A lot of changes in ntdll in Windows 10 make ScyllaHide fail to hook functions in ntdll.
Example:
NtQueryInformationProcess
Code:
CPU Disasm
Address Hex dump Command Comments
77768D50 B8 19000000 MOV EAX,19 ; NTSTATUS ntdll.NtQueryInformationProcess(ProcessHandle,ProcessInfoClass,Buffer,Bufsize,pLength)
77768D55 E8 04000000 CALL ntdll.77768D5E
77768D5A 0000 ADD BYTE PTR DS:[EAX],AL
77768D5C 70 77 JO SHORT ntdll.77768DD5
77768D5E 5A POP EDX
77768D5F 807A 03 4B CMP BYTE PTR DS:[EDX+3],4B
77768D63 75 0A JNE SHORT ntdll.77768D6F
77768D65 64:FF15 C000000 CALL DWORD PTR FS:[0C0]
77768D6C C2 1400 RETN 14
NtSetInformationThread
Code:
CPU Disasm
Address Hex dump Command Comments
77768C90 B8 0D000000 MOV EAX,0D
77768C95 BA B0D57777 MOV EDX,ntdll.7777D5B0
77768C9A FFD2 CALL EDX
77768C9C C2 1000 RETN 10
Call Wow64SystemServiceCall
Code:
CPU Disasm
Address Hex dump Command Comments
7777D5B0 64:8B15 3000000 MOV EDX,DWORD PTR FS:[30]
7777D5B7 8B92 54020000 MOV EDX,DWORD PTR DS:[EDX+254]
7777D5BD F7C2 02000000 TEST EDX,00000002
7777D5C3 74 03 JE SHORT ntdll.7777D5C8
7777D5C5 CD 2E INT 2E
7777D5C7 C3 RETN
7777D5C8 EA CFD57777 330 JMP FAR 0033:7777D5CF ; Far jump or call
7777D5CF 41 INC ECX
7777D5D0 FFA7 F8000000 JMP DWORD PTR DS:[EDI+0F8]
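
A small classifier for the two stub layouts in the dumps above, as an added example that is not part of the original post or of ScyllaHide's code; the function, struct and layout names are hypothetical. It shows that the first layout's CALL is relative and skips four bytes that the stub then reads through the popped return address (POP EDX, CMP [EDX+3]), so those bytes are data rather than the ADD/JO the listing shows, while the second layout calls an absolute address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Layout names are this example's own, not ScyllaHide's. */
enum stub_kind { STUB_UNKNOWN, STUB_REL_CALL, STUB_EDX_CALL };
struct stub_info {
    enum stub_kind kind;
    uint32_t service;   /* imm32 loaded into EAX */
    uint32_t target;    /* absolute address the stub calls */
    uint32_t skipped;   /* bytes between the CALL and its target (inline data) */
    uint16_t ret_bytes; /* RETN operand, when it directly follows the call */
};

/* Bytes copied from the two dumps above (first two instructions only for QIP). */
static const uint8_t QIP[] = { 0xB8,0x19,0x00,0x00,0x00, 0xE8,0x04,0x00,0x00,0x00 };
static const uint8_t SIT[] = { 0xB8,0x0D,0x00,0x00,0x00, 0xBA,0xB0,0xD5,0x77,0x77,
                               0xFF,0xD2, 0xC2,0x10,0x00 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify a 32-bit service stub whose first byte sits at virtual address va. */
struct stub_info classify_stub(const uint8_t *b, size_t n, uint32_t va) {
    struct stub_info s = { STUB_UNKNOWN, 0, 0, 0, 0 };
    if (n < 10 || b[0] != 0xB8)            /* MOV EAX,imm32 */
        return s;
    s.service = rd32(b + 1);
    if (b[5] == 0xE8) {                    /* CALL rel32: target depends on va */
        s.kind = STUB_REL_CALL;
        s.skipped = rd32(b + 6);           /* forward displacement, as in the dump */
        s.target = va + 10 + s.skipped;
    } else if (n >= 15 && b[5] == 0xBA && b[10] == 0xFF && b[11] == 0xD2 && b[12] == 0xC2) {
        s.kind = STUB_EDX_CALL;            /* MOV EDX,imm32 / CALL EDX / RETN imm16 */
        s.target = rd32(b + 6);
        s.ret_bytes = (uint16_t)(b[13] | b[14] << 8);
    }
    return s;
}

int main(void) {
    struct stub_info a = classify_stub(QIP, sizeof QIP, 0x77768D50u);
    struct stub_info c = classify_stub(SIT, sizeof SIT, 0x77768C90u);
    printf("kind=%d service=0x%X target=0x%X skipped=%u\n", a.kind, (unsigned)a.service, (unsigned)a.target, (unsigned)a.skipped);
    printf("kind=%d service=0x%X target=0x%X retn=0x%X\n", c.kind, (unsigned)c.service, (unsigned)c.target, (unsigned)c.ret_bytes);
    return 0;
}
```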