DbgUiRemoteBreakin not restored about scyllahide HOT 10 OPEN

It doesn't matter because the latest x64dbg doesn't execute this function on attach anymore.

from scyllahide.

I dont think so, when I switch from running x64dbg process to ida64 process with ollymigrate plugin, this API was called and > failure.
So, where can I solve the problem - in the ida pro attachment code, in the scilla plugin or in the ollymigrate plugin?
p.s. when I manually restore API (remove hook) all work as expected

from scyllahide.

from scyllahide.

hook on the function establishes from protection once at the start and does not change anything else there.
For me, there is no problem with scripting to restore the code and not worry about anything at all. I only created an error issue because I thought anti-attach checkbox covered all the options + DgbUiRemoteBreakin.
If this is not a bug but feature, then I no longer have questions with this API.
Regards

from scyllahide.

from scyllahide.

My work chain: x64dbg > Ollymigrate plugin > IDA64. IDA64 failed at this API.
This API is used by IDA Pro when trying to get a migrating process.
Perhaps we misunderstood each other a little.
For me, the question is not whether the API is used in x64dbg, but that scyllahide does not remove protection hook from the API, and the API is not some random one like Beep from kernel32, but a function that is described in some anti-debugging research.
The logic is that API is used in anti-debugging, why is it ignored then with anti-attach? And the fact that the scylla connects to the processes differently is great, except that the standard attachment of another debugger to the process will lead to termination of the process.

from scyllahide.

There is no misunderstanding at all. I agree with you that this should work, here is the relevant code for you to debug why it's not working for you:

from scyllahide.

Ok, what I found:

1. many places where WriteProcessMemory calls in a whole plugin not checked to be BOOL
2. the ApplyAntiAntiAttach function is never called fully, since the checks carried out in the function prologue in compiled dp32 binary do not allow branching even to OpenProcess>GetModuleHandleW>GetProcAddress>VirtualProtectEx etc. sequence
   p.s.
   not sure (I'm not familiar with C++) but maybe problem is here
   

   ScyllaHide/PluginGeneric/Injector.cpp

   Lines 692 to 699 in 2276f14

   	#define DbgBreakPoint_FUNC_SIZE 2
   	#ifdef _WIN64
   	#define DbgUiRemoteBreakin_FUNC_SIZE 0x42
   	#define NtContinue_FUNC_SIZE 11
   	#else
   	#define DbgUiRemoteBreakin_FUNC_SIZE 0x54
   	#define NtContinue_FUNC_SIZE 0x18
   	#endif

from scyllahide.

Any progress on this bug?

from scyllahide.

Not really I'm afraid, I remember running into this myself in the past (this was ages ago) and making an attempt to fix it, but as you can see I never did. From what I recall the code related to this was (still is) simply doing all kinds of things it really has no business doing, and the entire 'kill anti-attach' functionality should just be rewritten from scratch in order for it to be properly fixed or fixable.

I may have time to look into this again later this week, but don't hold your breath.

from scyllahide.