
The address is not a valid memory location

Open UnlimitedChild opened this issue 4 years ago • 8 comments

Hi,

snapshot_2020-10-29_00-29.zip

Breakpoint at 0000000000401000 (entry breakpoint) set!
No such breakpoint "LdrInitializeThunk"
DLL Loaded: 00007FFEA0760000 C:\Windows\System32\ntdll.dll
DLL Loaded: 0000000000510000 C:\Windows\System32\kernel32.dll
DLL Loaded: 0000000000750000 C:\Windows\System32\KernelBase.dll
[ScyllaHide] Loaded VA for NtUserBlockInput = 0x00007FFE9DD37F30
[ScyllaHide] Loaded VA for NtUserQueryWindow = 0x00007FFE9DD31290
[ScyllaHide] Loaded VA for NtUserBuildHwndList = 0x00007FFE9DD31410
[ScyllaHide] Loaded VA for NtUserFindWindowEx = 0x00007FFE9DD31E10
[ScyllaHide] Loaded VA for NtUserGetClassName = 0x00007FFE9DD31FB0
[ScyllaHide] Loaded VA for NtUserInternalGetWindowText = 0x00007FFE9DD31CD0
System breakpoint reached!
INT3 breakpoint "entry breakpoint" at <28.vmp.EntryPoint> (0000000000401000)!

---------------------------
Invalid address!
---------------------------
The address 00007FFE9DD31410 is not a valid memory location...
---------------------------
OK   
---------------------------
---------------------------
Invalid address!
---------------------------
The address 00007FFE9DD31FB0 is not a valid memory location...
---------------------------
OK   
---------------------------

UnlimitedChild avatar Oct 30 '20 16:10 UnlimitedChild

Is it crashing x64dbg? If so, please upload your minidump.

mrexodia avatar Oct 30 '20 19:10 mrexodia

> Is it crashing x64dbg? If so, please upload your minidump.

No, in the log it is enough to click on the address, then a message box appears:

[ScyllaHide] Loaded VA for NtUserBuildHwndList = 0x00007FFE9DD31410
The address 00007FFE9DD31410 is not a valid memory location...

UnlimitedChild avatar Oct 30 '20 21:10 UnlimitedChild

Looks like an issue in ScyllaHide.

My guess is that there is something funny going on in your process. 0000000000510000 seems like an unlikely base for kernel32. Probably something touched your loaded modules list or similar in the PEB.

mrexodia avatar Oct 30 '20 21:10 mrexodia

Hi mrexodia,

original files... https://www.upload.ee/files/12457136/XOR_28.7z.html

In the attached file all protection is disabled, the file is not packed, and all options in ScyllaHide and the ScyllaHide profile are disabled.

UnlimitedChild avatar Oct 31 '20 09:10 UnlimitedChild

Sorry I haven't looked at this yet, this issue flew under my radar because I didn't get an email due to it being transferred from the x64dbg repo. Can you reupload the file please? It seems to be gone from the file host.

Mattiwatti avatar Feb 03 '21 18:02 Mattiwatti

> Sorry I haven't looked at this yet, this issue flew under my radar because I didn't get an email due to it being transferred from the x64dbg repo. Can you reupload the file please? It seems to be gone from the file host.

Hi Mattiwatti,

https://www.upload.ee/files/12855630/XOR_28.7z.html

UnlimitedChild avatar Feb 08 '21 13:02 UnlimitedChild

I can't reproduce this I'm afraid. Can you show your ScyllaHide settings, as well as say what OS you are using?

I have to agree with @mrexodia that your image bases for kernel32.dll and kernelbase.dll look way off. Are you sure there isn't some other program or plugin messing with your process(es)?

Mattiwatti avatar Feb 09 '21 11:02 Mattiwatti

Hi Mattiwatti,

I get the same result on the version without all plugins, even if the profile is disabled. My Windows version is Win 10 1909 18363.418; NOD antivirus is present in the system.

Invalid address! The address 00007FFDC7687F30 is not a valid memory location... OK

UnlimitedChild avatar Feb 11 '21 16:02 UnlimitedChild