x64dbg / ScyllaHide

Advanced usermode anti-anti-debugger. Forked from https://bitbucket.org/NtQuery/scyllahide
GNU General Public License v3.0

What's different when I attach a process in two different ways? #76

Closed stonedreamforest closed 5 years ago

stonedreamforest commented 5 years ago

The process works fine.

The process will crash.

download file(themida protector): http://s000.tinyupload.com/index.php?file_id=05571394152688296504

PWD:123

CurrentProfile=Themida x86

Mattiwatti commented 5 years ago

> The process will crash.

No, the process merely calls ExitProcess because it detected a debugger.

Why does the process detect a debugger? Because WinDbg sets PEB->BeingDebugged after attaching. You can verify this by doing the following:

  1. Make a copy of InjectorCLIx86.exe (I'll name this PEBCLIx86.exe here for clarity) and put it in another folder together with a new scylla_hide.ini that contains only a profile named "Basic" that has the following options enabled:
     PebBeingDebugged=1
     PebHeapFlags=1
     PebNtGlobalFlag=1
     PebStartupInfo=1
     The rest must be disabled so that no DLL will be injected. (You need a recent version of ScyllaHide for this, I only added this functionality a few days ago.)
  2. Launch ConsoleApplication1.exe.
  3. Run InjectorCLIx86.exe ConsoleApplication1.exe HookLibraryX86.dll.
  4. Start WinDbg and attach to ConsoleApplication1.exe.
  5. While at the attach breakpoint, run the PEBCLIx86.exe you copied.
  6. Type g in WinDbg and the program will work.

If you omit step 5, the process will exit because WinDbg has set the BeingDebugged flag in the PEB and the program reads it. Note that x64dbg sets the PEB flag too, but because you have the x64dbg ScyllaHide plugin this is fixed automatically on attach.

Running the CLI twice is not actually necessary to get ScyllaHide to work with WinDbg, as long as you run the injector at the attach breakpoint. Is there something that requires you to run the CLI injector prematurely? Think about it: you are installing a debugger hider when there isn't even a debugger yet.

This is not a bug in the CLI injector because it does not have access to debug events like debugger plugins do and thus can't be notified of a process attach (besides, the CLI is stateless, it does not wait for events).
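As an added example (not ScyllaHide's own code), a small Python helper that writes the PEB-only "Basic" profile described in the steps above and checks that nothing else in it is enabled, so that running the CLI injector at the attach breakpoint patches the PEB flags without injecting a hook library. The [SETTINGS]/CurrentProfile layout and the one-section-per-profile layout are assumptions about the scylla_hide.ini format, and ExampleHookOption is a constructed option name.

```python
# Added example, not ScyllaHide's own code. Assumed ini layout: a [SETTINGS]
# section holding CurrentProfile, and one section per profile name.
import configparser

# The four PEB fixes from the comment above; these need no DLL injection.
PEB_FIXES = ("PebBeingDebugged", "PebHeapFlags", "PebNtGlobalFlag", "PebStartupInfo")


def build_peb_only_ini(profile="Basic", other_options=()):
    """Return scylla_hide.ini text in which only the four PEB fixes are enabled.

    other_options: names of hook/injection options to write explicitly as 0,
    so the file documents that they are intentionally off.
    """
    lines = ["[SETTINGS]", f"CurrentProfile={profile}", "", f"[{profile}]"]
    lines += [f"{key}=1" for key in PEB_FIXES]
    lines += [f"{key}=0" for key in other_options]
    return "\n".join(lines) + "\n"


def enabled_non_peb_options(ini_text):
    """Return options in the current profile that are enabled but are not PEB fixes.

    Any such option would make the injector load a hook library into the target,
    which is exactly what must not happen when the copied CLI is run at WinDbg's
    attach breakpoint (the real hooks are installed by the first injector run).
    """
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(ini_text)
    profile = cp["SETTINGS"]["CurrentProfile"]
    return sorted(key for key, value in cp[profile].items()
                  if value.strip() == "1" and key not in PEB_FIXES)


def is_peb_only_profile(ini_text):
    """True when the current profile enables nothing beyond the PEB fixes."""
    return not enabled_non_peb_options(ini_text)


if __name__ == "__main__":
    ini = build_peb_only_ini(other_options=("ExampleHookOption",))
    print(ini)
    print("PEB-only profile:", is_peb_only_profile(ini))
```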

stonedreamforest commented 5 years ago

This works fine!