
I intend to hook into an ntdll function, ZwTerminateProcess, but am having a problem with x64, because if an x86 app is running on Windows x64, it is loaded with two ntdlls: one from the System32 path and the other one from SysWOW64.

Up to here I have no problems, except: the first ntdll (System32) doesn't show up when I list DLLs using CreateToolhelp32Snapshot() or EnumProcessModules(), and when I use GetModuleHandle() the return is the hModule from the second ntdll (SysWOW64).

I was thinking that maybe the first DLL was loaded with the LOAD_LIBRARY_AS_DATAFILE flag, but if that were the case the app would not be able to use the functions from the first ntdll (System32). I have tried to hook ZwTerminateProcess() in the second ntdll, but it doesn't work. Does anyone have some idea of how to help me?

Please let me know if more clarification is required.

Thank you, Douglas.

    The DLL from SysWOW64 is - despite its name - the right one for your 32bit application. The DLL from System32 is the 64bit version. See also http://stackoverflow.com/questions/949959/why-do-64-bit-dlls-go-to-system32-and-32-bit-dlls-to-syswow64-on-64-bit-windows - For finding out why the hook does not work, you should improve your question and maybe show some code. – JensG Dec 07 '13 at 18:35
  • Yeah, but I need to do a hook in the DLL from System32; the problem is I can't get its hModule. The problem isn't the code, because what I'm doing is just putting a retn, but I'm putting it in the wrong place. With C.E. (Cheat Engine 6.2), for example, I can put it in the right place, but with my app I can't. – user3078184 Dec 07 '13 at 18:41
  • GetProcAddress(GetModuleHandleA('ntdll.dll'),'ZwTerminateProcess'); returns a wrong address. I already tried with LoadLibraryA() instead of GetModuleHandleA, but it keeps returning a wrong address. – user3078184 Dec 07 '13 at 18:48
  • Sorry, I wasn't clear. I already tried it, and the return was the hModule from the SysWOW64 DLL, even using LoadLibraryA('C:\Windows\System32\ntdll.dll'). – user3078184 Dec 07 '13 at 19:03
  • Try loading from c:\windows\sysnative\ntdll.dll – maxandron Oct 31 '16 at 16:03
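As an added example (not code from the question or from any of the comments), the following C program makes the WoW64 behaviour discussed above concrete. It shows why a 32-bit process on 64-bit Windows only ever sees SysWOW64\ntdll.dll through GetModuleHandle/EnumProcessModules, and what the Sysnative alias from the last comment actually does: it bypasses the file-system redirector so the on-disk 64-bit ntdll can be opened, but it does not hand you the hModule of the 64-bit ntdll that is already mapped in the process. The helper names (sysnative_path, running_under_wow64, list_modules) and the file name wow64_ntdll.c are my own assumptions; the path rewriting is portable and compiles anywhere, while the diagnostics under _WIN32 need the Windows SDK (build as x86 and run on x64 Windows to see the effect).

```c
/* wow64_ntdll.c - added example, not from the question. Build as a 32-bit
 * binary and run on 64-bit Windows: list_modules() prints SysWOW64\ntdll.dll
 * and never System32\ntdll.dll, because the 64-bit ntdll is recorded in the
 * 64-bit PEB's loader list, which 32-bit EnumProcessModules/GetModuleHandle
 * never consult. Link with psapi.lib on older toolchains. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#endif

/* Case-insensitive "does s start with prefix", as Windows paths are. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Rewrites the first "\System32\" component of a path to "\Sysnative\".
 * From a 32-bit process on 64-bit Windows the file-system redirector maps
 * System32 to SysWOW64, which is why LoadLibraryA("C:\Windows\System32\ntdll.dll")
 * in the question still returned the 32-bit copy; "Sysnative" is the alias
 * that bypasses the redirector. Outside WoW64 the path is copied unchanged.
 * Returns 1 if rewritten, 0 if copied unchanged, -1 if out is too small. */
int sysnative_path(const char *in, int is_wow64_process, char *out, size_t outsz)
{
    static const char marker[] = "\\System32\\";
    const size_t mlen = sizeof marker - 1;
    const char *p = NULL;
    int n;

    if (is_wow64_process)
        for (const char *q = in; *q; q++)
            if (has_prefix_ci(q, marker)) { p = q; break; }

    if (!p) {
        n = snprintf(out, outsz, "%s", in);
        return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
    }
    n = snprintf(out, outsz, "%.*s\\Sysnative\\%s", (int)(p - in), in, p + mlen);
    return (n >= 0 && (size_t)n < outsz) ? 1 : -1;
}

#ifdef _WIN32
/* 1 if this is a 32-bit process running under WoW64, 0 otherwise. */
int running_under_wow64(void)
{
    BOOL wow = FALSE;
    return IsWow64Process(GetCurrentProcess(), &wow) && wow;
}

/* Lists every module the loader of *this* bitness knows about. */
void list_modules(void)
{
    HMODULE mods[1024];
    DWORD needed = 0;
    if (!EnumProcessModules(GetCurrentProcess(), mods, sizeof mods, &needed))
        return;
    for (DWORD i = 0; i < needed / sizeof(HMODULE) && i < 1024; i++) {
        char path[MAX_PATH];
        if (GetModuleFileNameA(mods[i], path, MAX_PATH))
            printf("%p  %s\n", (void *)mods[i], path);
    }
}
#endif

int main(void)
{
    char buf[260];
    /* Constructed input: the path from the question, as seen from a WoW64 process. */
    sysnative_path("C:\\Windows\\System32\\ntdll.dll", 1, buf, sizeof buf);
    printf("on-disk 64-bit ntdll, reachable from a 32-bit process: %s\n", buf);
#ifdef _WIN32
    printf("running under WoW64: %d\n", running_under_wow64());
    list_modules();
    /* Note: LoadLibrary of the Sysnative (64-bit) image into a 32-bit process
     * fails with ERROR_BAD_EXE_FORMAT; it can only be mapped as data with
     * LOAD_LIBRARY_AS_DATAFILE, which is a separate mapping, not the 64-bit
     * ntdll the process is already executing through the WoW64 layer. */
#endif
    return 0;
}
```

The practical consequence for anyone auditing or monitoring such a process: from 32-bit code, the Zw* stubs in SysWOW64\ntdll.dll are what the application actually calls, and those stubs transition into the 64-bit ntdll via the WoW64 layer; the 64-bit copy is present in the address space but is neither enumerable nor loadable through the 32-bit Win32 API, which is exactly the symptom the question describes.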

0 Answers