x64dbg / ScyllaHide

Advanced usermode anti-anti-debugger. Forked from https://bitbucket.org/NtQuery/scyllahide
GNU General Public License v3.0

Fix PEBHider. WindowFlags |= 0x400. #128

Closed Steesha closed 3 years ago

Steesha commented 3 years ago

When Windows Explorer runs the application, it'll set PEB.ProcessParameters.WindowFlags |= 0x400. But ScyllaHide just sets it to 0x1. So programs can check it and find the debugger.

Mattiwatti commented 3 years ago

> When Windows Explorer runs the application, it'll set PEB.ProcessParameters.WindowFlags |= 0x400.

No, it doesn't. explorer.exe sets WindowFlags to 0x1 on every version of Windows I've tried, and this goes for all images regardless of whether they have a console or GUI subsystem type. See also #99 where this was originally reported and fixed.

If you can show me the condition that will make explorer.exe append 0x400 to the window flags, this PR can be merged assuming the ORing with 0x400 only happens when this condition applies. But currently it is simply incorrect.

Steesha commented 3 years ago

AntiDebug.zip OK, you can try this program. It reads the PEB WindowFlags to check for a debugger.

Mattiwatti commented 3 years ago

You must have misunderstood me when I said

> If you can show me the condition that will make explorer.exe append 0x400 to the window flags, [...]

A satisfactory response for example would be any of the following:

A. A description of said condition so that I can reproduce it myself.
B. Source code of a program that shows (WindowFlags & 0x400) != 0 when compiled and run.
C. A comment to the extent of "oops, looks like I was wrong" followed by closing the PR.

A satisfactory response is NOT:

D. Posting a VMProtected executable that supposedly proves your claim, with no further explanation or source code other than "it reads the window flags from the PEB" (uh yes, I would hope so, given that that's what you claim ScyllaHide is changing incorrectly?).

Because I have neither the time nor the inclination to prove that your file isn't malware, I've simply removed it. FWIW, I ran it in an isolated VM and it crashed. So whatever it is did nothing to help your claim either way.

Steesha commented 3 years ago

A. It sets the window flags OR 0x400 when Subsystem (in the Optional Header) is 2 (WINDOWS_GUI). You can write a program, set subsystem=2, run it, and use a debugger to attach to it. (I'm sorry for uploading a VMProtected program that was written by someone else.) My PR is not complete for this solution, so when you see and solve it, close the PR.

Mattiwatti commented 3 years ago

Thanks for the clarification. Unfortunately I already tried this as it was the most likely explanation, but I could not reproduce the added 0x400 (on multiple machines). There must be some additional factor at play for this to happen.
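As an added example (not code from either participant, nor from ScyllaHide itself), the kind of program option B above asks for: on Windows it reads PEB.ProcessParameters.WindowFlags of its own process and reports whether the 0x400 bit is set, so the value can be compared when launched from explorer.exe, under a debugger, and with PEBHider active; the classification is kept portable so the logic compiles and is testable elsewhere. It assumes the RTL_USER_PROCESS_PARAMETERS layout from public ntdll symbols (WindowFlags at 0xA4 on x64, 0x68 on x86), since winternl.h does not expose the field by name.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

#define WF_USESHOWWINDOW 0x1u   /* STARTF_USESHOWWINDOW: the value PEBHider writes */
#define WF_DISPUTED_BIT  0x400u /* the bit this PR wants ORed in */

typedef enum {
    WF_BIT_0x400_SET,      /* 0x400 present, as the PR says explorer.exe sets */
    WF_ONLY_USESHOWWINDOW, /* exactly 0x1, what PEBHider currently writes */
    WF_OTHER
} wf_verdict;

/* Portable classification of a WindowFlags value, so the logic is testable off Windows. */
wf_verdict classify_window_flags(uint32_t flags)
{
    if (flags & WF_DISPUTED_BIT)
        return WF_BIT_0x400_SET;
    if (flags == WF_USESHOWWINDOW)
        return WF_ONLY_USESHOWWINDOW;
    return WF_OTHER;
}

#ifdef _WIN32
/* winternl.h hides WindowFlags behind Reserved arrays, so it is read at its offset in
 * RTL_USER_PROCESS_PARAMETERS per public ntdll symbols (assumed: 0xA4 x64, 0x68 x86). */
uint32_t read_peb_window_flags(void)
{
    const unsigned char *pp =
        (const unsigned char *)NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters;
#ifdef _WIN64
    return *(const uint32_t *)(pp + 0xA4);
#else
    return *(const uint32_t *)(pp + 0x68);
#endif
}
#endif

int main(void)
{
#ifdef _WIN32
    uint32_t flags = read_peb_window_flags();
    printf("WindowFlags=0x%08X verdict=%d (0: 0x400 set, 1: only 0x1, 2: other)\n",
           (unsigned)flags, (int)classify_window_flags(flags));
#endif
    return 0;
}
```

To test Steesha's stated condition, link the image with the GUI subsystem (subsystem 2, e.g. /SUBSYSTEM:WINDOWS with MSVC) and redirect or attach a console to see the output; comparing the printed value across launch methods is what settles the claim.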