[ATTENTION! - BEFORE YOU READ ANYTHING!]
The following article you're about to read has been written with the mentality of helping other fellow members who currently have a job as a Malware Analyst and
are working hard every day against malware in the wild. Given that this forum is publicly available to anyone, this article is intended to be
used only as an educational resource and should NOT BE put to the test against any kind of commercial programs / applications / software
protected by Themida. Breaking / circumventing the protection of Themida itself, or of any kind of commercial program / application / software, is something
totally unlawful and you could be held accountable for your actions in a court.
The author of this article ('0xNOP') and/or the hosters of this blog ('www.tuts4you.com') do not take
any kind of responsibility for anything that you ('the reader') might do with such content.
Given these terms of agreement, you are the sole and only person responsible for your own actions. If you agree with this, you may continue reading; if not, I advise you to discontinue reading,
close this page and continue browsing the forums as usual. If you continue reading, it means you are automatically accepting these terms of agreement.
Prologue: Probably the method I'm going to be covering here is not rocket science for some geniuses in the scene, and others may have already known it. However, this method is geared towards people who don't know this approach yet, so keep on reading to find out how I did it, and see if you knew the approach already! If you would like to skip the story and just want the TL;DR, go to where it says in big red bold letters [TUTORIAL]. Last but not least, hope you enjoy it!
Story: Hello everyone! Here I am, coming back from a recess.
So I was working on a Themida-protected DLL, and that DLL was getting loaded at runtime by the game's entry point (e.g. push <DLLName>; jmp &LoadLibraryA; if the DLL was found -> continue execution, else jmp to exit). Alright, up to here everything was good... Now when I started digging into it, I saw that when I attached x64dbg to the process, it was getting terminated! So I said... probably the program is protected with something... So here's where it gets interesting: the game executable wasn't protected with anything! Only that one module was... so I said, pretty cool that a DLL detects a debugger being attached, probably through Themida's API hooking, and I kept on going, thinking to myself what could be wrong... Not long passed before I was getting aggravated with it; the impossibility of doing anything with the program really got to me.
So I kept on going until I started digging into kernel-mode drivers. Well, to start off, I didn't actually make my own driver, mainly because my current level of expertise isn't the one needed to create a 1337 driver, and second because I'm on an x64 system and it would just be a pain in the arse to build and test one without PatchGuard making my life even more miserable... So I kept looking for tools that could help me achieve what I wanted, and found out about TitanHide: didn't work. ScyllaHide: the process was still being terminated on attach, even though I used the Themida preset! So I left ScyllaHide for later, because I know it works... I just had to find out what to do in order to get that anti-anti-attach done. Lastly, I searched and searched until I found a treasure: a program called PC Hunter. It's a very well done and handy tool that comes with a kernel driver that lets you access things that are hidden from our ring 3 space... So I went on, did some magic (the one I'm going to explain further below) and LO AND BEHOLD! I crossed my fingers, made that look with my eyes almost closed, almost not wanting to look at the screen, and it finally worked! I couldn't believe I was attached to the program and it didn't show "thread terminated: status DED!" xD So now I've decided to share my happiness with the whole world... or at least whoever reads this entry.
[TUTORIAL]
0. CRITICAL STEP: Suspend your process at startup, or right after the troublesome protected DLL loads!
To "suspend" the process after a specific DLL was loaded, I downloaded API Monitor, went to the APIs and put a breakpoint before the DllMain call; that way, when the offending DLL got called, the process was still alive, the only difference being that the DLL was now loaded. It's another of my "quick and dirty" ways of doing things. Also, since I'm working in x64dbg, I used ScyllaHide for the rest of the progress... keep on reading to see how I executed everything.
1. Download PC Hunter (attached below for your convenience ;D) and extract it somewhere comfortable.
2. Open it up and you will see something like this:
3. In the navigation tabs shown above, select "Ring3 Hooks".
4. You will now have a view like this:
(If there is nothing hooked in the default loaded tab, which is "Message Hook", then it will be empty just like mine; otherwise, if you do have something hooked, make sure it's not a WH_KEYBOARD hook, it might be malware xD. Also check the Ring0 Hooks tab.)
5. Click the "Process Hook" tab:
6. Now look for your process, right click its name and select "Scan", like so:
7. PC Hunter will now scan the process for active hooks and display them all in the list view on the right side:
8. Now just right click and select "Restore All"... or, if you had problems and/or your process exited/terminated abruptly while restoring all, be selective and try them one by one. I know it can be tedious, but at least it works... Most of the time you will be able to "Restore All".
Good, now our process should be ready to continue loading... Now just remove all breakpoints in API Monitor (remember Step 0?) and resume execution; at this point your program should be running normally... Now go to x64dbg and, under Plugins, go to ScyllaHide -> (remember to use the Themida preset) -> Attach to Process, use the little pick tool thingy, drag and drop it onto your process and click Attach!
If you followed everything, you should now be at the DbgBreakIn on attach; just resume execution in x64dbg and voilà! You have successfully bypassed the so-fearful Themida anti-attach!
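To make the "Process Hook" scan of steps 6 and 7 concrete, here is an added example of the check such a scanner performs: it compares an exported function's clean prologue (the bytes the DLL has on disk, after relocation) with the bytes actually mapped in the process, and classifies the trampoline it finds. This is illustrative code written for this post, not PC Hunter's code and not part of the original tutorial. The prologue bytes, virtual addresses and hook targets below are constructed samples, and reading the real bytes out of a live process (ReadProcessMemory on the mapped module, parsing the export table of the on-disk copy) is assumed to happen elsewhere; only the comparison and classification are shown.

```python
"""Constructed example: classify a user-mode (ring 3) inline hook by diffing an
export's on-disk prologue against the bytes mapped in the process.
Not PC Hunter's code; all addresses and byte strings below are made up."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MASK64 = (1 << 64) - 1


@dataclass
class HookReport:
    function: str
    kind: str                  # "none" or the trampoline shape found
    target: Optional[int]      # where the patched prologue transfers control
    first_diff: Optional[int]  # offset of the first byte that differs from disk


def classify_stub(code: bytes, va: int) -> Tuple[str, Optional[int]]:
    """Recognise the trampoline shapes user-mode hooking engines write over a
    prologue. `va` is the virtual address of `code[0]`, needed to resolve
    relative operands. Returns (kind, target)."""
    if len(code) >= 5 and code[0] == 0xE9:                          # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (va + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xff\x25":                  # jmp [rip+disp32] (x64)
        disp = struct.unpack_from("<i", code, 2)[0]
        # Only the pointer slot is known without reading memory again.
        return "jmp_rip_indirect", (va + 6 + disp) & MASK64
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:      # push imm32; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov_rax_jmp", struct.unpack_from("<Q", code, 2)[0]  # mov rax, imm64; jmp rax
    return "unknown_patch", None                                     # modified, but not a known stub


def scan_export(name: str, va: int, on_disk: bytes, in_memory: bytes) -> HookReport:
    """Compare the clean prologue with what is mapped at `va` in the process."""
    if on_disk == in_memory:
        return HookReport(name, "none", None, None)
    first_diff = next(i for i, (a, b) in enumerate(zip(on_disk, in_memory)) if a != b)
    kind, target = classify_stub(in_memory[first_diff:], va + first_diff)
    return HookReport(name, kind, target, first_diff)


def scan_exports(entries: Iterable[Tuple[str, int, bytes, bytes]]) -> List[HookReport]:
    """Return only the hooked entries, like the list view in step 7."""
    return [r for r in (scan_export(*e) for e in entries) if r.kind != "none"]


# --- constructed samples (not real ntdll bytes or addresses) -------------------
FUNC_VA = 0x7FFA12340000          # pretend VA of the export in the target process
HOOK_TARGET = 0x7FFA00100000      # pretend address of a hook handler
# Simplified x64 syscall-style stub: mov r10, rcx; mov eax, 0x19; syscall; ret; int3 padding
CLEAN_PROLOGUE = b"\x4c\x8b\xd1\xb8\x19\x00\x00\x00\x0f\x05\xc3" + b"\xcc" * 5
JMP_HOOKED = b"\xe9" + struct.pack("<i", HOOK_TARGET - (FUNC_VA + 5)) + CLEAN_PROLOGUE[5:]
PUSH_RET_HOOKED = b"\x68" + struct.pack("<I", 0x00401000) + b"\xc3" + CLEAN_PROLOGUE[6:]
MOV_RAX_HOOKED = b"\x48\xb8" + struct.pack("<Q", HOOK_TARGET) + b"\xff\xe0" + CLEAN_PROLOGUE[12:]
NUMBER_PATCHED = CLEAN_PROLOGUE[:4] + b"\x1a" + CLEAN_PROLOGUE[5:]  # byte 4 changed, no stub

SAMPLE_EXPORTS = [
    ("Clean",    FUNC_VA, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    ("Hooked",   FUNC_VA, CLEAN_PROLOGUE, JMP_HOOKED),
    ("PushRet",  FUNC_VA, CLEAN_PROLOGUE, PUSH_RET_HOOKED),
    ("MovRax",   FUNC_VA, CLEAN_PROLOGUE, MOV_RAX_HOOKED),
    ("Patched",  FUNC_VA, CLEAN_PROLOGUE, NUMBER_PATCHED),
]

if __name__ == "__main__":
    for r in scan_exports(SAMPLE_EXPORTS):
        tgt = f"{r.target:#x}" if r.target is not None else "?"
        print(f"{r.function:<8} {r.kind:<16} +{r.first_diff} -> {tgt}")
```

The "restore" half of the tool is simply writing `on_disk` back over `in_memory` at `va` for each flagged export, which is why step 8 can terminate the process: if the protector re-verifies its own hooks, it notices the clean bytes. The `unknown_patch` case matters for the same reason, since a one-byte change to a syscall number is not a trampoline but still indicates the export is no longer what the file on disk says it is.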
Credits & References:
Rohitab: for making API Monitor a great tool.
XueTr: for making PC Hunter free.