Jump to content
Moopler Closing Read more... ×
Moopler

Zoomba

Member
  • Content Count

    2
  • Joined

  • Last visited

Community Reputation

1 Neutral

About Zoomba

  • Rank
    Newbie

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. I don't think I have posted the source code here? So here. dinput8 It shows how to intercept all winapi calls from a single hook for a wow64 process. It won't work with the current version of blackcipher. For some WinApi like (NtOpenProcess,NtReadVirtualMemory,NtQueryVirtualMemory), it doesn't go through the wow64 callgate anymore (fs:c0), BlackCipher create a 64 bit thread and make it call the native syscall instead. There is 2 ntdll.dll loaded one 32 bit and the other 64 bit for a wow64 process. You now have to hook the 64 bit ntdll now. In Cheat Engine the module symbol "_NtOpenProcess" without the quotes is the 64 bit NtOpenProcess. There is an underscore before the winapi name. I have wrote a wow64 library in 2011 if anyones interested: wow64ext I gave it to my subordinate rewolf and he released it on his github.
×