Closed stonedreamforest closed 5 years ago
The process will crash.
No, the process merely calls ExitProcess because it detected a debugger.
Why does the process detect a debugger? Because WinDbg sets PEB->BeingDebugged after attaching. You can verify this by doing the following:
1. Take InjectorCLIx86.exe (I'll name this PEBCLIx86.exe here for clarity) and put it in another folder together with a new scylla_hide.ini that contains only a profile named "Basic" that has the following options enabled:

   PebBeingDebugged=1
   PebHeapFlags=1
   PebNtGlobalFlag=1
   PebStartupInfo=1

   The rest must be disabled so that no DLL will be injected. (You need a recent version of ScyllaHide for this, I only added this functionality a few days ago.)
2. Start ConsoleApplication1.exe.
3. Run InjectorCLIx86.exe ConsoleApplication1.exe HookLibraryX86.dll.
4. Attach to ConsoleApplication1.exe in WinDbg.
5. Run the PEBCLIx86.exe you copied.
6. Press g in WinDbg and the program will work.

If you omit step 5, the process will exit because WinDbg has set the BeingDebugged flag in the PEB and the program reads it. Note that x64dbg sets the PEB flag too, but because you have the x64dbg ScyllaHide plugin this is fixed automatically on attach.
Running the CLI twice is not actually necessary to get ScyllaHide to work with WinDbg, as long as you run the injector at the attach breakpoint. Is there something that requires you to run the CLI injector prematurely? Think about it: you are installing a debugger hider when there isn't even a debugger yet.
This is not a bug in the CLI injector because it does not have access to debug events like debugger plugins do and thus can't be notified of a process attach (besides, the CLI is stateless, it does not wait for events).
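The Peb* options in that profile correspond to the PEB fields an anti-debug check reads. The program below is an added example written for this page, not ScyllaHide's own code: it models those fields in a small `peb_view` struct (a constructed view of four fields, not the real PEB layout), shows what a check sees after a plain attach (only BeingDebugged flips, which is the WinDbg case above) versus a process created by the debugger (NtGlobalFlag and the process heap's Flags/ForceFlags are set too), and what clearing them amounts to. The two scenario functions are constructed for illustration; the raw PEB and _HEAP offsets in the Windows-only `peb_live()` are the Vista-and-later x86/x64 values, and that function is an assumption about layout rather than anything from the page.

```c
/* Added example, not ScyllaHide's code: the PEB "tells" a debugger leaves behind
 * and what clearing them amounts to. peb_view is a constructed model of the four
 * fields the checks use, not the real PEB/_HEAP layout. */
#include <stdint.h>
#include <stdio.h>

/* Documented Windows flag values. */
#define FLG_HEAP_ENABLE_TAIL_CHECK       0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK       0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS     0x40u
#define NTGLOBALFLAG_DEBUG_TELLS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                                  FLG_HEAP_ENABLE_FREE_CHECK | \
                                  FLG_HEAP_VALIDATE_PARAMETERS)

#define HEAP_GROWABLE                    0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED       0x00000020u
#define HEAP_FREE_CHECKING_ENABLED       0x00000040u
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000u
#define HEAP_DEBUG_TELLS (HEAP_TAIL_CHECKING_ENABLED | \
                          HEAP_FREE_CHECKING_ENABLED | \
                          HEAP_VALIDATE_PARAMETERS_ENABLED)

typedef struct {
    uint8_t  BeingDebugged;   /* PEB+0x02 on both x86 and x64 */
    uint32_t NtGlobalFlag;    /* PEB+0x68 (x86) / PEB+0xBC (x64) */
    uint32_t HeapFlags;       /* ProcessHeap->Flags */
    uint32_t HeapForceFlags;  /* ProcessHeap->ForceFlags */
} peb_view;

enum { TELL_BEING_DEBUGGED = 1, TELL_NTGLOBALFLAG = 2, TELL_HEAP = 4 };

/* What a protected program's check sees: a bitmask of the tells present. */
unsigned debugger_tells(const peb_view *p)
{
    unsigned tells = 0;
    if (p->BeingDebugged)
        tells |= TELL_BEING_DEBUGGED;
    if (p->NtGlobalFlag & NTGLOBALFLAG_DEBUG_TELLS)
        tells |= TELL_NTGLOBALFLAG;
    /* A normal process heap has only HEAP_GROWABLE set and ForceFlags == 0. */
    if ((p->HeapFlags & ~HEAP_GROWABLE) || p->HeapForceFlags)
        tells |= TELL_HEAP;
    return tells;
}

/* The effect of PebBeingDebugged/PebNtGlobalFlag/PebHeapFlags: put back the
 * values a process that is not being debugged would have. */
void clear_peb_tells(peb_view *p)
{
    p->BeingDebugged  = 0;
    p->NtGlobalFlag  &= ~NTGLOBALFLAG_DEBUG_TELLS;
    p->HeapFlags      = HEAP_GROWABLE;
    p->HeapForceFlags = 0;
}

/* Constructed scenario: a debugger attached to an already running process.
 * Only BeingDebugged is flipped; the heap was created without debug flags. */
peb_view peb_after_attach(void)
{
    peb_view p = { 1, 0, HEAP_GROWABLE, 0 };
    return p;
}

/* Constructed scenario: the process was created by the debugger, so the
 * loader also set NtGlobalFlag and the process heap picked up the debug flags. */
peb_view peb_created_under_debugger(void)
{
    peb_view p = { 1, NTGLOBALFLAG_DEBUG_TELLS,
                   HEAP_GROWABLE | HEAP_DEBUG_TELLS, HEAP_DEBUG_TELLS };
    return p;
}

#ifdef _WIN32
#include <windows.h>
/* Read the live values from this process's own PEB using raw offsets
 * (assumed Vista-and-later layout; TEB+0x30 / TEB+0x60 holds the PEB pointer). */
peb_view peb_live(void)
{
    peb_view v;
    uint8_t *teb = (uint8_t *)NtCurrentTeb();
#ifdef _WIN64
    uint8_t *peb  = *(uint8_t **)(teb + 0x60);
    uint8_t *heap = *(uint8_t **)(peb + 0x30);
    v.NtGlobalFlag   = *(uint32_t *)(peb + 0xBC);
    v.HeapFlags      = *(uint32_t *)(heap + 0x70);
    v.HeapForceFlags = *(uint32_t *)(heap + 0x74);
#else
    uint8_t *peb  = *(uint8_t **)(teb + 0x30);
    uint8_t *heap = *(uint8_t **)(peb + 0x18);
    v.NtGlobalFlag   = *(uint32_t *)(peb + 0x68);
    v.HeapFlags      = *(uint32_t *)(heap + 0x40);
    v.HeapForceFlags = *(uint32_t *)(heap + 0x44);
#endif
    v.BeingDebugged = peb[2];
    return v;
}
#endif

int main(void)
{
    peb_view a = peb_after_attach();
    peb_view c = peb_created_under_debugger();
    printf("after attach: tells=0x%x\n", debugger_tells(&a));
    printf("created under debugger: tells=0x%x\n", debugger_tells(&c));
    clear_peb_tells(&c);
    printf("after clearing: tells=0x%x\n", debugger_tells(&c));
#ifdef _WIN32
    peb_view l = peb_live();
    printf("this process: BeingDebugged=%u NtGlobalFlag=0x%x HeapFlags=0x%x "
           "ForceFlags=0x%x tells=0x%x\n", (unsigned)l.BeingDebugged,
           (unsigned)l.NtGlobalFlag, (unsigned)l.HeapFlags,
           (unsigned)l.HeapForceFlags, debugger_tells(&l));
#endif
    return 0;
}
```

Run it once normally and once under WinDbg (attach, then `g`) to see BeingDebugged flip on its own; start it from the debugger instead and the NtGlobalFlag and heap tells appear as well, which is why the profile enables all three Peb* flag options and not just PebBeingDebugged.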
This works fine!
The process works fine.
The process will crash.
Download file (themida protector): http://s000.tinyupload.com/index.php?file_id=05571394152688296504 PWD: 123
CurrentProfile=Themida x86