x64dbg / ScyllaHide

Advanced usermode anti-anti-debugger. Forked from https://bitbucket.org/NtQuery/scyllahide
GNU General Public License v3.0

DbgUiRemoteBreakin not restored #135

Open lupier opened 2 years ago

lupier commented 2 years ago

DbgUiRemoteBreakin does not recover even if the kill anti-attach option is enabled. API still hooked by protection > GetCurrentProcess > TerminateProcess.

mrexodia commented 2 years ago

It doesn't matter because the latest x64dbg doesn't execute this function on attach anymore.

lupier commented 2 years ago

I don't think so. When I switch from a running x64dbg process to an ida64 process with the ollymigrate plugin, this API was called and > failure. So, where can I solve the problem: in the IDA Pro attachment code, in the Scylla plugin or in the ollymigrate plugin? P.S. When I manually restore the API (remove the hook), all works as expected.

mrexodia commented 2 years ago

I don't know what other debuggers are doing. Likely the process has a thread running that keeps overwriting the bytes, so just nop that?

lupier commented 2 years ago

The hook on the function is established by the protection once at the start and does not change anything else there. For me, there is no problem with scripting to restore the code and not worry about anything at all. I only created an error issue because I thought the anti-attach checkbox covered all the options + DbgUiRemoteBreakin. If this is not a bug but a feature, then I no longer have questions about this API. Regards

mrexodia commented 2 years ago

Nah, don't get me wrong, it's probably a bug. I was just trying to understand why it matters since x64dbg doesn't execute that function :)

lupier commented 2 years ago

My work chain: x64dbg > Ollymigrate plugin > IDA64. IDA64 failed at this API. This API is used by IDA Pro when trying to get a migrating process. Perhaps we misunderstood each other a little. For me, the question is not whether the API is used in x64dbg, but that ScyllaHide does not remove the protection's hook from the API, and the API is not some random one like Beep from kernel32, but a function that is described in some anti-debugging research. The logic is: the API is used in anti-debugging, so why is it ignored with anti-attach? And the fact that Scylla connects to the process differently is great, except that the standard attachment of another debugger to the process will lead to termination of the process.

mrexodia commented 2 years ago

There is no misunderstanding at all. I agree with you that this should work, here is the relevant code for you to debug why it's not working for you: https://github.com/x64dbg/ScyllaHide/blob/2276f1477132e99c96f31552bce7b4d2925fb918/PluginGeneric/Injector.cpp#L720

lupier commented 2 years ago

Ok, what I found: 1) in many places in the whole plugin the BOOL result of WriteProcessMemory calls is not checked; 2) the ApplyAntiAntiAttach function is never fully executed, since the checks carried out in the function prologue in the compiled dp32 binary do not allow branching even to the OpenProcess > GetModuleHandleW > GetProcAddress > VirtualProtectEx etc. sequence. P.S. Not sure (I'm not familiar with C++), but maybe the problem is here: https://github.com/x64dbg/ScyllaHide/blob/2276f1477132e99c96f31552bce7b4d2925fb918/PluginGeneric/Injector.cpp#L692-L699

lupier commented 2 years ago

Any progress on this bug?

Mattiwatti commented 2 years ago

Not really I'm afraid, I remember running into this myself in the past (this was ages ago) and making an attempt to fix it, but as you can see I never did. From what I recall the code related to this was (still is) simply doing all kinds of things it really has no business doing, and the entire 'kill anti-attach' functionality should just be rewritten from scratch in order for it to be properly fixed or fixable.

I may have time to look into this again later this week, but don't hold your breath.