
Error [ScyllaHide] Failed to find user32.dll/win32u.dll syscalls!

Open x-github3r opened this issue 4 years ago • 16 comments

ERROR with disabled profile when loading any EXE file to odbg110
OS: WIN7 X32

x-github3r avatar Dec 18 '19 21:12 x-github3r

I can't reproduce this here using Windows 7 x86 and OllyDbg 1.10. Are you using the latest version of ScyllaHide? And can you verify whether this also happens when using a stock .ini file and no plugins (other than ScyllaHide)?

Mattiwatti avatar Dec 21 '19 20:12 Mattiwatti

Latest version of ScyllaHide: YES
Only ScyllaHide.dll, HookLibraryx86.dll and scylla_hide.ini all in Plugin Folder: YES
Profile Disabled: YES
UDD Folder Empty: YES
Tested with Configured and Default odbg110 INI File: YES
ERROR: YES

x-github3r avatar Dec 22 '19 09:12 x-github3r

Is there anything in the log file? The error you are seeing means that User32Loader::FindSyscalls() is failing, which shouldn't really happen. One unlikely but possible reason I can think of is perhaps if the debugger is running in compatibility mode for e.g. Windows 2000/XP/2003. That would cause the error, but with a line in the log file (except for Windows 2000 since it would cause OsBuildNumber to be less than 2600).

Short of that I can't really think of anything that would cause this, so if compatibility mode is not the cause then you'll have to step through this function yourself, seeing as I can't reproduce the issue.

Mattiwatti avatar Dec 22 '19 19:12 Mattiwatti

Starting from 14 Jan 2020 Windows 7 was retired and officially obsoleted by MS... almost 10 years!

greenozon avatar Jan 16 '20 16:01 greenozon

I have a similar issue with ScyllaHide and x32dbg on Windows 7 build 7601 x86: "[ScyllaHide] Failed to find user32.dll/win32u.dll" and a message box "DetourCreateRemote->ReadProcessMemory Failed".

My problem was solved by installing KB3020369 and KB3125574.

av-gantimurov avatar Apr 28 '20 13:04 av-gantimurov

Similar issue on Windows 7.
os environment: virtualbox, Microsoft Windows [版本 6.1.7601]
x32dbg version: snapshot_2020-06-22_14-20
ScyllaHide version: ScyllaHide_2020-01-25_17-17

scylla_hide.log:

2020.06.26 04:20:45 ERROR: Failed to find user32.dll/win32u.dll syscalls!
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> _NtSetInformationThread 777FF99C _NtQuerySystemInformation 777FFDA0 _NtQueryInformationProcess 777FFAC8 _NtSetInformationProcess 777FFB18 _NtQueryObject 777FF9E8
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> _NtYieldExecution 777FFF2C _NtGetContextThread 77800C20 _NtSetContextThread 77801910 _KiUserExceptionDispatcher 777F0134 _NtContinue 777FFEE0
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> _NtClose 777FF9D0 _NtDuplicateObject 777FFE34 _NtSetDebugFilterState 77801928 _NtCreateThread 777FFFF4 _NtCreateThreadEx 77800894 _NtQuerySystemTime 7780011C _NtQueryPerformanceCounter 777FFD20 _NtResumeThread 77800058
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtSetInformationThread
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtQuerySystemInformation
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtQueryInformationProcess
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtSetInformationProcess
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtQueryObject
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtYieldExecution
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtGetContextThread
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtSetContextThread
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtClose
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtDuplicateObject
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtCreateThreadEx
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtSetDebugFilterState
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking KiUserExceptionDispatcher
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtContinue
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtQuerySystemTime at 7780011C
2020.06.26 04:20:45 DEBUG: ApplyNtdllHook -> Hooking NtQueryPerformanceCounter
2020.06.26 04:20:45 DEBUG: ApplyKernel32Hook -> Using Kernelbase 75AD0000 instead of kernel32 76FB0000
2020.06.26 04:20:45 DEBUG: ApplyKernel32Hook -> _GetTickCount 75AD8C96 _GetTickCount64 75AD8CCF _GetLocalTime 75AD8B39 _GetSystemTime 75AD8BE7 _OutputDebugStringA 75AE2510
2020.06.26 04:20:45 DEBUG: ApplyKernel32Hook -> Hooking GetLocalTime
2020.06.26 04:20:45 DEBUG: ApplyKernel32Hook -> Hooking GetSystemTime
2020.06.26 04:20:45 DEBUG: ApplyKernel32Hook -> Hooking OutputDebugStringA
2020.06.26 04:20:45 DEBUG: ApplyUserHook -> HookedNtUserBlockInput 00031A9B HookedNtUserFindWindowEx 00031AF3 HookedNtUserBuildHwndList 00031BCE HookedNtUserBuildHwndList_Eight 00031C11 HookedNtUserQueryWindow 00031C57
2020.06.26 04:20:45 DEBUG: ApplyUserHook -> _NtUserBlockInput 00000000 _NtUserFindWindowEx 00000000 _NtUserBuildHwndList 00000000 _NtUserQueryWindow 00000000
2020.06.26 04:20:45 DEBUG: ApplyUserHook -> Hooking NtUserBlockInput
2020.06.26 04:20:52 ERROR: Failed to write hook dll data

After enabling Windows Update and installing as many updates as possible, ScyllaHide works. It is ridiculous that every time I debug a program I have to spawn a Windows 7 VM and spend several days updating it first. Maybe we have to address the exact KB that ScyllaHide depends on, or even replace the related library to which ScyllaHide refers with others.

xujintao avatar Jun 25 '20 20:06 xujintao

Is there any news about this? It looks like there is a problem only with Win 7 SP1, because @av-gantimurov wrote that after updating to SP2 with KB3125574 it was fixed. I don't want to update my Windows to SP2.

uragan1987 avatar Jul 16 '20 00:07 uragan1987

So, I found the first problem: LOAD_LIBRARY_SEARCH_SYSTEM32 doesn't work without KB2533623, so LoadLibraryExW() always returns the pointer 0x00000000. After installing KB2533623, I got a pointer from user32.dll and the bug is fixed. https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexa Check the information on 0x00000800 LOAD_LIBRARY_SEARCH_SYSTEM32.

Maybe fix it by checking in "systeminfo" whether KB2533623 is installed?

uragan1987 avatar Jul 16 '20 11:07 uragan1987
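A diagnostic for the condition described in the comment above, as an added example that is not part of the thread or of ScyllaHide's code. Besides looking up the KB number, it applies the capability test given in Microsoft's LoadLibraryEx documentation (the LOAD_LIBRARY_SEARCH_* flags are usable when kernel32.dll exports AddDllDirectory) and repeats the user32.dll load with the flag; the type name `Diag.Native` and the helper `TryLoad` are hypothetical.

```powershell
# Added example: checks whether this Windows install supports
# LOAD_LIBRARY_SEARCH_SYSTEM32 (0x00000800) for LoadLibraryExW.
# Diag.Native and TryLoad are names made up for this example.
Add-Type -Namespace Diag -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandleW(string name);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr module, string procName);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryExW(string file, IntPtr reserved, uint flags);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr module);

// Returns 0 when the load succeeds, otherwise the Win32 error code.
// The error is read inside the helper so no other call can overwrite it.
public static int TryLoad(string file, uint flags) {
    IntPtr h = LoadLibraryExW(file, IntPtr.Zero, flags);
    if (h == IntPtr.Zero) { return Marshal.GetLastWin32Error(); }
    FreeLibrary(h);
    return 0;
}
'@

$LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800

# 1. Capability test: does kernel32.dll export AddDllDirectory?
$k32 = [Diag.Native]::GetModuleHandleW('kernel32.dll')
$hasExport = [Diag.Native]::GetProcAddress($k32, 'AddDllDirectory') -ne [IntPtr]::Zero

# 2. The KB-number check suggested in the thread. An update that was
#    replaced by a later package may not be listed under this ID.
$kb = Get-HotFix -Id 'KB2533623' -ErrorAction SilentlyContinue

# 3. The same kind of load the thread says returns 0x00000000.
$err = [Diag.Native]::TryLoad('user32.dll', $LOAD_LIBRARY_SEARCH_SYSTEM32)

New-Object PSObject -Property @{
    AddDllDirectoryExported = $hasExport
    KB2533623Listed         = [bool]$kb
    LoadUser32Win32Error    = $err   # 0 means the flagged load worked
}
```

If `AddDllDirectoryExported` is false and `LoadUser32Win32Error` is non-zero, the system is in the state described in the comment above; if both look healthy and the error persists, the cause lies elsewhere.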

The mentioned update KB2533623 is very old, it's from 2011.

It does not solve the issue, as I'm having a similar one.


Windows Update Standalone Installer

Update for Windows (KB2533623) is already installed on this computer.


OK

greenozon avatar Jul 16 '20 11:07 greenozon

do you have "Failed to find user32.dll/win32u.dll syscalls!" inside log?

KB2533623 fixed my issue, my system: Win 7 x64 Home Basic

uragan1987 avatar Jul 16 '20 11:07 uragan1987

Mine is x64 win7 Ultimate ed, SP1 with lots of KBs...

BTW, why do you think w7 has SP2? it was never released, the SP1 is the last service pack for W7 historically

PS I'll find my logs/bugs later on

greenozon avatar Jul 16 '20 12:07 greenozon

Yeah, I know that Win7 has no SP2, but most of the information about KB3125574 says that it's the SP2 update; that's why I call it SP2.

uragan1987 avatar Jul 16 '20 12:07 uragan1987

Here are the logs (with my self addon printers)

2020.07.11 20:12:33 INFO: startInjection: C:\AI68\plugins\HookLibraryx64.dll
2020.07.11 20:12:33 DEBUG: ApplyNtdllHook -> _NtSetInformationThread 0000000076FD9950 _NtQuerySystemInformation 0000000076FD9BE0 _NtQueryInformationProcess 0000000076FD9A10 _NtSetInformationProcess 0000000076FD9A40 _NtQueryObject 0000000076FD9980
2020.07.11 20:12:33 DEBUG: ApplyNtdllHook -> _NtYieldExecution 0000000076FD9CE0 _NtGetContextThread 0000000076FDA550 _NtSetContextThread 0000000076FDADB0 _KiUserExceptionDispatcher 0000000076FDB5F0 _NtContinue 0000000076FD9CB0
2020.07.11 20:12:33 DEBUG: ApplyNtdllHook -> _NtClose 0000000076FD9970 _NtDuplicateObject 0000000076FD9C40 _NtSetDebugFilterState 0000000076FDADC0 _NtCreateThread 0000000076FD9D60 _NtCreateThreadEx 0000000076FDA300 _NtQuerySystemTime 0000000076FD9E20 _NtQueryPerformanceCounter 0000000076FD9B90 _NtResumeThread 0000000076FD9DA0
2020.07.11 20:12:33 DEBUG: ApplyHook: ApplyNtdllHook -> 1
2020.07.11 20:12:33 DEBUG: ApplyKernel32Hook -> hKernel 0000000076E50000, hKernelbase 000007FEFD060000, remoteK32 0000000000000000, remoteKBase 0000000000000000
2020.07.11 20:12:33 DEBUG: ApplyKernel32Hook -> isKernel32Hooked = FALSE
2020.07.11 20:12:33 DEBUG: ApplyHook: ApplyKernel32Hook -> 0
2020.07.11 20:12:33 DEBUG: ApplyHook: ApplyUserHook -> 0
2020.07.11 20:12:33 ERROR: Failed to write hook dll data, bStartHooking 0, bWpm 1, gle 299

Now, here is some interesting info on the gle (GetLastError) 299:

https://stackoverflow.com/questions/12122323/readprocessmemory-fails-on-some-pages-getlasterror-299

greenozon avatar Jul 16 '20 12:07 greenozon

What's your debugging tool? I've used x32dbg.

Can you try with the latest x64dbg/x32dbg and the ScyllaHide plugin? If it works with that, then your debugging tool's plugin is bad. Otherwise, download the sources from Scylla and add a log line before every return, with all the information you need, to find the bug. The best place to start is ScyllaHide/Scylla/User32Loader.cpp.

uragan1987 avatar Jul 16 '20 13:07 uragan1987

Mine is old good IDA6.8 x32 :)

> download the sources from Scylla and add a log line before every return, with all the information you need, to find the bug.

That's what I did already; the logs in my post are from a self-compiled one.

greenozon avatar Jul 16 '20 14:07 greenozon

has this issue ever been resolved? having the same error on windows 7 ultimate x64 with ollydbg

Aholicknight avatar Jan 29 '22 03:01 Aholicknight