Skip to content

ScyllaHide - Usermode Anti-Anti-Debug Cheatsheet

ScyllaHide - Usermode Anti-Anti-Debug Cheatsheet

ScyllaHide is an advanced open-source usermode anti-anti-debug library for Windows (x86/x64). Malware and commercial packers detect debuggers through a well-known set of API calls and flags; ScyllaHide hooks those functions so they return “no debugger present,” letting an analyst debug protected code without tripping its evasion. It ships as a plugin for x64dbg, IDA, and OllyDbg, and can also run standalone by injecting into a target.

For authorized malware analysis and software research only. ScyllaHide is a defensive-research tool; use it on samples and software you are permitted to analyze.

Installation

MethodHow
x64dbgDrop the plugin DLLs into x64dbg/plugins/
IDACopy the IDA plugin into IDA’s plugins/ folder
Standalone (injector)Use InjectorCLIx64.exe / InjectorGUI.exe
Sourcebuild from the x64dbg/ScyllaHide repo
VerifyPlugin menu appears in the debugger

What It Hides

TechniqueScyllaHide counters
IsDebuggerPresentReturns false
CheckRemoteDebuggerPresentReports no debugger
PEB BeingDebugged flagCleared
NtGlobalFlagNormalized
NtQueryInformationProcessProcessDebugPort/Flags spoofed
Heap flagsNormalized
NtSetInformationThread (HideFromDebugger)Blocked
Timing checks (GetTickCount, rdtsc)Optionally mitigated
OutputDebugString / hardware breakpointsHandled/hidden

Using the Plugin (x64dbg)

StepAction
Open targetLoad the packed/protected binary in x64dbg
OptionsPlugins → ScyllaHide → Options
Pick a profileChoose or tune a hook profile
Attach hooksEnable before running past anti-debug checks
RunContinue execution; checks now pass

Profiles

ProfileUse
Preset templatesCommon packers (e.g. VMProtect, Themida-style)
CustomToggle individual hooks for a stubborn target
Save/loadPersist a profile per sample/packer

Standalone Injection

# Inject ScyllaHide into an already-running (or spawned) process
InjectorCLIx64.exe <pid|path> HookLibraryx64.dll <profile>
OptionPurpose
Spawn vs attachStart the target under ScyllaHide or attach later
Hook libraryThe DLL that installs the hooks
ProfileWhich anti-debug hooks to apply

Typical Unpacking Workflow

ScyllaHide is usually one piece of an unpacking toolkit alongside its sibling tools.

ToolRole
ScyllaHideDefeat anti-debug so you can run to the OEP
x64dbgDebug and reach the Original Entry Point
ScyllaRebuild the Import Address Table, dump the PE
Detect It EasyIdentify the packer / verify the unpacked file
# Concept: unpack a protected sample
1. Load sample in x64dbg with ScyllaHide enabled
2. Run past the packer stub to the OEP (anti-debug is neutralized)
3. Dump the process and rebuild the IAT with Scylla
4. Verify the dump with Detect It Easy
AspectScyllaHideTitanHideManual patching
LayerUsermode hooksKernel-mode driverPer-check patches
CoverageBroad API setKernel-level stealthOnly what you patch
SetupPlugin/injectDriver installTedious
Best forEveryday RE debuggingDeeper stealth needsOne-off checks

Resources