Hi,

I am fairly new to reversing so I am sorry for the dumb questions that I am about to ask.

I am trying to reverse this program which has IsDebuggerPresent and CheckRemoteDebuggerPresent to protect against debugging. I used the x32dbg and found that using the Obsidium profile will allow me to run the program without it picking up x32dbg. Now my main goal is to use ScyllaHide with other debugging software such as "Mega Dumper", "Smart assembly explorer", "dnSpy", and "fiddler".

I have looked through the manual so I did use the InjectorCLIx86.exe program to attach the HookLibraryx86.dll file onto the program I am trying to crack. However, this only allows me to open x32dbg debugger and all of the other debuggers I would like to use is still detected by the program.

If anyone could shed some light on what I am doing wrong or how I can fix this it is appreciated!

Dear all, i've this error using latest Scyllahide with x64dbg and latest build of Scyllahide, is only my problem or something is changed in detection ?

I'm trying to build this using VS2017, but having all KINDS of problems with PlatformToolset issues. I tried updating the project, but it just doesn't work. Can this project be built using VS2017, or do I need to create a Vista VM and install VS2015?

If i have checked NtQueryInformationProcess on ScyllaHide this caused Initialization error 4
https://i.imgur.com/IxufAZf.jpg
And if I delete
ntStat = STATUS_PORT_NOT_SET;
on HookedNtQueryInformationProcess in this code
else if (ProcessInformationClass == ProcessDebugObjectHandle)
{
*((HANDLE *)ProcessInformation) = 0;
ntStat = STATUS_PORT_NOT_SET;
}
i don't have this error and First chace exception on usign this function on x64dbg.

How to use it

i use it error：

The latest version 2017_3_3 is not working, when run an executable with scyllahide enabled it gives out of memory, .exe cannot initialize memory buffer !. the previous version breaks on EXCEPTION_ACCESS_VIOLATION.
I have noticed that the downloaded version .pdf files says it is version 1.4, but in the plugin-about window shows 1.2 !

Any help ?

I Can't Found The .p64 Plugin For IDA Pro. Only .plw (32) Bit Are Available... However If I rename the .plw to .p64 and then open the 64bit ida it givems me a fatal error...

Could you make the latest snapshot available please?
I'm getting an error when trying to download the 7z file (https://github.com/x64dbg/ScyllaHide/releases/download/snapshot/ScyllaHide_2017-03-03_15-29.7z).

Hello,

I was wondering why both Olly and x64dbg still require the NtApiCollection.ini though you wrote you got rid of it. A file / folder compare of the ScyllaHide_2019-05-23_00-18 and the ScyllaHide_2019-05-08_12-58 builds showed the reason - all binaries are identical:

https://imgur.com/OfJkJrA

The only files differing are the .ini and the .pdf (and the removed NtApi tool). So it's obvious that your new features / fixes can't work if you ship old binaries in your snapshots, please fix this if you've time. Thank you very much in advance.

Well the clicking the Apply button in the ScyllaHide/Options has no effect.
Clicking Ok works.

Please check & fix this.

TIA

ScyllaHide's ntdll.h and .lib's are the most complete that I know of. After searching extensively, I found that most ntdll libraries would rely on a bunch of calls to GetProcAddress in order to initialize the function pointers while ScyllaHide is able to call the Nt* functions directly, thanks to the provided .lib's.

I'm currently trying to implement a "custom" NtSuspendProcess where the function would also be able to skip the current thread:

#define OBJ_KERNEL_EXCLUSIVE           0x00010000L
#define OBJ_VALID_PRIVATE_ATTRIBUTES   0x00010000L
#define OBJ_ALL_VALID_ATTRIBUTES (OBJ_VALID_PRIVATE_ATTRIBUTES | OBJ_VALID_ATTRIBUTES)

void SuspendThreads(HANDLE procHandle, bool suspend, bool skipSelf){
    DWORD curThreadId = GetCurrentThreadId();
    HANDLE hThread = NULL;
    while(1) {
        NTSTATUS ntStat = NtGetNextThread(procHandle, hThread, STANDARD_RIGHTS_ALL, OBJ_ALL_VALID_ATTRIBUTES, 0, &hThread);
        if (!NT_SUCCESS(ntStat)) {
            break;
        }
        if (skipSelf && curThreadId == GetThreadId(hThread)) {
            continue;
        }
        if (suspend) {
            SuspendThread(hThread);
        } else {
            ResumeThread(hThread);
        }
    }
}

I really need to use NtGetNextThread because the CreateToolHelp32Snapshot + Thread32First/Next combination is just too slow for what I'm doing. From what I read, this function is available on Windows Vista onwards.

Would it be possible to add NtGetNextThread and NtGetNextProcess to the static libraries? Since they are already declared in ntdll.h, I thought it would be nice to have them included in the libraries as well.

At the moment, the following linker error is thrown:

Seeing this error on each start of Debugger (Ida, x32)

Details on env:
OS: W7 x64
Ida 6.8 x32
latest snapshot of bits from this repository
default settings in Options dialog

plugin report this bug，because the target process is already hooked

so just need parse local ntdll.dll forever, read target function bytes Then write into target process

x86dbg build (latest 18.11.2018)
scyllahide - ScyllaHide_2018-11-11_20-41
Windows 7 x86 SP1

Invalid disassembly or something else leads to invalid hook placement for KiFastSystemCall

1. before hooks
   
2. after DRx protection is on
   
   Hook placed at wrong addr.
3. new invalid KiFastSystemCall
   

x64dbg is already immune to find window attack. You can rename it to any name you like and it will use it as the title for every window. I don't know how to get NtUser* API set, but I don't need to set them either.

I just updated distorm to the latest version, and I thought it might be a good idea to try it out on a few different OSes first to see if I didn't break hooking anywhere. Well, the good news is, I don't think I did.
The bad news is that the x86 version of Windows 10 doesn't seem to like ScyllaHide (no matter the distorm version): if I enable any hook at all I am presented with

followed by

...followed by the first error again times the number of hooks enabled.

We already have some hacks for Windows 10 in place in RemoteHook.cpp, but those are for Wow64, where the syscalls go through a shared gate like this:

mov eax, 0Dh ; syscall number
mov edx, offset Wow64SystemServiceCall ; shared stub to do native syscall
call edx
retn 10h

On native x86 however, the syscall functions each have their own leaf function directly after the exported function (sometimes with nop/int 3 padding, usually not.) E.g.:

mov eax, 0Dh
call leaf_stub ; E8 03 00 00 00 (eip+8)
retn 10h
; optional padding
@leaf_stub:
mov edx, esp
sysenter
retn

This is clearly confusing DetourCreateRemoteNative32 which is looking for the old-style mov edx, KiFastSystemCall + call [edx] way of doing things. But what's really strange is that while the Wow64 syscalls have indeed changed with Windows 10, the native x86 ones have worked like this since Windows 8. Does really no one use x86 OSes anymore, or am I the only one having this issue?

Fixing the issue was not really a problem, I just worked around it by making HOOK_NATIVE work the same way on native x86 as on x64:

void * DetourCreateRemoteNative32(void * hProcess, void * lpFuncOrig, void * lpFuncDetour, bool createTramp, unsigned long * backupSize)
{
    if (scl::GetWindowsVersion() >= scl::OS_WIN_10 && !scl::IsWow64Process(hProcess))
        return DetourCreateRemote(hProcess, lpFuncOrig, lpFuncDetour, createTramp, backupSize);
  // otherwise continue as normal
}

But I'd kind of llike to know why I shouldn't just do this for any OS >= Win 8, as the exported syscall functions are literally byte for byte the same between them. Though I haven't tried SH on Windows 8 x86 yet. And can anyone reproduce this? I know there must be like, at least 3 people out there who use an x86 OS.

Which is better and more powerful, ScyllaHide or TitanHide?
Can I use them both together?
What else can I use together with ScyllaHide?

Every Time When I open That ScyllaHideIDASrvx64.exe or ScyllaHideIDASrvx86.exe It Give Me IDA_SERVER_EXCHANGE 648 == 645? This... Any Temporary Fix For It..?

I have created videos on a clean VM to highlight the error in detail.
The access violation error is seen only on 32-bit Windows 10 versions as can be clearly seen in the videos.

https://www48.zippyshare.com/v/2CgRVwbw/file.html - Videos Only
https://www95.zippyshare.com/v/gsS5HaXe/file.html - x96dbg with ScyllaHide used

Disabling BOTH NtQueryInformation Process and NtClose in ScyllaHide avoids this error...

• Tested on various version of 32-bit Windows 10 including Builds 1607-1809.
• Error consistently seen ONLY on the 32-bit versions of Windows.
• Videos show NO ERRORS on 64-bit Windows 10.
• Errors ONLY on 32-bit Windows 10.
• An archive containing the x96dbg along with the ScyllaHide used is attached.

Also want to add that I did check out the issue #32 here but it does not seem to provide a solution to my problem.
Further I also tried substituting the 2 changed files (ApplyHooking.cpp and ScyllaHideX64DBGPlugin.cpp) from branch 04b5e72 and re-compiling the Scyllahide for the present veriosn of x64dbg. Gives the same error on 32-bit Windows systems.

Recompiling various older versions of the ScyllaHide does not work either as the SysCall structures are different.

Without ScyllaHide, it is practically impossible to use the debugger on 32-bit platforms :(
I hope that a solution can found soon..
Thank you

EDIT:
I understand that 32-Bit Windows versions are still supported, especially the Windows 10 versions.
If anyone wants to help, kindly do not suggest "upgrading" to Windows 64-bit.
There are many programs and tools that work only on 32-bit versions and hence support for 32-bit Windows 10 at least is a must for us.

Thank you

https://forum.tuts4you.com/topic/40011-debugme-vmprotect-312-build-886-anti-debug-method-improved/#comment-192827

Affected functions:

• NtQuerySystemInformation
• NtQueryObject
• NtQueryInformationProcess

Basically in the kernel these functions put the ReturnLength = x after handling the rest so if we replace the actual result value where ReturnLength == ResultPointer it will return a different value.

Does anyone know what I have to add to the DLL?

The plugin outputs this screen error message when loading ( https://imgur.com/a/Witqj ).
I tried following the pdf instructions, but PDBReaderx86.exe outputs the following error code when running:
"
OS MajorVersion 6 MinorVersion 1
OS ID: 060101000109_x86

User32 Base 757D0000
SymFromName NtUserQueryWindow returned error : 126
126 - ERROR_MOD_NOT_FOUND - You must have a working internet connection to downl
oad missing PDB files!

SymFromName NtUserBuildHwndList returned error : 126
126 - ERROR_MOD_NOT_FOUND - You must have a working internet connection to downl
oad missing PDB files!

SymFromName NtUserFindWindowEx returned error : 126
126 - ERROR_MOD_NOT_FOUND - You must have a working internet connection to downl
oad missing PDB files!

SymFromName NtUserInternalGetWindowText returned error : 126
126 - ERROR_MOD_NOT_FOUND - You must have a working internet connection to downl
oad missing PDB files!

SymFromName NtUserGetClassName returned error : 126
126 - ERROR_MOD_NOT_FOUND - You must have a working internet connection to downl
oad missing PDB files!

Done!
"

I have tried to fix this with other debuggers aswell, but it seems like it's impossible for the file to download its content, maybe it is missing from the internet?
I tried running the program as administrator, but nothing worked. Is there somewhere else I can download this file instead?

Since you want to filter every enum type possible for this function :D

struct _SYSTEM_SESSION_PROCESS_INFORMATION
SystemSessionProcessInformation

https://wj32.org/wp/2009/04/25/ntquerysysteminformation-a-simple-way-to-bypass-rootkits-which-hide-processes-by-hooking/

I get the error C0000005 after a dll call, before the installation of the plug in I was getting the error at the start of the Module ntdll.dll, now I get the error after the call of a proprietary dll. I tried most of the options but every time I get the same error in the same location

OS: Windows 10 x64
Debugger: x64dbg (x86 version), "snapshot_2018-11-04_23-45".
ScyllaHide version: "ScyllaHide_2018-11-11_20-41"

Although these behaviors happen with multiple targets, the exact details seem to change.

So, I've attached two separate executables. DummyA.exe is as shown in the code below, DummyB.exe is with the MessageBoxA line uncommented.

When BlockInput (or NtUser* options) are checked:
DummyA - Does not crash but "DetourCreateRemoteNative32->ReadProcessMemory failed" pops up.
DummyB - Error does not pop up but the target crashes. Log of x64dbg posted below.

Both of these were tested with all Events unchecked.

#include <Windows.h>
#include <stdio.h>

int 
main(int ArgCount, char **Args)
{
    //MessageBoxA(NULL, "", "", MB_OK);
    return 0;
}

Debugging: C:\Users\Admin\Desktop\Dummy\build\DummyB.exe
Database file: D:\dev\tools\x64dbg\release\x32\db\DummyB.exe.dd32
Process Started: 00F20000 C:\Users\Admin\Desktop\Dummy\build\DummyB.exe
Skipping unsupported debug type IMAGE_DEBUG_TYPE_POGO in module dummyb.exe...
Did not find any supported debug types in module dummyb.exe!
DLL Loaded: 77E00000 C:\Windows\SysWOW64\ntdll.dll
DLL Unloaded: 00960000
DLL Unloaded: 76360000
DLL Unloaded: 00AD0000
DLL Loaded: 76360000 C:\Windows\SysWOW64\kernel32.dll
DLL Loaded: 74D10000 C:\Windows\SysWOW64\KernelBase.dll
DLL Loaded: 77B80000 C:\Windows\SysWOW64\user32.dll
DLL Loaded: 75A00000 C:\Windows\SysWOW64\win32u.dll
Thread 17E0 created, Entry: ntdll.77E4C8C0
DLL Loaded: 755C0000 C:\Windows\SysWOW64\gdi32.dll
DLL Loaded: 75A20000 C:\Windows\SysWOW64\gdi32full.dll
DLL Loaded: 74C90000 C:\Windows\SysWOW64\msvcp_win.dll
DLL Loaded: 75D30000 C:\Windows\SysWOW64\ucrtbase.dll
Thread 2880 created, Entry: ntdll.77E4C8C0
[ScyllaHide] Loaded RVA for user32.dll!NtUserQueryWindow = 0x0003D666
[ScyllaHide] Loaded RVA for user32.dll!NtUserBuildHwndList = 0x0003D55A
[ScyllaHide] Loaded RVA for user32.dll!NtUserFindWindowEx = 0x0003D854
[ScyllaHide] Hook Injection successful, Imagebase 005C0000
System breakpoint reached!
DLL Loaded: 75EB0000 C:\Windows\SysWOW64\imm32.dll
EXCEPTION_DEBUG_INFO:
dwFirstChance: 1
ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION)
ExceptionFlags: 00000000
ExceptionAddress: 00A20000
NumberParameters: 2
ExceptionInformation[00]: 00000008 DEP Violation
ExceptionInformation[01]: 00A20000 Inaccessible Address
First chance exception on 00A20000 (C0000005, EXCEPTION_ACCESS_VIOLATION)!

DummyA.zip
DummyB.zip

When selecting any profile in ScyllaHide
the following error occurs:
Windows 10 SysWowSpecialJmpAddress was not found

If you selected the VMProtect profile, then the above error will occur followed by the error message
Unknown syscall structure
and the debugger will crash.

• OS: Win10 x64 Enterprise LTSB (v1607)
• ScyllaHide: ScyllaHide_2016-08-30_12-57
• x64dbg: snapshot_2016-09-01_02-55 (produced on the 32-bit version of the debugger)
• The NtApiCollection.ini was updated with the required RVAs using the provided application PDBReaderx86.exe

minidump: (after selecting VMProtect profile)
http://rgho.st/private/8wDCkGgGp/0797d9ea3510c06ca745b3d2dcd49d56
password: asd123

Can't build Ida Pro 64 bit plugin (master branch, VS2017)
after opening up the BUILD_IDA_64BIT define, lots of old stuff was back to life..

preparing PR for it

Please note: ScyllaHide is not limited to these debuggers. You can use the standalone commandline version of ScyllaHide. You can inject ScyllaHide in any process debugged by any debugger.

But where is standalone commandline version? Did i miss something?

Hi, I do not know where to turn for help, so I am writing here.
A lot of time I can not run this application in debug mode.
This is openjdk which is protected from change, protected library jvm.dll.

PEiD has detected a low version of VMProtect, although this is most likely 3.3 ++
I have a lot of creakme version 3.2, and with them there are no problems, but with this version there.
Here is the link to the file "https://dropmefiles.com/Ntu1u"
I used dbg64, and plugins,ScyllaHide,TitanHide,SharpOD ver 0.6

The following options will crash x32dbg/x64dbg (exception bad alloc):

Tested on:

• Windows 10 x64 (1703)
• Windows 8.1 x64 (9600)

Hi, I use ScyllaTest_x86.exe and see that ScyllaHide OutputDebugStringA protection for OllyDbg 2.0 doesn't work.

This problem was mentioned in Twitter 4 years ago too: https://twitter.com/AshAbdalhalim/status/494700460838625280

• ConsoleApplication1.exe

int main() {
	std::cout << "Hello World!\n";
	while (1) {
		Sleep(1);
	}
	getchar();
}

usage:

InjectorCLIx86.exe ConsoleApplication1.exe c:\HookLibraryx86.dll nowait

The console applications will be crashes when i testing.

i think is thread(eip) Execute here：

77444FF0                   | jmp     dword ptr ds:[<Wow64Transition>]                                 |

and at this time ScyllaHide use WriteProcessMemory make it(ConsoleApplication1.exe) execute cpu instruction error

scylla_hide configuration file(png -> ini):

it can't even detect IsDebuggerPresent
or am i doing something wrong?

Sample source code using SetWinEventHook to detect x64dbg:

#include <Windows.h>

HWINEVENTHOOK hWinEventHook;

void CALLBACK HandleWinEvent(HWINEVENTHOOK hook, DWORD dEvent, HWND hwnd, LONG idObject, LONG idChild, 
                             DWORD dwEventThread, DWORD dwmsEventTime)
{
    if (!hwnd) {
        return;
    }
    HWND hwndCopy = hwnd;
    while (1) {
        HWND parentHwnd = GetParent(hwndCopy);
        if (!parentHwnd) {
            break;
        }
        hwndCopy = parentHwnd;
    }
    // Just checking the window title, but you could also use GetClassName to detect it
    WCHAR windowTitle[MAX_PATH];
    if (InternalGetWindowText(hwndCopy, windowTitle, sizeof(windowTitle))) {
        const wchar_t* result = wcsstr(windowTitle, L"x64dbg");
        const wchar_t* result2 = wcsstr(windowTitle, L"x32dbg");
        if (result || result2) {
            MessageBox(NULL, "Debugger detected!", NULL, NULL);
        }
    }
}

LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
    switch(msg)
    {
        case WM_CLOSE:
            DestroyWindow(hwnd);
        break;
        case WM_DESTROY:
            PostQuitMessage(0);
        break;
        default:
            return DefWindowProc(hwnd, msg, wParam, lParam);
    }
    return 0;
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLine, int nCmdShow) {
    hWinEventHook = SetWinEventHook(EVENT_MIN, EVENT_MAX, NULL, HandleWinEvent, 0, 0, WINEVENT_SKIPOWNPROCESS);
    MSG msg;
    BOOL bRet; 
    WNDCLASS wc = {};
    UNREFERENCED_PARAMETER(lpszCmdLine);
 
    if (!hPrevInstance) 
    { 
        wc.style = 0; 
        wc.lpfnWndProc = (WNDPROC) WndProc;
        wc.cbClsExtra = 0; 
        wc.cbWndExtra = 0; 
        wc.hInstance = hInstance; 
        //wc.hIcon = LoadIcon((HINSTANCE) NULL, IDI_APPLICATION); 
        //wc.hCursor = LoadCursor((HINSTANCE) NULL, IDC_ARROW); 
        //wc.hbrBackground = GetStockObject(WHITE_BRUSH); 
        wc.lpszMenuName =  "MainMenu"; 
        wc.lpszClassName = "MainWndClass"; 
 
        if (!RegisterClass(&wc)) 
            return FALSE; 
    }
 
    HWND hwndMain = CreateWindow("MainWndClass", "Sample", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 
                                 CW_USEDEFAULT, CW_USEDEFAULT, (HWND) NULL, (HMENU) NULL, hInstance, (LPVOID) NULL); 
 
    if (!hwndMain) 
        return FALSE; 
 
    ShowWindow(hwndMain, nCmdShow); 
    UpdateWindow(hwndMain); 
 
    while( (bRet = GetMessage( &msg, NULL, 0, 0 )) != 0)
    { 
        if (bRet == -1)
        {
            // handle the error and possibly exit
        }
        else
        {
            TranslateMessage(&msg); 
            DispatchMessage(&msg); 
        }
    }
 
    return msg.wParam;
}

The detection happens as soon as you move the mouse over other windows. This sends events to the application with the HWND and you can check if its title is flagged or not.

You could counter this by hooking:

• NtUserInternalGetWindowText
• NtUserInternalGetWindowIcon
• NtUserGetClassName
• And pretty much any other function that could be used on the HWND for detection.

You could also hook NtUserSetWinEventHook to get the address of the WinEventProc callback and then hook it to erase the passed HWND. According to the documentation, it should be safe to erase it:

Type: HWND
Handle to the window that generates the event, or NULL if no window is associated with the event. For example, the mouse pointer is not associated with a window.

Full build version: 15063.rs2_release.170317-1834

Latest ScyllaHideRelease / x64dbg snapshot.

Exception (Tested with ScyllaTest_x64): https://i.imgur.com/5MYgfD5.png

Log from x64dbg: https://pastebin.com/Yx5Hsq1a

Input: http://prntscr.com/h2ptp6

as you see it's being detected (used your ScyllaTest_x86.exe)
http://prntscr.com/h2pt94

BTW, why is this option grayed out inside the Ollydbg v1?

A minor issue, but in my understanding would be nice to have,

http://prntscr.com/h2l9n2

To the right is an example of how it might look like :)
also it might help to inspect any dll in the future with just a single click in Explorer...

Windows 10 has a separate implementation for OutputDebugStringW rather than passing the string to OutputDebugStringA, quoting their note:

Important In the past, the operating system did not output Unicode strings via OutputDebugStringW and instead only output ASCII strings. To force OutputDebugStringW to correctly output Unicode strings, debuggers are required to call WaitForDebugEventEx to opt into the new behavior. On calling WaitForDebugEventEx, the operating system will know that the debugger supports Unicode and is specifically opting into receiving Unicode strings.

The plugin (if I'm not mistaken) currently supports OutputDebugStringA only.
This article (by ntquery) talks about this:
https://ntquery.wordpress.com/2015/09/07/windows-10-new-anti-debug-outputdebugstringw/

JIT debugging doesn't work with ScyllaHide as a plugin (even if you don't enable anti-attach stuff)

scylla_hide.log
Some Nt* WINAPI functions are not exported by a DLL, so it is necessary to get the function addresses from another source. The other source is the PDB file. The adresses can be resolved with the NtApiTool packaged in the release. It will download the PDB file from the Microsoft server to resolve the missing function addresses.

Ok. I executed PDBReader*.exe where it was(in the NtApiTool folder) , I didn't move it in the x64dbg directory. And it created some folders with some .pdb in them. What should I do now?

I must admit that I am ashamed of myself right know :(

Please, help.

23bit ver throughs an access denied exception on application load

So In "ApplyNtdllHook" HOOK_NATIVE_NOTRAMP is used to hook NtSetDebugFilterState. It uses "DetourCreateRemoteNative" which is "DetourCreateRemoteNative32". Which will always return 0 (trampoline) for no trampline hooks. Therefore "StartHooking" ends there and returns false and the other hooks are never hooked. Means if I want to use x32dbg with WIN32 build of scyllahide on 64bit system (w10), I am not able to.

• method 1：

use x64dbg+scyllahide
x64dbg attached process

The process work fine

• method 2：

InjectorCLIx86.exe test.exe c:\HookLibraryx86.dll nowait
windbg attached process

The process will be crash.

download file(themida protector):
http://s000.tinyupload.com/index.php?file_id=05571394152688296504

PWD:123

CurrentProfile=Themida x86

I've collected some issues I've seen on latest realese
00d846bc1dada7b456658867d2269698 *ScyllaHide_2017-10-19_21-11.7z
used against Olly v1.10

1. minor
   make version up to date, eg:
   http://prntscr.com/h088ll

2. issue related to selected profile of protector,
   details:
   in Olly2 whenever I choose some profile - it is selected in menu, eg:
   http://prntscr.com/h07wj6

but this simple case does not work in v1:
http://prntscr.com/h07x24 - no selection (of course after I've selected one of profiles)

3. also there is a visible bug in About menu: see the previos picture and find the "About" menu item,
   as you see it has some garbage @EnD - this might be dangerous! (eg memory corruption, etc)

Hello,

ScyllaHide Timing Hooks kernelbase.dll!GetLocalTime and kernelbase.dll!GetSystemTime cause ACCESS VIOLATION because of invalid memory de-reference. When the hook calls a copy of the original API which contain de-reference of relative to RIP memory location, most of the time this location does not exists.

In the case of GetSystemTime the dereferenced address is the address of the security cookie and a crash is guaranteed. In case of the GetLocalTime a global struct is de-referenced and if the address exists a crash can be sometimes avoided but the API leads to inaccurate results.

To reproduce the issues:

1. Debug any x64 application and enable Timing Hooks for GetSystemTime and GetLocalTime
2. Set a breakpoint on the hooked API in kernelbase.dll or kernel32.dll
3. Wait for the BP to hit one way or another and follow the hooks
4. Crash inside the call to HookDllData.dGetSystemTime(&OneSystemTime);

VS2013 upd5 over W7 SP1 x64

4	IntelliSense: static assertion failed with "Offset check"	c:\in\ScyllaHide-vs13or\3rdparty\ntdll\ntdll.h	3313	1	HookLibrary

error line in ntdll.h is this one:

static_assert(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8, "Offset check");

Windows SDK 7.1A used (originally shipped w/VS2013)

My gut feeling says that this is OS dependent issue, eg it might work on W8/W10...
could you wrap that line up into some #ifdef please?

Does the plugin have some version, (c) info, etc?

if yes - would be nice to keep it up to date
also would be nice to have the "built at" info in about dialog

The latest version causes x64dbg to crash !. try to load an executable, F9 to reach the entry point, in the Memory tab, search for a binary pattern. click on one of the found patterns and scroll up or down with mouse, then it will crash.

You need to compile for support with Ida 7.0

Hello,
According to https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide.pdf, I can use ScyllaHide to inject a DLL:

so does this means I can inject ANY dll into a process in a stealthy way even if it's not related to debugging?