Exetools forum, General > Community Tools
#11, 09-04-2015, 11:58
Computer_Angel (Join Date: Aug 2003; Posts: 151)
A lot of changes in ntdll in Windows 10 make ScyllaHide fail to hook functions in ntdll.
Example:

NtQueryInformationProcess
Code:
CPU Disasm
Address     Hex dump           Command                                  Comments
77768D50    B8 19000000        MOV EAX,19                               ; NTSTATUS ntdll.NtQueryInformationProcess(ProcessHandle,ProcessInfoClass,Buffer,Bufsize,pLength)
77768D55    E8 04000000        CALL ntdll.77768D5E                      ; pushes 77768D5A and skips the next 4 bytes
77768D5A    0000               ADD BYTE PTR DS:[EAX],AL                 ; 4 inline data bytes (00 00 70 77), never executed; the disassembler shows them as code
77768D5C    70 77              JO SHORT ntdll.77768DD5
77768D5E    5A                 POP EDX                                  ; EDX = 77768D5A, the address of the inline bytes
77768D5F    807A 03 4B         CMP BYTE PTR DS:[EDX+3],4B
77768D63    75 0A              JNE SHORT ntdll.77768D6F
77768D65    64:FF15 C0000000   CALL DWORD PTR FS:[0C0]                  ; FS:[0C0] = TEB.WOW32Reserved, the 32->64-bit transition entry
77768D6C    C2 1400            RETN 14
NtSetInformationThread
Code:
CPU Disasm
Address     Hex dump           Command                                  Comments
77768C90    B8 0D000000        MOV EAX,0D
77768C95    BA B0D57777        MOV EDX,ntdll.7777D5B0                   ; ntdll.Wow64SystemServiceCall, see below
77768C9A    FFD2               CALL EDX
77768C9C    C2 1000            RETN 10
Call Wow64SystemServiceCall
Code:
CPU Disasm
Address     Hex dump           Command                                  Comments
7777D5B0    64:8B15 30000000   MOV EDX,DWORD PTR FS:[30]                ; FS:[30] = PEB
7777D5B7    8B92 54020000      MOV EDX,DWORD PTR DS:[EDX+254]
7777D5BD    F7C2 02000000      TEST EDX,00000002
7777D5C3    74 03              JE SHORT ntdll.7777D5C8
7777D5C5    CD 2E              INT 2E                                   ; interrupt-based system call path, taken only when the PEB flag is set
7777D5C7    C3                 RETN
7777D5C8    EA CFD57777 3300   JMP FAR 0033:7777D5CF                    ; far jump to CS 0033 switches the CPU into 64-bit mode
7777D5CF    41                 INC ECX                                  ; 41 FF A7 F8000000 is 64-bit code: JMP QWORD PTR [R15+0F8]; the 32-bit disassembler mis-decodes it
7777D5D0    FFA7 F8000000      JMP DWORD PTR DS:[EDI+0F8]

Last edited by Computer_Angel; 09-04-2015 at 12:45.
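The following is an added example, not code from the post above and not ScyllaHide's code. It recognises the two Windows 10 WOW64 ntdll stub layouts dumped above by byte signature, extracts the system service number from the leading MOV EAX,imm32, and flags a stub that is already patched or that matches no known layout. This is the check a hook library wants before it writes a trampoline: when the prologue is not one it understands, it can report the build instead of failing silently. The enum and struct names and the NTSIT_HOOKED sample are this example's own assumptions; the two stub byte strings are copied from the hex dump columns in the post.

```c
/* Added example, not code from the post or from ScyllaHide: recognise the two
 * Windows 10 WOW64 ntdll stub layouts dumped above by byte signature, extract
 * the system service number, and flag stubs that are already patched or match
 * no known layout. Names and NTSIT_HOOKED are assumptions of this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum stub_kind {
    STUB_UNKNOWN = 0,      /* no signature matched: a hook library should stop here */
    STUB_PATCHED,          /* JMP/CALL rel32 or INT3 where MOV EAX,imm32 should be */
    STUB_WIN10_CALL_REL,   /* MOV EAX,n; CALL +4; 4 inline bytes; POP EDX; CMP [EDX+3],4B; ... */
    STUB_WIN10_CALL_EDX    /* MOV EAX,n; MOV EDX,Wow64SystemServiceCall; CALL EDX; RETN n */
};

struct stub_info {
    enum stub_kind kind;
    uint32_t ssn;     /* system service number from the leading MOV EAX,imm32 */
    uint32_t helper;  /* MOV EDX,imm32 target in the CALL EDX layout, else 0 */
    uint16_t retn;    /* RETN imm16 operand: argument bytes the stub cleans up */
};

/* Byte signatures; '?' is a wildcard for immediates and inline data bytes. */
static const struct { enum stub_kind kind; const char *bytes; } SIGS[] = {
    { STUB_WIN10_CALL_REL,
      "B8 ? ? ? ? E8 04 00 00 00 ? ? ? ? 5A 80 7A 03 4B 75 0A 64 FF 15 C0 00 00 00 C2 ? ?" },
    { STUB_WIN10_CALL_EDX, "B8 ? ? ? ? BA ? ? ? ? FF D2 C2 ? ?" },
};

/* Match one signature at code[0]; returns the matched length, or 0 on mismatch. */
static size_t sig_match(const char *sig, const uint8_t *code, size_t len)
{
    size_t i = 0;
    for (const char *p = sig;; i++) {
        while (*p == ' ') p++;
        if (*p == '\0') return i;
        if (i >= len) return 0;             /* buffer ends before the signature does */
        if (*p == '?') { p++; continue; }
        char *end;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v != code[i]) return 0;
        p = end;
    }
}

static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Classify the first bytes of an Nt* export: 1 = known layout or visibly patched, 0 = unknown. */
int classify_stub(const uint8_t *code, size_t len, struct stub_info *out)
{
    memset(out, 0, sizeof *out);
    if (len >= 1 && (code[0] == 0xE9 || code[0] == 0xE8 || code[0] == 0xCC)) {
        out->kind = STUB_PATCHED;
        return 1;
    }
    for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
        size_t n = sig_match(SIGS[s].bytes, code, len);
        if (n == 0) continue;
        out->kind = SIGS[s].kind;
        out->ssn = rd32(code + 1);
        if (out->kind == STUB_WIN10_CALL_EDX) out->helper = rd32(code + 6);
        out->retn = (uint16_t)(code[n - 2] | (code[n - 1] << 8));   /* both layouts end in C2 imm16 */
        return 1;
    }
    return 0;
}

/* NtQueryInformationProcess, bytes 77768D50..77768D6E from the post's dump. */
const uint8_t NTQIP_WIN10[] = {
    0xB8,0x19,0x00,0x00,0x00, 0xE8,0x04,0x00,0x00,0x00, 0x00,0x00,0x70,0x77, 0x5A,
    0x80,0x7A,0x03,0x4B, 0x75,0x0A, 0x64,0xFF,0x15,0xC0,0x00,0x00,0x00, 0xC2,0x14,0x00
};
/* NtSetInformationThread, bytes 77768C90..77768C9E from the post's dump. */
const uint8_t NTSIT_WIN10[] = {
    0xB8,0x0D,0x00,0x00,0x00, 0xBA,0xB0,0xD5,0x77,0x77, 0xFF,0xD2, 0xC2,0x10,0x00
};
/* Constructed for this example: the same stub after a 5-byte JMP rel32 hook was written over it. */
const uint8_t NTSIT_HOOKED[] = {
    0xE9,0x5B,0x12,0x00,0x00, 0xBA,0xB0,0xD5,0x77,0x77, 0xFF,0xD2, 0xC2,0x10,0x00
};
static const char *const KIND_NAME[] = { "unknown layout, do not hook", "already patched",
    "Win10 CALL +4 / POP EDX layout", "Win10 CALL EDX layout" };

int main(void)
{
    const struct { const char *name; const uint8_t *code; size_t len; } samples[] = {
        { "NtQueryInformationProcess", NTQIP_WIN10,  sizeof NTQIP_WIN10 },
        { "NtSetInformationThread",    NTSIT_WIN10,  sizeof NTSIT_WIN10 },
        { "NtSetInformationThread(h)", NTSIT_HOOKED, sizeof NTSIT_HOOKED },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct stub_info si;
        classify_stub(samples[i].code, samples[i].len, &si);
        printf("%-27s %-32s ssn=0x%02X retn=0x%02X helper=%08X\n", samples[i].name,
               KIND_NAME[si.kind], (unsigned)si.ssn, (unsigned)si.retn, (unsigned)si.helper);
    }
    return 0;
}
```

The first signature deliberately matches the literal `CMP BYTE PTR [EDX+3],4B` and `CALL DWORD PTR FS:[0C0]` bytes, so it is specific to the build the dump came from; when a later build changes the stub, add a row to the table rather than widening the wildcards, because a loose signature is how a hook engine ends up patching a prologue it does not understand. In a real tool the bytes would be read from the `GetProcAddress` result of each Nt* export and a `STUB_UNKNOWN` result should abort the hook with a diagnostic.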