I did some testing.
https://github.com/x64dbg/ScyllaHide/issues/2
It seems there are junk bytes at Win10 Anniversary's NtQueryInformationProcess call, as well as a different signature. The code leading to the gateway is a JMP to the jmp (so two jmps) to the gateway, whereas Win8.1 is a simple jmp. More details are at that issue link.
Quote:
Originally Posted by Kla$
Please fix bug on update Windows 10 in ollydbg1 and ollydbg2
thank you in advance
---------------------------
Error
---------------------------
Windows 10 SysWowSpecialJmpAddress was not found!
---------------------------
ОК
---------------------------
---------------------------
ERROR
---------------------------
Unknown syscall structure!
---------------------------
ОК
---------------------------
That bug I managed to fix, but I haven't checked the remaining ones. There were also changes for 3 APIs that are enough for Obsidium and Themida targets to be detected. So far, I have managed to get VMP debugged.