WOW64, NtSetDebugFilterState Bug (No trampoline hook)

[TheDomco]

So In "ApplyNtdllHook" HOOK_NATIVE_NOTRAMP is used to hook NtSetDebugFilterState. It uses "DetourCreateRemoteNative" which is "DetourCreateRemoteNative32". Which will always return 0 (trampoline) for no trampline hooks. Therefore "StartHooking" ends there and returns false and the other hooks are never hooked. Means if I want to use x32dbg with WIN32 build of scyllahide on 64bit system (w10), I am not able to.

[TheDomco]

"Solved" it I guess by changing "HOOK_NATIVE_NOTRAMP" to "HOOK_NATIVE"

[Mattiwatti]

Thanks. I pushed a slightly different fix for this which makes the HOOK_NATIVE_NOTRAMP macro ignore the return value because, as you said, it will always be NULL. The truth is that I have no clue why NtSetDebugFilterState uses HOOK_NATIVE_NOTRAMP unlike all of the others which use HOOK_NATIVE, so I decided to err on the side of caution and leave the hook method unchanged. It probably doesn't matter either way.

Side note: the NtSetDebugFilterState hook is essentially useless, see TitanHide #3 for more info. Though that is of course no excuse for the hook method being broken.