Open: anywhereyang opened 4 years ago
Can you attach a sample (preferably non-malware) that shows such behaviour?
I looked at dnSpy briefly and it seems like a standalone program to me. It may be possible to recompile it as a library, but the bigger problem is it being written in .NET. You can call into native code from .NET, but the other way around (C code calling into .NET) is going to be a lot more difficult. I'm not sure I fully understand what you are proposing however, so please clarify if I have the wrong idea here.
Some protectors (such as vmp) use win32 programs to dynamically execute .NET code. In this case, we should use dnSpy to debug or dump the .NET code, but the protector has anti-debugging and dnSpy's anti-anti-debug is not powerful, so dnSpy cannot attach to the protected program.
For some reason I cannot provide a protected program.
dnSpy is a .NET debugger and is open source. If you provide a plugin for dnSpy, and call C code in the plugin to do anti-anti-debug, then this problem can be solved.
What I want to express is "provide a plug-in for dnSpy to make it anti-anti-debugging".
@Mattiwatti He means some malware uses an API called IsDebuggerPresent to detect debuggers, and this malware will probably not run in dnSpy. Thus we can't see the malware code in dnSpy.
So he wants you to make the same plugin for dnSpy, like ScyllaHide is for x64dbg.
So that anyone can enjoy ScyllaHide in dnSpy as well.
You can use InjectorCLI @graysuit and just inject the ScyllaHide DLL.
Inject the ScyllaHide DLL into what? dnSpy?
No, into the program you are debugging.
@mrexodia Thanks, I will try it. I have sent an email, please check.
@mrexodia
If ScyllaHide is injected into dnSpy only, dnSpy does not work well, because dnSpy calls IsDebuggerPresent for debugging.
Some protectors (for example vmp) use a win32 program to dynamically execute .NET code, so we should use dnSpy to debug or dump the .NET code in this case, but dnSpy's antidebug is not strong!