atom0s is correct; Microsoft usually randomizes the syscall table from build to build.
Btw, you mentioned ZwTerminateProcess() in your first post, yet in your second you state NtTerminateProcess(). Subtly different, but with serious consequences (BSOD) if called from the wrong ring level.
ZwTerminateProcess is for CPL0; at that point you could mine for ZwTerminateProcess in the export function table of ntoskrnl via function-name matching, so you never need to keep a hardcoded table of offsets.
Similarly for CPL3, NtTerminateProcess() can be mined from the UM ntdll export table. But if you want to bypass a hook, e.g. an antivirus hook placed in UM, setting up the stack and making the syscall yourself is the way to go.
*I'll leave it to you to figure out how to mine for the syscall and make it (:
Last edited by Avalon; 07-25-2018 at 04:55.