
How to get over kernel32.checkremotedebuggerpresent?

Open devimauz opened this issue 4 years ago • 6 comments

Looks like Debugger can't hide. Tested with x32dbg. What is the solution for it?

devimauz avatar Jan 19 '21 18:01 devimauz

It is working for me.

You need to have the NtQueryInformationProcess hook enabled in your profile for CheckRemoteDebuggerPresent to not see the debugger.

Mattiwatti avatar Jan 25 '21 10:01 Mattiwatti
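
The dependency described in the comment above, as an added example that is not part of the original thread or of ScyllaHide's code: a C self-test to run under the debugger that compares CheckRemoteDebuggerPresent with a direct NtQueryInformationProcess query for ProcessDebugPort (documented info class 7). The names `debug_port_views` and `interpret` are hypothetical, and non-Windows builds get a stub that reports the queries as unavailable.

```c
/* Added example: self-test for a debugger-hiding profile.
 * Build for Windows and run it under the debugger. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
/* NtQueryInformationProcess is resolved at run time from ntdll.dll. */
typedef LONG (WINAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
#define PROCESS_DEBUG_PORT 7 /* documented ProcessDebugPort info class */
#endif

/* Fills *api (CheckRemoteDebuggerPresent) and *port (ProcessDebugPort != 0).
 * Returns 0 on success, -1 if the queries are unavailable or fail. */
int debug_port_views(int *api, int *port)
{
#ifdef _WIN32
    BOOL present = FALSE;
    ULONG_PTR dbg_port = 0;
    HANDLE self = GetCurrentProcess();
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQIP_t nt_qip = ntdll
        ? (NtQIP_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    if (!nt_qip || !CheckRemoteDebuggerPresent(self, &present)) return -1;
    if (nt_qip(self, PROCESS_DEBUG_PORT, &dbg_port, sizeof(dbg_port), NULL) != 0)
        return -1;
    *api = present ? 1 : 0;
    *port = dbg_port ? 1 : 0;
    return 0;
#else
    (void)api; (void)port; /* stub: Windows-only APIs */
    return -1;
#endif
}

/* Hypothetical helper: turn the two observations into a verdict. */
const char *interpret(int api, int port)
{
    if (api == 0 && port == 0) return "hidden: neither query reports a debugger";
    if (api == 1 && port == 1) return "visible: the debug port query is not filtered";
    return "inconsistent: the two queries disagree";
}

int main(void)
{
    int api = 0, port = 0;
    if (debug_port_views(&api, &port) != 0) {
        puts("queries unavailable (not Windows, or a call failed)");
        return 1;
    }
    printf("api=%d port=%d -> %s\n", api, port, interpret(api, port));
    return 0;
}
```

A "visible" verdict while a debugger is attached means the NtQueryInformationProcess hook is not taking effect in the debugged process.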

It's enabled.

devimauz avatar Jan 25 '21 10:01 devimauz

Can you share the executable you're debugging? A screenshot of your ScyllaHide profile would also be helpful.

Mattiwatti avatar Jan 25 '21 11:01 Mattiwatti

Maybe this is the target, latest VMProtect hxxp://media*fire.com/file/bi6bpm7g20gq0bq/MRT_V3.71.zip/file

seraluda avatar Jan 27 '21 04:01 seraluda

No, it's the newest Obsidium.

On Wed, Jan 27, 2021, 05:06 seraluda wrote:

maybe this is the target, latest vmprotect hxxp://media*fire.com/file/bi6bpm7g20gq0bq/MRT_V3.71.zip/file


devimauz avatar Jan 27 '21 09:01 devimauz

I just tested Obsidium 1.7.0 build 12, the current version available for download on their website. Both x86 and x64 are working for me using x64dbg and the "Obsidium x86/x64" profile in ScyllaHide.

Please provide more details of what isn't working and/or an executable to reproduce this issue.

Mattiwatti avatar Feb 03 '21 17:02 Mattiwatti