Comments (10)
It doesn't matter because the latest x64dbg doesn't execute this function on attach anymore.
from scyllahide.
I don't think so, when I switch from running x64dbg process to ida64 process with ollymigrate plugin, this API was called and > failure.
So, where can I solve the problem - in the ida pro attachment code, in the scylla plugin or in the ollymigrate plugin?
P.S. When I manually restore the API (remove the hook), everything works as expected.
from scyllahide.
hook on the function establishes from protection once at the start and does not change anything else there.
For me, there is no problem with scripting to restore the code and not worry about anything at all. I only created an error issue because I thought the anti-attach checkbox covered all the options + DbgUiRemoteBreakin.
If this is not a bug but a feature, then I no longer have questions with this API.
Regards
from scyllahide.
My work chain: x64dbg > Ollymigrate plugin > IDA64. IDA64 failed at this API.
This API is used by IDA Pro when trying to get a migrating process.
Perhaps we misunderstood each other a little.
For me, the question is not whether the API is used in x64dbg, but that scyllahide does not remove protection hook from the API, and the API is not some random one like Beep from kernel32, but a function that is described in some anti-debugging research.
The logic is that API is used in anti-debugging, why is it ignored then with anti-attach? And the fact that the scylla connects to the processes differently is great, except that the standard attachment of another debugger to the process will lead to termination of the process.
from scyllahide.
There is no misunderstanding at all. I agree with you that this should work, here is the relevant code for you to debug why it's not working for you:
ScyllaHide/PluginGeneric/Injector.cpp
Line 720 in 2276f14
from scyllahide.
Ok, what I found:
- many places where WriteProcessMemory calls in the whole plugin are not checked to be BOOL
- the ApplyAntiAntiAttach function is never called fully, since the checks carried out in the function prologue in compiled dp32 binary do not allow branching even to OpenProcess>GetModuleHandleW>GetProcAddress>VirtualProtectEx etc. sequence
P.S.
Not sure (I'm not familiar with C++), but maybe the problem is here:
ScyllaHide/PluginGeneric/Injector.cpp
Lines 692 to 699 in 2276f14
from scyllahide.
Any progress on this bug?
from scyllahide.
Not really I'm afraid, I remember running into this myself in the past (this was ages ago) and making an attempt to fix it, but as you can see I never did. From what I recall the code related to this was (still is) simply doing all kinds of things it really has no business doing, and the entire 'kill anti-attach' functionality should just be rewritten from scratch in order for it to be properly fixed or fixable.
I may have time to look into this again later this week, but don't hold your breath.
from scyllahide.