex ├── gpl-3.0.tex ├── idaplugin.PNG ├── newattachdialog.PNG ├── ollyadvancedctrlg.PNG ├── ollyv1plugin.PNG └── ollyv2plugin.PNG ├── HookLibrary ├── DllMain.cpp ├── Export.def ├── HookHelper.cpp ├── HookHelper.h ├── HookLibrary.vcxproj ├── HookLibrary.vcxproj.filters ├── HookMain.h ├── HookedFunctions.cpp ├── HookedFunctions.h ├── InstrumentationCallbackX64.asm ├── InstrumentationCallbackX86.asm ├── Tls.h └── hook.props ├── InjectorCLI ├── ApplyHooking.cpp ├── ApplyHooking.h ├── CliMain.cpp ├── DynamicMapping.cpp ├── DynamicMapping.h ├── Icon.rc ├── InjectorCLI.vcxproj ├── InjectorCLI.vcxproj.filters ├── RemoteHook.cpp ├── RemoteHook.h └── resource.h ├── LICENSE ├── PluginGeneric ├── AttachDialog.cpp ├── AttachDialog.h ├── Injector.cpp ├── Injector.h ├── OllyExceptionHandler.cpp ├── OllyExceptionHandler.h ├── OptionsDialog.cpp ├── OptionsDialog.h ├── findere.bmp ├── finderf.bmp ├── ghost.ico └── searchwindow.cur ├── README.md ├── SCMRevGen ├── SCMRevGen.vcxproj ├── date.exe ├── libiconv2.dll ├── libintl3.dll └── make_scmrev.h.bat ├── Scylla ├── Logger.cpp ├── Logger.h ├── NtApiShim.h ├── OsInfo.cpp ├── OsInfo.h ├── Peb.cpp ├── Peb.h ├── PebHider.cpp ├── PebHider.h ├── Resource.h ├── Scylla.vcxproj ├── Scylla.vcxproj.filters ├── Settings.cpp ├── Settings.h ├── User32Loader.cpp ├── User32Loader.h ├── Util.cpp ├── Util.h ├── Version.cpp ├── Version.h ├── VersionPatch.cpp ├── VersionPatch.h ├── Win32kSyscalls.h ├── scylla.debug.props ├── scylla.props └── scylla.release.props ├── ScyllaHide.sln ├── ScyllaHideGenericPlugin ├── ScyllaHideGenericPlugin.cpp ├── ScyllaHideGenericPlugin.h ├── ScyllaHideGenericPlugin.vcxproj └── ScyllaHideGenericPlugin.vcxproj.filters ├── ScyllaHideIDAProPlugin ├── IdaServerClient.cpp ├── IdaServerClient.h ├── ScyllaHideIDAProPlugin.cpp ├── ScyllaHideIDAProPlugin.rc ├── ScyllaHideIDAProPlugin.vcxproj ├── ScyllaHideIDAProPlugin.vcxproj.filters └── resource.h ├── ScyllaHideIDAServer ├── Icon.rc ├── IdaServerExchange.h ├── ScyllaHideIDAServer.vcxproj ├── ScyllaHideIDAServer.vcxproj.filters ├── idaserver.cpp ├── idaserver.h └── resource.h ├── ScyllaHideOlly1Plugin ├── ScyllaHideOlly1Plugin.cpp ├── ScyllaHideOlly1Plugin.rc ├── ScyllaHideOlly1Plugin.vcxproj ├── ScyllaHideOlly1Plugin.vcxproj.filters ├── olly1patches.cpp ├── olly1patches.h └── resource.h ├── ScyllaHideOlly2Plugin ├── ScyllaHideOlly2Plugin.cpp ├── ScyllaHideOlly2Plugin.rc ├── ScyllaHideOlly2Plugin.vcxproj ├── ScyllaHideOlly2Plugin.vcxproj.filters └── resource.h ├── ScyllaHideTEPlugin ├── ScyllaHideTEPlugin.cpp ├── ScyllaHideTEPlugin.vcxproj └── ScyllaHideTEPlugin.vcxproj.filters ├── ScyllaHideX64DBGPlugin ├── Ghost-icon.png ├── ScyllaHideX64DBGPlugin.cpp ├── ScyllaHideX64DBGPlugin.rc ├── ScyllaHideX64DBGPlugin.vcxproj ├── ScyllaHideX64DBGPlugin.vcxproj.filters └── resource.h ├── ScyllaTest ├── ScyllaTest.vcxproj ├── ScyllaTest.vcxproj.filters └── main.cpp ├── changelog.txt └── release.bat /.editorconfig: -------------------------------------------------------------------------------- 1 | ; Top-most EditorConfig file 2 | root = true 3 | 4 | ; Windows-style newlines 5 | [*] 6 | end_of_line = CRLF 7 | 8 | ; Tab indentation 9 | [*.{c,cpp,h,hpp}] 10 | indent_style = space 11 | indent_size = 4 12 | trim_trailing_whitespace = true 13 | insert_final_newline = true 14 | -------------------------------------------------------------------------------- /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | name: Visual Studio 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | build: 7 | # Skip building pull requests from the same repository 8 | if: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) }} 9 | runs-on: windows-2019 10 | steps: 11 | - name: Checkout 12 | uses: actions/checkout@v3 13 | with: 14 | fetch-depth: 0 15 | 16 | - name: Setup VS environment 17 | uses: ilammy/msvc-dev-cmd@cec98b9d092141f74527d0afa6feb2af698cfe89 # v1.12.0 18 | with: 19 | #vsversion: 2019 # blows up on github. lol... 20 | # toolset should be 14.27, but it's not installed on Github. release.bat will help out here instead so we will eventually get a 14.27 env 21 | toolset: 14.29 22 | 23 | - name: Build 24 | run: | 25 | cmd /c call release.bat 26 | 27 | - name: Get current time 28 | uses: srfrnk/current-time@5a4163ad035ccd9a407ec9e519c3b6ba1b633d1e # v1.1.0 29 | id: current-time 30 | with: 31 | format: YYYY-MM-DD_HH-MM 32 | 33 | - uses: actions/upload-artifact@v3 34 | with: 35 | name: ${{ github.event.repository.name }}_${{ steps.current-time.outputs.formattedTime }} 36 | path: Release/ 37 | 38 | - name: Compress artifacts 39 | uses: vimtor/action-zip@26a249fb00d43ca98dad77a4b3838025fc226aa1 # v1.1 40 | if: ${{ startsWith(github.ref, 'refs/tags/') }} 41 | with: 42 | files: Release/ 43 | dest: ${{ github.event.repository.name }}_${{ steps.current-time.outputs.formattedTime }}.zip 44 | 45 | - name: Release 46 | uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 47 | if: ${{ startsWith(github.ref, 'refs/tags/') }} 48 | with: 49 | prerelease: ${{ !startsWith(github.ref, 'refs/tags/v') || contains(github.ref, '-pre') }} 50 | files: ${{ github.event.repository.name }}_${{ steps.current-time.outputs.formattedTime }}.zip 51 | generate_release_notes: true 52 | env: 53 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 54 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | [Xx]64/ 19 | [Xx]86/ 20 | [Bb]uild/ 21 | bld/ 22 | [Bb]in/ 23 | [Oo]bj/ 24 | scmrev.h 25 | 26 | # Make it possible to keep a local copy of the sacred IDA SDK 27 | # without accidentally committing it and receiving a takedown request 28 | # as a thank you for helping to expand the IDA plugin ecosystem 29 | 3rdparty/idasdk/ 30 | 31 | # Visual Studio 2015 cache/options directory 32 | .vs/ 33 | # Uncomment if you have tasks that create the project's static files in wwwroot 34 | #wwwroot/ 35 | 36 | # MSTest test Results 37 | [Tt]est[Rr]esult*/ 38 | [Bb]uild[Ll]og.* 39 | 40 | # NUNIT 41 | *.VisualState.xml 42 | TestResult.xml 43 | 44 | # Build Results of an ATL Project 45 | [Dd]ebugPS/ 46 | [Rr]eleasePS/ 47 | dlldata.c 48 | 49 | # DNX 50 | project.lock.json 51 | artifacts/ 52 | 53 | *_i.c 54 | *_p.c 55 | *_i.h 56 | *.ilk 57 | *.meta 58 | *.obj 59 | *.pch 60 | *.pdb 61 | *.pgc 62 | *.pgd 63 | *.rsp 64 | *.sbr 65 | *.tlb 66 | *.tli 67 | *.tlh 68 | *.tmp 69 | *.tmp_proj 70 | *.log 71 | *.vspscc 72 | *.vssscc 73 | .builds 74 | *.pidb 75 | *.svclog 76 | *.scc 77 | 78 | # Chutzpah Test files 79 | _Chutzpah* 80 | 81 | # Visual C++ cache files 82 | ipch/ 83 | *.aps 84 | *.ncb 85 | *.opendb 86 | *.opensdf 87 | *.sdf 88 | *.cachefile 89 | *.VC.db 90 | 91 | # Visual Studio profiler 92 | *.psess 93 | *.vsp 94 | *.vspx 95 | *.sap 96 | 97 | # TFS 2012 Local Workspace 98 | $tf/ 99 | 100 | # Guidance Automation Toolkit 101 | *.gpState 102 | 103 | # ReSharper is a .NET coding add-in 104 | _ReSharper*/ 105 | *.[Rr]e[Ss]harper 106 | *.DotSettings.user 107 | 108 | # JustCode is a .NET coding add-in 109 | .JustCode 110 | 111 | # TeamCity is a build add-in 112 | _TeamCity* 113 | 114 | # DotCover is a Code Coverage Tool 115 | *.dotCover 116 | 117 | # NCrunch 118 | _NCrunch_* 119 | .*crunch*.local.xml 120 | nCrunchTemp_* 121 | 122 | # MightyMoose 123 | *.mm.* 124 | AutoTest.Net/ 125 | 126 | # Web workbench (sass) 127 | .sass-cache/ 128 | 129 | # Installshield output folder 130 | [Ee]xpress/ 131 | 132 | # DocProject is a documentation generator add-in 133 | DocProject/buildhelp/ 134 | DocProject/Help/*.HxT 135 | DocProject/Help/*.HxC 136 | DocProject/Help/*.hhc 137 | DocProject/Help/*.hhk 138 | DocProject/Help/*.hhp 139 | DocProject/Help/Html2 140 | DocProject/Help/html 141 | 142 | # Click-Once directory 143 | publish/ 144 | 145 | # Publish Web Output 146 | *.[Pp]ublish.xml 147 | *.azurePubxml 148 | 149 | # TODO: Un-comment the next line if you do not want to checkin 150 | # your web deploy settings because they may include unencrypted 151 | # passwords 152 | #*.pubxml 153 | *.publishproj 154 | 155 | # NuGet Packages 156 | *.nupkg 157 | # The packages folder can be ignored because of Package Restore 158 | **/packages/* 159 | # except build/, which is used as an MSBuild target. 160 | !**/packages/build/ 161 | # Uncomment if necessary however generally it will be regenerated when needed 162 | #!**/packages/repositories.config 163 | # NuGet v3's project.json files produces more ignoreable files 164 | *.nuget.props 165 | *.nuget.targets 166 | 167 | # Microsoft Azure Build Output 168 | csx/ 169 | *.build.csdef 170 | 171 | # Microsoft Azure Emulator 172 | ecf/ 173 | rcf/ 174 | 175 | # Windows Store app package directory 176 | AppPackages/ 177 | BundleArtifacts/ 178 | 179 | # Visual Studio cache files 180 | # files ending in .cache can be ignored 181 | *.[Cc]ache 182 | # but keep track of directories ending in .cache 183 | !*.[Cc]ache/ 184 | 185 | # Others 186 | ClientBin/ 187 | [Ss]tyle[Cc]op.* 188 | ~$* 189 | *~ 190 | *.dbmdl 191 | *.dbproj.schemaview 192 | *.pfx 193 | *.publishsettings 194 | node_modules/ 195 | orleans.codegen.cs 196 | 197 | # RIA/Silverlight projects 198 | Generated_Code/ 199 | 200 | # Backup & report files from converting an old project file 201 | # to a newer Visual Studio version. Backup files are not needed, 202 | # because we have git ;-) 203 | _UpgradeReport_Files/ 204 | Backup*/ 205 | UpgradeLog*.XML 206 | UpgradeLog*.htm 207 | 208 | # SQL Server files 209 | *.mdf 210 | *.ldf 211 | 212 | # Business Intelligence projects 213 | *.rdl.data 214 | *.bim.layout 215 | *.bim_*.settings 216 | 217 | # Microsoft Fakes 218 | FakesAssemblies/ 219 | 220 | # GhostDoc plugin setting file 221 | *.GhostDoc.xml 222 | 223 | # Node.js Tools for Visual Studio 224 | .ntvs_analysis.dat 225 | 226 | # Visual Studio 6 build log 227 | *.plg 228 | 229 | # Visual Studio 6 workspace options file 230 | *.opt 231 | 232 | # Visual Studio LightSwitch build output 233 | **/*.HTMLClient/GeneratedArtifacts 234 | **/*.DesktopClient/GeneratedArtifacts 235 | **/*.DesktopClient/ModelManifest.xml 236 | **/*.Server/GeneratedArtifacts 237 | **/*.Server/ModelManifest.xml 238 | _Pvt_Extensions 239 | 240 | # LightSwitch generated files 241 | GeneratedArtifacts/ 242 | ModelManifest.xml 243 | 244 | # Paket dependency manager 245 | .paket/paket.exe 246 | 247 | # FAKE - F# Make 248 | .fake/ 249 | 250 | # ========================= 251 | # Windows detritus 252 | # ========================= 253 | 254 | # Windows image file caches 255 | Thumbs.db 256 | ehthumbs.db 257 | 258 | # Folder config file 259 | Desktop.ini 260 | 261 | # Recycle Bin used on file shares 262 | $RECYCLE.BIN/ 263 | 264 | # Mac crap 265 | .DS_Store 266 | -------------------------------------------------------------------------------- /3rdparty/README.txt: -------------------------------------------------------------------------------- 1 | To build the IDA plugin, extract the contents of idasdk695.zip in the directory "idasdk" -------------------------------------------------------------------------------- /3rdparty/distorm/config.h: -------------------------------------------------------------------------------- 1 | /* 2 | config.h 3 | 4 | diStorm3 - Powerful disassembler for X86/AMD64 5 | http://ragestorm.net/distorm/ 6 | distorm at gmail dot com 7 | Copyright (C) 2003-2016 Gil Dabah 8 | This library is licensed under the BSD license. See the file COPYING. 9 | */ 10 | 11 | 12 | #ifndef CONFIG_H 13 | #define CONFIG_H 14 | 15 | /* diStorm version number. */ 16 | #define __DISTORMV__ 0x030304 17 | 18 | #include /* memset, memcpy - can be easily self implemented for libc independency. */ 19 | 20 | #include "distorm.h" 21 | 22 | 23 | /* 24 | * 64 bit offsets support: 25 | * This macro should be defined from compiler command line flags, e.g: -DSUPPORT_64BIT_OFFSET 26 | * Note: make sure that the caller (library user) defines it too! 27 | */ 28 | #ifndef SUPPORT_64BIT_OFFSET 29 | #define SUPPORT_64BIT_OFFSET 30 | #endif 31 | 32 | /* 33 | * If you compile diStorm as a dynamic library (.dll or .so) file, make sure you uncomment the next line. 34 | * So the interface functions will be exported, otherwise they are useable only for static library. 35 | * For example, this macro is being set for compiling diStorm as a .dll for Python with CTypes. 36 | */ 37 | /* #define DISTORM_DYNAMIC */ 38 | 39 | /* 40 | * If DISTORM_LIGHT is defined, everything involved in formatting the instructions 41 | * as text will be excluded from compilation. 42 | * distorm_decode(..) and distorm_format(..) will not be available. 43 | * This will decrease the size of the executable and leave you with decomposition functionality only. 44 | * 45 | * Note: it should be either set in the preprocessor definitions manually or in command line -D switch. 46 | */ 47 | #ifndef DISTORM_LIGHT 48 | #define DISTORM_LIGHT 49 | #endif 50 | /* 51 | * diStorm now supports little/big endian CPU's. 52 | * It should detect the endianness according to predefined macro's of the compiler. 53 | * If you don't use GCC/MSVC you will have to define it on your own. 54 | */ 55 | 56 | /* These macros are used in order to make the code portable. */ 57 | #ifdef __GNUC__ 58 | 59 | #include 60 | 61 | #define _DLLEXPORT_ 62 | #define _FASTCALL_ 63 | #define _INLINE_ static 64 | /* GCC ignores this directive... */ 65 | /*#define _FASTCALL_ __attribute__((__fastcall__))*/ 66 | 67 | /* Set endianity (supposed to be LE though): */ 68 | #ifdef __BIG_ENDIAN__ 69 | #define BE_SYSTEM 70 | #endif 71 | 72 | /* End of __GCC__ */ 73 | 74 | #elif __WATCOMC__ 75 | 76 | #include 77 | 78 | #define _DLLEXPORT_ 79 | #define _FASTCALL_ 80 | #define _INLINE_ __inline 81 | 82 | /* End of __WATCOMC__ */ 83 | 84 | #elif __DMC__ 85 | 86 | #include 87 | 88 | #define _DLLEXPORT_ 89 | #define _FASTCALL_ 90 | #define _INLINE_ __inline 91 | 92 | /* End of __DMC__ */ 93 | 94 | #elif __TINYC__ 95 | 96 | #include 97 | 98 | #define _DLLEXPORT_ 99 | #define _FASTCALL_ 100 | #define _INLINE_ 101 | 102 | /* End of __TINYC__ */ 103 | 104 | #elif _MSC_VER 105 | 106 | /* stdint alternative is defined in distorm.h */ 107 | 108 | #define _DLLEXPORT_ __declspec(dllexport) 109 | #define _FASTCALL_ __fastcall 110 | #define _INLINE_ __inline 111 | 112 | /* Set endianity (supposed to be LE though): */ 113 | #if !defined(_M_IX86) && !defined(_M_X64) 114 | #define BE_SYSTEM 115 | #endif 116 | 117 | #endif /* #elif _MSC_VER */ 118 | 119 | /* If the library isn't compiled as a dynamic library don't export any functions. */ 120 | #ifndef DISTORM_DYNAMIC 121 | #undef _DLLEXPORT_ 122 | #define _DLLEXPORT_ 123 | #endif 124 | 125 | #ifndef FALSE 126 | #define FALSE 0 127 | #endif 128 | #ifndef TRUE 129 | #define TRUE 1 130 | #endif 131 | 132 | /* Define stream read functions for big endian systems. */ 133 | #ifdef BE_SYSTEM 134 | /* 135 | * These functions can read from the stream safely! 136 | * Swap endianity of input to little endian. 137 | */ 138 | static _INLINE_ int16_t RSHORT(const uint8_t *s) 139 | { 140 | return s[0] | (s[1] << 8); 141 | } 142 | static _INLINE_ uint16_t RUSHORT(const uint8_t *s) 143 | { 144 | return s[0] | (s[1] << 8); 145 | } 146 | static _INLINE_ int32_t RLONG(const uint8_t *s) 147 | { 148 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24); 149 | } 150 | static _INLINE_ uint32_t RULONG(const uint8_t *s) 151 | { 152 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24); 153 | } 154 | static _INLINE_ int64_t RLLONG(const uint8_t *s) 155 | { 156 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24) | ((uint64_t)s[4] << 32) | ((uint64_t)s[5] << 40) | ((uint64_t)s[6] << 48) | ((uint64_t)s[7] << 56); 157 | } 158 | static _INLINE_ uint64_t RULLONG(const uint8_t *s) 159 | { 160 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24) | ((uint64_t)s[4] << 32) | ((uint64_t)s[5] << 40) | ((uint64_t)s[6] << 48) | ((uint64_t)s[7] << 56); 161 | } 162 | #else 163 | /* Little endian macro's will just make the cast. */ 164 | #define RSHORT(x) *(int16_t *)x 165 | #define RUSHORT(x) *(uint16_t *)x 166 | #define RLONG(x) *(int32_t *)x 167 | #define RULONG(x) *(uint32_t *)x 168 | #define RLLONG(x) *(int64_t *)x 169 | #define RULLONG(x) *(uint64_t *)x 170 | #endif 171 | 172 | #endif /* CONFIG_H */ 173 | -------------------------------------------------------------------------------- /3rdparty/distorm/decoder.h: -------------------------------------------------------------------------------- 1 | /* 2 | decoder.h 3 | 4 | diStorm3 - Powerful disassembler for X86/AMD64 5 | http://ragestorm.net/distorm/ 6 | distorm at gmail dot com 7 | Copyright (C) 2011 Gil Dabah 8 | 9 | This program is free software: you can redistribute it and/or modify 10 | it under the terms of the GNU General Public License as published by 11 | the Free Software Foundation, either version 3 of the License, or 12 | (at your option) any later version. 13 | 14 | This program is distributed in the hope that it will be useful, 15 | but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | GNU General Public License for more details. 18 | 19 | You should have received a copy of the GNU General Public License 20 | along with this program. If not, see 21 | */ 22 | 23 | 24 | #ifndef DECODER_H 25 | #define DECODER_H 26 | 27 | #include "config.h" 28 | 29 | typedef unsigned int _iflags; 30 | 31 | _DecodeResult decode_internal(_CodeInfo* ci, int supportOldIntr, _DInst result[], unsigned int maxResultCount, unsigned int* usedInstructionsCount); 32 | 33 | #endif /* DECODER_H */ 34 | -------------------------------------------------------------------------------- /3rdparty/distorm/distorm.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | Source Files 44 | 45 | 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files 61 | 62 | 63 | Header Files 64 | 65 | 66 | Header Files 67 | 68 | 69 | Header Files 70 | 71 | 72 | Header Files 73 | 74 | 75 | Header Files 76 | 77 | 78 | Header Files 79 | 80 | 81 | -------------------------------------------------------------------------------- /3rdparty/distorm/insts.h: -------------------------------------------------------------------------------- 1 | /* 2 | insts.h 3 | 4 | diStorm3 - Powerful disassembler for X86/AMD64 5 | http://ragestorm.net/distorm/ 6 | distorm at gmail dot com 7 | Copyright (C) 2003-2016 Gil Dabah 8 | This library is licensed under the BSD license. See the file COPYING. 9 | */ 10 | 11 | 12 | #ifndef INSTS_H 13 | #define INSTS_H 14 | 15 | #include "instructions.h" 16 | 17 | 18 | /* Flags Table */ 19 | extern _iflags FlagsTable[]; 20 | 21 | /* Root Trie DB */ 22 | extern _InstSharedInfo InstSharedInfoTable[]; 23 | extern _InstInfo InstInfos[]; 24 | extern _InstInfoEx InstInfosEx[]; 25 | extern _InstNode InstructionsTree[]; 26 | 27 | /* 3DNow! Trie DB */ 28 | extern _InstNode Table_0F_0F; 29 | /* AVX related: */ 30 | extern _InstNode Table_0F, Table_0F_38, Table_0F_3A; 31 | 32 | /* 33 | * The inst_lookup will return on of these two instructions according to the specified decoding mode. 34 | * ARPL or MOVSXD on 64 bits is one byte instruction at index 0x63. 35 | */ 36 | extern _InstInfo II_MOVSXD; 37 | 38 | /* 39 | * The NOP instruction can be prefixed by REX in 64bits, therefore we have to decide in runtime whether it's an XCHG or NOP instruction. 40 | * If 0x90 is prefixed by a usable REX it will become XCHG, otherwise it will become a NOP. 41 | * Also note that if it's prefixed by 0xf3, it becomes a Pause. 42 | */ 43 | extern _InstInfo II_NOP; 44 | extern _InstInfo II_PAUSE; 45 | 46 | /* 47 | * RDRAND and VMPTRLD share same 2.3 bytes opcode, and then alternates on the MOD bits, 48 | * RDRAND is OT_FULL_REG while VMPTRLD is OT_MEM, and there's no such mixed type. 49 | * So a hack into the inst_lookup was added for this decision, the DB isn't flexible enough. :( 50 | */ 51 | extern _InstInfo II_RDRAND; 52 | 53 | /* 54 | * Used for letting the extract operand know the type of operands without knowing the 55 | * instruction itself yet, because of the way those instructions work. 56 | * See function instructions.c!inst_lookup_3dnow. 57 | */ 58 | extern _InstInfo II_3DNOW; 59 | 60 | /* Helper tables for pseudo compare mnemonics. */ 61 | extern uint16_t CmpMnemonicOffsets[8]; /* SSE */ 62 | extern uint16_t VCmpMnemonicOffsets[32]; /* AVX */ 63 | 64 | #endif /* INSTS_H */ 65 | -------------------------------------------------------------------------------- /3rdparty/distorm/operands.h: -------------------------------------------------------------------------------- 1 | /* 2 | operands.h 3 | 4 | diStorm3 - Powerful disassembler for X86/AMD64 5 | http://ragestorm.net/distorm/ 6 | distorm at gmail dot com 7 | Copyright (C) 2003-2016 Gil Dabah 8 | This library is licensed under the BSD license. See the file COPYING. 9 | */ 10 | 11 | 12 | #ifndef OPERANDS_H 13 | #define OPERANDS_H 14 | 15 | #include "config.h" 16 | #include "decoder.h" 17 | #include "prefix.h" 18 | #include "instructions.h" 19 | 20 | 21 | extern uint32_t _REGISTERTORCLASS[]; 22 | 23 | int operands_extract(_CodeInfo* ci, _DInst* di, _InstInfo* ii, 24 | _iflags instFlags, _OpType type, _OperandNumberType opNum, 25 | unsigned int modrm, _PrefixState* ps, _DecodeType effOpSz, 26 | _DecodeType effAdrSz, int* lockableInstruction); 27 | 28 | #endif /* OPERANDS_H */ 29 | -------------------------------------------------------------------------------- /3rdparty/distorm/prefix.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/distorm/prefix.c -------------------------------------------------------------------------------- /3rdparty/distorm/prefix.h: -------------------------------------------------------------------------------- 1 | /* 2 | prefix.h 3 | 4 | diStorm3 - Powerful disassembler for X86/AMD64 5 | http://ragestorm.net/distorm/ 6 | distorm at gmail dot com 7 | Copyright (C) 2003-2016 Gil Dabah 8 | This library is licensed under the BSD license. See the file COPYING. 9 | */ 10 | 11 | 12 | #ifndef PREFIX_H 13 | #define PREFIX_H 14 | 15 | #include "config.h" 16 | #include "decoder.h" 17 | 18 | 19 | /* Specifies the type of the extension prefix, such as: REX, 2 bytes VEX, 3 bytes VEX. */ 20 | typedef enum {PET_NONE = 0, PET_REX, PET_VEX2BYTES, PET_VEX3BYTES} _PrefixExtType; 21 | 22 | /* Specifies an index into a table of prefixes by their type. */ 23 | typedef enum {PFXIDX_NONE = -1, PFXIDX_REX, PFXIDX_LOREP, PFXIDX_SEG, PFXIDX_OP_SIZE, PFXIDX_ADRS, PFXIDX_MAX} _PrefixIndexer; 24 | 25 | /* 26 | * This holds the prefixes state for the current instruction we decode. 27 | * decodedPrefixes includes all specific prefixes that the instruction got. 28 | * start is a pointer to the first prefix to take into account. 29 | * last is a pointer to the last byte we scanned. 30 | * Other pointers are used to keep track of prefixes positions and help us know if they appeared already and where. 31 | */ 32 | typedef struct { 33 | _iflags decodedPrefixes, usedPrefixes; 34 | const uint8_t *start, *last, *vexPos, *rexPos; 35 | _PrefixExtType prefixExtType; 36 | uint16_t unusedPrefixesMask; 37 | /* Indicates whether the operand size prefix (0x66) was used as a mandatory prefix. */ 38 | int isOpSizeMandatory; 39 | /* If VEX prefix is used, store the VEX.vvvv field. */ 40 | unsigned int vexV; 41 | /* The fields B/X/R/W/L of REX and VEX are stored together in this byte. */ 42 | unsigned int vrex; 43 | 44 | /* !! Make sure pfxIndexer is LAST! Otherwise memset won't work well with it. !! */ 45 | 46 | /* Holds the offset to the prefix byte by its type. */ 47 | int pfxIndexer[PFXIDX_MAX]; 48 | } _PrefixState; 49 | 50 | /* 51 | * Intel supports 6 types of prefixes, whereas AMD supports 5 types (lock is seperated from rep/nz). 52 | * REX is the fifth prefix type, this time I'm based on AMD64. 53 | * VEX is the 6th, though it can't be repeated. 54 | */ 55 | #define MAX_PREFIXES (5) 56 | 57 | int prefixes_is_valid(unsigned int ch, _DecodeType dt); 58 | void prefixes_ignore(_PrefixState* ps, _PrefixIndexer pi); 59 | void prefixes_ignore_all(_PrefixState* ps); 60 | uint16_t prefixes_set_unused_mask(_PrefixState* ps); 61 | void prefixes_decode(const uint8_t* code, int codeLen, _PrefixState* ps, _DecodeType dt); 62 | void prefixes_use_segment(_iflags defaultSeg, _PrefixState* ps, _DecodeType dt, _DInst* di); 63 | 64 | #endif /* PREFIX_H */ 65 | -------------------------------------------------------------------------------- /3rdparty/distorm/textdefs.h: -------------------------------------------------------------------------------- 1 | /* 2 | textdefs.h 3 | 4 | diStorm3 - Powerful disassembler for X86/AMD64 5 | http://ragestorm.net/distorm/ 6 | distorm at gmail dot com 7 | Copyright (C) 2003-2016 Gil Dabah 8 | This library is licensed under the BSD license. See the file COPYING. 9 | */ 10 | 11 | 12 | #ifndef TEXTDEFS_H 13 | #define TEXTDEFS_H 14 | 15 | #include "config.h" 16 | #include "wstring.h" 17 | 18 | #ifndef DISTORM_LIGHT 19 | 20 | #define PLUS_DISP_CHR '+' 21 | #define MINUS_DISP_CHR '-' 22 | #define OPEN_CHR '[' 23 | #define CLOSE_CHR ']' 24 | #define SP_CHR ' ' 25 | #define SEG_OFF_CHR ':' 26 | 27 | /* 28 | Naming Convention: 29 | 30 | * get - returns a pointer to a string. 31 | * str - concatenates to string. 32 | 33 | * hex - means the function is used for hex dump (number is padded to required size) - Little Endian output. 34 | * code - means the function is used for disassembled instruction - Big Endian output. 35 | * off - means the function is used for 64bit offset - Big Endian output. 36 | 37 | * h - '0x' in front of the string. 38 | 39 | * b - byte 40 | * dw - double word (can be used for word also) 41 | * qw - quad word 42 | 43 | * all numbers are in HEX. 44 | */ 45 | 46 | void _FASTCALL_ str_hex_b(_WString* s, unsigned int x); 47 | void _FASTCALL_ str_code_hb(_WString* s, unsigned int x); 48 | void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x); 49 | void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8]); 50 | 51 | #ifdef SUPPORT_64BIT_OFFSET 52 | void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x); 53 | #endif 54 | 55 | #endif /* DISTORM_LIGHT */ 56 | 57 | #endif /* TEXTDEFS_H */ 58 | -------------------------------------------------------------------------------- /3rdparty/distorm/wstring.c: -------------------------------------------------------------------------------- 1 | /* 2 | wstring.c 3 | 4 | diStorm3 - Powerful disassembler for X86/AMD64 5 | http://ragestorm.net/distorm/ 6 | distorm at gmail dot com 7 | Copyright (C) 2003-2016 Gil Dabah 8 | This library is licensed under the BSD license. See the file COPYING. 9 | */ 10 | 11 | 12 | #include "wstring.h" 13 | 14 | #ifndef DISTORM_LIGHT 15 | 16 | void strclear_WS(_WString* s) 17 | { 18 | s->p[0] = '\0'; 19 | s->length = 0; 20 | } 21 | 22 | void chrcat_WS(_WString* s, uint8_t ch) 23 | { 24 | s->p[s->length] = ch; 25 | s->p[s->length + 1] = '\0'; 26 | s->length += 1; 27 | } 28 | 29 | void strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len) 30 | { 31 | s->length = len; 32 | memcpy((int8_t*)s->p, buf, len + 1); 33 | } 34 | 35 | void strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len) 36 | { 37 | memcpy((int8_t*)&s->p[s->length], buf, len + 1); 38 | s->length += len; 39 | } 40 | 41 | void strcat_WS(_WString* s, const _WString* s2) 42 | { 43 | memcpy((int8_t*)&s->p[s->length], s2->p, s2->length + 1); 44 | s->length += s2->length; 45 | } 46 | 47 | #endif /* DISTORM_LIGHT */ 48 | -------------------------------------------------------------------------------- /3rdparty/distorm/wstring.h: -------------------------------------------------------------------------------- 1 | /* 2 | wstring.h 3 | 4 | diStorm3 - Powerful disassembler for X86/AMD64 5 | http://ragestorm.net/distorm/ 6 | distorm at gmail dot com 7 | Copyright (C) 2003-2016 Gil Dabah 8 | This library is licensed under the BSD license. See the file COPYING. 9 | */ 10 | 11 | 12 | #ifndef WSTRING_H 13 | #define WSTRING_H 14 | 15 | #include "config.h" 16 | 17 | #ifndef DISTORM_LIGHT 18 | 19 | void strclear_WS(_WString* s); 20 | void chrcat_WS(_WString* s, uint8_t ch); 21 | void strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len); 22 | void strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len); 23 | void strcat_WS(_WString* s, const _WString* s2); 24 | 25 | /* 26 | * Warning, this macro should be used only when the compiler knows the size of string in advance! 27 | * This macro is used in order to spare the call to strlen when the strings are known already. 28 | * Note: sizeof includes NULL terminated character. 29 | */ 30 | #define strcat_WSN(s, t) strcatlen_WS((s), ((const int8_t*)t), sizeof((t))-1) 31 | #define strcpy_WSN(s, t) strcpylen_WS((s), ((const int8_t*)t), sizeof((t))-1) 32 | 33 | #endif /* DISTORM_LIGHT */ 34 | 35 | #endif /* WSTRING_H */ 36 | -------------------------------------------------------------------------------- /3rdparty/distorm/x86defs.h: -------------------------------------------------------------------------------- 1 | /* 2 | x86defs.h 3 | 4 | diStorm3 - Powerful disassembler for X86/AMD64 5 | http://ragestorm.net/distorm/ 6 | distorm at gmail dot com 7 | Copyright (C) 2003-2016 Gil Dabah 8 | This library is licensed under the BSD license. See the file COPYING. 9 | */ 10 | 11 | 12 | #ifndef X86DEFS_H 13 | #define X86DEFS_H 14 | 15 | 16 | #define SEG_REGS_MAX (6) 17 | #define CREGS_MAX (9) 18 | #define DREGS_MAX (8) 19 | 20 | /* Maximum instruction size, including prefixes */ 21 | #define INST_MAXIMUM_SIZE (15) 22 | 23 | /* Maximum range of imm8 (comparison type) of special SSE CMP instructions. */ 24 | #define INST_CMP_MAX_RANGE (8) 25 | 26 | /* Maximum range of imm8 (comparison type) of special AVX VCMP instructions. */ 27 | #define INST_VCMP_MAX_RANGE (32) 28 | 29 | /* Wait instruction byte code. */ 30 | #define INST_WAIT_INDEX (0x9b) 31 | 32 | /* Lea instruction byte code. */ 33 | #define INST_LEA_INDEX (0x8d) 34 | 35 | /* NOP/XCHG instruction byte code. */ 36 | #define INST_NOP_INDEX (0x90) 37 | 38 | /* ARPL/MOVSXD instruction byte code. */ 39 | #define INST_ARPL_INDEX (0x63) 40 | 41 | /* 42 | * Minimal MODR/M value of divided instructions. 43 | * It's 0xc0, two MSBs set, which indicates a general purpose register is used too. 44 | */ 45 | #define INST_DIVIDED_MODRM (0xc0) 46 | 47 | /* This is the escape byte value used for 3DNow! instructions. */ 48 | #define _3DNOW_ESCAPE_BYTE (0x0f) 49 | 50 | #define PREFIX_LOCK (0xf0) 51 | #define PREFIX_REPNZ (0xf2) 52 | #define PREFIX_REP (0xf3) 53 | #define PREFIX_CS (0x2e) 54 | #define PREFIX_SS (0x36) 55 | #define PREFIX_DS (0x3e) 56 | #define PREFIX_ES (0x26) 57 | #define PREFIX_FS (0x64) 58 | #define PREFIX_GS (0x65) 59 | #define PREFIX_OP_SIZE (0x66) 60 | #define PREFIX_ADDR_SIZE (0x67) 61 | #define PREFIX_VEX2b (0xc5) 62 | #define PREFIX_VEX3b (0xc4) 63 | 64 | /* REX prefix value range, 64 bits mode decoding only. */ 65 | #define PREFIX_REX_LOW (0x40) 66 | #define PREFIX_REX_HI (0x4f) 67 | /* In order to use the extended GPR's we have to add 8 to the Modr/M info values. */ 68 | #define EX_GPR_BASE (8) 69 | 70 | /* Mask for REX and VEX features: */ 71 | /* Base */ 72 | #define PREFIX_EX_B (1) 73 | /* Index */ 74 | #define PREFIX_EX_X (2) 75 | /* Register */ 76 | #define PREFIX_EX_R (4) 77 | /* Operand Width */ 78 | #define PREFIX_EX_W (8) 79 | /* Vector Lengh */ 80 | #define PREFIX_EX_L (0x10) 81 | 82 | #endif /* X86DEFS_H */ 83 | -------------------------------------------------------------------------------- /3rdparty/ntdll/ntdll_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/ntdll/ntdll_x64.lib -------------------------------------------------------------------------------- /3rdparty/ntdll/ntdll_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/ntdll/ntdll_x86.lib -------------------------------------------------------------------------------- /3rdparty/ntdll/ntdllp_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/ntdll/ntdllp_x64.lib -------------------------------------------------------------------------------- /3rdparty/ntdll/ntdllp_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/ntdll/ntdllp_x86.lib -------------------------------------------------------------------------------- /3rdparty/ollydbg1/ollydbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/ollydbg1/ollydbg.lib -------------------------------------------------------------------------------- /3rdparty/ollydbg2/ollydbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/ollydbg2/ollydbg.lib -------------------------------------------------------------------------------- /3rdparty/x64dbg/_plugin_types.h: -------------------------------------------------------------------------------- 1 | #ifndef _PLUGIN_DATA_H 2 | #define _PLUGIN_DATA_H 3 | 4 | #ifdef BUILD_DBG 5 | 6 | #include "_global.h" 7 | #include "jansson/jansson.h" 8 | #include 9 | 10 | #else 11 | 12 | #ifdef __GNUC__ 13 | #include "dbghelp/dbghelp.h" 14 | #else 15 | #include 16 | #endif // __GNUC__ 17 | 18 | #ifndef deflen 19 | #define deflen 1024 20 | #endif // deflen 21 | 22 | #include "bridgemain.h" 23 | #include "_dbgfunctions.h" 24 | #include "jansson/jansson.h" 25 | 26 | #endif // BUILD_DBG 27 | 28 | #endif // _PLUGIN_DATA_H 29 | -------------------------------------------------------------------------------- /3rdparty/x64dbg/bridgelist.h: -------------------------------------------------------------------------------- 1 | #ifndef _LIST_H 2 | #define _LIST_H 3 | 4 | typedef struct 5 | { 6 | int count; //Number of element in the list. 7 | size_t size; //Size of list in bytes (used for type checking). 8 | void* data; //Pointer to the list contents. Must be deleted by the caller using BridgeFree (or BridgeList::Free). 9 | } ListInfo; 10 | 11 | #define ListOf(Type) ListInfo* 12 | 13 | #ifdef __cplusplus 14 | 15 | #include 16 | 17 | /** 18 | \brief A list object. This object is NOT thread safe. 19 | \tparam Type BridgeList contents type. 20 | */ 21 | template 22 | class BridgeList 23 | { 24 | public: 25 | /** 26 | \brief BridgeList constructor. 27 | \param _freeData (Optional) the free function. 28 | */ 29 | explicit BridgeList() 30 | { 31 | memset(&_listInfo, 0, sizeof(_listInfo)); 32 | } 33 | 34 | /** 35 | \brief BridgeList destructor. 36 | */ 37 | ~BridgeList() 38 | { 39 | Cleanup(); 40 | } 41 | 42 | /** 43 | \brief Gets the list data. 44 | \return Returns ListInfo->data. Can be null if the list was never initialized. Will be destroyed once this object goes out of scope! 45 | */ 46 | Type* Data() const 47 | { 48 | return reinterpret_cast(_listInfo.data); 49 | } 50 | 51 | /** 52 | \brief Gets the number of elements in the list. This will crash the program if the data is not consistent with the specified template argument. 53 | \return The number of elements in the list. 54 | */ 55 | int Count() const 56 | { 57 | if(_listInfo.size != _listInfo.count * sizeof(Type)) //make sure the user is using the correct type. 58 | __debugbreak(); 59 | return _listInfo.count; 60 | } 61 | 62 | /** 63 | \brief Cleans up the list, freeing the list data when it is not null. 64 | */ 65 | void Cleanup() 66 | { 67 | if(_listInfo.data) 68 | { 69 | BridgeFree(_listInfo.data); 70 | _listInfo.data = nullptr; 71 | } 72 | } 73 | 74 | /** 75 | \brief Reference operator (cleans up the previous list) 76 | \return Pointer to the ListInfo. 77 | */ 78 | ListInfo* operator&() 79 | { 80 | Cleanup(); 81 | return &_listInfo; 82 | } 83 | 84 | /** 85 | \brief Array indexer operator. This will crash if you try to access out-of-bounds. 86 | \param index Zero-based index of the item you want to get. 87 | \return Reference to a value at that index. 88 | */ 89 | Type & operator[](size_t index) const 90 | { 91 | if(index >= size_t(Count())) //make sure the out-of-bounds access is caught as soon as possible. 92 | __debugbreak(); 93 | return Data()[index]; 94 | } 95 | 96 | /** 97 | \brief Copies data to a ListInfo structure.. 98 | \param [out] listInfo If non-null, information describing the list. 99 | \param listData Data to copy in the ListInfo structure. 100 | \return true if it succeeds, false if it fails. 101 | */ 102 | static bool CopyData(ListInfo* listInfo, const std::vector & listData) 103 | { 104 | if(!listInfo) 105 | return false; 106 | listInfo->count = int(listData.size()); 107 | listInfo->size = listInfo->count * sizeof(Type); 108 | if(listInfo->count) 109 | { 110 | listInfo->data = BridgeAlloc(listInfo->size); 111 | Type* curItem = reinterpret_cast(listInfo->data); 112 | for(const auto & item : listData) 113 | { 114 | *curItem = item; 115 | ++curItem; 116 | } 117 | } 118 | else 119 | listInfo->data = nullptr; 120 | return true; 121 | } 122 | 123 | static bool Free(const ListInfo* listInfo) 124 | { 125 | if(!listInfo || listInfo->size != listInfo->count * sizeof(Type) || (listInfo->count && !listInfo->data)) 126 | return false; 127 | BridgeFree(listInfo->data); 128 | return true; 129 | } 130 | 131 | static bool ToVector(const ListInfo* listInfo, std::vector & listData, bool freedata = true) 132 | { 133 | if(!listInfo || listInfo->size != listInfo->count * sizeof(Type) || (listInfo->count && !listInfo->data)) 134 | return false; 135 | listData.resize(listInfo->count); 136 | for(int i = 0; i < listInfo->count; i++) 137 | listData[i] = ((Type*)listInfo->data)[i]; 138 | if(freedata && listInfo->data) 139 | BridgeFree(listInfo->data); 140 | return true; 141 | } 142 | 143 | private: 144 | ListInfo _listInfo; 145 | }; 146 | 147 | #endif //__cplusplus 148 | 149 | #endif //_LIST_H -------------------------------------------------------------------------------- /3rdparty/x64dbg/jansson/jansson_config.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2010-2016 Petri Lehtinen 3 | * 4 | * Jansson is free software; you can redistribute it and/or modify 5 | * it under the terms of the MIT license. See LICENSE for details. 6 | * 7 | * 8 | * This file specifies a part of the site-specific configuration for 9 | * Jansson, namely those things that affect the public API in 10 | * jansson.h. 11 | * 12 | * The CMake system will generate the jansson_config.h file and 13 | * copy it to the build and install directories. 14 | */ 15 | 16 | #ifndef JANSSON_CONFIG_H 17 | #define JANSSON_CONFIG_H 18 | 19 | /* Define this so that we can disable scattered automake configuration in source files */ 20 | #ifndef JANSSON_USING_CMAKE 21 | #define JANSSON_USING_CMAKE 22 | #endif 23 | 24 | /* Note: when using cmake, JSON_INTEGER_IS_LONG_LONG is not defined nor used, 25 | * as we will also check for __int64 etc types. 26 | * (the definition was used in the automake system) */ 27 | 28 | /* Bring in the cmake-detected defines */ 29 | #define HAVE_STDINT_H 1 30 | /* #undef HAVE_INTTYPES_H */ 31 | /* #undef HAVE_SYS_TYPES_H */ 32 | 33 | /* Include our standard type header for the integer typedef */ 34 | 35 | #if defined(HAVE_STDINT_H) 36 | # include 37 | #elif defined(HAVE_INTTYPES_H) 38 | # include 39 | #elif defined(HAVE_SYS_TYPES_H) 40 | # include 41 | #endif 42 | 43 | 44 | /* If your compiler supports the inline keyword in C, JSON_INLINE is 45 | defined to `inline', otherwise empty. In C++, the inline is always 46 | supported. */ 47 | #ifdef __cplusplus 48 | #define JSON_INLINE inline 49 | #else 50 | #define JSON_INLINE __inline 51 | #endif 52 | 53 | 54 | #define json_int_t long long 55 | #define json_strtoint strtoll 56 | #define JSON_INTEGER_FORMAT "I64d" 57 | 58 | 59 | /* If locale.h and localeconv() are available, define to 1, otherwise to 0. */ 60 | #define JSON_HAVE_LOCALECONV 1 61 | 62 | 63 | /* Maximum recursion depth for parsing JSON input. 64 | This limits the depth of e.g. array-within-array constructions. */ 65 | #define JSON_PARSER_MAX_DEPTH 2048 66 | 67 | 68 | #endif 69 | -------------------------------------------------------------------------------- /3rdparty/x64dbg/jansson/jansson_x64.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/x64dbg/jansson/jansson_x64.a -------------------------------------------------------------------------------- /3rdparty/x64dbg/jansson/jansson_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/x64dbg/jansson/jansson_x64.lib -------------------------------------------------------------------------------- /3rdparty/x64dbg/jansson/jansson_x64dbg.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "jansson.h" 4 | 5 | typedef json_t* JSON; 6 | 7 | static JSON_INLINE 8 | json_t* json_hex(unsigned json_int_t value) 9 | { 10 | char hexvalue[20]; 11 | sprintf_s(hexvalue, "0x%llX", value); 12 | return json_string(hexvalue); 13 | } 14 | 15 | static JSON_INLINE 16 | unsigned json_int_t json_hex_value(const json_t* hex) 17 | { 18 | unsigned json_int_t ret = 0; 19 | const char* hexvalue; 20 | hexvalue = json_string_value(hex); 21 | if(!hexvalue) 22 | return 0; 23 | sscanf_s(hexvalue, "0x%llX", &ret); 24 | return ret; 25 | } -------------------------------------------------------------------------------- /3rdparty/x64dbg/jansson/jansson_x86.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/x64dbg/jansson/jansson_x86.a -------------------------------------------------------------------------------- /3rdparty/x64dbg/jansson/jansson_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/x64dbg/jansson/jansson_x86.lib -------------------------------------------------------------------------------- /3rdparty/x64dbg/x32bridge.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/x64dbg/x32bridge.lib -------------------------------------------------------------------------------- /3rdparty/x64dbg/x32dbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/x64dbg/x32dbg.lib -------------------------------------------------------------------------------- /3rdparty/x64dbg/x64bridge.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/x64dbg/x64bridge.lib -------------------------------------------------------------------------------- /3rdparty/x64dbg/x64dbg.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/3rdparty/x64dbg/x64dbg.lib -------------------------------------------------------------------------------- /ConfigCollection/ScyllaHide.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ConfigCollection/ScyllaHide.pdf -------------------------------------------------------------------------------- /Documentation/.gitignore: -------------------------------------------------------------------------------- 1 | *.aux 2 | *.lof 3 | *.lol 4 | *.pdf 5 | *.gz 6 | *.toc 7 | *.out -------------------------------------------------------------------------------- /Documentation/README: -------------------------------------------------------------------------------- 1 | This documentation was created with MiKTeX Version 2.9.6850: https://miktex.org/ 2 | 3 | Compiler Setting: LuaLaTeX+MakeIndex+BibTex 4 | -------------------------------------------------------------------------------- /Documentation/idaplugin.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/Documentation/idaplugin.PNG -------------------------------------------------------------------------------- /Documentation/newattachdialog.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/Documentation/newattachdialog.PNG -------------------------------------------------------------------------------- /Documentation/ollyadvancedctrlg.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/Documentation/ollyadvancedctrlg.PNG -------------------------------------------------------------------------------- /Documentation/ollyv1plugin.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/Documentation/ollyv1plugin.PNG -------------------------------------------------------------------------------- /Documentation/ollyv2plugin.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/Documentation/ollyv2plugin.PNG -------------------------------------------------------------------------------- /HookLibrary/DllMain.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #pragma comment(linker, "/ENTRY:DllMain") 4 | 5 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) 6 | { 7 | LdrDisableThreadCalloutsForDll(hinstDLL); 8 | return TRUE; 9 | } -------------------------------------------------------------------------------- /HookLibrary/Export.def: -------------------------------------------------------------------------------- 1 | LIBRARY 2 | EXPORTS 3 | HookDllData 4 | HookedGetLocalTime 5 | HookedGetSystemTime 6 | HookedGetTickCount 7 | HookedGetTickCount64 8 | HookedKiUserExceptionDispatcher 9 | HookedNativeCallInternal 10 | HookedNtClose 11 | HookedNtContinue 12 | HookedNtCreateThread 13 | HookedNtCreateThreadEx 14 | HookedNtDuplicateObject 15 | HookedNtGetContextThread 16 | HookedNtQueryInformationProcess 17 | HookedNtQueryObject 18 | HookedNtQueryPerformanceCounter 19 | HookedNtQuerySystemInformation 20 | HookedNtQuerySystemTime 21 | HookedNtSetContextThread 22 | HookedNtSetDebugFilterState 23 | HookedNtSetInformationProcess 24 | HookedNtSetInformationThread 25 | HookedNtUserBlockInput 26 | HookedNtUserBuildHwndList 27 | HookedNtUserBuildHwndList_Eight 28 | HookedNtUserFindWindowEx 29 | HookedNtUserGetForegroundWindow 30 | HookedNtUserQueryWindow 31 | HookedNtYieldExecution 32 | HookedOutputDebugStringA 33 | HookedNtResumeThread 34 | HookedNtOpenFile 35 | HookedNtCreateSection 36 | HookedNtMapViewOfSection -------------------------------------------------------------------------------- /HookLibrary/HookHelper.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | FORCEINLINE ULONG NTAPI RtlNtMajorVersion() 6 | { 7 | return *(PULONG)(0x7FFE0000 + 0x26C); 8 | } 9 | 10 | FORCEINLINE ULONG NTAPI RtlNtMinorVersion() 11 | { 12 | return *(PULONG)(0x7FFE0000 + 0x270); 13 | } 14 | 15 | FORCEINLINE ULONG NTAPI RtlGetTickCount() 16 | { 17 | return (ULONG)(*(PULONG64)(0x7FFE0000 + 0x320) * *(PULONG)(0x7FFE0000 + 0x4) >> 24); 18 | } 19 | 20 | bool HasDebugPrivileges(HANDLE hProcess); 21 | bool IsWow64Process(HANDLE ProcessHandle); 22 | NTSTATUS InstallInstrumentationCallbackHook(HANDLE ProcessHandle, BOOLEAN Remove); 23 | DWORD GetExplorerProcessId(); 24 | DWORD GetProcessIdByName(PUNICODE_STRING processName); 25 | bool IsProcessNameBad(PUNICODE_STRING processName); 26 | 27 | DWORD GetProcessIdByProcessHandle(HANDLE hProcess); 28 | DWORD GetProcessIdByThreadHandle(HANDLE hThread); 29 | 30 | bool RtlUnicodeStringContains(PUNICODE_STRING Str, PUNICODE_STRING SubStr, BOOLEAN CaseInsensitive); 31 | 32 | bool IsWindowNameBad(PUNICODE_STRING windowName); 33 | bool IsWindowClassNameBad(PUNICODE_STRING className); 34 | bool IsWindowBad(HWND hWnd); 35 | bool IsObjectTypeBad(USHORT objectTypeIndex); 36 | 37 | int ThreadDebugContextFindFreeSlotIndex(); 38 | int ThreadDebugContextFindExistingSlotIndex(); 39 | void ThreadDebugContextRemoveEntry(const int index); 40 | void ThreadDebugContextSaveContext(const int index, const PCONTEXT ThreadContext); 41 | 42 | void NTAPI RealGetSystemTime(PSYSTEMTIME lpSystemTime); 43 | void NTAPI RealGetLocalTime(LPSYSTEMTIME lpSystemTime); 44 | void IncreaseSystemTime(LPSYSTEMTIME lpTime); 45 | 46 | void TerminateProcessByProcessId(DWORD dwProcess); 47 | bool WriteMalwareToDisk(LPCVOID buffer, DWORD bufferSize, DWORD_PTR imagebase); 48 | bool WriteMemoryToFile(const WCHAR * filename, LPCVOID buffer, DWORD bufferSize, DWORD_PTR imagebase); 49 | void * GetPEBRemote(HANDLE hProcess); 50 | void DumpMalware(DWORD dwProcessId); 51 | -------------------------------------------------------------------------------- /HookLibrary/HookLibrary.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | 37 | 38 | Header Files 39 | 40 | 41 | Header Files 42 | 43 | 44 | Header Files 45 | 46 | 47 | Header Files 48 | 49 | 50 | Header Files 51 | 52 | 53 | 54 | 55 | Source Files 56 | 57 | 58 | Source Files 59 | 60 | 61 | -------------------------------------------------------------------------------- /HookLibrary/HookedFunctions.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | 6 | #define STATUS_PRIVILEGE_NOT_HELD ((NTSTATUS)0xC0000061L) 7 | #define STATUS_PORT_NOT_SET ((NTSTATUS)0xC0000353L) 8 | #define STATUS_HANDLE_NOT_CLOSABLE ((NTSTATUS)0xC0000235L) 9 | #define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL) 10 | #define PROCESS_DEBUG_INHERIT 0x00000001 // default for a non-debugged process 11 | #define PROCESS_NO_DEBUG_INHERIT 0x00000002 // default for a debugged process 12 | #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 13 | 14 | #ifndef _WIN64 15 | #define NAKED __declspec(naked) 16 | #else 17 | #define NAKED 18 | #endif 19 | 20 | typedef struct _SAVE_DEBUG_REGISTERS 21 | { 22 | DWORD dwThreadId; 23 | DWORD_PTR Dr0; 24 | DWORD_PTR Dr1; 25 | DWORD_PTR Dr2; 26 | DWORD_PTR Dr3; 27 | DWORD_PTR Dr6; 28 | DWORD_PTR Dr7; 29 | } SAVE_DEBUG_REGISTERS; 30 | 31 | //DbgBreakPoint 32 | 33 | NTSTATUS NTAPI HookedNtSetInformationThread(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength); 34 | NTSTATUS NTAPI HookedNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); 35 | NTSTATUS NTAPI HookedNtQueryInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); 36 | NTSTATUS NTAPI HookedNtQueryObject(HANDLE Handle, OBJECT_INFORMATION_CLASS ObjectInformationClass, PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength); 37 | NTSTATUS NTAPI HookedNtYieldExecution(); 38 | NTSTATUS NTAPI HookedNtGetContextThread(HANDLE ThreadHandle, PCONTEXT ThreadContext); 39 | NTSTATUS NTAPI HookedNtSetContextThread(HANDLE ThreadHandle, PCONTEXT ThreadContext); 40 | NTSTATUS NTAPI HookedNtContinue(PCONTEXT ThreadContext, BOOLEAN RaiseAlert); 41 | NTSTATUS NTAPI HookedNtSetInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength); 42 | NTSTATUS NTAPI HookedNtClose(HANDLE Handle); 43 | NTSTATUS NTAPI HookedNtDuplicateObject(HANDLE SourceProcessHandle, HANDLE SourceHandle, HANDLE TargetProcessHandle, PHANDLE TargetHandle, ACCESS_MASK DesiredAccess, ULONG HandleAttributes, ULONG Options); 44 | NTSTATUS NTAPI HookedNtSetDebugFilterState(ULONG ComponentId, ULONG Level, BOOLEAN State); 45 | NTSTATUS NTAPI HookedNtUserBuildHwndList(HDESK hDesktop, HWND hwndParent, BOOLEAN bChildren, ULONG dwThreadId, ULONG lParam, HWND* pWnd, PULONG pBufSize); 46 | NTSTATUS NTAPI HookedNtUserBuildHwndList_Eight(HDESK hDesktop, HWND hwndParent, BOOLEAN bChildren, BOOLEAN bUnknownFlag, ULONG dwThreadId, ULONG lParam, HWND* pWnd, PULONG pBufSize); 47 | NTSTATUS NTAPI HookedNtCreateThread(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PCLIENT_ID ClientId,PCONTEXT ThreadContext,PINITIAL_TEB InitialTeb,BOOLEAN CreateSuspended); 48 | NTSTATUS NTAPI HookedNtCreateThreadEx(PHANDLE ThreadHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,HANDLE ProcessHandle,PUSER_THREAD_START_ROUTINE StartRoutine,PVOID Argument,ULONG CreateFlags,ULONG_PTR ZeroBits,SIZE_T StackSize,SIZE_T MaximumStackSize,PPS_ATTRIBUTE_LIST AttributeList); 49 | HANDLE NTAPI HookedNtUserQueryWindow(HWND hwnd, WINDOWINFOCLASS WindowInfo); 50 | HWND NTAPI HookedNtUserGetForegroundWindow(); 51 | BOOL NTAPI HookedNtUserBlockInput(BOOL fBlockIt); 52 | 53 | 54 | DWORD WINAPI HookedGetTickCount(void); 55 | ULONGLONG WINAPI HookedGetTickCount64(void); 56 | void WINAPI HookedGetLocalTime(LPSYSTEMTIME lpSystemTime); 57 | void WINAPI HookedGetSystemTime(LPSYSTEMTIME lpSystemTime); 58 | NTSTATUS WINAPI HookedNtQuerySystemTime(PLARGE_INTEGER SystemTime); 59 | NTSTATUS NTAPI HookedNtQueryPerformanceCounter(PLARGE_INTEGER PerformanceCounter, PLARGE_INTEGER PerformanceFrequency); 60 | 61 | DWORD WINAPI HookedOutputDebugStringA(LPCSTR lpOutputString); 62 | #ifdef _WIN64 63 | void NTAPI HandleKiUserExceptionDispatcher(PEXCEPTION_RECORD pExcptRec, PCONTEXT ContextFrame); 64 | #else 65 | VOID NTAPI HookedKiUserExceptionDispatcher();//(PEXCEPTION_RECORD pExcptRec, PCONTEXT ContextFrame); 66 | #endif 67 | 68 | HWND NTAPI HookedNtUserFindWindowEx(HWND hWndParent, HWND hWndChildAfter, PUNICODE_STRING lpszClass, PUNICODE_STRING lpszWindow, DWORD dwType); 69 | 70 | NTSTATUS NTAPI HookedNtResumeThread(HANDLE ThreadHandle, PULONG PreviousSuspendCount); 71 | 72 | NTSTATUS NTAPI HookedNtOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions); 73 | NTSTATUS NTAPI HookedNtCreateSection(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle); 74 | NTSTATUS NTAPI HookedNtMapViewOfSection(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, SECTION_INHERIT InheritDisposition, ULONG AllocationType, ULONG Win32Protect); 75 | -------------------------------------------------------------------------------- /HookLibrary/InstrumentationCallbackX64.asm: -------------------------------------------------------------------------------- 1 | include ksamd64.inc 2 | 3 | extern InstrumentationCallback:near 4 | 5 | .code 6 | InstrumentationCallbackAsm proc 7 | 8 | cmp eax, 0 ; STATUS_SUCCESS 9 | jne ReturnToCaller 10 | 11 | push rax ; return value 12 | push rcx 13 | push rbx 14 | push rbp 15 | push rdi 16 | push rsi 17 | push rsp 18 | push r10 19 | push r11 20 | push r12 21 | push r13 22 | push r14 23 | push r15 24 | 25 | sub rsp, 20h 26 | mov rcx, r10 27 | mov rdx, rax 28 | call InstrumentationCallback 29 | add rsp, 20h 30 | 31 | pop r15 32 | pop r14 33 | pop r13 34 | pop r12 35 | pop r11 36 | pop r10 37 | pop rsp 38 | pop rsi 39 | pop rdi 40 | pop rbp 41 | pop rbx 42 | pop rcx 43 | add rsp, 8 ; preserve new rax 44 | 45 | ReturnToCaller: 46 | jmp r10 47 | 48 | InstrumentationCallbackAsm endp 49 | 50 | end 51 | -------------------------------------------------------------------------------- /HookLibrary/InstrumentationCallbackX86.asm: -------------------------------------------------------------------------------- 1 | include CallConv.inc 2 | .model flat 3 | 4 | extern _InstrumentationCallback@8:near 5 | 6 | .code 7 | _InstrumentationCallbackAsm proc 8 | 9 | cmp eax, 0 ; STATUS_SUCCESS 10 | jne ReturnToCaller 11 | 12 | pushad 13 | 14 | push eax 15 | push ecx 16 | call _InstrumentationCallback@8 17 | 18 | pop edi 19 | pop esi 20 | pop ebp 21 | add esp, 4 22 | pop ebx 23 | pop edx 24 | pop ecx 25 | add esp, 4 ; preserve new eax 26 | 27 | ReturnToCaller: 28 | jmp ecx 29 | 30 | _InstrumentationCallbackAsm endp 31 | 32 | end 33 | -------------------------------------------------------------------------------- /HookLibrary/Tls.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | // Hackplementation of thread local storage without using the CRT or LdrpAllocateTls 6 | 7 | static constexpr ULONG_PTR TebAllocationSize = (sizeof(TEB) + PAGE_SIZE - 1) & (~(PAGE_SIZE - 1)); 8 | 9 | #ifdef _WIN64 10 | // On x64 we can freely write past the end of the TEB since 2 zeroed pages are allocated for it. Leave some headroom for the TEB to grow in future Windows versions 11 | static constexpr LONG_PTR TebPadding = 0x200; // +512 12 | #else 13 | // On x86 and Wow64 we have a problem because sizeof(TEB) == PAGE_SIZE == TebAllocationSize, i.e. there are no spare zeroes past the end of the TEB, at least on Win 10. 14 | // Instead abuse the SpareBytes field for this. Because (1) this field has a slightly different offset on different versions of Windows (+1AC for 7 vs +1B9 for 10), 15 | // and (2) this field is not pointer-aligned, round the address up to pointer alignment. The offset is negative from the end since we are writing to the TEB, not past it 16 | static constexpr LONG_PTR TebPaddingFromEnd = (static_cast(TebAllocationSize) - FIELD_OFFSET(TEB, SpareBytes)); // 4096 - 441 = 3655 17 | static constexpr LONG_PTR TebPadding = ((-1 * TebPaddingFromEnd) + static_cast(alignof(PVOID)) - 1) & (~(static_cast(alignof(PVOID)) - 1)); // ALIGN_UP(-1 * 3655, PVOID) = -3652 18 | static_assert(TebPadding == -3652, "You touched ntdll.h didn't you?"); 19 | #endif 20 | 21 | // To create a TLS variable, declare it here 22 | enum class TlsVariable : ULONG_PTR 23 | { 24 | InstrumentationCallbackDisabled, // The only TLS variable we currently actually use... 25 | MaxTlsVariable // Must be last 26 | }; 27 | 28 | template 29 | struct TebOffset 30 | { 31 | constexpr static ULONG_PTR Value = (static_cast(sizeof(TEB)) + TebPadding) + (static_cast(Variable) * alignof(PVOID)); 32 | }; 33 | 34 | static_assert(TebOffset::Value <= TebAllocationSize - sizeof(PVOID), "TLS variable offsets exceed TEB allocation size"); 35 | static_assert(static_cast(TlsVariable::MaxTlsVariable) - 1 <= 5, "All out of TEB SpareBytes, find some new field to abuse"); // Only really applies to x86, but check on both 36 | 37 | FORCEINLINE 38 | volatile 39 | LONG* 40 | TlsGetInstrumentationCallbackDisabled( 41 | ) 42 | { 43 | return reinterpret_cast(reinterpret_cast(NtCurrentTeb()) + TebOffset::Value); 44 | } 45 | -------------------------------------------------------------------------------- /HookLibrary/hook.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | None 7 | MinSpace 8 | Size 9 | true 10 | MultiThreaded 11 | Default 12 | false 13 | 14 | 15 | ntdll\ntdllp_$(PlatformShortName).lib 16 | true 17 | false 18 | 19 | 20 | -------------------------------------------------------------------------------- /InjectorCLI/ApplyHooking.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include "..\HookLibrary\HookMain.h" 4 | 5 | void ApplyPEBPatch(HANDLE hProcess, DWORD flags); 6 | void ApplyNtdllVersionPatch(HANDLE hProcess); 7 | bool ApplyHook(HOOK_DLL_DATA * hdd, HANDLE hProcess, BYTE * dllMemory, DWORD_PTR imageBase); 8 | void RestoreHooks(HOOK_DLL_DATA * hdd, HANDLE hProcess); 9 | -------------------------------------------------------------------------------- /InjectorCLI/DynamicMapping.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | typedef struct _SameTebFlags 6 | { 7 | union 8 | { 9 | struct 10 | { 11 | USHORT DbgSafeThunkCall : 1; 12 | USHORT DbgInDebugPrint : 1; 13 | USHORT DbgHasFiberData : 1; 14 | USHORT DbgSkipThreadAttach : 1; 15 | USHORT DbgWerInShipAssertCode : 1; 16 | USHORT DbgIssuedInitialBp : 1; 17 | USHORT DbgClonedThread : 1; 18 | USHORT SpareSameTebBits : 9; 19 | }; 20 | USHORT SameTebFlags; 21 | }; 22 | } SameTebFlags; 23 | 24 | #ifdef _WIN64 25 | #define TEB_OFFSET_SAME_TEB_FLAGS 0x17EE 26 | #else 27 | #define TEB_OFFSET_SAME_TEB_FLAGS 0xFCA 28 | #endif 29 | 30 | LPVOID MapModuleToProcess(HANDLE hProcess, BYTE * dllMemory, bool wipeHeaders); 31 | void DoBaseRelocation(PIMAGE_BASE_RELOCATION relocation, DWORD_PTR memory, DWORD_PTR dwDelta); 32 | DWORD GetDllFunctionAddressRVA(BYTE * dllMemory, LPCSTR apiName); 33 | DWORD RVAToOffset(PIMAGE_NT_HEADERS pNtHdr, DWORD dwRVA); 34 | HMODULE GetModuleBaseRemote(HANDLE hProcess, const wchar_t* szDLLName); 35 | bool ResolveImports(PIMAGE_IMPORT_DESCRIPTOR pImport, DWORD_PTR module); 36 | -------------------------------------------------------------------------------- /InjectorCLI/Icon.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/InjectorCLI/Icon.rc -------------------------------------------------------------------------------- /InjectorCLI/InjectorCLI.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | 55 | 56 | Resource Files 57 | 58 | 59 | 60 | 61 | Resource Files 62 | 63 | 64 | -------------------------------------------------------------------------------- /InjectorCLI/RemoteHook.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | #define MAXIMUM_INSTRUCTION_SIZE (16) //maximum instruction size == 16 5 | 6 | int GetDetourLen(const void * lpStart, const int minSize); 7 | void WriteJumper(unsigned char * lpbFrom, unsigned char * lpbTo); 8 | void * DetourCreate(void * lpFuncOrig, void * lpFuncDetour, bool createTramp); 9 | void * DetourCreateRemote(void * hProcess, const char* funcName, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize); 10 | 11 | #ifdef _WIN64 12 | #define DetourCreateRemoteNative DetourCreateRemote 13 | #else 14 | void * DetourCreateRemote32(void * hProcess, const char* funcName, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize); 15 | void * DetourCreateRemoteWow64(void * hProcess, bool createTramp); 16 | 17 | #define DetourCreateRemoteNative DetourCreateRemote32 18 | #endif 19 | 20 | int LengthDisassemble(void* DisassmAddress); 21 | -------------------------------------------------------------------------------- /InjectorCLI/resource.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/InjectorCLI/resource.h -------------------------------------------------------------------------------- /PluginGeneric/AttachDialog.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | INT_PTR CALLBACK AttachProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam); 5 | -------------------------------------------------------------------------------- /PluginGeneric/Injector.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include "..\HookLibrary\HookMain.h" 3 | #include "..\InjectorCLI\DynamicMapping.h" 4 | 5 | #define IMAGE32(NtHeaders) ((NtHeaders)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) 6 | #define IMAGE64(NtHeaders) ((NtHeaders)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) 7 | 8 | #define HEADER_FIELD(NtHeaders, Field) (IMAGE64(NtHeaders) \ 9 | ? ((PIMAGE_NT_HEADERS64)(NtHeaders))->OptionalHeader.Field \ 10 | : ((PIMAGE_NT_HEADERS32)(NtHeaders))->OptionalHeader.Field) 11 | #define THUNK_VAL(NtHeaders, Ptr, Val) (IMAGE64(NtHeaders) \ 12 | ? ((PIMAGE_THUNK_DATA64)(Ptr))->Val \ 13 | : ((PIMAGE_THUNK_DATA32)(Ptr))->Val) 14 | 15 | typedef struct _THREAD_SUSPEND_INFO 16 | { 17 | HANDLE ThreadId; 18 | HANDLE ThreadHandle; 19 | NTSTATUS SuspendStatus; 20 | } THREAD_SUSPEND_INFO, *PTHREAD_SUSPEND_INFO; 21 | 22 | typedef struct _PROCESS_SUSPEND_INFO 23 | { 24 | HANDLE ProcessId; 25 | HANDLE ProcessHandle; 26 | ULONG NumThreads; 27 | PTHREAD_SUSPEND_INFO ThreadSuspendInfo; // THREAD_SUSPEND_INFO[NumThreads] 28 | } PROCESS_SUSPEND_INFO, *PPROCESS_SUSPEND_INFO; 29 | 30 | void ReadNtApiInformation(HOOK_DLL_DATA *hdd); 31 | 32 | void InstallAntiAttachHook(); 33 | void startInjectionProcess(HANDLE hProcess, HOOK_DLL_DATA *hdd, BYTE * dllMemory, bool newProcess); 34 | void startInjection(DWORD targetPid, HOOK_DLL_DATA *hdd, const WCHAR * dllPath, bool newProcess); 35 | void injectDll(DWORD targetPid, const WCHAR * dllPath); 36 | BYTE * ReadFileToMemory(const WCHAR * targetFilePath); 37 | void FillHookDllData(HANDLE hProcess, HOOK_DLL_DATA * data); 38 | bool StartFixBeingDebugged(DWORD targetPid, bool setToNull); 39 | bool ApplyAntiAntiAttach(DWORD targetPid); 40 | 41 | DWORD GetAddressOfEntryPoint(BYTE * dllMemory); 42 | bool RemoveDebugPrivileges(HANDLE hProcess); 43 | bool SafeSuspendProcess(HANDLE hProcess, PPROCESS_SUSPEND_INFO suspendInfo); 44 | bool SafeResumeProcess(PPROCESS_SUSPEND_INFO suspendInfo); 45 | -------------------------------------------------------------------------------- /PluginGeneric/OllyExceptionHandler.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | typedef BOOL (WINAPI *t_WaitForDebugEvent)(LPDEBUG_EVENT lpDebugEvent,DWORD dwMilliseconds); 6 | 7 | BOOL WINAPI HookedWaitForDebugEvent(LPDEBUG_EVENT lpDebugEvent,DWORD dwMilliseconds); 8 | 9 | void HookDebugLoop(); 10 | -------------------------------------------------------------------------------- /PluginGeneric/OptionsDialog.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | INT_PTR CALLBACK OptionsDlgProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam); 5 | -------------------------------------------------------------------------------- /PluginGeneric/findere.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/PluginGeneric/findere.bmp -------------------------------------------------------------------------------- /PluginGeneric/finderf.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/PluginGeneric/finderf.bmp -------------------------------------------------------------------------------- /PluginGeneric/ghost.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/PluginGeneric/ghost.ico -------------------------------------------------------------------------------- /PluginGeneric/searchwindow.cur: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/PluginGeneric/searchwindow.cur -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ScyllaHide 2 | 3 | ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library. It hooks various functions to hide debugging. This tool is intended to stay in user mode (ring 3). If you need kernel mode (ring 0) Anti-Anti-Debug, please see [TitanHide](https://github.com/mrexodia/titanhide). Forked from [NtQuery/ScyllaHide](https://bitbucket.org/NtQuery/scyllahide). 4 | 5 | ScyllaHide supports various debuggers through plugins: 6 | 7 | - OllyDbg [v1](http://www.ollydbg.de) and [v2](http://www.ollydbg.de/version2.html) 8 | - [x64dbg](https://x64dbg.com) 9 | - [Hex-Rays IDA](https://www.hex-rays.com/products/ida/) v6 (not supported) 10 | - TitanEngine v2 ([original](http://www.reversinglabs.com/open-source/titanengine.html) and [updated](https://github.com/x64dbg/TitanEngine/) versions) 11 | 12 | PE x64 debugging is fully supported with plugins for x64dbg and IDA. 13 | 14 | Please note that ScyllaHide is not limited to these debuggers. You can use the standalone command line version of ScyllaHide. You can inject ScyllaHide into any process debugged by any debugger. 15 | 16 | More information is available in the [documentation](https://github.com/x64dbg/ScyllaHide/releases/download/docs-2019-05-17/ScyllaHide.pdf) (PDF). 17 | 18 | ## License 19 | ScyllaHide is licensed under the [GNU General Public License v3](https://www.gnu.org/licenses/gpl-3.0.en.html). 20 | 21 | ## Special thanks to 22 | - What for his [POISON Assembler source code](https://tuts4you.com/download.php?view.2281) 23 | - waliedassar for his [blog posts](http://waleedassar.blogspot.de) 24 | - Peter Ferrie for his [PDFs](http://pferrie.host22.com) 25 | - MaRKuS-DJM for [Olly Advanced](http://www.openrce.org/downloads/details/241/Olly_Advanced) 26 | - Lim Bio Liong for [MS Spy++ style Window Finder](http://www.codeproject.com/Articles/1698/MS-Spy-style-Window-Finder) 27 | -------------------------------------------------------------------------------- /SCMRevGen/SCMRevGen.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {4CEF9C8E-91C8-4148-94B1-AF2A3B597762} 24 | Win32Proj 25 | 10.0 26 | 27 | 28 | 29 | Utility 30 | false 31 | v142 32 | false 33 | false 34 | 14.27.29110 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | cmd.exe /C "make_scmrev.h.bat" 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | -------------------------------------------------------------------------------- /SCMRevGen/date.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/SCMRevGen/date.exe -------------------------------------------------------------------------------- /SCMRevGen/libiconv2.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/SCMRevGen/libiconv2.dll -------------------------------------------------------------------------------- /SCMRevGen/libintl3.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/SCMRevGen/libintl3.dll -------------------------------------------------------------------------------- /SCMRevGen/make_scmrev.h.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | set GIT_VERSION_NUMBER=0 4 | set GIT_SHORT_HASH=unknown 5 | 6 | where git 1>nul 2>&1 7 | if errorlevel 1 goto :nogit 8 | 9 | for /f "usebackq delims=" %%i in (`git rev-list --count HEAD`) do ( 10 | set GIT_VERSION_NUMBER=%%i 11 | ) 12 | for /f "usebackq delims=" %%i in (`git rev-parse --short HEAD`) do ( 13 | set GIT_SHORT_HASH=%%i 14 | ) 15 | 16 | :nogit 17 | set COMPILE_DATE= 18 | for /f "usebackq delims=" %%i in (`date.exe +^"%%F %%H:%%M^"`) do ( 19 | set COMPILE_DATE=%%i 20 | ) 21 | set COMPILE_YEAR= 22 | for /f "usebackq delims=" %%i in (`date.exe +^"%%Y^"`) do ( 23 | set COMPILE_YEAR=%%i 24 | ) 25 | 26 | echo #pragma once> scmrev.h 27 | echo.>> scmrev.h 28 | echo #define GIT_VERSION_NUMBER %GIT_VERSION_NUMBER%>> scmrev.h 29 | echo #define GIT_SHORT_HASH_A "%GIT_SHORT_HASH%">> scmrev.h 30 | echo #define GIT_SHORT_HASH_W L"%GIT_SHORT_HASH%">> scmrev.h 31 | echo #define COMPILE_DATE_A "%COMPILE_DATE%">> scmrev.h 32 | echo #define COMPILE_DATE_W L"%COMPILE_DATE%">> scmrev.h 33 | echo #define COMPILE_YEAR_A "%COMPILE_YEAR%">> scmrev.h 34 | echo #define COMPILE_YEAR_W L"%COMPILE_YEAR%">> scmrev.h 35 | -------------------------------------------------------------------------------- /Scylla/Logger.cpp: -------------------------------------------------------------------------------- 1 | #include "Logger.h" 2 | #include 3 | #include 4 | #include 5 | #include "Util.h" 6 | 7 | const wchar_t scl::Logger::kFileName[] = L"scylla_hide.log"; 8 | 9 | scl::Logger::Logger() 10 | { 11 | ZeroMemory(cb_a_, sizeof(cb_a_)); 12 | ZeroMemory(cb_w_, sizeof(cb_w_)); 13 | } 14 | 15 | scl::Logger::~Logger() 16 | { 17 | if (file_.is_open()) 18 | file_.close(); 19 | } 20 | 21 | bool scl::Logger::SetLogFile(const wchar_t *filepath) 22 | { 23 | if (file_.is_open()) 24 | file_.close(); 25 | 26 | file_.open(filepath); 27 | 28 | return file_.is_open(); 29 | } 30 | 31 | void scl::Logger::LogDebug(const wchar_t *fmt, ...) 32 | { 33 | va_list ap; 34 | va_start(ap, fmt); 35 | LogGeneric("DEBUG", cb_a_[Debug], cb_w_[Debug], fmt, ap); 36 | va_end(ap); 37 | } 38 | 39 | void scl::Logger::LogInfo(const wchar_t *fmt, ...) 40 | { 41 | va_list ap; 42 | va_start(ap, fmt); 43 | LogGeneric("INFO", cb_a_[Info], cb_w_[Info], fmt, ap); 44 | va_end(ap); 45 | } 46 | 47 | void scl::Logger::LogError(const wchar_t *fmt, ...) 48 | { 49 | va_list ap; 50 | va_start(ap, fmt); 51 | LogGeneric("ERROR", cb_a_[Error], cb_w_[Error], fmt, ap); 52 | va_end(ap); 53 | } 54 | 55 | void scl::Logger::LogGeneric(const char *prefix, LogCbA cb_a, LogCbW cb_w, const wchar_t *fmt, va_list ap) 56 | { 57 | va_list vap; 58 | va_copy(vap, ap); 59 | auto strw = scl::vfmtw(fmt, ap); 60 | va_end(ap); 61 | 62 | if (cb_w) 63 | cb_w(strw.c_str()); 64 | 65 | if (cb_a || file_.is_open()) 66 | { 67 | auto stra = scl::wstr_conv().to_bytes(strw); 68 | 69 | if (cb_a) 70 | cb_a(stra.c_str()); 71 | 72 | if (file_.is_open()) 73 | { 74 | struct tm ltm; 75 | auto now = std::chrono::system_clock::now(); 76 | auto now_t = std::chrono::system_clock::to_time_t(now); 77 | localtime_s(<m, &now_t); 78 | file_ << std::put_time(<m, "%Y.%m.%d %H:%M:%S ") << prefix << ": " << stra << std::endl; 79 | file_.flush(); 80 | } 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /Scylla/Logger.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | namespace scl { 7 | 8 | class Logger 9 | { 10 | public: 11 | typedef void(*LogCbA)(const char *msg); 12 | typedef void(*LogCbW)(const wchar_t *msg); 13 | 14 | enum Severity 15 | { 16 | Debug = 0, 17 | Info, 18 | Error, 19 | MaxSeverity 20 | }; 21 | 22 | static const wchar_t kFileName[]; 23 | 24 | Logger(); 25 | ~Logger(); 26 | 27 | bool SetLogFile(const wchar_t *filepath); 28 | 29 | void SetLogCb(Severity lvl, LogCbA cb) 30 | { 31 | cb_a_[lvl] = cb; 32 | } 33 | 34 | void SetLogCb(Severity lvl, LogCbW cb) 35 | { 36 | cb_w_[lvl] = cb; 37 | } 38 | 39 | void LogDebug(const wchar_t *fmt, ...); 40 | void LogInfo(const wchar_t *fmt, ...); 41 | void LogError(const wchar_t *fmt, ...); 42 | 43 | protected: 44 | void LogGeneric(const char *prefix, LogCbA cb_a, LogCbW cb_w, const wchar_t *fmt, va_list ap); 45 | 46 | private: 47 | LogCbA cb_a_[MaxSeverity]; 48 | LogCbW cb_w_[MaxSeverity]; 49 | std::ofstream file_; 50 | }; 51 | 52 | } 53 | -------------------------------------------------------------------------------- /Scylla/NtApiShim.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #ifndef FLG_HEAP_ENABLE_TAIL_CHECK 6 | #define FLG_HEAP_ENABLE_TAIL_CHECK 0x10 7 | #endif 8 | 9 | #ifndef FLG_HEAP_ENABLE_FREE_CHECK 10 | #define FLG_HEAP_ENABLE_FREE_CHECK 0x20 11 | #endif 12 | 13 | #ifndef FLG_HEAP_VALIDATE_PARAMETERS 14 | #define FLG_HEAP_VALIDATE_PARAMETERS 0x40 15 | #endif 16 | 17 | #ifndef HEAP_SKIP_VALIDATION_CHECKS 18 | #define HEAP_SKIP_VALIDATION_CHECKS 0x10000000 19 | #endif 20 | 21 | #ifndef HEAP_VALIDATE_PARAMETERS_ENABLED 22 | #define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000 23 | #endif 24 | 25 | #ifndef DBG_PRINTEXCEPTION_WIDE_C 26 | #define DBG_PRINTEXCEPTION_WIDE_C ((DWORD)0x4001000A) 27 | #endif 28 | 29 | typedef NTSTATUS(WINAPI *t_NtWow64QueryInformationProcess64)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); 30 | typedef NTSTATUS(WINAPI *t_NtWow64ReadVirtualMemory64)(HANDLE ProcessHandle, PVOID64 BaseAddress, PVOID Buffer, ULONGLONG BufferSize, PULONGLONG NumberOfBytesRead); 31 | typedef NTSTATUS(WINAPI *t_NtWow64WriteVirtualMemory64)(HANDLE ProcessHandle, PVOID64 BaseAddress, LPCVOID Buffer, ULONGLONG BufferSize, PULONGLONG NumberOfBytesWritten); 32 | 33 | 34 | namespace scl 35 | { 36 | template 37 | struct UNICODE_STRING 38 | { 39 | union 40 | { 41 | struct 42 | { 43 | WORD Length; 44 | WORD MaximumLength; 45 | }; 46 | PTR dummy; 47 | }; 48 | PTR _Buffer; 49 | }; 50 | 51 | template 52 | struct CURDIR { 53 | UNICODE_STRING DosPath; 54 | PTR Handle; 55 | }; 56 | 57 | template 58 | struct PROCESS_BASIC_INFORMATION 59 | { 60 | DWORD ExitStatus; 61 | PTR PebBaseAddress; 62 | PTR AffinityMask; 63 | DWORD BasePriority; 64 | PTR UniqueProcessId; 65 | PTR InheritedFromUniqueProcessId; 66 | }; 67 | 68 | template 69 | struct RTL_USER_PROCESS_PARAMETERS { 70 | ULONG MaximumLength; 71 | ULONG Length; 72 | 73 | ULONG Flags; 74 | ULONG DebugFlags; 75 | 76 | PTR ConsoleHandle; 77 | ULONG ConsoleFlags; 78 | PTR StandardInput; 79 | PTR StandardOutput; 80 | PTR StandardError; 81 | 82 | CURDIR CurrentDirectory; 83 | UNICODE_STRING DllPath; 84 | UNICODE_STRING ImagePathName; 85 | UNICODE_STRING CommandLine; 86 | PTR Environment; 87 | 88 | ULONG StartingX; 89 | ULONG StartingY; 90 | ULONG CountX; 91 | ULONG CountY; 92 | ULONG CountCharsX; 93 | ULONG CountCharsY; 94 | ULONG FillAttribute; 95 | 96 | ULONG WindowFlags; 97 | ULONG ShowWindowFlags; 98 | UNICODE_STRING WindowTitle; 99 | UNICODE_STRING DesktopInfo; 100 | UNICODE_STRING ShellInfo; 101 | UNICODE_STRING RuntimeData; 102 | }; 103 | } 104 | -------------------------------------------------------------------------------- /Scylla/OsInfo.cpp: -------------------------------------------------------------------------------- 1 | #include "OsInfo.h" 2 | #include "Peb.h" 3 | 4 | /** 5 | * Operating system Version number 6 | * Windows 10 10.0* 7 | * Windows Server 2016 10.0* 8 | * Windows 8.1 6.3* 9 | * Windows Server 2012 R2 6.3* 10 | * Windows 8 6.2 11 | * Windows Server 2012 6.2 12 | * Windows 7 6.1 13 | * Windows Server 2008 R2 6.1 14 | * Windows Server 2008 6.0 15 | * Windows Vista 6.0 16 | * Windows Server 2003 R2 5.2 17 | * Windows Server 2003 5.2 18 | * Windows XP 64-Bit Edition 5.2 19 | * Windows XP 5.1 20 | * Windows 2000 5.0 21 | */ 22 | 23 | const SYSTEM_INFO *scl::GetNativeSystemInfo() 24 | { 25 | static SYSTEM_INFO si = { 0 }; 26 | static auto cached = false; 27 | 28 | if (!cached) 29 | { 30 | ::GetNativeSystemInfo(&si); 31 | cached = true; 32 | } 33 | 34 | return &si; 35 | } 36 | 37 | const RTL_OSVERSIONINFOEXW* scl::GetVersionExW() 38 | { 39 | static RTL_OSVERSIONINFOEXW osVerInfo = { 0 }; 40 | static auto cached = false; 41 | 42 | if (!cached) 43 | { 44 | osVerInfo.dwOSVersionInfoSize = sizeof(osVerInfo); 45 | RtlGetVersion((PRTL_OSVERSIONINFOW)&osVerInfo); 46 | auto peb = GetPebAddress(GetCurrentProcess()); 47 | if (peb) 48 | { 49 | osVerInfo.dwMajorVersion = peb->OSMajorVersion; 50 | osVerInfo.dwMinorVersion = peb->OSMinorVersion; 51 | } 52 | cached = true; 53 | } 54 | 55 | return &osVerInfo; 56 | } 57 | 58 | bool scl::IsWindows64() 59 | { 60 | #ifdef _WIN64 61 | return true; 62 | #else 63 | return (GetNativeSystemInfo()->wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64); 64 | #endif 65 | } 66 | 67 | bool scl::IsWow64Process(HANDLE hProcess) 68 | { 69 | auto fIsWow64 = FALSE; 70 | return ::IsWow64Process(hProcess, &fIsWow64) && (fIsWow64 == TRUE); 71 | } 72 | 73 | 74 | scl::eOsVersion scl::GetWindowsVersion() 75 | { 76 | static auto version = OS_UNKNOWN; 77 | 78 | if (version != OS_UNKNOWN) 79 | return version; 80 | 81 | version = OS_INVALID; 82 | 83 | const auto osVerInfo = GetVersionExW(); 84 | 85 | if (osVerInfo->dwMajorVersion == 5) 86 | { 87 | if (osVerInfo->dwMinorVersion == 0) 88 | { 89 | version = OS_WIN_2000; 90 | } 91 | else if (osVerInfo->dwMinorVersion == 1) 92 | { 93 | version = OS_WIN_XP; 94 | } 95 | else if (osVerInfo->dwMinorVersion == 2) 96 | { 97 | version = OS_WIN_XP64; 98 | } 99 | } 100 | else if (osVerInfo->dwMajorVersion == 6) 101 | { 102 | if (osVerInfo->dwMinorVersion == 0) 103 | { 104 | version = OS_WIN_VISTA; 105 | } 106 | else if (osVerInfo->dwMinorVersion == 1) 107 | { 108 | version = OS_WIN_7; 109 | } 110 | else if (osVerInfo->dwMinorVersion == 2) 111 | { 112 | version = OS_WIN_8; 113 | } 114 | else if (osVerInfo->dwMinorVersion == 3) 115 | { 116 | version = OS_WIN_81; 117 | } 118 | } 119 | else if (osVerInfo->dwMajorVersion == 10) { 120 | if (osVerInfo->dwMinorVersion == 0) { 121 | version = OS_WIN_10; 122 | } 123 | } 124 | 125 | return version; 126 | } 127 | 128 | const char *scl::GetWindowsVersionNameA() 129 | { 130 | switch (GetWindowsVersion()) 131 | { 132 | case OS_WIN_XP: 133 | return "Windows XP"; 134 | case OS_WIN_XP64: 135 | return "Windows XP 64 / Server 2003"; 136 | case OS_WIN_VISTA: 137 | return "Windows Vista / Server 2008"; 138 | case OS_WIN_7: 139 | return "Windows 7 / Server 2008 R2"; 140 | case OS_WIN_8: 141 | return "Windows 8 / Server 2012"; 142 | case OS_WIN_81: 143 | return "Windows 8.1 / Server 2012 R2"; 144 | case OS_WIN_10: 145 | return "Windows 10 / Server 2016"; 146 | default: 147 | return "Unknown Windows"; 148 | } 149 | } 150 | -------------------------------------------------------------------------------- /Scylla/OsInfo.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | namespace scl 6 | { 7 | enum eOsVersion { 8 | OS_UNKNOWN, 9 | OS_INVALID, 10 | OS_WIN_2000, 11 | OS_WIN_XP, 12 | OS_WIN_XP64, 13 | OS_WIN_VISTA, 14 | OS_WIN_7, 15 | OS_WIN_8, 16 | OS_WIN_81, 17 | OS_WIN_10 18 | }; 19 | 20 | const SYSTEM_INFO *GetNativeSystemInfo(); 21 | const RTL_OSVERSIONINFOEXW* GetVersionExW(); 22 | 23 | bool IsWindows64(); 24 | bool IsWow64Process(HANDLE hProcess); 25 | eOsVersion GetWindowsVersion(); 26 | const char *GetWindowsVersionNameA(); 27 | } 28 | -------------------------------------------------------------------------------- /Scylla/Peb.cpp: -------------------------------------------------------------------------------- 1 | #include "Peb.h" 2 | #include 3 | #include 4 | #include "Util.h" 5 | 6 | scl::PEB *scl::GetPebAddress(HANDLE hProcess) 7 | { 8 | ::PROCESS_BASIC_INFORMATION pbi = { 0 }; 9 | 10 | auto status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), nullptr); 11 | 12 | return NT_SUCCESS(status) ? (PEB *)pbi.PebBaseAddress : nullptr; 13 | } 14 | 15 | /** 16 | * Get PEB64 address of WOW64 process. 17 | */ 18 | PVOID64 scl::GetPeb64Address(HANDLE hProcess) 19 | { 20 | #ifndef _WIN64 21 | PROCESS_BASIC_INFORMATION pbi = { 0 }; 22 | 23 | bool success = Wow64QueryInformationProcess64(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), nullptr); 24 | 25 | return success ? (PVOID64)pbi.PebBaseAddress : nullptr; 26 | #endif 27 | 28 | return nullptr; 29 | } 30 | 31 | std::shared_ptr scl::GetPeb(HANDLE hProcess) 32 | { 33 | auto peb_addr = GetPebAddress(hProcess); 34 | if (!peb_addr) 35 | return nullptr; 36 | 37 | auto peb = std::make_shared(); 38 | if (!ReadProcessMemory(hProcess, peb_addr, peb.get(), sizeof(PEB), nullptr)) 39 | return nullptr; 40 | 41 | return peb; 42 | } 43 | 44 | /** 45 | * @remark Use only real process handles. 46 | */ 47 | std::shared_ptr scl::Wow64GetPeb64(HANDLE hProcess) 48 | { 49 | #ifndef _WIN64 50 | auto peb64_addr = GetPeb64Address(hProcess); 51 | if (!peb64_addr) 52 | return nullptr; 53 | 54 | auto peb64 = std::make_shared(); 55 | 56 | if (Wow64ReadProcessMemory64(hProcess, peb64_addr, peb64.get(), sizeof(PEB64), nullptr)) 57 | return peb64; 58 | #endif 59 | 60 | return nullptr; 61 | } 62 | 63 | bool scl::SetPeb(HANDLE hProcess, const PEB *pPeb) 64 | { 65 | auto peb_addr = GetPebAddress(hProcess); 66 | if (!peb_addr) 67 | return false; 68 | 69 | return WriteProcessMemory(hProcess, peb_addr, pPeb, sizeof(*pPeb), nullptr) == TRUE; 70 | } 71 | 72 | /** 73 | * @remark Use only real process handles. 74 | */ 75 | bool scl::Wow64SetPeb64(HANDLE hProcess, const PEB64 *pPeb64) 76 | { 77 | #ifndef _WIN64 78 | auto peb64_addr = GetPeb64Address(hProcess); 79 | if (!peb64_addr) 80 | return false; 81 | 82 | return NT_SUCCESS(Wow64WriteProcessMemory64(hProcess, peb64_addr, pPeb64, sizeof(*pPeb64), nullptr)); 83 | #endif 84 | 85 | return false; 86 | } 87 | 88 | PVOID64 scl::Wow64GetModuleHandle64(HANDLE hProcess, const wchar_t* moduleName) 89 | { 90 | const auto Peb64 = Wow64GetPeb64(hProcess); 91 | if (Peb64 == nullptr) 92 | return nullptr; 93 | 94 | PEB_LDR_DATA64 LdrData64; 95 | if (!Wow64ReadProcessMemory64(hProcess, (PVOID64)Peb64->Ldr, &LdrData64, sizeof(LdrData64), nullptr)) 96 | return nullptr; 97 | 98 | PVOID64 DllBase = nullptr; 99 | const ULONG64 LastEntry = Peb64->Ldr + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList); 100 | LDR_DATA_TABLE_ENTRY64 Head; 101 | Head.InLoadOrderLinks.Flink = LdrData64.InLoadOrderModuleList.Flink; 102 | 103 | do 104 | { 105 | if (!Wow64ReadProcessMemory64(hProcess, (PVOID64)Head.InLoadOrderLinks.Flink, &Head, sizeof(Head), nullptr)) 106 | break; 107 | 108 | wchar_t* BaseDllName = (wchar_t*)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, Head.BaseDllName.MaximumLength); 109 | if (BaseDllName == nullptr || 110 | !Wow64ReadProcessMemory64(hProcess, (PVOID64)Head.BaseDllName.Buffer, BaseDllName, Head.BaseDllName.MaximumLength, nullptr)) 111 | break; 112 | 113 | if (_wcsicmp(moduleName, BaseDllName) == 0) 114 | { 115 | DllBase = (PVOID64)Head.DllBase; 116 | } 117 | 118 | RtlFreeHeap(RtlProcessHeap(), 0, BaseDllName); 119 | 120 | } while (Head.InLoadOrderLinks.Flink != LastEntry && DllBase == nullptr); 121 | 122 | return DllBase; 123 | } 124 | 125 | DWORD scl::GetHeapFlagsOffset(bool x64) 126 | { 127 | if (x64) 128 | { 129 | if (scl::GetWindowsVersion() >= scl::OS_WIN_VISTA) 130 | return 0x70; 131 | else 132 | return 0x14; 133 | } 134 | else 135 | { 136 | if (scl::GetWindowsVersion() >= scl::OS_WIN_VISTA) 137 | return 0x40; 138 | else 139 | return 0x0C; 140 | } 141 | } 142 | 143 | DWORD scl::GetHeapForceFlagsOffset(bool x64) 144 | { 145 | if (x64) 146 | { 147 | if (scl::GetWindowsVersion() >= scl::OS_WIN_VISTA) 148 | return 0x74; 149 | else 150 | return 0x18; 151 | } 152 | else 153 | { 154 | if (scl::GetWindowsVersion() >= scl::OS_WIN_VISTA) 155 | return 0x44; 156 | else 157 | return 0x10; 158 | } 159 | } 160 | -------------------------------------------------------------------------------- /Scylla/Peb.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #include "NtApiShim.h" 7 | 8 | // 9 | // http://terminus.rewolf.pl/terminus/structures/ntdll/_PEB_combined.html 10 | // 11 | 12 | namespace scl { 13 | 14 | #pragma pack(push, 1) 15 | template 16 | struct _LIST_ENTRY_T 17 | { 18 | T Flink; 19 | T Blink; 20 | }; 21 | 22 | template 23 | struct _UNICODE_STRING_T 24 | { 25 | union 26 | { 27 | struct 28 | { 29 | WORD Length; 30 | WORD MaximumLength; 31 | }; 32 | T dummy; 33 | }; 34 | T Buffer; 35 | }; 36 | 37 | template 38 | struct _LDR_DATA_TABLE_ENTRY_T 39 | { 40 | _LIST_ENTRY_T InLoadOrderLinks; 41 | _LIST_ENTRY_T InMemoryOrderLinks; 42 | _LIST_ENTRY_T InInitializationOrderLinks; 43 | T DllBase; 44 | T EntryPoint; 45 | union 46 | { 47 | DWORD SizeOfImage; 48 | T dummy01; 49 | }; 50 | _UNICODE_STRING_T FullDllName; 51 | _UNICODE_STRING_T BaseDllName; 52 | DWORD Flags; 53 | WORD LoadCount; 54 | WORD TlsIndex; 55 | union 56 | { 57 | _LIST_ENTRY_T HashLinks; 58 | struct 59 | { 60 | T SectionPointer; 61 | T CheckSum; 62 | }; 63 | }; 64 | union 65 | { 66 | T LoadedImports; 67 | DWORD TimeDateStamp; 68 | }; 69 | T EntryPointActivationContext; 70 | T PatchInformation; 71 | _LIST_ENTRY_T ForwarderLinks; 72 | _LIST_ENTRY_T ServiceTagLinks; 73 | _LIST_ENTRY_T StaticLinks; 74 | T ContextInformation; 75 | T OriginalBase; 76 | _LARGE_INTEGER LoadTime; 77 | }; 78 | 79 | template 80 | struct _PEB_LDR_DATA_T 81 | { 82 | DWORD Length; 83 | DWORD Initialized; 84 | T SsHandle; 85 | _LIST_ENTRY_T InLoadOrderModuleList; 86 | _LIST_ENTRY_T InMemoryOrderModuleList; 87 | _LIST_ENTRY_T InInitializationOrderModuleList; 88 | T EntryInProgress; 89 | DWORD ShutdownInProgress; 90 | T ShutdownThreadId; 91 | 92 | }; 93 | 94 | template 95 | struct _PEB_T 96 | { 97 | union 98 | { 99 | struct 100 | { 101 | BYTE InheritedAddressSpace; 102 | BYTE ReadImageFileExecOptions; 103 | BYTE BeingDebugged; 104 | BYTE _SYSTEM_DEPENDENT_01; 105 | }; 106 | T dummy01; 107 | }; 108 | T Mutant; 109 | T ImageBaseAddress; 110 | T Ldr; 111 | T ProcessParameters; 112 | T SubSystemData; 113 | T ProcessHeap; 114 | T FastPebLock; 115 | T _SYSTEM_DEPENDENT_02; 116 | T _SYSTEM_DEPENDENT_03; 117 | T _SYSTEM_DEPENDENT_04; 118 | union 119 | { 120 | T KernelCallbackTable; 121 | T UserSharedInfoPtr; 122 | }; 123 | DWORD SystemReserved; 124 | DWORD _SYSTEM_DEPENDENT_05; 125 | T _SYSTEM_DEPENDENT_06; 126 | T TlsExpansionCounter; 127 | T TlsBitmap; 128 | DWORD TlsBitmapBits[2]; 129 | T ReadOnlySharedMemoryBase; 130 | T _SYSTEM_DEPENDENT_07; 131 | T ReadOnlyStaticServerData; 132 | T AnsiCodePageData; 133 | T OemCodePageData; 134 | T UnicodeCaseTableData; 135 | DWORD NumberOfProcessors; 136 | union 137 | { 138 | DWORD NtGlobalFlag; 139 | NGF dummy02; 140 | }; 141 | LARGE_INTEGER CriticalSectionTimeout; 142 | T HeapSegmentReserve; 143 | T HeapSegmentCommit; 144 | T HeapDeCommitTotalFreeThreshold; 145 | T HeapDeCommitFreeBlockThreshold; 146 | DWORD NumberOfHeaps; 147 | DWORD MaximumNumberOfHeaps; 148 | T ProcessHeaps; 149 | T GdiSharedHandleTable; 150 | T ProcessStarterHelper; 151 | T GdiDCAttributeList; 152 | T LoaderLock; 153 | DWORD OSMajorVersion; 154 | DWORD OSMinorVersion; 155 | WORD OSBuildNumber; 156 | WORD OSCSDVersion; 157 | DWORD OSPlatformId; 158 | DWORD ImageSubsystem; 159 | DWORD ImageSubsystemMajorVersion; 160 | T ImageSubsystemMinorVersion; 161 | union 162 | { 163 | T ImageProcessAffinityMask; 164 | T ActiveProcessAffinityMask; 165 | }; 166 | T GdiHandleBuffer[A]; 167 | T PostProcessInitRoutine; 168 | T TlsExpansionBitmap; 169 | DWORD TlsExpansionBitmapBits[32]; 170 | T SessionId; 171 | ULARGE_INTEGER AppCompatFlags; 172 | ULARGE_INTEGER AppCompatFlagsUser; 173 | T pShimData; 174 | T AppCompatInfo; 175 | UNICODE_STRING CSDVersion; 176 | T ActivationContextData; 177 | T ProcessAssemblyStorageMap; 178 | T SystemDefaultActivationContextData; 179 | T SystemAssemblyStorageMap; 180 | T MinimumStackCommit; 181 | }; 182 | #pragma pack(pop) 183 | 184 | typedef _LDR_DATA_TABLE_ENTRY_T LDR_DATA_TABLE_ENTRY32; 185 | typedef _LDR_DATA_TABLE_ENTRY_T LDR_DATA_TABLE_ENTRY64; 186 | 187 | typedef _PEB_LDR_DATA_T PEB_LDR_DATA32; 188 | typedef _PEB_LDR_DATA_T PEB_LDR_DATA64; 189 | 190 | typedef _PEB_T PEB32; 191 | typedef _PEB_T PEB64; 192 | 193 | #ifdef _WIN64 194 | typedef PEB64 PEB; 195 | #else 196 | typedef PEB32 PEB; 197 | #endif 198 | 199 | PEB *GetPebAddress(HANDLE hProcess); 200 | PVOID64 GetPeb64Address(HANDLE hProcess); 201 | 202 | std::shared_ptr GetPeb(HANDLE hProcess); 203 | std::shared_ptr Wow64GetPeb64(HANDLE hProcess); 204 | 205 | bool SetPeb(HANDLE hProcess, const PEB *pPeb); 206 | bool Wow64SetPeb64(HANDLE hProcess, const PEB64 *pPeb64); 207 | 208 | PVOID64 Wow64GetModuleHandle64(HANDLE hProcess, const wchar_t* moduleName); 209 | 210 | DWORD GetHeapFlagsOffset(bool x64); 211 | DWORD GetHeapForceFlagsOffset(bool x64); 212 | } 213 | -------------------------------------------------------------------------------- /Scylla/PebHider.cpp: -------------------------------------------------------------------------------- 1 | #include "PebHider.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #define HEAP_VALIDATE_ALL_ENABLED 0x20000000 9 | #define HEAP_CAPTURE_STACK_BACKTRACES 0x08000000 10 | 11 | // Flags set by RtlDebugCreateHeap 12 | #define RTLDEBUGCREATEHEAP_HEAP_FLAGS (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_SKIP_VALIDATION_CHECKS) 13 | 14 | // Additional debug flags that may be set depending on NtGlobalFlags 15 | #define NTGLOBALFLAGS_HEAP_FLAGS (HEAP_DISABLE_COALESCE_ON_FREE | HEAP_FREE_CHECKING_ENABLED | HEAP_TAIL_CHECKING_ENABLED | \ 16 | HEAP_VALIDATE_ALL_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED | HEAP_CAPTURE_STACK_BACKTRACES) 17 | 18 | // The set of heap flags to clear is the union of flags set by RtlDebugCreateHeap and NtGlobalFlags 19 | #define HEAP_CLEARABLE_FLAGS (RTLDEBUGCREATEHEAP_HEAP_FLAGS | NTGLOBALFLAGS_HEAP_FLAGS) 20 | 21 | // Only a subset of possible flags passed to RtlCreateHeap persists into force flags 22 | #define HEAP_VALID_FORCE_FLAGS (HEAP_NO_SERIALIZE | HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY | HEAP_REALLOC_IN_PLACE_ONLY | \ 23 | HEAP_VALIDATE_PARAMETERS_ENABLED | HEAP_VALIDATE_ALL_ENABLED | HEAP_TAIL_CHECKING_ENABLED | \ 24 | HEAP_CREATE_ALIGN_16 | HEAP_FREE_CHECKING_ENABLED) 25 | 26 | // The set of force flags to clear is the intersection of valid force flags and the debug flags 27 | #define HEAP_CLEARABLE_FORCE_FLAGS (HEAP_CLEARABLE_FLAGS & HEAP_VALID_FORCE_FLAGS) 28 | 29 | bool scl::PebPatchProcessParameters(PEB* peb, HANDLE hProcess) 30 | { 31 | RTL_USER_PROCESS_PARAMETERS rupp; 32 | 33 | if (ReadProcessMemory(hProcess, (PVOID)peb->ProcessParameters, &rupp, sizeof(rupp), nullptr) == FALSE) 34 | return false; 35 | 36 | // Some debuggers manipulate StartUpInfo to start the debugged process and therefore can be detected... 37 | auto patch_size = (DWORD_PTR)&rupp.WindowFlags - (DWORD_PTR)&rupp.StartingX; 38 | ZeroMemory(&rupp.WindowFlags, patch_size); 39 | 40 | // https://github.com/x64dbg/ScyllaHide/issues/99 41 | rupp.WindowFlags = STARTF_USESHOWWINDOW; 42 | rupp.ShowWindowFlags = SW_SHOWNORMAL; 43 | 44 | // If the debugger used IFEO, the app doesn't need to know that 45 | rupp.Flags |= RTL_USER_PROCESS_PARAMETERS_IMAGE_KEY_MISSING; 46 | 47 | return (WriteProcessMemory(hProcess, (PVOID)peb->ProcessParameters, &rupp, sizeof(rupp), nullptr) == TRUE); 48 | } 49 | 50 | bool scl::Wow64Peb64PatchProcessParameters(PEB64* peb64, HANDLE hProcess) 51 | { 52 | #ifndef _WIN64 53 | scl::RTL_USER_PROCESS_PARAMETERS rupp; 54 | 55 | if (!scl::Wow64ReadProcessMemory64(hProcess, (PVOID64)peb64->ProcessParameters, (PVOID)&rupp, sizeof(rupp), nullptr)) 56 | return false; 57 | 58 | // Some debuggers manipulate StartUpInfo to start the debugged process and therefore can be detected... 59 | auto patch_size = (DWORD_PTR)&rupp.WindowFlags - (DWORD_PTR)&rupp.StartingX; 60 | ZeroMemory(&rupp.WindowFlags, patch_size); 61 | 62 | // https://github.com/x64dbg/ScyllaHide/issues/99 63 | rupp.WindowFlags = STARTF_USESHOWWINDOW; 64 | rupp.ShowWindowFlags = SW_SHOWNORMAL; 65 | 66 | // If the debugger used IFEO, the app doesn't need to know that 67 | rupp.Flags |= RTL_USER_PROCESS_PARAMETERS_IMAGE_KEY_MISSING; 68 | 69 | return Wow64WriteProcessMemory64(hProcess, (PVOID)peb64->ProcessParameters, &rupp, sizeof(rupp), nullptr); 70 | #endif 71 | 72 | return false; 73 | } 74 | 75 | bool scl::PebPatchHeapFlags(PEB* peb, HANDLE hProcess) 76 | { 77 | #ifdef _WIN64 78 | const auto is_x64 = true; 79 | #else 80 | const auto is_x64 = false; 81 | #endif 82 | 83 | std::vector heaps; 84 | heaps.resize(peb->NumberOfHeaps); 85 | 86 | if (ReadProcessMemory(hProcess, (PVOID)peb->ProcessHeaps, (PVOID)heaps.data(), heaps.size()*sizeof(PVOID), nullptr) == FALSE) 87 | return false; 88 | 89 | std::basic_string heap; 90 | heap.resize(0x100); // hacky 91 | for (DWORD i = 0; i < peb->NumberOfHeaps; i++) 92 | { 93 | if (ReadProcessMemory(hProcess, heaps[i], (PVOID)heap.data(), heap.size(), nullptr) == FALSE) 94 | return false; 95 | 96 | auto flags = (DWORD *)(heap.data() + scl::GetHeapFlagsOffset(is_x64)); 97 | auto force_flags = (DWORD *)(heap.data() + scl::GetHeapForceFlagsOffset(is_x64)); 98 | 99 | *flags &= ~HEAP_CLEARABLE_FLAGS; 100 | 101 | *force_flags &= ~HEAP_CLEARABLE_FORCE_FLAGS; 102 | 103 | if (WriteProcessMemory(hProcess, heaps[i], (PVOID)heap.data(), heap.size(), nullptr) == FALSE) 104 | return false; 105 | } 106 | 107 | return true; 108 | } 109 | 110 | bool scl::Wow64Peb64PatchHeapFlags(PEB64* peb, HANDLE hProcess) 111 | { 112 | std::vector heaps; 113 | heaps.resize(peb->NumberOfHeaps); 114 | 115 | if (scl::Wow64ReadProcessMemory64(hProcess, (PVOID64)peb->ProcessHeaps, (PVOID)heaps.data(), heaps.size()*sizeof(PVOID64), nullptr) == FALSE) 116 | return false; 117 | 118 | std::basic_string heap; 119 | heap.resize(0x100); // hacky 120 | for (DWORD i = 0; i < peb->NumberOfHeaps; i++) 121 | { 122 | if (Wow64ReadProcessMemory64(hProcess, (PVOID64)heaps[i], (PVOID)heap.data(), heap.size(), nullptr) == FALSE) 123 | return false; 124 | 125 | auto flags = (DWORD *)(heap.data() + scl::GetHeapFlagsOffset(true)); 126 | auto force_flags = (DWORD *)(heap.data() + scl::GetHeapForceFlagsOffset(true)); 127 | 128 | *flags &= ~HEAP_CLEARABLE_FLAGS; 129 | 130 | *force_flags &= ~HEAP_CLEARABLE_FORCE_FLAGS; 131 | 132 | if (Wow64WriteProcessMemory64(hProcess, (PVOID64)heaps[i], (PVOID)heap.data(), heap.size(), nullptr) == FALSE) 133 | return false; 134 | } 135 | 136 | return true; 137 | } 138 | -------------------------------------------------------------------------------- /Scylla/PebHider.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Peb.h" 4 | 5 | #define PEB_PATCH_BeingDebugged 0x00000001 6 | #define PEB_PATCH_NtGlobalFlag 0x00000002 7 | #define PEB_PATCH_HeapFlags 0x00000004 8 | #define PEB_PATCH_ProcessParameters 0x00000008 9 | #define PEB_PATCH_OsBuildNumber 0x00000010 10 | 11 | namespace scl 12 | { 13 | bool PebPatchProcessParameters(PEB* peb, HANDLE hProcess); 14 | bool Wow64Peb64PatchProcessParameters(PEB64* peb64, HANDLE hProcess); 15 | 16 | bool PebPatchHeapFlags(PEB* peb, HANDLE hProcess); 17 | bool Wow64Peb64PatchHeapFlags(PEB64* peb64, HANDLE hProcess); 18 | } 19 | -------------------------------------------------------------------------------- /Scylla/Resource.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | namespace scl 6 | { 7 | class Handle 8 | { 9 | public: 10 | explicit Handle(HANDLE handle) : handle_(handle) {} 11 | ~Handle() 12 | { 13 | if (handle_ && (handle_ != INVALID_HANDLE_VALUE)) 14 | CloseHandle(handle_); 15 | } 16 | 17 | Handle(const Handle &other) = delete; 18 | Handle &operator=(const Handle &other) = delete; 19 | 20 | HANDLE get() const { return handle_; } 21 | 22 | private: 23 | HANDLE handle_; 24 | }; 25 | } 26 | -------------------------------------------------------------------------------- /Scylla/Scylla.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files 61 | 62 | 63 | Header Files 64 | 65 | 66 | Header Files 67 | 68 | 69 | Header Files 70 | 71 | 72 | Header Files 73 | 74 | 75 | Header Files 76 | 77 | 78 | -------------------------------------------------------------------------------- /Scylla/Settings.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | namespace scl 8 | { 9 | class Settings 10 | { 11 | public: 12 | struct Profile 13 | { 14 | BOOL dllNormal; 15 | BOOL dllStealth; 16 | BOOL dllUnload; 17 | BOOL hookGetLocalTime; 18 | BOOL hookGetSystemTime; 19 | BOOL hookGetTickCount; 20 | BOOL hookGetTickCount64; 21 | BOOL hookKiUserExceptionDispatcher; 22 | BOOL hookNtClose; 23 | BOOL hookNtContinue; 24 | BOOL hookNtCreateThreadEx; 25 | BOOL hookNtGetContextThread; 26 | BOOL hookNtQueryInformationProcess; 27 | BOOL hookNtQueryObject; 28 | BOOL hookNtQueryPerformanceCounter; 29 | BOOL hookNtQuerySystemInformation; 30 | BOOL hookNtQuerySystemTime; 31 | BOOL hookNtSetContextThread; 32 | BOOL hookNtSetDebugFilterState; 33 | BOOL hookNtSetInformationThread; 34 | BOOL hookNtSetInformationProcess; 35 | BOOL hookNtUserBlockInput; 36 | BOOL hookNtUserBuildHwndList; 37 | BOOL hookNtUserFindWindowEx; 38 | BOOL hookNtUserQueryWindow; 39 | BOOL hookNtUserGetForegroundWindow; 40 | BOOL hookNtYieldExecution; 41 | BOOL hookOutputDebugStringA; 42 | BOOL fixPebBeingDebugged; 43 | BOOL fixPebHeapFlags; 44 | BOOL fixPebNtGlobalFlag; 45 | BOOL fixPebStartupInfo; 46 | BOOL fixPebOsBuildNumber; 47 | BOOL preventThreadCreation; 48 | BOOL protectProcessId; 49 | BOOL removeDebugPrivileges; 50 | BOOL killAntiAttach; 51 | BOOL malwareRunpeUnpacker; 52 | BOOL handleExceptionPrint; 53 | BOOL handleExceptionRip; 54 | BOOL handleExceptionIllegalInstruction; 55 | BOOL handleExceptionInvalidLockSequence; 56 | BOOL handleExceptionNoncontinuableException; 57 | BOOL handleExceptionAssertionFailure; 58 | BOOL handleExceptionBreakpoint; 59 | BOOL handleExceptionGuardPageViolation; 60 | BOOL handleExceptionWx86Breakpoint; 61 | BOOL idaAutoStartServer; 62 | std::wstring idaServerPort; 63 | BOOL ollyBreakOnTls; 64 | BOOL ollyFixBugs; 65 | BOOL ollyRemoveEpBreak; 66 | BOOL ollySkipEpOutsideCode; 67 | BOOL ollyX64Fix; 68 | BOOL ollyAdvancedGoto; 69 | BOOL ollyIgnoreBadPeImage; 70 | BOOL ollySkipCompressedDoAnalyze; 71 | BOOL ollySkipCompressedDoNothing; 72 | BOOL ollySkipLoadDllDoLoad; 73 | BOOL ollySkipLoadDllDoNothing; 74 | BOOL ollyAdvancedInfobar; 75 | std::wstring ollyWindowTitle; 76 | }; 77 | 78 | static const wchar_t kFileName[]; 79 | 80 | void Load(const wchar_t *ini_file); 81 | bool Save() const; 82 | 83 | bool AddProfile(const wchar_t *name); 84 | void SetProfile(const wchar_t *name); 85 | 86 | 87 | const std::vector &profile_names() const 88 | { 89 | return profile_names_; 90 | } 91 | 92 | const std::wstring &profile_name() const 93 | { 94 | return profile_name_; 95 | } 96 | 97 | const Profile &opts() const 98 | { 99 | return profile_; 100 | } 101 | 102 | Profile &opts() 103 | { 104 | return profile_; 105 | } 106 | 107 | bool hook_dll_needed() const 108 | { 109 | return 110 | profile_.hookGetLocalTime || 111 | profile_.hookGetSystemTime || 112 | profile_.hookGetTickCount || 113 | profile_.hookGetTickCount64 || 114 | profile_.hookKiUserExceptionDispatcher || 115 | profile_.hookNtClose || 116 | profile_.hookNtContinue || 117 | profile_.hookNtCreateThreadEx || 118 | profile_.hookNtGetContextThread || 119 | profile_.hookNtQueryInformationProcess || 120 | profile_.hookNtQueryObject || 121 | profile_.hookNtQueryPerformanceCounter || 122 | profile_.hookNtQuerySystemInformation || 123 | profile_.hookNtQuerySystemTime || 124 | profile_.hookNtSetContextThread || 125 | profile_.hookNtSetDebugFilterState || 126 | profile_.hookNtSetInformationThread || 127 | profile_.hookNtSetInformationProcess || 128 | profile_.hookNtUserBlockInput || 129 | profile_.hookNtUserBuildHwndList || 130 | profile_.hookNtUserFindWindowEx || 131 | profile_.hookNtUserQueryWindow || 132 | profile_.hookNtUserGetForegroundWindow || 133 | profile_.hookNtYieldExecution || 134 | profile_.hookOutputDebugStringA || 135 | profile_.preventThreadCreation || 136 | profile_.malwareRunpeUnpacker; 137 | } 138 | 139 | protected: 140 | static void LoadProfile(const wchar_t *file, const wchar_t *name, Profile *profile); 141 | static bool SaveProfile(const wchar_t *file, const wchar_t *name, const Profile *profile); 142 | 143 | private: 144 | std::wstring ini_path_; 145 | std::vector profile_names_; 146 | std::wstring profile_name_; 147 | Profile profile_{}; 148 | }; 149 | } 150 | -------------------------------------------------------------------------------- /Scylla/User32Loader.cpp: -------------------------------------------------------------------------------- 1 | #include "User32Loader.h" 2 | #include "Win32kSyscalls.h" 3 | #include "Scylla/OsInfo.h" 4 | #include "Scylla/Logger.h" 5 | 6 | extern scl::Logger g_log; 7 | 8 | scl::User32Loader::User32Loader() : 9 | OsBuildNumber(NtCurrentPeb()->OSBuildNumber), 10 | NativeX86(!scl::IsWindows64() && !scl::IsWow64Process(NtCurrentProcess)), 11 | Win32kUserDll((PUCHAR)LoadLibraryExW(OsBuildNumber >= 14393 ? L"win32u.dll" : L"user32.dll", 12 | nullptr, DONT_RESOLVE_DLL_REFERENCES | LOAD_IGNORE_CODE_AUTHZ_LEVEL | 13 | (OsBuildNumber >= 6002 ? LOAD_LIBRARY_SEARCH_SYSTEM32 : 0))) 14 | { 15 | } 16 | 17 | scl::User32Loader::~User32Loader() 18 | { 19 | if (Win32kUserDll != nullptr) 20 | FreeLibrary((HMODULE)Win32kUserDll); 21 | } 22 | 23 | // Finds the requested user32/win32u syscalls by name for later retrieval with GetUserSyscallVa 24 | bool scl::User32Loader::FindSyscalls(const std::vector& syscallNames) 25 | { 26 | if (Win32kUserDll == nullptr) // Failed to load user32.dll or win32u.dll 27 | return false; 28 | if (OsBuildNumber < 2600) // Unsupported or unknown OS 29 | return false; 30 | 31 | if (OsBuildNumber >= 14393) 32 | { 33 | // On >= 10.0.14393.0 we can simply get the VAs from win32u.dll 34 | for (const auto& syscallName : syscallNames) 35 | { 36 | const ULONG_PTR syscallAddress = (ULONG_PTR)GetProcAddress((HMODULE)Win32kUserDll, syscallName.c_str()); 37 | if (syscallAddress == 0) 38 | return false; 39 | FunctionNamesAndVas[syscallName] = syscallAddress; 40 | } 41 | return true; 42 | } 43 | 44 | // OS is < 14393. Get the syscall indices of the functions that we want the VAs of 45 | std::map functionNamesAndSyscallNums(FunctionNamesAndVas); 46 | for (const auto& syscallName : syscallNames) 47 | { 48 | const LONG syscallNum = GetUserSyscallIndex(syscallName); 49 | if (syscallNum == -1) 50 | return false; 51 | functionNamesAndSyscallNums[syscallName] = (ULONG_PTR)syscallNum; 52 | } 53 | 54 | // Find the VAs of the functions we want 55 | for (const auto& function : functionNamesAndSyscallNums) 56 | { 57 | const std::string syscallName = function.first; 58 | const ULONG_PTR syscallAddress = FindSyscallByIndex((ULONG)function.second); 59 | if (syscallAddress != 0) 60 | { 61 | FunctionNamesAndVas[syscallName] = syscallAddress; 62 | } 63 | else 64 | { 65 | g_log.LogError(L"Address of syscall %hs with index %u not found", 66 | syscallName.c_str(), (ULONG)functionNamesAndSyscallNums[syscallName]); 67 | return false; 68 | } 69 | } 70 | 71 | // Sanity check the NtUserBlockInput VA as this is an exported syscall 72 | const ULONG_PTR BlockInputVa = (ULONG_PTR)GetProcAddress((HMODULE)Win32kUserDll, "BlockInput"); 73 | if (BlockInputVa == 0) 74 | return false; 75 | const bool check = GetUserSyscallVa("NtUserBlockInput") == BlockInputVa; 76 | if (!check) 77 | g_log.LogError(L"GetUserSyscallVa returned incorrect address 0x%p (expected 0x%p)!", GetUserSyscallVa("NtUserBlockInput"), BlockInputVa); 78 | 79 | return check; 80 | } 81 | 82 | // Returns the win32k syscall number for a function name 83 | LONG scl::User32Loader::GetUserSyscallIndex(const std::string& functionName) const 84 | { 85 | if (OsBuildNumber >= 14393) 86 | { 87 | const PUCHAR syscallAddress = (PUCHAR)GetProcAddress((HMODULE)Win32kUserDll, functionName.c_str()); 88 | if (syscallAddress == nullptr) 89 | return -1; 90 | for (PUCHAR address = syscallAddress; address < syscallAddress + 16; ++address) 91 | { 92 | if (address[0] == 0xB8 && address[1] != 0xD1) 93 | return *(PLONG)(address + 1) & 0xFFFF; 94 | } 95 | return -1; 96 | } 97 | 98 | ANSI_STRING searchFunctionName; 99 | RtlInitAnsiString(&searchFunctionName, (PSTR)functionName.c_str()); 100 | for (ULONG i = 0; i < ARRAYSIZE(Win32kSyscalls); ++i) 101 | { 102 | ANSI_STRING tableFunctionName = Win32kSyscalls[i].Name.ToAnsiString(); 103 | if (!RtlEqualString(&tableFunctionName, &searchFunctionName, TRUE)) 104 | continue; 105 | return Win32kSyscalls[i].GetSyscallIndex(OsBuildNumber, NativeX86); 106 | } 107 | return -1; 108 | } 109 | 110 | // Scans user32.dll and returns the VA of the function that performs the syscall with the given index 111 | ULONG_PTR scl::User32Loader::FindSyscallByIndex(LONG win32kSyscallIndex) const 112 | { 113 | const PIMAGE_NT_HEADERS NtHeaders = RtlImageNtHeader(Win32kUserDll); 114 | const PIMAGE_SECTION_HEADER codeSection = IMAGE_FIRST_SECTION(NtHeaders); 115 | const PUCHAR start = Win32kUserDll + codeSection->VirtualAddress; 116 | const PUCHAR end = Win32kUserDll + codeSection->VirtualAddress + codeSection->SizeOfRawData - 16; 117 | 118 | // Find the syscall pattern for this OS + architecture 119 | for (PUCHAR address = start; address < end; ++address) 120 | { 121 | if (address[0] != 0xB8 || (*(PLONG)(address + 1) & 0xFFFF) != win32kSyscallIndex) // mov eax, 122 | continue; 123 | 124 | bool isSyscall = false; 125 | #ifdef _WIN64 126 | // For native x64 syscalls 'mov eax, ' is always preceded by 'mov r10, rcx' 127 | if (address[-3] == 0x4C && address[-2] == 0x8B && address[-1] == 0xD1) 128 | { 129 | isSyscall = true; 130 | address -= 3; // Backtrack to first mov 131 | } 132 | #else 133 | if (NativeX86) 134 | { 135 | // Native x86, old style: mov edx, 7FFE0300h, call [edx] 136 | if (address[5] == 0xBA && address[6] == 0x00 && address[7] == 0x03 && address[8] == 0xFE && 137 | address[9] == 0x7F && address[10] == 0xFF && address[11] == 0x12) 138 | isSyscall = true; 139 | // Win 8+ native x86: call leaf_sub, retn X. leaf_sub: mov edx, esp, sysenter, retn 140 | else if (address[5] == 0xE8 && address[9] == 0x00 && (address[10] == 0xC2 || address[10] == 0xC3)) 141 | { 142 | ULONG i = 0; 143 | for ( ; i < 12; ++i) 144 | { 145 | if (address[11 + i] == 0x8B) 146 | break; 147 | } 148 | if (address[11 + i] == 0x8B && address[11 + i + 1] == 0xD4 && address[11 + i + 2] == 0x0F && 149 | address[11 + i + 3] == 0x34 && address[11 + i + 4] == 0xC3) 150 | isSyscall = true; 151 | } 152 | } 153 | else 154 | { 155 | if ( 156 | // Wow64, old style: lea edx, [esp+4] / mov ecx, XXXX, call fs:0C0h 157 | ((address[5] == 0x8D || address[10] == 0x8D) && (address[5] == 0xB9 || address[9] == 0xB9)) 158 | || 159 | // Win 8/8.1 Wow64: call fs:0C0h 160 | (address[5] == 0x64 && address[6] == 0xFF && address[7] == 0x15 && address[8] == 0xC0 && 161 | address[9] == 0x00 && address[10] == 0x00 && address[11] == 0x00) 162 | || 163 | // Win 10 Wow64: mov edx, offset Wow64SystemServiceCall, call edx, retn 164 | (address[5] == 0xBA && address[10] == 0xFF && address[11] == 0xD2 && (address[12] == 0xC2 || address[12] == 0xC3)) 165 | ) 166 | { 167 | isSyscall = true; 168 | } 169 | } 170 | #endif 171 | if (isSyscall) 172 | return (ULONG_PTR)address; 173 | } 174 | return 0; 175 | } 176 | -------------------------------------------------------------------------------- /Scylla/User32Loader.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | namespace scl 9 | { 10 | class User32Loader 11 | { 12 | public: 13 | User32Loader(); 14 | ~User32Loader(); 15 | 16 | bool FindSyscalls(const std::vector& syscallNames); 17 | 18 | ULONG_PTR GetUserSyscallVa(const std::string& functionName) const { return FunctionNamesAndVas.at(functionName); } 19 | LONG GetUserSyscallIndex(const std::string& functionName) const; 20 | 21 | private: 22 | ULONG_PTR FindSyscallByIndex(LONG win32kSyscallIndex) const; 23 | 24 | const USHORT OsBuildNumber; 25 | const bool NativeX86; 26 | const PUCHAR Win32kUserDll; // win32u.dll if OsBuildNumber >= 14393, user32.dll otherwise 27 | 28 | std::map FunctionNamesAndVas; 29 | }; 30 | } 31 | -------------------------------------------------------------------------------- /Scylla/Util.cpp: -------------------------------------------------------------------------------- 1 | #include "Util.h" 2 | #include 3 | #include "NtApiShim.h" 4 | 5 | std::wstring scl::fmtw(const wchar_t *fmt, ...) 6 | { 7 | va_list ap; 8 | 9 | va_start(ap, fmt); 10 | auto str = vfmtw(fmt, ap); 11 | va_end(ap); 12 | 13 | return str; 14 | } 15 | 16 | std::wstring scl::vfmtw(const wchar_t *fmt, va_list ap) 17 | { 18 | va_list vap; 19 | 20 | va_copy(vap, ap); 21 | auto size = ::_vsnwprintf(nullptr, 0, fmt, vap); 22 | va_end(vap); 23 | 24 | std::wstring wstr; 25 | wstr.resize(size); 26 | 27 | va_copy(vap, ap); 28 | ::_vsnwprintf(&wstr[0], wstr.size(), fmt, vap); 29 | va_end(vap); 30 | 31 | return wstr; 32 | } 33 | 34 | std::wstring scl::GetModuleFileNameW(HMODULE hModule) 35 | { 36 | std::wstring wstrFileName; 37 | DWORD copied = 0; 38 | do { 39 | wstrFileName.resize(wstrFileName.size() + MAX_PATH); 40 | copied = ::GetModuleFileNameW(hModule, &wstrFileName[0], (DWORD)wstrFileName.size()); 41 | } while (copied >= wstrFileName.size()); 42 | 43 | wstrFileName.resize(copied); 44 | return wstrFileName; 45 | } 46 | 47 | std::wstring scl::FormatMessageW(DWORD dwErrnum) 48 | { 49 | wchar_t *wszBuffer = nullptr; 50 | 51 | ::FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS, 52 | nullptr, dwErrnum, MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), (LPWSTR)&wszBuffer, 0, nullptr); 53 | 54 | std::wstring wstrError; 55 | if (wszBuffer) { 56 | wstrError = wszBuffer; 57 | wstrError.resize(wstrError.size() - 1); // remove trailing \n 58 | ::LocalFree(wszBuffer); 59 | } 60 | else 61 | { 62 | wstrError = L""; 63 | } 64 | 65 | return wstrError; 66 | } 67 | 68 | std::wstring scl::GetWindowTextW(HWND hWnd) 69 | { 70 | std::wstring wstr; 71 | auto len = ::GetWindowTextLengthW(hWnd) + 1; 72 | wstr.resize(len); 73 | ::GetWindowTextW(hWnd, &wstr[0], len); 74 | return wstr; 75 | } 76 | 77 | std::wstring scl::GetDlgItemTextW(HWND hDlg, int nIDDlgItem) 78 | { 79 | return GetWindowTextW(::GetDlgItem(hDlg, nIDDlgItem)); 80 | } 81 | 82 | bool scl::FileExistsW(const wchar_t *wszPath) 83 | { 84 | auto dwAttrib = ::GetFileAttributesW(wszPath); 85 | 86 | return (dwAttrib != INVALID_FILE_ATTRIBUTES) && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY); 87 | } 88 | 89 | bool scl::GetFileDialogW(wchar_t *buffer, DWORD buffer_size) 90 | { 91 | OPENFILENAMEW sOpenFileName = { 0 }; 92 | const wchar_t szFilterString[] = L"DLL \0*.dll\0\0"; 93 | const wchar_t szDialogTitle[] = L"ScyllaHide"; 94 | 95 | buffer[0] = 0; 96 | 97 | sOpenFileName.lStructSize = sizeof(sOpenFileName); 98 | sOpenFileName.lpstrFilter = szFilterString; 99 | sOpenFileName.lpstrFile = buffer; 100 | sOpenFileName.nMaxFile = buffer_size; 101 | sOpenFileName.Flags = OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST | OFN_LONGNAMES | OFN_EXPLORER | OFN_HIDEREADONLY; 102 | sOpenFileName.lpstrTitle = szDialogTitle; 103 | 104 | return (TRUE == GetOpenFileNameW(&sOpenFileName)); 105 | } 106 | 107 | 108 | std::vector scl::IniLoadSectionNames(const wchar_t *file) 109 | { 110 | std::wstring buf; 111 | DWORD ret = 0; 112 | while (((DWORD)buf.size() - ret) < 3) { 113 | buf.resize(buf.size() + MAX_PATH); 114 | ret = ::GetPrivateProfileSectionNamesW(&buf[0], (DWORD)buf.size(), file); 115 | } 116 | 117 | std::vector sections; 118 | auto data = buf.c_str(); 119 | for (; data[0]; data += lstrlenW(data) + 1) { 120 | sections.push_back(data); 121 | } 122 | 123 | return sections; 124 | } 125 | 126 | std::wstring scl::IniLoadString(const wchar_t *file, const wchar_t *section, const wchar_t *key, const wchar_t *default_value) 127 | { 128 | std::wstring buf; 129 | DWORD ret = 0; 130 | 131 | while (((DWORD)buf.size() - ret) < 3) { 132 | buf.resize(buf.size() + MAX_PATH); 133 | ret = ::GetPrivateProfileStringW(section, key, default_value, &buf[0], (DWORD)buf.size(), file); 134 | } 135 | buf.resize(ret); 136 | 137 | return buf; 138 | } 139 | 140 | bool scl::IniSaveString(const wchar_t *file, const wchar_t *section, const wchar_t *key, const wchar_t *value) 141 | { 142 | return WritePrivateProfileStringW(section, key, value, file) == TRUE; 143 | } 144 | 145 | std::wstring_convert> &scl::wstr_conv() 146 | { 147 | static std::wstring_convert> conv; 148 | return conv; 149 | } 150 | 151 | bool scl::Wow64QueryInformationProcess64(HANDLE hProcess, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength) 152 | { 153 | auto _NtWow64QueryInformationProcess64 = (t_NtWow64QueryInformationProcess64)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWow64QueryInformationProcess64"); 154 | if (!_NtWow64QueryInformationProcess64) 155 | return false; 156 | 157 | return NT_SUCCESS(_NtWow64QueryInformationProcess64(hProcess, ProcessInformationClass, ProcessInformation, ProcessInformationLength, ReturnLength)); 158 | } 159 | 160 | bool scl::Wow64ReadProcessMemory64(HANDLE hProcess, PVOID64 address, PVOID buffer, ULONGLONG buffer_size, PULONGLONG bytes_read) 161 | { 162 | #ifndef _WIN64 163 | auto _NtWow64ReadVirtualMemory64 = (t_NtWow64ReadVirtualMemory64)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWow64ReadVirtualMemory64"); 164 | if (_NtWow64ReadVirtualMemory64) 165 | { 166 | return NT_SUCCESS(_NtWow64ReadVirtualMemory64(hProcess, address, buffer, buffer_size, bytes_read)); 167 | } 168 | else if ((((DWORD64)address + buffer_size) < (DWORD)(-1)) && (buffer_size <= (DWORD)(-1))) 169 | { 170 | SIZE_T bytes_read32 = 0; 171 | auto ret = ReadProcessMemory(hProcess, (PVOID)(ULONG)(ULONG64)address, buffer, (SIZE_T)buffer_size, &bytes_read32); 172 | if (bytes_read) 173 | *bytes_read = bytes_read32; 174 | return ret == TRUE; 175 | } 176 | #endif 177 | 178 | return false; 179 | } 180 | 181 | bool scl::Wow64WriteProcessMemory64(HANDLE hProcess, PVOID64 address, LPCVOID buffer, ULONGLONG buffer_size, PULONGLONG bytes_written) 182 | { 183 | #ifndef _WIN64 184 | auto _NtWow64WriteVirtualMemory64 = (t_NtWow64WriteVirtualMemory64)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtWow64WriteVirtualMemory64"); 185 | if (_NtWow64WriteVirtualMemory64) 186 | { 187 | return NT_SUCCESS(_NtWow64WriteVirtualMemory64(hProcess, address, buffer, buffer_size, bytes_written)); 188 | } 189 | else if ((((DWORD64)address + buffer_size) < (DWORD)(-1)) && (buffer_size <= (DWORD)(-1))) 190 | { 191 | SIZE_T bytes_written32 = 0; 192 | auto ret = WriteProcessMemory(hProcess, (PVOID)(ULONG)(ULONG64)(address), buffer, (SIZE_T)buffer_size, &bytes_written32); 193 | if (bytes_written) 194 | *bytes_written = bytes_written32; 195 | return ret == TRUE; 196 | } 197 | #endif 198 | 199 | return false; 200 | } 201 | -------------------------------------------------------------------------------- /Scylla/Util.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include "Resource.h" 10 | #include "NtApiShim.h" 11 | 12 | namespace scl 13 | { 14 | std::wstring fmtw(const wchar_t *fmt, ...); 15 | std::wstring vfmtw(const wchar_t *fmt, va_list ap); 16 | 17 | std::wstring GetModuleFileNameW(HMODULE hModule = nullptr); 18 | 19 | std::wstring FormatMessageW(DWORD dwErrnum); 20 | 21 | std::wstring GetWindowTextW(HWND hWnd); 22 | std::wstring GetDlgItemTextW(HWND hDlg, int nIDDlgItem); 23 | 24 | bool FileExistsW(const wchar_t *wszPath); 25 | 26 | bool GetFileDialogW(wchar_t *buffer, DWORD buffer_size); 27 | 28 | std::vector IniLoadSectionNames(const wchar_t *file); 29 | 30 | std::wstring IniLoadString(const wchar_t *file, const wchar_t *section, const wchar_t *key, const wchar_t *default_value); 31 | 32 | bool IniSaveString(const wchar_t *file, const wchar_t *section, const wchar_t *key, const wchar_t *value); 33 | 34 | template 35 | VALUE_TYPE IniLoadNum(const wchar_t *file, const wchar_t *section, const wchar_t *key, VALUE_TYPE default_value) 36 | { 37 | static_assert((BASE == 8) || (BASE == 10) || (BASE == 16), "invalid base"); 38 | 39 | std::wstringstream ss; 40 | 41 | if (BASE == 8) 42 | ss << std::oct; 43 | else if (BASE == 16) 44 | ss << std::hex; 45 | 46 | std::wstring default_value_str; 47 | ss << default_value; 48 | ss >> default_value_str; 49 | ss.str(L""); 50 | ss.clear(); 51 | 52 | VALUE_TYPE value; 53 | ss << IniLoadString(file, section, key, default_value_str.c_str()); 54 | ss >> value; 55 | return value; 56 | } 57 | 58 | template 59 | bool IniSaveNum(const wchar_t *file, const wchar_t *section, const wchar_t *key, VALUE_TYPE value) 60 | { 61 | static_assert((BASE == 8) || (BASE == 10) || (BASE == 16), "invalid base"); 62 | 63 | std::wstringstream ss; 64 | 65 | if (BASE == 8) 66 | ss << std::oct; 67 | else if (BASE == 16) 68 | ss << std::hex; 69 | 70 | ss << value; 71 | 72 | return IniSaveString(file, section, key, ss.str().c_str()); 73 | } 74 | 75 | std::wstring_convert> &wstr_conv(); 76 | 77 | bool Wow64QueryInformationProcess64(HANDLE hProcess, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); 78 | 79 | bool Wow64ReadProcessMemory64(HANDLE hProcess, PVOID64 address, PVOID buffer, ULONGLONG buffer_size, PULONGLONG bytes_read); 80 | bool Wow64WriteProcessMemory64(HANDLE hProcess, PVOID64 address, LPCVOID buffer, ULONGLONG buffer_size, PULONGLONG bytes_written); 81 | }; 82 | -------------------------------------------------------------------------------- /Scylla/Version.cpp: -------------------------------------------------------------------------------- 1 | #include "Version.h" 2 | 3 | void scl::ShowAboutBox(HWND hWnd) 4 | { 5 | MessageBoxW(hWnd, 6 | SCYLLA_HIDE_NAME_W L" Plugin v" SCYLLA_HIDE_VERSION_STRING_W L" (" TEXT(__DATE__) L")\n\n" 7 | L"Copyright (C) 2014-" COMPILE_YEAR_W L" Aguila / cypher\n\n" 8 | L"Special thanks to:\n" 9 | L"- What for his POISON assembler source code\n" 10 | L"- waliedassar for his blog posts\n" 11 | L"- Peter Ferrie for his Anti-Debug PDFs\n" 12 | L"- MaRKuS-DJM for OllyAdvanced assembler source code\n" 13 | L"- Steve Micallef for his IDA SDK doc\n" 14 | L"- Authors of PhantOm and StrongOD\n" 15 | L"- Tuts4You, Exetools, Exelab community for testing\n" 16 | L"- last but not least deepzero & mr.exodia for tech chats", 17 | SCYLLA_HIDE_NAME_W L" Plugin", MB_ICONINFORMATION); 18 | } 19 | -------------------------------------------------------------------------------- /Scylla/Version.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include "../SCMRevGen/scmrev.h" 4 | 5 | #define STRA(x) #x 6 | #define STRW(x) L#x 7 | 8 | #define STR_HELPERA(x) STRA(x) 9 | #define STR_HELPERW(x) STRW(x) 10 | 11 | #define SCYLLA_HIDE_VERSION_MAJOR 1 12 | #define SCYLLA_HIDE_VERSION_MINOR 4 13 | #define SCYLLA_HIDE_VERSION_PATCH GIT_VERSION_NUMBER 14 | 15 | #define SCYLLA_HIDE_NAME_A "ScyllaHide" 16 | #define SCYLLA_HIDE_NAME_W L"ScyllaHide" 17 | 18 | #define SCYLLA_HIDE_VERSION_STRING_A STR_HELPERA(SCYLLA_HIDE_VERSION_MAJOR) "." STR_HELPERA(SCYLLA_HIDE_VERSION_MINOR) "." STR_HELPERA(SCYLLA_HIDE_VERSION_PATCH) "-" GIT_SHORT_HASH_A 19 | #define SCYLLA_HIDE_VERSION_STRING_W STR_HELPERW(SCYLLA_HIDE_VERSION_MAJOR) L"." STR_HELPERW(SCYLLA_HIDE_VERSION_MINOR) L"." STR_HELPERW(SCYLLA_HIDE_VERSION_PATCH) L"-" GIT_SHORT_HASH_W 20 | 21 | namespace scl 22 | { 23 | void ShowAboutBox(HWND hWnd); 24 | } 25 | -------------------------------------------------------------------------------- /Scylla/VersionPatch.cpp: -------------------------------------------------------------------------------- 1 | #include "VersionPatch.h" 2 | 3 | #define STR(x) #x 4 | #define VERSTR(x) STR(x) 5 | #define FAKE_VERSION_WCHAR L"" VERSTR(FAKE_VERSION) 6 | 7 | bool NtVirtualProtect(HANDLE hProcess, PVOID Address, SIZE_T Size, ULONG NewProtect, PULONG OldProtect) 8 | { 9 | PVOID BaseAddress = Address; 10 | SIZE_T RegionSize = Size; 11 | return NT_SUCCESS(NtProtectVirtualMemory(hProcess, &BaseAddress, &RegionSize, NewProtect, OldProtect)); 12 | } 13 | 14 | void PatchFixedFileInfoVersion(HANDLE hProcess, PVOID Address, ULONG Size) 15 | { 16 | BOOL found = FALSE; 17 | PUCHAR P; 18 | for (P = (PUCHAR)Address; P < (PUCHAR)Address + Size; ++P) 19 | { 20 | if (*(PDWORD)P == 0xFEEF04BD) // VS_FIXEDFILEINFO signature 21 | { 22 | found = TRUE; 23 | break; 24 | } 25 | } 26 | if (!found) 27 | { 28 | DbgPrint("Failed to find fixed version info signature in ntdll.dll VS_VERSION_INFO"); 29 | return; 30 | } 31 | 32 | P += 14; // Skip to FileVersion build number 33 | ULONG OldProtect; 34 | if (NtVirtualProtect(hProcess, P, 10, PAGE_READWRITE, &OldProtect)) 35 | { 36 | WORD Version = FAKE_VERSION; 37 | NtWriteVirtualMemory(hProcess, P, &Version, 2, nullptr); // FileVersion 38 | NtWriteVirtualMemory(hProcess, P + 8, &Version, 2, nullptr); // ProductVersion 39 | NtVirtualProtect(hProcess, P, 10, OldProtect, &OldProtect); 40 | } 41 | else 42 | { 43 | DbgPrint("VirtualProtectEx failed on ntdll"); 44 | } 45 | } 46 | 47 | void PatchVersionString(HANDLE hProcess, PVOID Address, ULONG Size, const WCHAR* Property) 48 | { 49 | // VS_VERSIONINFO is a mess to navigate because it is a nested struct of variable size with (grand)children all of variable sizes 50 | // See: https://docs.microsoft.com/en-gb/windows/win32/menurc/vs-versioninfo 51 | // Instead of finding VS_VERSIONINFO -> StringFileInfo[] -> StringTable[] -> String (-> WCHAR[]) properly, just do it the memcmp way 52 | size_t propertyLen = (wcslen(Property) + 1) * 2; 53 | PUCHAR P = (PUCHAR)Address; 54 | BOOL found = FALSE; 55 | for (; P < (PUCHAR)Address + Size - propertyLen; ++P) 56 | { 57 | if (memcmp(P, Property, propertyLen) == 0) 58 | { 59 | found = TRUE; 60 | break; 61 | } 62 | } 63 | if (!found) 64 | { 65 | DbgPrint("Failed to find %ws in ntdll.dll VS_VERSION_INFO", Property); 66 | return; 67 | } 68 | 69 | // Skip to the version number and discard extra nulls 70 | P += propertyLen; 71 | while (*(PWCHAR)P == L'\0') 72 | { 73 | P += sizeof(WCHAR); 74 | } 75 | 76 | // P now points at e.g. 6.1.xxxx.yyyy or 10.0.xxxxx.yyyy. Skip the major and minor version numbers to get to the build number xxxx 77 | const ULONG Skip = NtCurrentPeb()->OSMajorVersion >= 10 ? 5 * sizeof(WCHAR) : 4 * sizeof(WCHAR); 78 | P += Skip; 79 | 80 | // Write a new bogus build number 81 | WCHAR NewBuildNumber[] = FAKE_VERSION_WCHAR; 82 | ULONG OldProtect; 83 | if (NtVirtualProtect(hProcess, P, sizeof(NewBuildNumber) - sizeof(WCHAR), PAGE_READWRITE, &OldProtect)) 84 | { 85 | SIZE_T NumWritten; 86 | NtWriteVirtualMemory(hProcess, P, NewBuildNumber, sizeof(NewBuildNumber) - sizeof(WCHAR), &NumWritten); 87 | NtVirtualProtect(hProcess, P, sizeof(NewBuildNumber) - sizeof(WCHAR), OldProtect, &OldProtect); 88 | } 89 | } 90 | 91 | void ApplyNtdllVersionPatch(HANDLE hProcess, PVOID Ntdll) 92 | { 93 | // Get the resource data entry for VS_VERSION_INFO 94 | LDR_RESOURCE_INFO ResourceIdPath; 95 | ResourceIdPath.Type = (ULONG_PTR)RT_VERSION; 96 | ResourceIdPath.Name = VS_VERSION_INFO; 97 | ResourceIdPath.Language = MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL); 98 | PIMAGE_RESOURCE_DATA_ENTRY ResourceDataEntry = nullptr; 99 | NTSTATUS Status = LdrFindResource_U(Ntdll, &ResourceIdPath, 3, &ResourceDataEntry); 100 | if (!NT_SUCCESS(Status)) 101 | { 102 | DbgPrint("Failed to find VS_VERSION_INFO resource in ntdll.dll: %08X", Status); 103 | return; 104 | } 105 | 106 | // Get the address and size of VS_VERSION_INFO 107 | PVOID Address = nullptr; 108 | ULONG Size = 0; 109 | Status = LdrAccessResource(Ntdll, ResourceDataEntry, &Address, &Size); 110 | if (!NT_SUCCESS(Status)) 111 | { 112 | DbgPrint("Failed to obtain size of VS_VERSION_INFO resource in ntdll.dll: %08X", Status); 113 | return; 114 | } 115 | if (Address == nullptr || Size == 0) 116 | { 117 | DbgPrint("VS_VERSION_INFO resource in ntdll.dll has size zero"); 118 | return; 119 | } 120 | 121 | PatchFixedFileInfoVersion(hProcess, Address, Size); 122 | PatchVersionString(hProcess, Address, Size, L"FileVersion"); 123 | PatchVersionString(hProcess, Address, Size, L"ProductVersion"); 124 | } 125 | -------------------------------------------------------------------------------- /Scylla/VersionPatch.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | // Used for PEB OsBuildNumber patch and NTDLL version resource patches. 6 | #define FAKE_VERSION 1337 7 | 8 | void ApplyNtdllVersionPatch(HANDLE hProcess, PVOID Ntdll); 9 | -------------------------------------------------------------------------------- /Scylla/scylla.debug.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Disabled 7 | MultiThreadedDebug 8 | 9 | 10 | -------------------------------------------------------------------------------- /Scylla/scylla.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | $(SolutionDir)build\Intermediate\$(Configuration)\$(PlatformName)\$(ProjectName)\ 6 | $(SolutionDir)build\$(Configuration)\$(PlatformName)\ 7 | 8 | 9 | false 10 | 11 | 12 | 13 | Level3 14 | NotUsing 15 | $(SolutionDir);$(SolutionDir)3rdparty;$(SolutionDir)3rdparty\idasdk\include; 16 | WIN32_NO_STATUS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions) 17 | Caret 18 | true 19 | true 20 | false 21 | ProgramDatabase 22 | true 23 | true 24 | false 25 | 26 | /Gw /Zc:threadSafeInit- %(AdditionalOptions) 27 | 28 | 29 | $(SolutionDir)3rdparty;$(SolutionDir)3rdparty\idasdk\lib;$(OutDir) 30 | Scylla.lib;ntdll\ntdll_$(PlatformShortName).lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 31 | DebugFull 32 | /NOVCFEATURE /NOCOFFGRPINFO /PDBALTPATH:%_PDB% %(AdditionalOptions) 33 | 34 | 35 | 36 | 37 | WINVER=0x0501;_WIN32_WINNT=0x0501;NTDDI_VERSION=0x05010000;%(PreprocessorDefinitions) 38 | WINVER=0x0601;_WIN32_WINNT=0x0601;NTDDI_VERSION=0x06010000;%(PreprocessorDefinitions) 39 | 40 | 41 | 5.1 42 | 6.1 43 | 5.01 44 | 6.01 45 | true 46 | 47 | 48 | 49 | 50 | WINVER=0x0502;_WIN32_WINNT=0x0502;NTDDI_VERSION=0x05020000;%(PreprocessorDefinitions) 51 | WINVER=0x0601;_WIN32_WINNT=0x0601;NTDDI_VERSION=0x06010000;%(PreprocessorDefinitions) 52 | 53 | 54 | 5.2 55 | 6.1 56 | 5.02 57 | 6.01 58 | 59 | 60 | 61 | 62 | $(IntDir) 63 | 64 | 65 | $(OutDir) 66 | 67 | 68 | -------------------------------------------------------------------------------- /Scylla/scylla.release.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | MaxSpeed 7 | Speed 8 | true 9 | MultiThreaded 10 | Default 11 | false 12 | 13 | 14 | true 15 | true 16 | true 17 | 18 | 19 | -------------------------------------------------------------------------------- /ScyllaHideGenericPlugin/ScyllaHideGenericPlugin.cpp: -------------------------------------------------------------------------------- 1 | #include "ScyllaHideGenericPlugin.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "..\PluginGeneric\Injector.h" 9 | 10 | struct HookStatus 11 | { 12 | HookStatus() 13 | : ProcessId(0), 14 | bHooked(false), 15 | specialPebFix(false) 16 | { 17 | } 18 | 19 | DWORD ProcessId; 20 | bool bHooked; 21 | bool specialPebFix; 22 | }; 23 | 24 | typedef void(__cdecl * t_AttachProcess)(DWORD dwPID); 25 | 26 | #ifdef _WIN64 27 | const WCHAR g_scyllaHideDllFilename[] = L"HookLibraryx64.dll"; 28 | #else 29 | const WCHAR g_scyllaHideDllFilename[] = L"HookLibraryx86.dll"; 30 | #endif 31 | 32 | scl::Settings g_settings; 33 | scl::Logger g_log; 34 | std::wstring g_scyllaHideDllPath; 35 | std::wstring g_scyllaHideIniPath; 36 | 37 | HOOK_DLL_DATA g_hdd; 38 | 39 | //globals 40 | static HMODULE hNtdllModule = 0; 41 | static std::unordered_map hookStatusMap; 42 | 43 | static void LogCallback(const wchar_t *msg) 44 | { 45 | _putws(msg); 46 | } 47 | 48 | DLL_EXPORT void ScyllaHideDebugLoop(const DEBUG_EVENT* DebugEvent) 49 | { 50 | auto pid = DebugEvent->dwProcessId; 51 | auto status = HookStatus(); 52 | auto found = hookStatusMap.find(pid); 53 | if (found == hookStatusMap.end()) 54 | hookStatusMap[pid] = status; 55 | else 56 | status = hookStatusMap[pid]; 57 | 58 | if (g_settings.opts().fixPebHeapFlags) 59 | { 60 | if (status.specialPebFix) 61 | { 62 | StartFixBeingDebugged(status.ProcessId, false); 63 | status.specialPebFix = false; 64 | } 65 | 66 | if (DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule) 67 | { 68 | StartFixBeingDebugged(status.ProcessId, true); 69 | status.specialPebFix = true; 70 | } 71 | } 72 | 73 | switch (DebugEvent->dwDebugEventCode) 74 | { 75 | case CREATE_PROCESS_DEBUG_EVENT: 76 | { 77 | status.ProcessId = DebugEvent->dwProcessId; 78 | status.bHooked = false; 79 | ZeroMemory(&g_hdd, sizeof(HOOK_DLL_DATA)); 80 | 81 | if (DebugEvent->u.CreateProcessInfo.lpStartAddress == NULL) 82 | { 83 | //ATTACH 84 | if (g_settings.opts().killAntiAttach) 85 | { 86 | if (!ApplyAntiAntiAttach(status.ProcessId)) 87 | { 88 | g_log.LogError(L"Anti-Anti-Attach failed"); 89 | } 90 | } 91 | } 92 | 93 | break; 94 | } 95 | 96 | case LOAD_DLL_DEBUG_EVENT: 97 | { 98 | if (status.bHooked) 99 | { 100 | startInjection(status.ProcessId, &g_hdd, g_scyllaHideDllPath.c_str(), false); 101 | } 102 | 103 | break; 104 | } 105 | 106 | case EXCEPTION_DEBUG_EVENT: 107 | { 108 | switch (DebugEvent->u.Exception.ExceptionRecord.ExceptionCode) 109 | { 110 | case STATUS_BREAKPOINT: 111 | { 112 | if (!status.bHooked) 113 | { 114 | ReadNtApiInformation(&g_hdd); 115 | 116 | status.bHooked = true; 117 | startInjection(status.ProcessId, &g_hdd, g_scyllaHideDllPath.c_str(), true); 118 | } 119 | 120 | break; 121 | } 122 | } 123 | 124 | break; 125 | } 126 | } 127 | 128 | hookStatusMap[pid] = status; 129 | } 130 | 131 | DLL_EXPORT void ScyllaHideReset() 132 | { 133 | ZeroMemory(&g_hdd, sizeof(HOOK_DLL_DATA)); 134 | hookStatusMap.clear(); 135 | } 136 | 137 | DLL_EXPORT void ScyllaHideInit(const WCHAR* Directory, LOGWRAPPER Logger, LOGWRAPPER ErrorLogger) 138 | { 139 | hNtdllModule = GetModuleHandleW(L"ntdll.dll"); 140 | 141 | std::wstring wstrPath; 142 | 143 | if (Directory) 144 | { 145 | wstrPath = Directory; 146 | if (wstrPath.back() != L'\\') 147 | wstrPath += L'\\'; 148 | } else 149 | { 150 | wstrPath = scl::GetModuleFileNameW(); 151 | wstrPath.resize(wstrPath.find_last_of(L'\\') + 1); 152 | } 153 | 154 | g_scyllaHideDllPath = wstrPath + g_scyllaHideDllFilename; 155 | g_scyllaHideIniPath = wstrPath + scl::Settings::kFileName; 156 | 157 | auto log_file = wstrPath + scl::Logger::kFileName; 158 | g_log.SetLogFile(log_file.c_str()); 159 | 160 | auto log_cb = Logger ? Logger : LogCallback; 161 | auto log_err_cb = ErrorLogger ? ErrorLogger : LogCallback; 162 | g_log.SetLogCb(scl::Logger::Info, log_cb); 163 | g_log.SetLogCb(scl::Logger::Error, log_err_cb); 164 | 165 | g_settings.Load(g_scyllaHideIniPath.c_str()); 166 | } 167 | -------------------------------------------------------------------------------- /ScyllaHideGenericPlugin/ScyllaHideGenericPlugin.h: -------------------------------------------------------------------------------- 1 | #ifndef SCYLLAHIDE_GENERIC_PLUGIN_H 2 | #define SCYLLAHIDE_GENERIC_PLUGIN_H 3 | 4 | #include 5 | 6 | #ifdef SCYLLAHIDEGENERICPLUGIN_EXPORTS 7 | #define DLL_EXPORT extern "C" __declspec(dllexport) 8 | #else 9 | #define DLL_EXPORT extern "C" __declspec(dllimport) 10 | #endif 11 | 12 | typedef void(__cdecl * LOGWRAPPER)(const wchar_t *msg); 13 | 14 | DLL_EXPORT void ScyllaHideInit(const WCHAR* Directory = NULL, LOGWRAPPER Logger = NULL, LOGWRAPPER ErrorLogger = NULL); 15 | DLL_EXPORT void ScyllaHideReset(); 16 | DLL_EXPORT void ScyllaHideDebugLoop(const DEBUG_EVENT* DebugEvent); 17 | 18 | #endif //SCYLLAHIDE_GENERIC_PLUGIN_H 19 | -------------------------------------------------------------------------------- /ScyllaHideGenericPlugin/ScyllaHideGenericPlugin.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 6 | h;hpp;hxx;hm;inl;inc;xsd 7 | 8 | 9 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 10 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | -------------------------------------------------------------------------------- /ScyllaHideIDAProPlugin/IdaServerClient.cpp: -------------------------------------------------------------------------------- 1 | #include "IdaServerClient.h" 2 | #include 3 | #include 4 | #include 5 | 6 | #include "..\ScyllaHideIDAServer\IdaServerExchange.h" 7 | #include "..\PluginGeneric\Injector.h" 8 | 9 | #pragma comment (lib, "Ws2_32.lib") 10 | 11 | extern scl::Settings g_settings; 12 | 13 | 14 | SOCKET serverSock = INVALID_SOCKET; 15 | WSADATA wsaData; 16 | 17 | IDA_SERVER_EXCHANGE idaExchange = {0}; 18 | extern wchar_t DllPathForInjection[MAX_PATH]; 19 | 20 | bool StartWinsock() 21 | { 22 | bool isWinsockUp = true; 23 | 24 | int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData); 25 | if (iResult != 0) 26 | { 27 | isWinsockUp = false; 28 | } 29 | 30 | return isWinsockUp; 31 | } 32 | 33 | bool SendInjectToServer(unsigned long ProcessId) 34 | { 35 | return SendEventToServer(inject_dll, ProcessId); 36 | } 37 | 38 | bool SendEventToServer(unsigned long notif_code, unsigned long ProcessId) 39 | { 40 | idaExchange.notif_code = notif_code; 41 | idaExchange.ProcessId = ProcessId; 42 | 43 | idaExchange.EnablePebBeingDebugged = g_settings.opts().fixPebBeingDebugged; 44 | idaExchange.EnablePebHeapFlags = g_settings.opts().fixPebHeapFlags; 45 | idaExchange.EnablePebNtGlobalFlag = g_settings.opts().fixPebNtGlobalFlag; 46 | idaExchange.EnablePebStartupInfo = g_settings.opts().fixPebStartupInfo; 47 | idaExchange.EnablePebOsBuildNumber = g_settings.opts().fixPebOsBuildNumber; 48 | idaExchange.EnableOutputDebugStringHook = g_settings.opts().hookOutputDebugStringA; 49 | idaExchange.EnableNtSetInformationThreadHook = g_settings.opts().hookNtSetInformationThread; 50 | idaExchange.EnableNtQueryInformationProcessHook = g_settings.opts().hookNtQueryInformationProcess; 51 | idaExchange.EnableNtQuerySystemInformationHook = g_settings.opts().hookNtQuerySystemInformation; 52 | idaExchange.EnableNtQueryObjectHook = g_settings.opts().hookNtQueryObject; 53 | idaExchange.EnableNtYieldExecutionHook = g_settings.opts().hookNtYieldExecution; 54 | idaExchange.EnableNtCloseHook = g_settings.opts().hookNtClose; 55 | idaExchange.EnableNtCreateThreadExHook = g_settings.opts().hookNtCreateThreadEx; 56 | idaExchange.EnablePreventThreadCreation = g_settings.opts().preventThreadCreation; 57 | 58 | idaExchange.EnableNtGetContextThreadHook = g_settings.opts().hookNtGetContextThread; 59 | idaExchange.EnableNtSetContextThreadHook = g_settings.opts().hookNtSetContextThread; 60 | idaExchange.EnableNtContinueHook = g_settings.opts().hookNtContinue; 61 | idaExchange.EnableKiUserExceptionDispatcherHook = g_settings.opts().hookKiUserExceptionDispatcher; 62 | idaExchange.EnableNtSetInformationProcessHook = g_settings.opts().hookNtSetInformationProcess; 63 | idaExchange.EnableMalwareRunPeUnpacker = g_settings.opts().malwareRunpeUnpacker; 64 | 65 | idaExchange.EnableGetTickCountHook = g_settings.opts().hookGetTickCount; 66 | idaExchange.EnableGetTickCount64Hook = g_settings.opts().hookGetTickCount64; 67 | idaExchange.EnableGetLocalTimeHook = g_settings.opts().hookGetLocalTime; 68 | idaExchange.EnableGetSystemTimeHook = g_settings.opts().hookGetSystemTime; 69 | idaExchange.EnableNtQuerySystemTimeHook = g_settings.opts().hookNtQuerySystemTime; 70 | idaExchange.EnableNtQueryPerformanceCounterHook = g_settings.opts().hookNtQueryPerformanceCounter; 71 | 72 | idaExchange.EnableNtUserBlockInputHook = g_settings.opts().hookNtUserBlockInput; 73 | idaExchange.EnableNtUserFindWindowExHook = g_settings.opts().hookNtUserFindWindowEx; 74 | idaExchange.EnableNtUserBuildHwndListHook = g_settings.opts().hookNtUserBuildHwndList; 75 | idaExchange.EnableNtUserQueryWindowHook = g_settings.opts().hookNtUserQueryWindow; 76 | idaExchange.EnableNtUserGetForegroundWindowHook = g_settings.opts().hookNtUserGetForegroundWindow; 77 | idaExchange.EnableNtSetDebugFilterStateHook = g_settings.opts().hookNtSetDebugFilterState; 78 | idaExchange.DllInjectNormal = g_settings.opts().dllNormal; 79 | idaExchange.DllInjectStealth = g_settings.opts().dllStealth; 80 | idaExchange.UnloadDllAfterInjection = g_settings.opts().dllUnload; 81 | 82 | wcscpy_s(idaExchange.DllPathForInjection, DllPathForInjection); 83 | 84 | 85 | int iResult = send(serverSock, (char*)&idaExchange, (int)sizeof(IDA_SERVER_EXCHANGE), 0); 86 | if (iResult == SOCKET_ERROR) 87 | { 88 | //printf("send failed with error: %d\n", WSAGetLastError()); 89 | return false; 90 | } 91 | 92 | idaExchange.result = RESULT_FAILED; 93 | 94 | iResult = recv(serverSock, (char*)&idaExchange, (int)sizeof(IDA_SERVER_EXCHANGE), 0); 95 | 96 | if (iResult == sizeof(IDA_SERVER_EXCHANGE)) 97 | { 98 | if (idaExchange.result == RESULT_SUCCESS) 99 | { 100 | return true; 101 | } 102 | } 103 | 104 | return false; 105 | } 106 | 107 | void CloseServerSocket() 108 | { 109 | closesocket(serverSock); 110 | serverSock = INVALID_SOCKET; 111 | } 112 | 113 | bool ConnectToServer(const char * host, const char * port) 114 | { 115 | int iResult; 116 | struct addrinfo *result = NULL, 117 | *ptr = NULL, 118 | hints; 119 | 120 | ZeroMemory( &hints, sizeof(hints) ); 121 | hints.ai_family = AF_UNSPEC; 122 | hints.ai_socktype = SOCK_STREAM; 123 | hints.ai_protocol = IPPROTO_TCP; 124 | 125 | // Resolve the server address and port 126 | iResult = getaddrinfo(host, port, &hints, &result); 127 | if ( iResult != 0 ) 128 | { 129 | //printf("getaddrinfo failed with error: %d\n", iResult); 130 | return false; 131 | } 132 | 133 | // Attempt to connect to an address until one succeeds 134 | for(ptr=result; ptr != NULL ;ptr=ptr->ai_next) 135 | { 136 | 137 | // Create a SOCKET for connecting to server 138 | serverSock = socket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol); 139 | if (serverSock == INVALID_SOCKET) 140 | { 141 | //printf("socket failed with error: %ld\n", WSAGetLastError()); 142 | return false; 143 | } 144 | 145 | // Connect to server. 146 | iResult = connect( serverSock, ptr->ai_addr, (int)ptr->ai_addrlen); 147 | if (iResult == SOCKET_ERROR) 148 | { 149 | closesocket(serverSock); 150 | serverSock = INVALID_SOCKET; 151 | continue; 152 | } 153 | else 154 | { 155 | break; 156 | } 157 | } 158 | 159 | freeaddrinfo(result); 160 | 161 | if (serverSock == INVALID_SOCKET) 162 | { 163 | //printf("Unable to connect to server!\n"); 164 | return false; 165 | } 166 | else 167 | { 168 | return true; 169 | } 170 | } 171 | 172 | //input: tcp:port=5000,server=localhost 173 | //OR 174 | //input: IP 175 | //IDA v6 BUG!!!!!!! 176 | bool GetHost(char * input, char * output) 177 | { 178 | char * t = strstr(input, "server="); 179 | if (t) 180 | { 181 | t += 7; 182 | strcpy(output, t); 183 | } 184 | else 185 | { 186 | strcpy(output, input); 187 | } 188 | 189 | return true; 190 | } 191 | -------------------------------------------------------------------------------- /ScyllaHideIDAProPlugin/IdaServerClient.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | bool StartWinsock(); 4 | bool ConnectToServer(const char * host, const char * port); 5 | bool SendEventToServer(unsigned long notif_code, unsigned long ProcessId); 6 | void CloseServerSocket(); 7 | bool GetHost(char * input, char * output); 8 | bool SendInjectToServer(unsigned long ProcessId); 9 | -------------------------------------------------------------------------------- /ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.rc -------------------------------------------------------------------------------- /ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | 16.0 15 | {A94B6222-ABEF-41A0-BE48-06801157AAA5} 16 | Win32Proj 17 | ScyllaHideIDAProPlugin 18 | 10.0 19 | 20 | 21 | 22 | DynamicLibrary 23 | true 24 | Unicode 25 | v142 26 | false 27 | false 28 | 14.27.29110 29 | 30 | 31 | DynamicLibrary 32 | false 33 | true 34 | Unicode 35 | v142 36 | false 37 | false 38 | 14.27.29110 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | false 58 | .plw 59 | 60 | 61 | false 62 | .plw 63 | 64 | 65 | 66 | WIN32;_DEBUG;_WINDOWS;__NT__;__IDP__;%(PreprocessorDefinitions) 67 | 68 | 69 | Windows 70 | 71 | 72 | 73 | 74 | WIN32;NDEBUG;_WINDOWS;__NT__;__IDP__;%(PreprocessorDefinitions) 75 | 76 | 77 | Windows 78 | false 79 | true 80 | true 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | -------------------------------------------------------------------------------- /ScyllaHideIDAProPlugin/ScyllaHideIDAProPlugin.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 6 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 7 | 8 | 9 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 10 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 11 | 12 | 13 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 14 | h;hpp;hxx;hm;inl;inc;xsd 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | Source Files 44 | 45 | 46 | 47 | 48 | Resource Files 49 | 50 | 51 | 52 | 53 | Header Files 54 | 55 | 56 | Header Files 57 | 58 | 59 | Header Files 60 | 61 | 62 | Header Files 63 | 64 | 65 | Header Files 66 | 67 | 68 | Header Files 69 | 70 | 71 | Header Files 72 | 73 | 74 | Header Files 75 | 76 | 77 | Header Files 78 | 79 | 80 | 81 | 82 | Resource Files 83 | 84 | 85 | Resource Files 86 | 87 | 88 | Resource Files 89 | 90 | 91 | -------------------------------------------------------------------------------- /ScyllaHideIDAProPlugin/resource.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideIDAProPlugin/resource.h -------------------------------------------------------------------------------- /ScyllaHideIDAServer/Icon.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideIDAServer/Icon.rc -------------------------------------------------------------------------------- /ScyllaHideIDAServer/IdaServerExchange.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define IDA_SERVER_DEFAULT_PORT_TEXT "1337" 4 | #define IDA_SERVER_DEFAULT_PORT 1337 5 | 6 | enum server_dbg_notification_t 7 | { 8 | dbg_null = 0, 9 | 10 | // debugger low-level event notifications (see IDD.HPP for details). 11 | 12 | dbg_process_start, // Parameter: const debug_event_t *event 13 | // This event notification is also an asynchronous 14 | // function result notification for start_process() ! 15 | 16 | dbg_process_exit, // Parameter: const debug_event_t *event 17 | // This event notification is also an asynchronous 18 | // function result notification for exit_process() ! 19 | 20 | dbg_process_attach, // Parameter: const debug_event_t *event 21 | // This event notification is also an asynchronous 22 | // function result notification for attach_process() ! 23 | 24 | dbg_process_detach, // Parameter: const debug_event_t *event 25 | // This event notification is also an asynchronous 26 | // function result notification for detach_process() ! 27 | 28 | dbg_thread_start, // Parameter: const debug_event_t *event 29 | 30 | dbg_thread_exit, // Parameter: const debug_event_t *event 31 | 32 | dbg_library_load, // Parameter: const debug_event_t *event 33 | 34 | dbg_library_unload, // Parameter: const debug_event_t *event 35 | 36 | dbg_information, // Parameter: const debug_event_t *event 37 | 38 | dbg_exception, // Parameters: const debug_event_t *event 39 | // int *warn = -1 40 | // Return (in *warn): 41 | // -1 - to display an exception warning dialog 42 | // if the process is suspended. 43 | // 0 - to never display an exception warning dialog. 44 | // 1 - to always display an exception warning dialog. 45 | 46 | // debugger high-level event notifications 47 | 48 | dbg_suspend_process, // The process is now suspended. 49 | // Parameter: const debug_event_t *event 50 | // This event notification is also an asynchronous 51 | // function result notification for suspend_process() ! 52 | 53 | dbg_bpt, // A user defined breakpoint was reached. 54 | // Parameters: thid_t tid 55 | // ea_t bptea 56 | // int *warn = -1 57 | // Return (in *warn): 58 | // -1 - to display a breakpoint warning dialog 59 | // if the process is suspended. 60 | // 0 - to never display a breakpoint warning dialog. 61 | // 1 - to always display a breakpoint warning dialog. 62 | 63 | dbg_trace, // A step occured (one instruction was executed). This event 64 | // notification is only generated if step tracing is enabled. 65 | // Parameters: thid_t tid 66 | // ea_t ip 67 | // Returns: 1-do not log this trace event; 0-log it 68 | 69 | dbg_request_error, // An error occured during the processing of a request. 70 | // Parameters: ui_notification_t failed_command 71 | // dbg_notification_t failed_dbg_notification 72 | 73 | dbg_step_into, // Parameter: const debug_event_t *event 74 | 75 | dbg_step_over, // Parameter: const debug_event_t *event 76 | 77 | dbg_run_to, // Parameter: const debug_event_t *event 78 | 79 | dbg_step_until_ret, // Parameter: const debug_event_t *event 80 | 81 | dbg_bpt_changed, // Breakpoint has been changed 82 | 83 | inject_dll 84 | }; 85 | 86 | #define RESULT_SUCCESS 1 87 | #define RESULT_FAILED 0 88 | 89 | typedef struct _IDA_SERVER_EXCHANGE 90 | { 91 | unsigned long result; 92 | unsigned long notif_code; //server_dbg_notification_t 93 | unsigned long ProcessId; 94 | 95 | unsigned char EnablePebBeingDebugged; 96 | unsigned char EnablePebHeapFlags; 97 | unsigned char EnablePebNtGlobalFlag; 98 | unsigned char EnablePebStartupInfo; 99 | unsigned char EnablePebOsBuildNumber; 100 | 101 | unsigned char EnableOutputDebugStringHook; 102 | 103 | unsigned char EnableNtSetInformationThreadHook; 104 | unsigned char EnableNtQuerySystemInformationHook; 105 | unsigned char EnableNtQueryInformationProcessHook; 106 | unsigned char EnableNtSetInformationProcessHook; 107 | unsigned char EnableNtQueryObjectHook; 108 | unsigned char EnableNtYieldExecutionHook; 109 | unsigned char EnableNtCloseHook; 110 | unsigned char EnableMalwareRunPeUnpacker; 111 | 112 | unsigned char EnablePreventThreadCreation; 113 | unsigned char EnableNtCreateThreadExHook; 114 | 115 | //Protect and Hide Hardware Breakpoints 116 | unsigned char EnableNtGetContextThreadHook; 117 | unsigned char EnableNtSetContextThreadHook; 118 | unsigned char EnableNtContinueHook; 119 | unsigned char EnableKiUserExceptionDispatcherHook; 120 | 121 | unsigned char EnableNtUserBlockInputHook; 122 | unsigned char EnableNtUserQueryWindowHook; 123 | unsigned char EnableNtUserGetForegroundWindowHook; 124 | unsigned char EnableNtUserBuildHwndListHook; 125 | unsigned char EnableNtUserFindWindowExHook; 126 | unsigned char EnableNtSetDebugFilterStateHook; 127 | 128 | unsigned char EnableGetTickCountHook; 129 | unsigned char EnableGetTickCount64Hook; 130 | unsigned char EnableGetLocalTimeHook; 131 | unsigned char EnableGetSystemTimeHook; 132 | unsigned char EnableNtQuerySystemTimeHook; 133 | unsigned char EnableNtQueryPerformanceCounterHook; 134 | 135 | unsigned char DllInjectStealth; 136 | unsigned char DllInjectNormal; 137 | unsigned char UnloadDllAfterInjection; 138 | wchar_t DllPathForInjection[300]; 139 | } IDA_SERVER_EXCHANGE; -------------------------------------------------------------------------------- /ScyllaHideIDAServer/ScyllaHideIDAServer.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 6 | h;hpp;hxx;hm;inl;inc;xsd 7 | 8 | 9 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 10 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files 61 | 62 | 63 | 64 | 65 | Resource Files 66 | 67 | 68 | 69 | 70 | Resource Files 71 | 72 | 73 | -------------------------------------------------------------------------------- /ScyllaHideIDAServer/idaserver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #pragma comment (lib, "Ws2_32.lib") 9 | #pragma comment (lib, "Mswsock.lib") 10 | #pragma comment (lib, "AdvApi32.lib") 11 | 12 | BOOL startWinsock(); 13 | void startListen(); 14 | void handleClient( SOCKET ClientSocket ); 15 | 16 | 17 | -------------------------------------------------------------------------------- /ScyllaHideIDAServer/resource.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideIDAServer/resource.h -------------------------------------------------------------------------------- /ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.rc -------------------------------------------------------------------------------- /ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | 16.0 15 | {79774D44-ED2A-4FD2-9224-40AF0A590410} 16 | Win32Proj 17 | ScyllaHideOlly1Plugin 18 | 10.0 19 | 20 | 21 | 22 | DynamicLibrary 23 | true 24 | Unicode 25 | v142 26 | false 27 | false 28 | 14.27.29110 29 | 30 | 31 | DynamicLibrary 32 | false 33 | true 34 | Unicode 35 | v142 36 | false 37 | false 38 | 14.27.29110 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | false 58 | 59 | 60 | false 61 | false 62 | 63 | 64 | 65 | WIN32;_DEBUG;_WINDOWS;_USRDLL;SCYLLAHIDEOLLY1PLUGIN_EXPORTS;OLLY1;%(PreprocessorDefinitions) 66 | 67 | 68 | Windows 69 | 70 | 71 | 72 | 73 | WIN32;NDEBUG;_WINDOWS;_USRDLL;SCYLLAHIDEOLLY1PLUGIN_EXPORTS;OLLY1;%(PreprocessorDefinitions) 74 | 75 | 76 | Windows 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | -------------------------------------------------------------------------------- /ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 6 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 7 | 8 | 9 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 10 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 11 | 12 | 13 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 14 | h;hpp;hxx;hm;inl;inc;xsd 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | Source Files 44 | 45 | 46 | Source Files 47 | 48 | 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files 61 | 62 | 63 | Header Files 64 | 65 | 66 | Header Files 67 | 68 | 69 | Header Files 70 | 71 | 72 | Header Files 73 | 74 | 75 | Header Files 76 | 77 | 78 | Header Files 79 | 80 | 81 | 82 | 83 | Resource Files 84 | 85 | 86 | 87 | 88 | Resource Files 89 | 90 | 91 | Resource Files 92 | 93 | 94 | Resource Files 95 | 96 | 97 | -------------------------------------------------------------------------------- /ScyllaHideOlly1Plugin/olly1patches.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #pragma pack(push) 5 | #include 6 | #pragma pack(pop) 7 | 8 | #define ADDR_TYPE_RVA 2 9 | #define ADDR_TYPE_OFFSET 3 10 | 11 | void fixBadPEBugs(); 12 | void fixForegroundWindow(); 13 | void fixX64Bug(); 14 | void fixFPUBug(); 15 | void patchEPOutsideCode(); 16 | void hookOllyBreakpoints(); 17 | void fixSprintfBug(); 18 | DWORD _stdcall removeEPBreak(LPVOID lpParam); 19 | void ReadTlsAndSetBreakpoints(DWORD dwProcessId, LPVOID baseofImage); 20 | void advcancedCtrlG(); 21 | bool advancedCtrlG_handleGotoExpression(int addrType); 22 | void fixBadPEImage(); 23 | void skipCompressedCode(); 24 | void skipLoadDll(); 25 | void fixNTSymbols(); 26 | void fixFaultyHandleOnExit(); 27 | void hookOllyWindowProcs(); 28 | 29 | //hooks 30 | void handleBreakpoints(); 31 | void handleSprintf(); 32 | void advancedCtrlG_WMINIT(); 33 | void advancedCtrlG_WMCOMMAND(); 34 | void advancedCtrlG_Save(); 35 | void hookedOllyWindowProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam); 36 | -------------------------------------------------------------------------------- /ScyllaHideOlly1Plugin/resource.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideOlly1Plugin/resource.h -------------------------------------------------------------------------------- /ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.rc -------------------------------------------------------------------------------- /ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | 16.0 15 | {9EEA6D78-4E74-47B9-8746-B8754B15525D} 16 | Win32Proj 17 | ScyllaHideOlly2Plugin 18 | 10.0 19 | 20 | 21 | 22 | DynamicLibrary 23 | true 24 | Unicode 25 | v142 26 | false 27 | false 28 | 14.27.29110 29 | 30 | 31 | DynamicLibrary 32 | false 33 | true 34 | Unicode 35 | v142 36 | false 37 | false 38 | 14.27.29110 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | false 58 | 59 | 60 | false 61 | false 62 | false 63 | 64 | 65 | 66 | WIN32;_DEBUG;_WINDOWS;OLLY2;%(PreprocessorDefinitions) 67 | /J %(AdditionalOptions) 68 | 69 | 70 | Windows 71 | 72 | 73 | 74 | 75 | WIN32;NDEBUG;_WINDOWS;OLLY2;%(PreprocessorDefinitions) 76 | /J %(AdditionalOptions) 77 | 78 | 79 | Windows 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | -------------------------------------------------------------------------------- /ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 6 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 7 | 8 | 9 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 10 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 11 | 12 | 13 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 14 | h;hpp;hxx;hm;inl;inc;xsd 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | Source Files 44 | 45 | 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files 61 | 62 | 63 | Header Files 64 | 65 | 66 | Header Files 67 | 68 | 69 | Header Files 70 | 71 | 72 | Header Files 73 | 74 | 75 | Header Files 76 | 77 | 78 | 79 | 80 | Resource Files 81 | 82 | 83 | 84 | 85 | Resource Files 86 | 87 | 88 | Resource Files 89 | 90 | 91 | Resource Files 92 | 93 | 94 | -------------------------------------------------------------------------------- /ScyllaHideOlly2Plugin/resource.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideOlly2Plugin/resource.h -------------------------------------------------------------------------------- /ScyllaHideTEPlugin/ScyllaHideTEPlugin.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "..\PluginGeneric\Injector.h" 9 | 10 | #ifndef DLL_EXPORT 11 | #define DLL_EXPORT __declspec(dllexport) 12 | #endif 13 | 14 | #ifdef _WIN64 15 | const WCHAR g_scyllaHideDllFilename[] = L"HookLibraryx64.dll"; 16 | #else 17 | const WCHAR g_scyllaHideDllFilename[] = L"HookLibraryx86.dll"; 18 | #endif 19 | 20 | scl::Settings g_settings; 21 | scl::Logger g_log; 22 | std::wstring g_scyllaHideDllPath; 23 | std::wstring g_scyllaHideIniPath; 24 | 25 | HOOK_DLL_DATA g_hdd; 26 | 27 | bool bHooked; 28 | DWORD ProcessId; 29 | 30 | static void LogCallback(const wchar_t *msg) 31 | { 32 | } 33 | 34 | static bool SetDebugPrivileges() 35 | { 36 | TOKEN_PRIVILEGES Debug_Privileges; 37 | bool retVal = false; 38 | 39 | if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Debug_Privileges.Privileges[0].Luid)) 40 | { 41 | HANDLE hToken = 0; 42 | if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) 43 | { 44 | Debug_Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 45 | Debug_Privileges.PrivilegeCount = 1; 46 | 47 | retVal = AdjustTokenPrivileges(hToken, FALSE, &Debug_Privileges, 0, NULL, NULL) != FALSE; 48 | 49 | CloseHandle(hToken); 50 | } 51 | } 52 | 53 | return retVal; 54 | } 55 | 56 | extern "C" DLL_EXPORT void TitanDebuggingCallBack(LPDEBUG_EVENT debugEvent, int CallReason) 57 | { 58 | switch(CallReason) 59 | { 60 | case UE_PLUGIN_CALL_REASON_EXCEPTION: 61 | { 62 | switch(debugEvent->dwDebugEventCode) 63 | { 64 | case CREATE_PROCESS_DEBUG_EVENT: 65 | { 66 | ProcessId=debugEvent->dwProcessId; 67 | bHooked = false; 68 | ZeroMemory(&g_hdd, sizeof(HOOK_DLL_DATA)); 69 | break; 70 | } 71 | 72 | case LOAD_DLL_DEBUG_EVENT: 73 | { 74 | if (bHooked) 75 | { 76 | startInjection(ProcessId, &g_hdd, g_scyllaHideDllPath.c_str(), false); 77 | } 78 | break; 79 | } 80 | case EXCEPTION_DEBUG_EVENT: 81 | { 82 | switch(debugEvent->u.Exception.ExceptionRecord.ExceptionCode) 83 | { 84 | case STATUS_BREAKPOINT: 85 | { 86 | if (!bHooked) 87 | { 88 | ReadNtApiInformation(&g_hdd); 89 | 90 | bHooked = true; 91 | startInjection(ProcessId, &g_hdd, g_scyllaHideDllPath.c_str(), true); 92 | } 93 | break; 94 | } 95 | 96 | } 97 | 98 | break; 99 | } 100 | 101 | } 102 | } 103 | break; 104 | } 105 | } 106 | 107 | extern "C" DLL_EXPORT bool TitanRegisterPlugin(char* szPluginName, DWORD* titanPluginMajorVersion, DWORD* titanPluginMinorVersion) 108 | { 109 | if(titanPluginMajorVersion && titanPluginMinorVersion) 110 | { 111 | *titanPluginMajorVersion = SCYLLA_HIDE_VERSION_MAJOR; 112 | *titanPluginMinorVersion = SCYLLA_HIDE_VERSION_MINOR; 113 | strncpy_s(szPluginName, sizeof(SCYLLA_HIDE_NAME_A), SCYLLA_HIDE_NAME_A, _TRUNCATE); 114 | return true; 115 | } 116 | return false; 117 | } 118 | 119 | BOOL WINAPI DllMain(HINSTANCE hInstDll, DWORD dwReason, LPVOID lpReserved) 120 | { 121 | if (dwReason == DLL_PROCESS_ATTACH) 122 | { 123 | auto wstrPath = scl::GetModuleFileNameW(hInstDll); 124 | wstrPath.resize(wstrPath.find_last_of(L'\\') + 1); 125 | 126 | g_scyllaHideDllPath = wstrPath + g_scyllaHideDllFilename; 127 | g_scyllaHideIniPath = wstrPath + scl::Settings::kFileName; 128 | 129 | auto log_file = wstrPath + scl::Logger::kFileName; 130 | g_log.SetLogFile(log_file.c_str()); 131 | g_log.SetLogCb(scl::Logger::Info, LogCallback); 132 | g_log.SetLogCb(scl::Logger::Error, LogCallback); 133 | 134 | g_settings.Load(g_scyllaHideIniPath.c_str()); 135 | 136 | SetDebugPrivileges(); 137 | } 138 | return TRUE; 139 | } 140 | -------------------------------------------------------------------------------- /ScyllaHideTEPlugin/ScyllaHideTEPlugin.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 6 | h;hpp;hxx;hm;inl;inc;xsd 7 | 8 | 9 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 10 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | -------------------------------------------------------------------------------- /ScyllaHideX64DBGPlugin/Ghost-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideX64DBGPlugin/Ghost-icon.png -------------------------------------------------------------------------------- /ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.rc -------------------------------------------------------------------------------- /ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 6 | h;hpp;hxx;hm;inl;inc;xsd 7 | 8 | 9 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 10 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Source Files 38 | 39 | 40 | Source Files 41 | 42 | 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files 61 | 62 | 63 | Header Files 64 | 65 | 66 | Header Files 67 | 68 | 69 | 70 | 71 | Resource Files 72 | 73 | 74 | 75 | 76 | Resource Files 77 | 78 | 79 | Resource Files 80 | 81 | 82 | Resource Files 83 | 84 | 85 | Resource Files 86 | 87 | 88 | -------------------------------------------------------------------------------- /ScyllaHideX64DBGPlugin/resource.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/x64dbg/ScyllaHide/baa5c8e853ace2bee752631f27fdfe5b271d92f6/ScyllaHideX64DBGPlugin/resource.h -------------------------------------------------------------------------------- /ScyllaTest/ScyllaTest.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /changelog.txt: -------------------------------------------------------------------------------- 1 | Version 1.x 2 | - All Plugins: Patch PEB64 under Wow64. 3 | - All Plugins: Patch Flags in RTL_USER_PROCESS_PARAMETERS. 4 | - Application for testing ScyllaHide features. 5 | 6 | Version 1.3 7 | - IDA Plugin: Removed attaching support due to IDA SDK bugs 8 | - Other Plugins: Improved Anti-Anti-Attach + 64bit support 9 | 10 | Version 1.2 11 | - All Plugins: New attach dialog with crosshair/bullseye window finder. 12 | - All Plugins: Tooltips with information (unfinished). 13 | - Olly v1 Plugin: Fix for faulty handle bug 14 | - Olly v1 Plugin: Fix for NT symbol path bug added to "Fix Olly Bugs", thanks to redblkjck 15 | 16 | Version 1.1 17 | - Added "thanks" to About 18 | - Added kill anti-attach (for x86 only) 19 | - Olly v1 Plugin: Advanced CTRL+G 20 | - Olly v1 Plugin: Skip "compressed code" message 21 | - Olly v1 Plugin: Ignore bad PE image (WinUPack) 22 | - Olly v1 Plugin: Skip "Load DLL" message 23 | 24 | Version 1.0 25 | 26 | - added sprintf %s Olly1 bugfix to "Fix Olly bugs" 27 | - x64dbg 32/64bit plugins https://github.com/x64dbg/x64dbg 28 | - fixed alignment bug 64bit 29 | 30 | Version 0.9 31 | 32 | - All plugins use separate scylla_hide.ini now. ini is interchangeable between plugins ! 33 | (ini section in ollydbg.ini now deprecated !) 34 | - Load/Save ini profiles in Olly1&2 and IDA plugin 35 | - RunPE malware unpacker 36 | - NtSetInformationProcess Hook in GUI 37 | 38 | Version 0.8 39 | 40 | - Olly v1 Plugin: option "Skip EP outside of code message" 41 | - Fix for NtSetInformationProcess -> ProcessHandleTracing 42 | - All plugins: Update-Check 43 | - Timing Hooks: GetTickCount, GetTickCount64, GetLocalTime, GetSystemTime, NtQuerySystemTime, NtQueryPerformanceCounter 44 | - "Remove Debug Privileges" added 45 | 46 | Version 0.7 47 | 48 | - IDA 64bit plugin 49 | - IDA 32/64bit remote server 50 | - IDA DLL Injection 51 | - IDA option to start x64 server automatically 52 | 53 | Version 0.6 54 | 55 | - IDA 32bit plugin 56 | 57 | Version 0.5 58 | 59 | - NtCreateThreadEx hook 60 | - Prevent Thread creation 61 | (special hook for some protectors like Execryptor. Only use this if you know what you do) 62 | - Split Hide PEB into 4 options (ini option PEB now deprecated) 63 | - Inject DLL option added (2 methods) 64 | - Replaced Olly2 dialog 65 | - Improved "Break on TLS" 66 | 67 | Version 0.4 68 | 69 | - Olly v1/v2 Plugins: Apply hooks without restarting 70 | - Olly v1 Plugin: Added "Break on TLS" 71 | 72 | Version 0.3 73 | 74 | - Fix for Olly plugins caption reset 75 | - Fix STARTUPINFO structure, GetStartupInfoA/W 76 | - Resume/Suspend all Threads in Thread window 77 | - x64 compatibility mode for Olly1 78 | - fix PE-Bugs for Olly1 79 | - fix FPU-Bug for Olly1 80 | - split "Protect DRx" into its options (ini option ProtectDRx now deprecated) 81 | - Fix PEB Patch bug, now Themida works on WinXP 82 | 83 | Version 0.2 84 | 85 | Warning: Since this version, ScyllaHide is not compatbile with Stealth64! You need to remove the Stealth64 plugin. 86 | 87 | - Stealth hooks for 32-bit targets to defeat protectors like Themida 88 | - Olly Plugin: Change olly caption 89 | - Olly v1 Plugin: Remove EP One-Shot Breakpoint for VMProtect 90 | 91 | Version 0.1 92 | 93 | - Init 94 | -------------------------------------------------------------------------------- /release.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | setlocal enableextensions 3 | setlocal enabledelayedexpansion 4 | 5 | @rem build release 6 | 7 | cd %~dp0 8 | 9 | @rem We still support Windows XP in our release builds, and probably will continue to do so for the foreseeable future. 10 | @rem This is controlled by the following env var. Because we don't expect that regular users will want to target XP in their 11 | @rem private local builds, in the normal case (opening VS) this will not be set and the minimum target version is Windows 7. 12 | @rem If you want to make such a "release build", but without XP support and the toolchain requirements that come with it, 13 | @rem call this with USE_XP_TOOLCHAIN set to FALSE 14 | @rem 15 | @rem 'TRUE' is the default value so that if a commit or PR breaks XP compatibility, it will be caught by Github Actions because it runs this build as a CI step. 16 | @rem 17 | @rem The most important (probably not installed on your machine) requirement to build with XP support enabled is *VS2019* with the latest *14.27* VC++ toolchain. 18 | @rem The installer calls this the "16.7 toolchain", the compiler/CRT files themselves are versioned "14.27". 19 | if "%USE_XP_TOOLCHAIN%"=="" ( 20 | set USE_XP_TOOLCHAIN=TRUE 21 | ) 22 | 23 | set PROGRAMFILES32=%PROGRAMFILES(x86)% 24 | if not exist "%PROGRAMFILES(x86)%" set PROGRAMFILES32=%PROGRAMFILES% 25 | 26 | set VSWHERE=%PROGRAMFILES32%\Microsoft Visual Studio\Installer\vswhere.exe 27 | if not exist "%VSWHERE%" ( 28 | echo VS2017/VS2019 installation directory does not exist, or the vswhere.exe tool is missing. 29 | exit /b 30 | ) 31 | 32 | @rem Test if the vswhere tool is actually up to date enough to understand -find syntax (the one on Appveyor isn't) 33 | "%VSWHERE%" -nologo -latest -requires Microsoft.Component.MSBuild -find MSBuild\**\Bin\MSBuild.exe 1>nul 2>&1 34 | if not %ERRORLEVEL%==0 ( 35 | @rem Fetch some version that gets it 36 | echo Fetching vswhere.exe... 37 | curl -O -L https://github.com/microsoft/vswhere/releases/download/3.1.1/vswhere.exe 1>nul 38 | set VSWHERE=vswhere.exe 39 | ) 40 | set MSBUILD= 41 | for /f "usebackq tokens=*" %%i in (`"%VSWHERE%" -nologo -latest -requires Microsoft.Component.MSBuild -find MSBuild\**\Bin\MSBuild.exe`) do ( 42 | set MSBUILD=%%i 43 | ) 44 | set XPTOOLCHAIN_INSTALLED= 45 | for /f "usebackq tokens=*" %%i in (`"%VSWHERE%" -nologo -version [16.0^,17^) -requires Microsoft.VisualStudio.Component.VC.14.27.x86.x64`) do ( 46 | set XPTOOLCHAIN_INSTALLED=%%i 47 | ) 48 | set VS2019INSTALLDIR= 49 | for /f "usebackq tokens=*" %%i in (`"%VSWHERE%" -nologo -version [16.0^,17^) -property installationPath`) do ( 50 | set VS2019INSTALLDIR=%%i 51 | ) 52 | set VS2019SETUP= 53 | for /f "usebackq tokens=*" %%i in (`"%VSWHERE%" -nologo -version [16.0^,17^) -property properties_setupEngineFilePath`) do ( 54 | set VS2019SETUP=%%i 55 | ) 56 | del vswhere.exe 1>nul 2>&1 57 | 58 | if "%MSBUILD%"=="" ( 59 | echo Failed to find MSBuild installation directory. 60 | exit /b 61 | ) 62 | @rem Alternatively if github continues to fuck this up, we can curl the latest VS2019 setup from the hardcoded URL https://aka.ms/vs/16/release/vs_enterprise.exe 63 | if "%USE_XP_TOOLCHAIN%"=="TRUE" ( 64 | if "%VS2019INSTALLDIR%"=="" ( 65 | echo XP toolchain build was requested, but VS2019 install dir could not be found. Set USE_XP_TOOLCHAIN to something other than TRUE if you don't actually need it. 66 | exit /b 67 | ) 68 | if "%XPTOOLCHAIN_INSTALLED%"=="" ( 69 | if "%VS2019SETUP%"=="" ( 70 | echo XP toolchain build was requested, but VS2019 setup.exe could not be found. Set USE_XP_TOOLCHAIN to something other than TRUE if you don't actually need it. 71 | exit /b 72 | ) 73 | echo Sorry buddy, but you need some more VS stuff. Installing it for you now, don't worry. We're gonna take care of this for ya... 74 | @rem Despite '--quiet', this command is not actually quiet. AT ALL. Redirect stdout spam 75 | "%VS2019SETUP%" modify --installPath "%VS2019INSTALLDIR%" --add "Microsoft.VisualStudio.Component.VC.14.27.x86.x64" --add "Microsoft.VisualStudio.Component.VC.14.27.MFC" --add "Microsoft.VisualStudio.Component.VC.14.27.ATL" --norestart --force --quiet 1>nul 76 | if not %ERRORLEVEL%==0 ( 77 | echo Installation failed! 78 | exit /b 79 | ) 80 | echo Installation successful. 81 | ) 82 | @rem Finally, ascend to 14.27 toolchain environment 83 | call "%VS2019INSTALLDIR%\VC\Auxiliary\Build\vcvarsall.bat" amd64 -vcvars_ver=14.27 84 | ) 85 | 86 | "%MSBUILD%" /m /property:Configuration=Release,Platform=Win32 87 | if not %ERRORLEVEL%==0 exit /b 88 | 89 | "%MSBUILD%" /m /property:Configuration=Release,Platform=x64 90 | if not %ERRORLEVEL%==0 exit /b 91 | 92 | rmdir /S /Q Release 93 | xcopy /S /Y ConfigCollection Release\ 94 | 95 | @rem Release structure 96 | mkdir Release\x64dbg\x32\plugins 97 | mkdir Release\x64dbg\x64\plugins 98 | mkdir Release\Olly1 99 | mkdir Release\Olly2 100 | mkdir Release\TitanEngine 101 | mkdir Release\Generic 102 | mkdir Release\IDA 103 | 104 | copy /y /b build\Release\Win32\ScyllaHideGenericPluginx86.dll Release\Generic\ 105 | copy /y /b build\Release\x64\ScyllaHideGenericPluginx64.dll Release\Generic\ 106 | copy /y /b build\Release\Win32\ScyllaHideOlly1Plugin.dll Release\Olly1\ 107 | copy /y /b build\Release\Win32\ScyllaHideOlly2Plugin.dll Release\Olly2\ 108 | copy /y /b build\Release\Win32\ScyllaHideTEPluginx86.dll Release\TitanEngine\ 109 | copy /y /b build\Release\x64\ScyllaHideTEPluginx64.dll Release\TitanEngine\ 110 | copy /y /b build\Release\Win32\ScyllaHideX64DBGPlugin.dp32 Release\x64dbg\x32\plugins\ 111 | copy /y /b build\Release\x64\ScyllaHideX64DBGPlugin.dp64 Release\x64dbg\x64\plugins\ 112 | copy /y /b build\Release\Win32\ScyllaHideIDAProPlugin.plw Release\IDA\ 113 | 114 | xcopy /S /Y build\Release\Win32\*.exe Release\ 115 | xcopy /S /Y build\Release\x64\*.exe Release\ 116 | copy /y /b build\Release\Win32\HookLibraryx86.dll Release\ 117 | copy /y /b build\Release\x64\HookLibraryx64.dll Release\ 118 | 119 | copy /y /b Release\HookLibraryx64.dll Release\x64dbg\x64\plugins\ 120 | copy /y /b Release\HookLibraryx86.dll Release\x64dbg\x32\plugins\ 121 | copy /y /b Release\scylla_hide.ini Release\x64dbg\x64\plugins\ 122 | copy /y /b Release\scylla_hide.ini Release\x64dbg\x32\plugins\ 123 | 124 | copy /y /b Release\scylla_hide.ini Release\Olly1\ 125 | copy /y /b Release\HookLibraryx86.dll Release\Olly1\ 126 | 127 | copy /y /b Release\scylla_hide.ini Release\Olly2\ 128 | copy /y /b Release\HookLibraryx86.dll Release\Olly2\ 129 | 130 | copy /y /b Release\scylla_hide.ini Release\TitanEngine\ 131 | copy /y /b Release\HookLibraryx64.dll Release\TitanEngine\ 132 | copy /y /b Release\HookLibraryx86.dll Release\TitanEngine\ 133 | 134 | copy /y /b Release\scylla_hide.ini Release\Generic\ 135 | copy /y /b Release\HookLibraryx64.dll Release\Generic\ 136 | copy /y /b Release\HookLibraryx86.dll Release\Generic\ 137 | 138 | copy /y /b Release\scylla_hide.ini Release\IDA\ 139 | copy /y /b Release\HookLibraryx64.dll Release\IDA\ 140 | copy /y /b Release\HookLibraryx86.dll Release\IDA\ 141 | move Release\ScyllaHideIDAServer* Release\IDA\ 142 | 143 | exit 0 --------------------------------------------------------------------------------