ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.
Debugger Hiding:
- PEB - BeingDebugged, NtGlobalFlag, Heap Flags
- NtSetInformationThread - ThreadHideFromDebugger
- NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
- NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation, ProcessBreakOnTermination, ProcessHandleTracing
- NtSetInformationProcess - ProcessBreakOnTermination, ProcessHandleTracing
- NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
- NtYieldExecution
- NtSetDebugFilterState
- NtUserBuildHwndList - EnumWindows
- NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W
- NtUserQueryWindow
- NtClose
- NtCreateThreadEx
- BlockInput
- Remove Debug Privileges
- OutputDebugStringA - OutputDebugStringW
Timing Hooks:
- GetTickCount
- GetTickCount64
- GetLocalTime
- GetSystemTime
- NtQuerySystemTimeHook
- NtQueryPerformanceCounter
Special functions:
- Prevent Thread creation - for protectors like Execryptor. Only use if you know what you are doing !
- Malware RUNPE Unpacker - Hooks NtResumeThread and terminates + dumps the process created by malware
Protecting and Stealthing DRx (Hardware Breakpoints):
- NtGetContextThread
- NtSetContextThread
- KiUserExceptionDispatcher (only x86)
- NtContinue (only x86)
Hooks:
- Stealth hooks for 32-bit targets (Tested against Themida/VMProtect)
Recommended Comments
Create an account or sign in to comment