ScyllaHide - Usermode Anti-Anti-Debug Cheatsheet
ScyllaHide is an advanced open-source usermode anti-anti-debug library for Windows (x86/x64). Malware and commercial packers detect debuggers through a well-known set of API calls and flags; ScyllaHide hooks those functions so they return “no debugger present,” letting an analyst debug protected code without tripping its evasion. It ships as a plugin for x64dbg, IDA, and OllyDbg, and can also run standalone by injecting into a target.
For authorized malware analysis and software research only. ScyllaHide is a defensive-research tool; use it on samples and software you are permitted to analyze.
Installation
| Method | How |
|---|
| x64dbg | Drop the plugin DLLs into x64dbg/plugins/ |
| IDA | Copy the IDA plugin into IDA’s plugins/ folder |
| Standalone (injector) | Use InjectorCLIx64.exe / InjectorGUI.exe |
| Source | build from the x64dbg/ScyllaHide repo |
| Verify | Plugin menu appears in the debugger |
What It Hides
| Technique | ScyllaHide counters |
|---|
IsDebuggerPresent | Returns false |
CheckRemoteDebuggerPresent | Reports no debugger |
PEB BeingDebugged flag | Cleared |
NtGlobalFlag | Normalized |
NtQueryInformationProcess | ProcessDebugPort/Flags spoofed |
| Heap flags | Normalized |
NtSetInformationThread (HideFromDebugger) | Blocked |
Timing checks (GetTickCount, rdtsc) | Optionally mitigated |
OutputDebugString / hardware breakpoints | Handled/hidden |
Using the Plugin (x64dbg)
| Step | Action |
|---|
| Open target | Load the packed/protected binary in x64dbg |
| Options | Plugins → ScyllaHide → Options |
| Pick a profile | Choose or tune a hook profile |
| Attach hooks | Enable before running past anti-debug checks |
| Run | Continue execution; checks now pass |
Profiles
| Profile | Use |
|---|
| Preset templates | Common packers (e.g. VMProtect, Themida-style) |
| Custom | Toggle individual hooks for a stubborn target |
| Save/load | Persist a profile per sample/packer |
Standalone Injection
# Inject ScyllaHide into an already-running (or spawned) process
InjectorCLIx64.exe <pid|path> HookLibraryx64.dll <profile>
| Option | Purpose |
|---|
| Spawn vs attach | Start the target under ScyllaHide or attach later |
| Hook library | The DLL that installs the hooks |
| Profile | Which anti-debug hooks to apply |
Typical Unpacking Workflow
ScyllaHide is usually one piece of an unpacking toolkit alongside its sibling tools.
| Tool | Role |
|---|
| ScyllaHide | Defeat anti-debug so you can run to the OEP |
| x64dbg | Debug and reach the Original Entry Point |
| Scylla | Rebuild the Import Address Table, dump the PE |
| Detect It Easy | Identify the packer / verify the unpacked file |
# Concept: unpack a protected sample
1. Load sample in x64dbg with ScyllaHide enabled
2. Run past the packer stub to the OEP (anti-debug is neutralized)
3. Dump the process and rebuild the IAT with Scylla
4. Verify the dump with Detect It Easy
| Aspect | ScyllaHide | TitanHide | Manual patching |
|---|
| Layer | Usermode hooks | Kernel-mode driver | Per-check patches |
| Coverage | Broad API set | Kernel-level stealth | Only what you patch |
| Setup | Plugin/inject | Driver install | Tedious |
| Best for | Everyday RE debugging | Deeper stealth needs | One-off checks |
Resources