The address is not a valid memory location

[UnlimitedChild]

Hi,

snapshot_2020-10-29_00-29.zip

Breakpoint at 0000000000401000 (entry breakpoint) set!
No such breakpoint "LdrInitializeThunk"
DLL Loaded: 00007FFEA0760000 C:\Windows\System32\ntdll.dll
DLL Loaded: 0000000000510000 C:\Windows\System32\kernel32.dll
DLL Loaded: 0000000000750000 C:\Windows\System32\KernelBase.dll
[ScyllaHide] Loaded VA for NtUserBlockInput = 0x00007FFE9DD37F30
[ScyllaHide] Loaded VA for NtUserQueryWindow = 0x00007FFE9DD31290
[ScyllaHide] Loaded VA for NtUserBuildHwndList = 0x00007FFE9DD31410
[ScyllaHide] Loaded VA for NtUserFindWindowEx = 0x00007FFE9DD31E10
[ScyllaHide] Loaded VA for NtUserGetClassName = 0x00007FFE9DD31FB0
[ScyllaHide] Loaded VA for NtUserInternalGetWindowText = 0x00007FFE9DD31CD0
System breakpoint reached!
INT3 breakpoint "entry breakpoint" at <28.vmp.EntryPoint> (0000000000401000)!

---------------------------
Invalid address!
---------------------------
The address 00007FFE9DD31410 is not a valid memory location...
---------------------------
OK   
---------------------------
---------------------------
Invalid address!
---------------------------
The address 00007FFE9DD31FB0 is not a valid memory location...
---------------------------
OK   
---------------------------

[mrexodia]

Is it crashing x64dbg? If so, please upload your minidump.

[UnlimitedChild]

Is it crashing x64dbg? If so, please upload your minidump.

no, in the log it is enough to click on the address, then a message box appears ..
[ScyllaHide] Loaded VA for NtUserBuildHwndList = 0x00007FFE9DD31410
The address 00007FFE9DD31410 is not a valid memory location...

[mrexodia]

Looks like an issue in ScyllaHide.

My guess is that there is something funny going on in your process. 0000000000510000 seems like an unlikely base for kernel32. Probably something touched your loaded modules list or similar in the PEB.

[UnlimitedChild]

Hi mrexodia,

original files...
https://www.upload.ee/files/12457136/XOR_28.7z.html

in the attached file all protection is disabled, the file is not packed, all options in ScyllaHide and ScyllaHide profile are disabled.

[Mattiwatti]

Sorry I haven't looked at this yet, this issue flew under my radar because I didn't get an email due to it being transferred from the x64dbg repo. Can you reupload the file please? It seems to be gone from the file host.

[UnlimitedChild]

Sorry I haven't looked at this yet, this issue flew under my radar because I didn't get an email due to it being transferred from the x64dbg repo. Can you reupload the file please? It seems to be gone from the file host.

Hi Mattiwatti,

https://www.upload.ee/files/12855630/XOR_28.7z.html

[Mattiwatti]

I can't reproduce this I'm afraid. Can you show your ScyllaHide settings, as well as say what OS you are using?

I have to agree with @mrexodia that your image bases for kernel32.dll and kernelbase.dll look way off. Are you sure there isn't some other program or plugin messing with your process(es)?

[UnlimitedChild]

Hi Mattiwatti,

the same result I get on the version without all plugins. Even if the profile is disabled. My windows version - Win 10 1909 18363.418, nod antivirus is present in the system.

Invalid address! The address 00007FFDC7687F30 is not a valid memory location... OK