Themidie - /!\ For educational purposes only /!\
May 7, 2021
x64dbg plugin to bypass Themida 3.x Anti-Debugger / VM / Monitoring programs checks (64-bit only)
- x64dbg
- DLL injection (LoadLibrary)
- Hooks (MinHook)
Usage
- Download the latest version of Themidie and extract Themidie.dll and Themidie.dp64 to x64dbg's plugins folder
- Download the latest version of ScyllaHide and extract HookLibraryx64.dll and ScyllaHideX64DBGPlugin.dp64 to x64dbg's plugins folder

- Start x64dbg, click on the plugins tab, go to ScyllaHide -> Options

- Disable everything, enable "Kill Anti-Attach" only and click on the "OK" button

- Go back to the plugins tab, go to Themidie -> Start, then select and open the executable that you want to debug

- When this MessageBox appears, you can attach x64dbg to the target process and debug it.

Hooks
Themidie hooks the following functions:
| Module | Function name |
|---|---|
| kernel32.dll | GetModuleHandleA |
| user32.dll | FindWindowA |
| Advapi32.dll | RegOpenKeyA |
| Advapi32.dll | RegQueryValueExA |
| ntdll.dll | NtSetInformationThread |
| ntdll.dll | NtQueryVirtualMemory |
Limitations
Themidie only works for x64 executables. It was tested on various Themida 3.x+ versions, on Windows 10 2004, with the latest x64dbg and ScyllaHide versions.
Contact
Discord: VenTaz#8766