Schnappi, Posted October 17, 2014

Hello,

I have stumbled on an application I would like to debug. Since it's a 64-bit app, OllyDbg is already out of the picture, so I thought I could use x64_dbg. When I try to attach to that process it starts loading all modules and then I get "Terminated: debugging stopped". I tried to play around with ScyllaHide to the point I enabled all options -> didn't help at all. Tried TitanHide -> nope. I also tried to suspend the process first, but it still terminates on attach.

It also shows weird behavior when using Cheat Engine's debugger -> when I set a breakpoint the application crashes with a single-step or maybe breakpoint exception (don't remember, but I can eventually check again). So that would seem like the app always tries to handle breakpoints on its own (Cheat Engine didn't even fire up).

What's wrong? What can I do?

Thank you for your help.

Encrypto, Posted October 17, 2014

Perhaps try using WinDbg? It could list some new information or at least indicate why x64_dbg isn't functioning as intended.

Schnappi, Posted October 17, 2014

Seems like WinDbg closes the process too. As I have no idea how to work with WinDbg I can't really pull much information out of it.

mrexodia, Posted October 17, 2014

Hi,

Take a look at this blog, maybe your target hooks certain system APIs that get called when a debugger is attached.

http://waleedassar.blogspot.nl/2011/12/debuggers-anti-attaching-techniques.html

Greetings

Schnappi, Posted October 18, 2014

Thanks for the tip. Checked memory of DbgUiRemoteBreakin and it indeed seems to be modified. I kinda thought all this stuff is fixed by ScyllaHide etc. Anyways, I tried to restore the bytes but it seems like the app writes the hook like every 0.2s or something. Tried Cheat Engine's "Find out what writes to this address" and it caused a single-step exception again. Well, I'm gonna sleep on it and see if I can do something about this tricky process tomorrow.

Aguila, Posted October 18, 2014

ScyllaHide doesn't support Anti-Anti-Attach for x64 targets at the moment.

Changelog for v1.1: Added kill anti-attach (for x86 only)

Schnappi, Posted October 18, 2014

Alright, I got it working. What I did: suspend process, restore modified instructions, attach debugger, resume process.

Aguila, Posted October 18, 2014

Can you share the target? Some anti-cheat system?

Schnappi, Posted October 18, 2014

Well there wasn't any other protection on the target I have noticed after the anti-attach. I haven't spent much time on it yet, so I can't tell, but general debugging seems to be working fine. Debugging also seems to be working even without ScyllaHide -> which introduced some bugs (like cannot pause process) so I disabled it. Target is a game and it's quite large so I doubt you would like to buy/download it just to see the protection.

There is a loop like:

do
    Sleep(200)
    VirtualProtect(some functions)
    Overwrite
    VirtualProtect(some functions, oldProt)
while(some_expression)

I just inject my dll, that changes the loop to

do
    Sleep(200)
    NOPS
while(some_expression)

and then restores the bytes of NTDLL functions and then I attach.

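The check described in the thread (comparing an ntdll export such as DbgUiRemoteBreakin in memory against the copy on disk) can be scripted. The following is an added example, not code from any poster or from x64_dbg/ScyllaHide; it assumes the first 16 bytes of the export have already been read from ntdll.dll on disk and from the process (for instance via a debugger memory dump or ReadProcessMemory), and all byte strings and addresses in it are constructed sample data.

```python
import struct

def diff_runs(clean: bytes, live: bytes):
    """Return (offset, length) runs where the in-memory bytes differ from disk."""
    runs, start = [], None
    n = min(len(clean), len(live))
    for i in range(n + 1):
        differs = i < n and clean[i] != live[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, i - start))
            start = None
    return runs

def classify_entry(live: bytes, va: int):
    """Decode common x64 redirect stubs placed at a function's first byte."""
    if len(live) >= 5 and live[0] == 0xE9:                           # jmp rel32
        rel, = struct.unpack_from("<i", live, 1)
        return "jmp rel32", (va + 5 + rel) & (2**64 - 1)
    if len(live) >= 14 and live[:6] == b"\xFF\x25\x00\x00\x00\x00":  # jmp [rip+0]; dq target
        return "jmp [rip+0]", struct.unpack_from("<Q", live, 6)[0]
    if len(live) >= 12 and live[:2] == b"\x48\xB8" and live[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", live, 2)[0]
    if live[:1] in (b"\xC3", b"\xC2"):                               # immediate return
        return "ret", None
    return "unrecognised patch", None

def check_export(name: str, va: int, clean: bytes, live: bytes):
    """Report whether an export's prologue was patched and where it now leads."""
    runs = diff_runs(clean, live)
    if not runs:
        return {"name": name, "modified": False}
    # Only decode a stub when the change begins within the first two bytes.
    kind, target = classify_entry(live, va) if runs[0][0] <= 1 else ("patch not at entry", None)
    return {"name": name, "modified": True, "runs": runs, "kind": kind, "target": target}

# Constructed sample data: NOT real ntdll bytes or addresses.
VA, ELSEWHERE = 0x7FFA10000000, 0x7FFA0F000000
CLEAN = bytes.fromhex("4883ec2865488b042530000000909090")
HOOKED = b"\xE9" + struct.pack("<i", ELSEWHERE - (VA + 5)) + CLEAN[5:]

if __name__ == "__main__":
    for live in (CLEAN, HOOKED):
        print(check_export("DbgUiRemoteBreakin", VA, CLEAN, live))
```

Because the target in this thread rewrites its patch roughly every 200 ms, a single clean reading does not prove the function stays clean; repeat the comparison over several samples.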