Thread: ScyllaHide, post #61
09-04-2015, 11:58
Computer_Angel
A lot of changes in ntdll in Windows 10 make ScyllaHide fail to hook functions in ntdll.
Example:

NtQueryInformationProcess
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
77768D50    B8 19000000     MOV EAX,19                               ; NTSTATUS ntdll.NtQueryInformationProcess(ProcessHandle,ProcessInfoClass,Buffer,Bufsize,pLength)
77768D55    E8 04000000     CALL ntdll.77768D5E
77768D5A    0000            ADD BYTE PTR DS:[EAX],AL
77768D5C    70 77           JO SHORT ntdll.77768DD5
77768D5E    5A              POP EDX
77768D5F    807A 03 4B      CMP BYTE PTR DS:[EDX+3],4B
77768D63    75 0A           JNE SHORT ntdll.77768D6F
77768D65    64:FF15 C000000 CALL DWORD PTR FS:[0C0]
77768D6C    C2 1400         RETN 14
NtSetInformationThread
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
77768C90    B8 0D000000     MOV EAX,0D
77768C95    BA B0D57777     MOV EDX,ntdll.7777D5B0
77768C9A    FFD2            CALL EDX
77768C9C    C2 1000         RETN 10
Call Wow64SystemServiceCall
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
7777D5B0    64:8B15 3000000 MOV EDX,DWORD PTR FS:[30]
7777D5B7    8B92 54020000   MOV EDX,DWORD PTR DS:[EDX+254]
7777D5BD    F7C2 02000000   TEST EDX,00000002
7777D5C3    74 03           JE SHORT ntdll.7777D5C8
7777D5C5    CD 2E           INT 2E
7777D5C7    C3              RETN
7777D5C8    EA CFD57777 330 JMP FAR 0033:7777D5CF                    ; Far jump or call
7777D5CF    41              INC ECX
7777D5D0    FFA7 F8000000   JMP DWORD PTR DS:[EDI+0F8]
__________________
Welcome to my place http://www.reaonline.net

Last edited by Computer_Angel; 09-04-2015 at 12:45.
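The two stub shapes quoted in the post are the crux: a hook engine that expects the classic `MOV EAX,n / MOV EDX,dispatcher / CALL EDX / RETN` prologue has nothing sensible to do with a stub that calls forward over four inline data bytes, pops its own address and compares a byte against 4B. The following script is an added example (not part of the post and not ScyllaHide's code): a tiny decoder for just the x86 opcodes that appear in the two listings, plus a classifier that tells a hooking library which shape it is looking at, which syscall number it carries, how many stack arguments the `RETN imm16` cleans up, and whether the stub derives an address from its own location (which makes relocating anything past the first instruction unsafe). The byte strings are transcribed from the post's hex dumps; the listing truncates the bytes of `CALL DWORD PTR FS:[0C0]`, which are reconstructed here as `64 FF 15 C0 00 00 00` (an assumption).

```python
"""Decode and classify WoW64 ntdll syscall stubs (added example, not ScyllaHide code)."""
import struct

# Constructed from the post's CPU Disasm hex dumps (FS:[0C0] call bytes reconstructed).
NT_SET_INFORMATION_THREAD = bytes.fromhex("B80D000000" "BAB0D57777" "FFD2" "C21000")
NT_QUERY_INFORMATION_PROCESS = bytes.fromhex(
    "B819000000" "E804000000" "00007077" "5A" "807A034B" "750A" "64FF15C0000000" "C21400")


def decode(code: bytes, base: int = 0):
    """Linear decode of the opcode subset used by the stubs.

    Returns (offset, length, mnemonic, operand) tuples. A forward CALL rel32 whose
    target lies inside the buffer is treated as a jump over inline data, so the
    skipped bytes come back as one 'data' entry instead of bogus instructions.
    Unknown bytes are reported as 'db' and decoding continues one byte later."""
    out, i, n = [], 0, len(code)
    while i < n:
        b = code[i]
        if b in (0xB8, 0xBA) and i + 5 <= n:                      # MOV EAX/EDX, imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append((i, 5, "mov", ("eax" if b == 0xB8 else "edx", imm)))
            i += 5
        elif b == 0xE8 and i + 5 <= n:                            # CALL rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = i + 5 + rel
            out.append((i, 5, "call", base + target))
            i += 5
            if i < target <= n:                                   # skip inline data
                out.append((i, target - i, "data", code[i:target]))
                i = target
        elif b == 0x5A:                                           # POP EDX
            out.append((i, 1, "pop", "edx")); i += 1
        elif code[i:i + 2] == b"\xFF\xD2":                        # CALL EDX
            out.append((i, 2, "call", "edx")); i += 2
        elif b == 0xC2 and i + 3 <= n:                            # RETN imm16
            out.append((i, 3, "retn", struct.unpack_from("<H", code, i + 1)[0])); i += 3
        elif code[i:i + 2] == b"\x80\x7A" and i + 4 <= n:         # CMP BYTE [EDX+disp8], imm8
            out.append((i, 4, "cmp", ("byte [edx+%d]" % code[i + 2], code[i + 3]))); i += 4
        elif b == 0x75 and i + 2 <= n:                            # JNE rel8
            rel = struct.unpack_from("<b", code, i + 1)[0]
            out.append((i, 2, "jne", base + i + 2 + rel)); i += 2
        elif code[i:i + 3] == b"\x64\xFF\x15" and i + 7 <= n:     # CALL DWORD PTR FS:[disp32]
            disp = struct.unpack_from("<I", code, i + 3)[0]
            out.append((i, 7, "call", "fs:[0x%X]" % disp)); i += 7
        else:
            out.append((i, 1, "db", b)); i += 1
    return out


def classify_stub(code: bytes) -> dict:
    """Report the stub shape and the facts a hook engine needs before patching it."""
    ins = decode(code)
    result = {"kind": "unknown", "syscall": None, "stack_args": None,
              "dispatcher": None, "position_dependent": False}
    if not ins or ins[0][2] != "mov" or ins[0][3][0] != "eax":
        return result                      # no MOV EAX,n prologue: not a syscall stub we know
    mnems = [x[2] for x in ins]
    result["syscall"] = ins[0][3][1]
    ret = next((x[3] for x in ins if x[2] == "retn"), None)
    result["stack_args"] = None if ret is None else ret // 4
    # The stub computes an address from itself (CALL forward, then POP): copying any of
    # its body into a trampoline elsewhere would break it.
    result["position_dependent"] = any(
        x[2] == "call" and isinstance(x[3], int) for x in ins) and "pop" in mnems
    if mnems[:3] == ["mov", "mov", "call"] and ins[1][3][0] == "edx" and ins[2][3] == "edx":
        result["kind"] = "mov_edx_call"    # MOV EAX,n / MOV EDX,dispatcher / CALL EDX
        result["dispatcher"] = ins[1][3][1]
    elif mnems[:2] == ["mov", "call"] and "pop" in mnems:
        result["kind"] = "call_pop_selfcheck"  # MOV EAX,n / CALL $+9 / data / POP EDX / CMP ...
    return result


if __name__ == "__main__":
    for name, stub in (("NtSetInformationThread", NT_SET_INFORMATION_THREAD),
                       ("NtQueryInformationProcess", NT_QUERY_INFORMATION_PROCESS)):
        print(name, classify_stub(stub))
```

Run as a script it prints one dictionary per stub: `NtSetInformationThread` comes back as `mov_edx_call` with syscall 0x0D, four stack arguments and the dispatcher address 0x7777D5B0, while `NtQueryInformationProcess` is `call_pop_selfcheck` with syscall 0x19, five stack arguments and `position_dependent` set, which is exactly the case a hook engine written against the older prologue has to recognise and refuse to patch blindly.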