Installing ScyllaHide (x64dbg) To Hide Your Debugger (Patreon)

In this tutorial we will install and configure ScyllaHide for use with x32dbg and x64dbg. ScyllaHide is a powerful anti-anti-debug tool that can be used to hide x64dbg from malware during a debugging session. 

Before beginning this tutorial make sure you have followed our Dynamic Malware Analysis Lab Setup tutorial and that you are using your Windows10 FLARE-VM. If you are using a custom lab environment this tutorial may not be applicable. 

Download The Latest ScyllaHide Release

Navigate to the ScyllaHide GitHub page and click on the releases section.

Download the latest version of the ScyllaHide.7z file. 

‼️ The network adapter on your FLARE-VM should be disabled by default. We recommend leaving this disabled and downloading the ScyllaHide.7z to your host then dragging it into your VM (this will work with VMWare -- untested with VirtualBox). If you are having issues with this method you can temporarily enable your VM network adapter and download ScyllaHide.7z directly in your VM however we recommend the following precautions before:

• Restore the clean snapshot of your VM to ensure no malware is resident in the VM.
• Enable the VM network adapter.
• Download the ScyllaHide.7z file.
• Immediately disable the VM network adapter.

Once the ScyllaHide.7z file has been downloaded and is present on your VM double click it to open and view the contents. 

Install The ScyllaHide x64dbg Plugin

First locate the x64dbg application directory by clicking the Start menu and typing x64dbg. When the x64dbg application is visible in the menu right click on the application and select Open file location. 

This will open a directory with the x64dbg shortcut icon. Right click on the x64dbg shortcut icon and select Open file location. This will open the x64dbg directory. Open the Plugins folder in the directory.  

In the open ScyllaHide.7z navigate to the \x64dbg\x64\plugins directory and copy the contents of the directory into the open x64dbg Plugins folder. 

That is it! The ScyllaHide plugin has been installed for x64dbg. 

Now repeat the process with x32dbg, remember to copy the plugins from the \x64dbg\x32\plugins directory. Once this is complete both x64db and x32dbg will have access to the ScyllaHide plugin.

Using ScyllaHide In x64dbg

The ScyllaHide plugin can be accessed from the Plugins menu of x64db when the debugger is running. ScyllaHide comes with multiple different predefined profiled that can be used to hide the debugger from different types of anti-analysis checks. 

To ensure ScyllaHide has been installed correctly we will use a test program that can be downloaded from Malshare here: debugtest.exe. This program is not malware and has been developed to as a test to determined if the debugger can be detected using the IsDebuggerPresent API call.

• Download the debugtest.exe file from Malshare and rename it as debugtest.exe.
  
• Launch x32dbg -- debugtest.exe is a 32bit file.
  
• Open debugtest.exe in x32dbg with File -> Open. The FLARE-VM install of x32dbg automatically launches with elevated privileges so files cannot be dragged and dropped into the debugger.
  
• Enable the ScyllaHide Basic profile with Plugins -> ScyllaHide -> Load Profile -> Basic.
  

• Once the Basic profile is enabled click run to execute the file in the debugger.
  
• Click run again once the automatic breakpoint is reached on the entry point of the file.
  
• Navigate to the cmd window that is launched behind x32dbg and observe the output. It should read: No debugger found!
  
• Press enter in the cmd window to exit the program.

Now try loading the ScyllaHide Disabled profile to disable ScyllaHide and repeat the steps above and note that the debugger is now detected.

👋 Stay tuned for future tutorials where we use ScyllaHide to hide our debugger from live malware.