Closed ghost closed 7 years ago
Okay. If this isn't fixed "upstream" I want to fix this. Is it not fixed upstream yet? Do you know how to create a coredump? Well then email it to me. I will be back in the EU at the beginning of December.
1) When ScyllaHide was good, it dumped this ;D! Notice, 3 functions with errors!
2) Scylla is having problems when esp is used. As I can see, something like with (xchg)?
Note: But as I can see now, Scylla keeps maintaining your performance.
Keeping on :
Now it is hard to attach a debugger. Yesterday I was using 0.7c and noticed that not only Scylla was having problems attaching, but ImpREC too. OllyDbg attaches easily, but when attached, I don't know, it uses RtlExitUserThread.
In debugger: Well, I guess the main DLL is using the RtlEUT API when a debugger is detected. Making me think it's under some filter. RtlUnwind, I was thinking.
Note 2: When I hook using OllyDbg, I can't see the module list when pressing CTRL+G. It's empty. Yet using the Scylla DLL. ^^ Only threads, :o And checking this "c" output, I can't see the use of InterlockedExchange. Moving esp to a register is hard, huh!
Note 3 (Important): Scylla can hook the program when started, the first time, and it hooks, but IS DETACHED! I believe the code self-modifies. The second time, we can't hook; it returns an error on the process handle. If I close my Scylla and open it again, I can hook the process, but it's detached immediately! And well, Scylla also can't return the module list. Why? OllyDbg told me: pointer to handler. Well, it's very crazy!
https://github.com/k0keoyo/try_exploit/tree/master/HEVD_Win10%26Win8/Stop_by_win8 (sorry, not useful)
I don't understand. After searching so much! I hope this can help.
PS: @nihilus finally I understood what's happening! ->
1) Scylla can't attach until we manually stop the process (well, NtOpenProcess is returning C0000022 -> STATUS_ACCESS_DENIED).
2) If we do it, it can dump, but we go down with the 'trap flag'; now I see why my dump is full of shellcode and emitted code!
3) Now I understand why it's crashing when I click IAT auto search! ^^ But no way to circumvent it. I don't have the knowledge.
4) It's a specific characteristic of a heuristic and recent Themida version!
Thanks for Scylla! Tests performed on @Scylla v0.9.7.c; you can close this thread.
My last research: http://www.textfiles.com/virus/adebgtut.txt
Well. Only recently I noticed some changes in a file (game). The interesting thing is that when you select it and search for the modules, it says that the process was not found. I can post some photos... I'm high now, but yeah, it used to be the best tool in the world until I was trapped. Help, master. What I can do is stop the process to make it readable; then I can dump almost all of the code. A long time ago I did the same thing and it wasn't detected. Worked like a charm. But now the process looks like it is unlinked from memory... detached... I'm sure that this could give Scylla more power. Could you understand what kind of trap this is?