#11
A lot of changes in ntdll in Windows 10 make ScyllaHide fail to hook functions in ntdll.

Example: NtQueryInformationProcess

Code:
CPU Disasm
Address   Hex dump           Command                         Comments
77768D50  B8 19000000        MOV EAX,19                      ; NTSTATUS ntdll.NtQueryInformationProcess(ProcessHandle,ProcessInfoClass,Buffer,Bufsize,pLength)
77768D55  E8 04000000        CALL ntdll.77768D5E
77768D5A  0000               ADD BYTE PTR DS:[EAX],AL
77768D5C  70 77              JO SHORT ntdll.77768DD5
77768D5E  5A                 POP EDX
77768D5F  807A 03 4B         CMP BYTE PTR DS:[EDX+3],4B
77768D63  75 0A              JNE SHORT ntdll.77768D6F
77768D65  64:FF15 C0000000   CALL DWORD PTR FS:[0C0]
77768D6C  C2 1400            RETN 14

Code:
CPU Disasm
Address   Hex dump           Command                         Comments
77768C90  B8 0D000000        MOV EAX,0D
77768C95  BA B0D57777        MOV EDX,ntdll.7777D5B0
77768C9A  FFD2               CALL EDX
77768C9C  C2 1000            RETN 10

Code:
CPU Disasm
Address   Hex dump           Command                         Comments
7777D5B0  64:8B15 30000000   MOV EDX,DWORD PTR FS:[30]
7777D5B7  8B92 54020000      MOV EDX,DWORD PTR DS:[EDX+254]
7777D5BD  F7C2 02000000      TEST EDX,00000002
7777D5C3  74 03              JE SHORT ntdll.7777D5C8
7777D5C5  CD 2E              INT 2E
7777D5C7  C3                 RETN
7777D5C8  EA CFD57777 3300   JMP FAR 0033:7777D5CF           ; Far jump or call
7777D5CF  41                 INC ECX
7777D5D0  FFA7 F8000000      JMP DWORD PTR DS:[EDI+0F8]
__________________
Welcome to my place http://www.reaonline.net
Last edited by Computer_Angel; 09-04-2015 at 12:45.
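An added example (not code from the post or from ScyllaHide) that recognises the Windows 10 x86 stub layout shown in the dumps above and reports whether an export still has that layout, which is the check a hook-integrity scan of ntdll would run. The byte strings for the stub and its dispatcher are reconstructed from the dumps; STUB_PATCHED is a constructed input showing what the check reports when a stub's first bytes have been overwritten.

```python
"""Recognise the Windows 10 32-bit ntdll syscall stub layout from the post (added example)."""
import struct

# 77768C90: MOV EAX,0D / MOV EDX,7777D5B0 / CALL EDX / RETN 10  (bytes from the post's dump)
STUB_WIN10 = bytes.fromhex("B80D000000BAB0D57777FFD2C21000")
# Constructed: the same stub after an inline patch replaced its first 5 bytes with JMP rel32
STUB_PATCHED = bytes.fromhex("E900100000") + STUB_WIN10[5:]
# 7777D5B0: the dispatcher the stub calls (FS:[30] flag test, then INT 2E or far JMP 0033:)
DISPATCHER_WIN10 = bytes.fromhex("648B15300000008B9254020000F7C2020000007403CD2EC3EACFD577773300")

def parse_syscall_stub(code: bytes) -> dict:
    """Match  B8 imm32 / BA imm32 / FF D2 / C2 imm16  and extract the syscall number,
    dispatcher address and argument count. Any deviation is reported as not intact,
    which is what an integrity check of ntdll exports flags for a patched stub."""
    if len(code) < 12:
        return {"intact": False, "reason": "too short"}
    if code[0] != 0xB8:
        return {"intact": False, "reason": "no MOV EAX,imm32 at +0 (byte 0x%02X)" % code[0]}
    if code[5] != 0xBA or code[10:12] != b"\xFF\xD2":
        return {"intact": False, "reason": "no MOV EDX,imm32 / CALL EDX at +5"}
    syscall_id = struct.unpack_from("<I", code, 1)[0]
    dispatcher = struct.unpack_from("<I", code, 6)[0]
    args = None
    if len(code) >= 15 and code[12] == 0xC2:          # RETN imm16: stack bytes / 4 = args
        args = struct.unpack_from("<H", code, 13)[0] // 4
    return {"intact": True, "syscall": syscall_id, "dispatcher": dispatcher, "args": args}

def dispatcher_exits(code: bytes, base: int) -> dict:
    """Locate both exits of the dispatcher dumped in the post: the INT 2E trap and the
    far JMP (EA disp32 sel16) into the 64-bit code segment 0x33. This is a linear byte
    scan, not a disassembler; it is adequate for a short stub but not for arbitrary code."""
    out = {"int2e": None, "far_jmp": None}
    i = 0
    while i < len(code):
        if code[i:i + 2] == b"\xCD\x2E":
            out["int2e"] = base + i
            i += 2
        elif code[i] == 0xEA and i + 7 <= len(code):
            target, selector = struct.unpack_from("<IH", code, i + 1)
            out["far_jmp"] = (selector, target)
            i += 7
        else:
            i += 1
    return out

if __name__ == "__main__":
    print(parse_syscall_stub(STUB_WIN10))        # intact, syscall 0x0D, 4 args
    print(parse_syscall_stub(STUB_PATCHED))      # not intact: first byte is 0xE9
    print(dispatcher_exits(DISPATCHER_WIN10, 0x7777D5B0))
```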