Comments (3)
I think I found the problem regarding the error message.
I haven't looked too much into the ScyllaHide source, but I'm guessing hooks are done on the first break event?
If the module isn't loaded at the time of the break event (packed process, breaking on DLL Entry, etc), then you will get the error message.
The error message seems to be from not checking if GetModuleHandle/GetProcAddress succeeds before calling DetourCreateRemoteNative32.
I guess the only problem here is that the error message is kind of bad for the situation. So, I guess this is more of a feature request: Currently, there is a pop up for every failed hook, which is a bit spammy, and the message is a bit vague. It would be nice if it popped up only once with a list of the failed hooks.
As for the crash with DummyB, i'm not sure what the problem is there.
from scyllahide.
This seems to be ~three separate unrelated issues. I can reproduce DummyB crashing on all OSes, but DummyA only on Windows 10. For both, I can only reproduce the crash in WoW64 mode (possibly also native x86 but I have no installation on hand to try this). x64 versions of DummyA and DummyB work fine if, as you say, the module is loaded at the time the process starts. To summarize what I'm seeing:
- WoW64 syscall hooking, especially on Windows 10, is completely fucked (which syscall is being hooked specifically doesn't matter very much). This has been the case for a while now but I don't know if anyone is willing to fix to fix this. PRs are welcome of course.
- On Windows 10 (not precisely since RTM, but still a quite early Windows 10 release)
win32u.dll
addresses should be used rather than theuser32.dll
ones of previous OSes.win32u.dll
is essentially thentdll.dll
equivalent for Win32k syscalls in Windows 10 and is in\KnownDlls
so its virtual address is the same for all processes (strictly speaking probably only per container if we're using dirty Windows 10 technology anyway, but I'll settle for that.) - You're right that it's pretty hard to hook DLLs that are not yet loaded, and this is indeed the cause of the useless error. This is only really possibly a concern for
user32.dll
/win32u.dll
(if it's not statically linked). The proper fix here would be to delay these hooks until (if ever) these DLLs are loaded, not to skip them completely. But that would also be a lot more work, because we'd have to check on eachLOAD_DLL_DEBUG_EVENT
if a not-yet-hooked DLL is being loaded, and if yes, whether it should be hooked. As a band-aid you could also set a DLL breakpoint foruser32.dll
to reapply the ScyllaHide hooks when it loads. Not ideal, but how many real world (even obfuscated) executables do you really see that loaduser32.dll
dynamically? For a commercial protector it's not quite as simple as changing all static imports toLoadLibrary
calls, because the ntdll loader behaviour is very complex and has many subtle side effects which may affect the runtime behaviour of the program (e.g. the DLL load count and order). Though of course in most cases this will work fine and there is probably plenty of malware that does this thinking it's super clever.
I agree with you that the error message is both unhelpful and spammy. I'll see if I can come up with something better (and make it one-time). But the underlying issue is really trying to hook a DLL that isn't loaded. The first issue doesn't help either; I'm not sure if anyone actually understands the WoW64 syscall hook logic on Windows 10 given the huge pile of hacks collected over the years. If so, it's definitely not me :)
from scyllahide.
I kind of forgot about this issue, but it seems that due to various recent(ish) bugfixes this is now fully fixed. There have been a number of changes to improve or fix user32.dll/win32u.dll hooking (especially on Windows 10) as well as WOW64 hooks. So I can't say precisely when or how this was fixed, but it should be working now.
I was wrong about dynamically imported functions not being hooked by the way; at least the x64dbg plugin reinjects on every LOAD_DLL_DEBUG_EVENT
. So user32 hooks work as you would expect. There was another (now fixed) bug that was causing this.
from scyllahide.
Related Issues (20)
- ScyllaHide 2021-08-23_13-27-50 do not load on Windows XP Pro SP3 HOT 6
- Cant be installed on last version of x64dbg
- DbgUiRemoteBreakin not restored HOT 10
- InjectorCLIX86 does not work because it is unable to get the wow64cpu.dll base address HOT 3
- Game closes on any type of breakpoint. (Steam x64dbg) HOT 5
- crash with vmp3.5 (Ultra (Mutation + Virtualization)) HOT 8
- JobObjectBasicProcessIdList AntiDebug
- HandleTable AntiDebug
- ScyllaHide for Rider or Visual Studio HOT 2
- A confusing question when reading the InjectorCLI source code HOT 1
- not working with vmprotect 3.6 HOT 1
- Wow64Transition[0] != 0xEA HOT 3
- Create new release HOT 1
- Bypass detection on start
- HyperTech CrackProof
- Please add API Monitor and Cheat Engine to blacklisted process HOT 1
- [KillAntiAttach] NtContinue_FUNC_SIZE too short HOT 2
- Suggest VMProtect Heaven's Gate syscall Bypass trick. HOT 2
- DetourCreateRemote->ReadProcessMemory failed. (3) HOT 2
- DLL Injection doesn't work
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from scyllahide.