Comments (3)
It took me a while to reproduce this, because at first I tried on Windows 10 (1903 to be precise) where it "just worked". On Windows 7 however, VMProtect's well-known manual syscalls kicked in because it has the syscall numbers hardcoded for that OS.
There is a bit of an issue here due to the fact that this is a DLL and not an EXE. The instrumentation callback in ScyllaHide is really only designed for regular executables. The problem with checking the return address against the loaded DLLs is that you'd have to whitelist specific system DLLs (not just ntdll) which gets messy quickly.
Regardless, I hacked something together that was "good enough" at least for this specific file, and the result was an access violation later on. The cause of this is VMProtect hiding its threads with NtSetInformationThread(ThreadHideFromDebugger), which unlike NtQueryInformationProcess(ProcessDebugObjectHandle) is something the instrumentation callback can do nothing about, since it is called "after the fact" and there is no way to reverse the ThreadHideFromDebugger flag: it can only be set, not unset.
What worked for me after applying the above-mentioned hacks: the standard VMProtect profile in ScyllaHide with ThreadHideFromDebugger additionally selected in TitanHide. I didn't see any ProcessDebugObjectHandle queries, but those may have been caught by the instrumentation callback. In that case you will also need to check that flag in TitanHide.
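The return-address check described in the comment above, as an added example that is not ScyllaHide's code: the instrumentation callback sees where a syscall is returning to, and a return address that does not land in a whitelisted system DLL is the signature of a manual syscall. The module layout, the addresses and the event list are constructed for illustration, and the whitelist is an assumption about which system DLLs legitimately issue syscalls; it shows exactly why the DLL case gets messy (anything not whitelisted, including the protected DLL itself, must be treated as manual).

```python
# Added example, not code from ScyllaHide or VMProtect. Simulates the
# return-address classification an instrumentation callback performs.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed, hypothetical address layout; none of these are real load
# addresses, and "protected.dll" stands in for the VMProtect'ed DLL.
MODULES = [
    Module("ntdll.dll",      0x7FF9_0000_0000, 0x001F0000),
    Module("kernelbase.dll", 0x7FF8_F000_0000, 0x002A0000),
    Module("protected.dll",  0x7FF8_0000_0000, 0x00400000),
    Module("host.exe",       0x7FF6_0000_0000, 0x00100000),
]

# Assumption: the set of system DLLs allowed to return from a syscall.
# On a plain EXE "ntdll.dll" alone is nearly enough; for a DLL target
# this list keeps growing, which is the messiness the comment refers to.
SYSTEM_WHITELIST = frozenset({"ntdll.dll", "kernelbase.dll", "win32u.dll"})


def module_for(addr: int, modules=MODULES) -> Optional[Module]:
    """Map a user-mode address to the module that contains it, if any."""
    return next((m for m in modules if m.contains(addr)), None)


def classify_return_address(ret_addr: int, modules=MODULES,
                            whitelist=SYSTEM_WHITELIST) -> str:
    """'system' for a normal syscall stub, otherwise a 'manual:<origin>' tag."""
    m = module_for(ret_addr, modules)
    if m is None:
        return "manual:unbacked"        # syscall stub in heap / VM-allocated memory
    if m.name.lower() in whitelist:
        return "system"
    return f"manual:{m.name}"           # e.g. VMProtect's stub inside the DLL


def find_manual_syscalls(events, modules=MODULES, whitelist=SYSTEM_WHITELIST):
    """events: iterable of (syscall_name, return_address).
    Returns (name, hex address, verdict) for every non-system return."""
    return [(name, hex(ra), verdict)
            for name, ra in events
            if (verdict := classify_return_address(ra, modules, whitelist)) != "system"]


# Constructed sample: two ordinary syscalls via ntdll/kernelbase, one
# VMProtect-style manual syscall from inside the protected DLL, and one
# issued from unbacked memory.
SAMPLE_EVENTS = [
    ("NtQueryInformationProcess", 0x7FF9_0001_2340),
    ("NtSetInformationThread",    0x7FF8_0002_0010),
    ("NtClose",                   0x7FF8_F001_0000),
    ("NtQueryInformationProcess", 0x0000_0000_1234_0000),
]

if __name__ == "__main__":
    for hit in find_manual_syscalls(SAMPLE_EVENTS):
        print(hit)
```

In the real callback the address being classified is the return RIP the kernel hands over when it re-enters user mode; the classification itself is what decides whether the callback can still fix up the result (ProcessDebugObjectHandle) or has nothing to fix (ThreadHideFromDebugger, already applied in the kernel).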
Thanks a lot, it really works.
I'm very sorry that I distracted you.
I am very grateful to you.
I do not know whether to close the issues.
I'll leave the issue open: it is an issue in ScyllaHide because this DLL's protection can only be circumvented in combination with TitanHide. However I don't see any plausible way to fix this from user mode, so the issue will most likely remain open forever.
For people who don't want to disable PatchGuard/install a kernel mode driver, the best advice I can give is to run the latest version of Windows 10. VMProtect's syscall tables seem to be somewhat behind the times, at least right now.