
DbgUiRemoteBreakin not restored #135

Open
lupier opened this issue Nov 23, 2021 · 10 comments

lupier commented Nov 23, 2021

DbgUiRemoteBreakin is not restored even if the kill anti-attach option is enabled.
The API is still hooked by the protection: GetCurrentProcess > TerminateProcess.
(Screenshot attached: Screenshot_103)

@mrexodia (Member)

It doesn't matter because the latest x64dbg doesn't execute this function on attach anymore.

lupier commented Nov 23, 2021

I don't think so. When I switch from a running x64dbg process to an ida64 process with the OllyMigrate plugin, this API is called and > failure.
So, where can I solve the problem: in the IDA Pro attachment code, in the Scylla plugin, or in the OllyMigrate plugin?
P.S. When I manually restore the API (remove the hook), all works as expected.

mrexodia commented Nov 23, 2021 via email

lupier commented Nov 23, 2021

The hook on the function is established by the protection once at the start, and nothing else changes there.
For me, there is no problem with scripting to restore the code and not worrying about anything at all. I only created an issue because I thought the anti-attach checkbox covered all the options + DbgUiRemoteBreakin.
If this is not a bug but a feature, then I have no further questions about this API.
Regards

mrexodia commented Nov 23, 2021 via email

lupier commented Nov 24, 2021

My work chain: x64dbg > OllyMigrate plugin > IDA64. IDA64 fails at this API.
This API is used by IDA Pro when trying to pick up a migrated process.
Perhaps we misunderstood each other a little.
For me, the question is not whether the API is used in x64dbg, but that ScyllaHide does not remove the protection's hook from the API, and the API is not some random one like Beep from kernel32, but a function that is described in anti-debugging research.
The logic is: the API is used in anti-debugging, so why is it ignored by anti-attach? And the fact that Scylla attaches to processes differently is great, except that the standard attachment of another debugger to the process will lead to termination of the process.

@mrexodia (Member)

There is no misunderstanding at all. I agree with you that this should work, here is the relevant code for you to debug why it's not working for you:

bool ApplyAntiAntiAttach(DWORD targetPid)

lupier commented Nov 25, 2021

OK, what I found:

  1. In many places across the whole plugin, the WriteProcessMemory calls are not checked for their BOOL result.
  2. The ApplyAntiAntiAttach function is never fully executed, since the checks carried out in the function prologue in the compiled dp32 binary do not allow branching even to the OpenProcess > GetModuleHandleW > GetProcAddress > VirtualProtectEx etc. sequence.
    P.S.
    Not sure (I'm not familiar with C++), but maybe the problem is here:
    #define DbgBreakPoint_FUNC_SIZE 2
    #ifdef _WIN64
    #define DbgUiRemoteBreakin_FUNC_SIZE 0x42
    #define NtContinue_FUNC_SIZE 11
    #else
    #define DbgUiRemoteBreakin_FUNC_SIZE 0x54
    #define NtContinue_FUNC_SIZE 0x18
    #endif

@mrexodia mrexodia added the bug label Nov 29, 2021
lupier commented Apr 6, 2022

Any progress on this bug?

@Mattiwatti (Member)

Not really I'm afraid, I remember running into this myself in the past (this was ages ago) and making an attempt to fix it, but as you can see I never did. From what I recall the code related to this was (still is) simply doing all kinds of things it really has no business doing, and the entire 'kill anti-attach' functionality should just be rewritten from scratch in order for it to be properly fixed or fixable.

I may have time to look into this again later this week, but don't hold your breath.

3 participants