[plugin] ScyllaHideCE

reverser69
Expert Cheater
Posts: 121
Joined: Wed Dec 27, 2017 2:40 pm
Reputation: 64

[plugin] ScyllaHideCE

Post by reverser69 »

hi all

cheat engine is really stealthy in kernel mode but we still can't start a process using CE debug modules except for windows debugger (AFAIK) and that is detected easily.
i wanted to debug a game from entry point in CE environment and i couldn't, so decided to port ScyllaHide.

i really appreciate any information on how "break on entry" could be implemented in DBVM debugger.

[Link]

Send
Expert Cheater
Posts: 838
Joined: Fri Feb 02, 2018 5:58 pm
Reputation: 602

Re: [plugin] ScyllaHideCE

Post by Send »

Works great, came in handy with Soulmask. Thanks!

Pandor
What is cheating?
Posts: 4
Joined: Wed Jul 31, 2024 1:36 pm
Reputation: 0

Re: [plugin] ScyllaHideCE

Post by Pandor »

For me it just crashes the target (any) the instant I attach the debugger with the plugin loaded.
not sure if related, but there is also this upstream bug report:

reverser69
Expert Cheater
Posts: 121
Joined: Wed Dec 27, 2017 2:40 pm
Reputation: 64

Re: [plugin] ScyllaHideCE

Post by reverser69 »

Pandor wrote:
Wed Jul 31, 2024 1:37 pm
For me it just crashes the target (any) the instant I attach the debugger with the plugin loaded.
not sure if related, but there is also this upstream bug report:

As you said "any target" there's absolutely something wrong with your setting because the comment above you says he is using the plugin.
i recommend, tell CE to break on exceptions and uncheck all options in ScyllaHideCE window.
also try it with both "windows debugger" and "VEH debugger". overall, i need some leads on the matter to debug the issue.
i also read the issue on GitHub. i would appreciate if SunBeam tests the plugin with that game.

SunBeam
Administration
Posts: 4932
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 4630

Re: [plugin] ScyllaHideCE

Post by SunBeam »

Some of the people testing this don't have the modicum of knowledge when it comes to understanding the PE file framework. They just test it out of the box without taking a single look at the exe: is it packed, protected, which protection, etc. They just test and go "working" or "not working". I bet very few of them have ever gotten rid of the SteamStub on a regular non-protected Steam game. Then they try to debug the game and it crashes their ass. Not to mention those who never check the debugger type in CE. "Windows Debugger" option will crash you 90% of the time.

I don't have Soulmask game. But like I said, look at the exe. If it has SteamStub use Steamless to get a clean exe. You then don't need any plugin. If it has something else, identify the protection (e.g.: for Themida there are several things you can do even without this plugin).

And lastly, "I tried it on my game and it crashes" equals 0 without specifying the game name so others too can test. I usually ignore such posts: if they didn't think of or had the time to mention that aspect, why should I waste my time pulling out their tongue? Nope, pass, enjoy your lives.

Pandor
What is cheating?
Posts: 4
Joined: Wed Jul 31, 2024 1:36 pm
Reputation: 0

Re: [plugin] ScyllaHideCE

Post by Pandor »

reverser69 wrote:
Wed Aug 14, 2024 10:46 pm
Pandor wrote:
Wed Jul 31, 2024 1:37 pm
For me it just crashes the target (any) the instant I attach the debugger with the plugin loaded.
not sure if related, but there is also this upstream bug report:

As you said "any target" there's absolutely something wrong with your setting because the comment above you says he is using the plugin.
i recommend, tell CE to break on exceptions and uncheck all options in ScyllaHideCE window.
also try it with both "windows debugger" and "VEH debugger". overall, i need some leads on the matter to debug the issue.
i also read the issue on GitHub. i would appreciate if SunBeam tests the plugin with that game.

Sorry about the late reply and the minimum of information.
I tried the plugin on a heavily modified (undetected) CE, and an out-of-the-box CE 7.5 running as admin, windows 11 23h2 (22635.4010) (everything in core isolation turned off).

The following jumps out in the log file:

2024.08.22 10:49:16 DEBUG: ApplyUserHook -> Hooking NtUserBlockInput
2024.08.22 10:49:16 DEBUG: ApplyUserHook -> Hooking NtUserFindWindowEx
2024.08.22 10:49:16 DEBUG: ApplyUserHook -> Hooking NtUserBuildHwndList
2024.08.22 10:49:16 DEBUG: ApplyUserHook -> Hooking NtUserQueryWindow
2024.08.22 10:49:16 DEBUG: ApplyUserHook -> Hooking NtUserGetForegroundWindow
2024.08.22 10:49:16 INFO: Hook injection successful, image base 0000018F5B860000
2024.08.22 10:49:17 INFO: Loaded VA for NtUserBlockInput = 0x00007FF84ED98980
2024.08.22 10:49:17 INFO: Loaded VA for NtUserQueryWindow = 0x00007FF84ED91660
2024.08.22 10:49:17 INFO: Loaded VA for NtUserGetForegroundWindow = 0x00007FF84ED91B80
2024.08.22 10:49:17 INFO: Loaded VA for NtUserBuildHwndList = 0x00007FF84ED917E0
2024.08.22 10:49:17 INFO: Loaded VA for NtUserFindWindowEx = 0x00007FF84ED92180
2024.08.22 10:49:17 INFO: Loaded VA for NtUserGetClassName = 0x00007FF84ED92320
2024.08.22 10:49:17 INFO: Loaded VA for NtUserInternalGetWindowText = 0x00007FF84ED92040
2024.08.22 10:49:17 INFO: Loaded VA for NtUserGetThreadState = 0x00007FF84ED914A0
2024.08.22 10:49:17 DEBUG: ApplyNtdllHook -> _NtSetInformationThread 00007FF8511302D0 _NtQuerySystemInformation 00007FF8511307F0 _NtQueryInformationProcess 00007FF851130450 _NtSetInformationProcess 00007FF8511304B0 _NtQueryObject 00007FF851130330
2024.08.22 10:49:17 DEBUG: ApplyNtdllHook -> _NtYieldExecution 00007FF8511309F0 _NtGetContextThread 00007FF851132040 _NtSetContextThread 00007FF851133420 _KiUserExceptionDispatcher 00007FF8511341B0 _NtContinue 00007FF851130990
2024.08.22 10:49:17 DEBUG: ApplyNtdllHook -> _NtClose 00007FF851130310 _NtDuplicateObject 00007FF8511308B0 _NtSetDebugFilterState 00007FF851133440 _NtCreateThread 00007FF851130AF0 _NtCreateThreadEx 00007FF851131A00 _NtQuerySystemTime 00007FF851130C70 _NtQueryPerformanceCounter 00007FF851130750 _NtResumeThread 00007FF851130B70
2024.08.22 10:49:17 DEBUG: ApplyNtdllHook -> _NtOpenFile 00007FF851130790 _NtCreateSection 00007FF851130A70 _NtMapViewOfSection 00007FF851130630
2024.08.22 10:49:17 DEBUG: ApplyNtdllHook -> Hooking NtSetInformationThread
2024.08.22 10:49:22 ERROR: Failed to write hook dll data

The popup errors produced after attaching VEH debugger:
Error: NtSetInformationThread is already hooked!
Anti-Anti-Attach failed Access is denied.
and target process crashes.

This happens to any target, for example windows calc app.
Without the plugin loaded i can attach the VEH debugger no problem on an unprotected target.

*EDIT*
I set up a profile with all scyllahide settings disabled, and it attached without error.
It appears to be the NtSet and NtQuery hooks that are causing the issue in my case. Not sure why it would complain they are already hooked...
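
Added example (not part of the post above and not code from ScyllaHideCE): a small triage script for a log in the format quoted in that post, reporting for each ERROR line the last hook that was attempted before it and how long after that attempt the error was logged. The line layout and the "Apply...Hook -> Hooking <name>" pattern are assumptions inferred from the quoted lines, and the sample input is a constructed subset of them.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the log lines quoted in the post above.
SAMPLE_LOG = """\
2024.08.22 10:49:16 DEBUG: ApplyUserHook -> Hooking NtUserBlockInput
2024.08.22 10:49:16 DEBUG: ApplyUserHook -> Hooking NtUserQueryWindow
2024.08.22 10:49:16 INFO: Hook injection successful, image base 0000018F5B860000
2024.08.22 10:49:17 INFO: Loaded VA for NtUserBlockInput = 0x00007FF84ED98980
2024.08.22 10:49:17 DEBUG: ApplyNtdllHook -> Hooking NtSetInformationThread
2024.08.22 10:49:22 ERROR: Failed to write hook dll data
"""

# Line layout assumed from the sample: "<date> <time> <LEVEL>: <message>".
LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) ([A-Z]+): (.*)$")
# Hook attempts assumed to look like "ApplyXxxHook -> Hooking <function>".
HOOK_RE = re.compile(r"^(Apply\w+Hook) -> Hooking (\w+)$")

def triage(log_text):
    """Return one finding per ERROR line: the last hook attempted before it,
    the seconds elapsed since that attempt, and the hooks attempted earlier."""
    findings, attempted = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip wrapped or unrelated lines
        stamp = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
        level, message = m.group(2), m.group(3)
        hook = HOOK_RE.match(message)
        if hook:
            attempted.append((stamp, hook.group(1), hook.group(2)))
        elif level == "ERROR":
            last = attempted[-1] if attempted else None
            findings.append({
                "error": message,
                "stage": last[1] if last else None,
                "last_hook": last[2] if last else None,
                "seconds_after_hook": (stamp - last[0]).total_seconds() if last else None,
                "earlier_hooks": [name for _, _, name in attempted[:-1]],
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample, the single finding points at NtSetInformationThread in the ApplyNtdllHook stage, logged five seconds before the write error, with the NtUser hooks listed as attempted earlier.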

reverser69
Expert Cheater
Posts: 121
Joined: Wed Dec 27, 2017 2:40 pm
Reputation: 64

Re: [plugin] ScyllaHideCE

Post by reverser69 »

Pandor wrote:
Thu Aug 22, 2024 9:15 am

The popup errors produced after attaching VEH debugger:
Error: NtSetInformationThread is already hooked!
Anti-Anti-Attach failed Access is denied.
and target process crashes.

This happens to any target, for example windows calc app.
Without the plugin loaded i can attach the VEH debugger no problem on an unprotected target.

*EDIT*
I set up a profile with all scyllahide settings disabled, and it attached without error.
It appears to be the NtSet and NtQuery hooks that are causing the issue in my case. Not sure why it would complain they are already hooked...

that's more like it; more info.
so looked into the source code and there were some issues.
the main challenge is the PEB->isBeingDebugged flag which is used internally by windows debugger and i don't want to make the UI complex either.
i tried to fix things but there are sure some issues left.
i'll update the GitHub page as soon as i tidy up the code a little bit.

reverser69
Expert Cheater
Posts: 121
Joined: Wed Dec 27, 2017 2:40 pm
Reputation: 64

Re: [plugin] ScyllaHideCE

Post by reverser69 »

SunBeam wrote:
Sun Aug 18, 2024 9:25 am
...

And lastly, "I tried it on my game and it crashes" equals 0 without specifying the game name so others too can test. I usually ignore such posts: if they didn't think of or had the time to mention that aspect, why should I waste my time pulling out their tongue? Nope, pass, enjoy your lives.

i know what you are talking about and i don't expect you or any other member to change their perspective. but we must accept the fact that Cheat Engine attracts newcomers to the community and they are bound to act unprofessional. be it bug report, CE's UI, etc.
imagine you are playing a game, you just wanna have some more fun and Baaam, it's protected. that eagerness only makes you ask irrationally.
the mutual understanding between newcomers and veterans is the only way of growing this community.

reverser69
Expert Cheater
Posts: 121
Joined: Wed Dec 27, 2017 2:40 pm
Reputation: 64

Re: [plugin] ScyllaHideCE

Post by reverser69 »

updated the GitHub page.
tested it with several targets including al-khaser with no crash or freeze.

Pandor
What is cheating?
Posts: 4
Joined: Wed Jul 31, 2024 1:36 pm
Reputation: 0

Re: [plugin] ScyllaHideCE

Post by Pandor »

Thx for putting in the effort to look into it. Much appreciated. +rep added. :wink:

*EDIT:
after grabbing your latest build unfortunately my test subject (windows calc) now crashes each time i try to execute "find out what accesses this address". i just quickly scan for some changed values, after entering some numbers, pick a random address, and F5.

Previously it would spit out an error as mentioned before when either of the NTSet or NTQuery hooks were selected when attaching debugger.
Now i get no error, but instant crash of the target app (same scyllahideCE settings that worked before).

nothing in the log, and disabling all scyllahideCE hooks, again doesn't crash the target. So in my case, now the problem moved itself and i get no clues as to where it might happen. unless i try to add every hook one at a time, until i find the culprit.

*EDIT2:
tried it on some small random apps i found on my drive, and it seems to be related to one or more of the DRx Protection options. Disabling all DRx Protection options, no crashes. enabling all, instant crash of any target app i tried. before the update, i had these enabled by default, and didn't have a problem there. Not claiming i need the options, or know exactly what they do, as it does say "enable only if you need it". But since that didn't give me trouble before, i thought i'd let you know. Something might still be up.

reverser69
Expert Cheater
Posts: 121
Joined: Wed Dec 27, 2017 2:40 pm
Reputation: 64

Re: [plugin] ScyllaHideCE

Post by reverser69 »

i did a quick testing and i THINK it's because the VEH mechanism uses exceptions to break, and the KiUserExceptionDispatcher option also messes with that part. so disable that option when using VEH debugger module or select windows debugger. it seems to work fine with that option or hook KiUserExceptionDispatcher manually and implement some filters in asm if possible.

and you said it didn't cause error in last version. i think this option was not getting applied. as ScyllaHide suspends all threads before inject and resumes them afterwards, this behavior is not compatible with cheat engine; so i fixed it. soon as the option is applied, it is causing problems.

it's also possible that your target is playing tricks if any other option crashes your game. PM me if it's not a huge file to download.

Pandor
What is cheating?
Posts: 4
Joined: Wed Jul 31, 2024 1:36 pm
Reputation: 0

Re: [plugin] ScyllaHideCE

Post by Pandor »

There really is no specific game or app. i was just trying on some small random unprotected apps like windows calc, some small gui frontends i had on my desktop (enabling/disabling checkboxes, looking for changed memory offsets, and then see what accesses them), etc. Just as a quick test. no real RE work.

Changing to windows debugger does indeed work. So it's indeed related to VEH. i'll play around with your suggested fixes.
thanks again for your informative input and time. at least my rant got you to find some minor bugs, so it was not in vain. ;)

Finally got DBK and Titanhide driver working on my system thanks to EfiGuard 1.4, so i'm currently messing with that.
But always good to have options available. Appreciate your work.

reverser69
Expert Cheater
Posts: 121
Joined: Wed Dec 27, 2017 2:40 pm
Reputation: 64

Re: [plugin] ScyllaHideCE

Post by reverser69 »

Feedback with pinpointed information is always welcome.
Happy debugging out there.
