From b233ec7a04d9ac5c89e33fc97dc4a5c77ed53eb9 Mon Sep 17 00:00:00 2001
From: xerox <xerox@back.engineering>
Date: Thu, 5 Nov 2020 13:19:51 -0800
Subject: [PATCH] switched back to NtShutdownSystem

---
 nasa-injector/vdm_ctx/vdm_ctx.cpp | 9 ++++-----
 nasa-injector/vdm_ctx/vdm_ctx.hpp | 4 ++--
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/nasa-injector/vdm_ctx/vdm_ctx.cpp b/nasa-injector/vdm_ctx/vdm_ctx.cpp
index 9be9a5e..1454478 100644
--- a/nasa-injector/vdm_ctx/vdm_ctx.cpp
+++ b/nasa-injector/vdm_ctx/vdm_ctx.cpp
@@ -15,14 +15,13 @@ namespace vdm
 		if (vdm::syscall_address.load())
 			return;
 
-		LoadLibraryA("user32.dll"); // required for win32u.dll...
-		vdm::dxgkrnl_buffer = reinterpret_cast<std::uint8_t*>(
-			LoadLibraryExA("drivers\\dxgkrnl.sys", NULL,
+		vdm::ntoskrnl = reinterpret_cast<std::uint8_t*>(
+			LoadLibraryExA("ntoskrnl.exe", NULL,
 				DONT_RESOLVE_DLL_REFERENCES));
 
 		nt_rva = reinterpret_cast<std::uint32_t>(
 			util::get_kmodule_export(
-				"dxgkrnl.sys",
+				"ntoskrnl.exe",
 				syscall_hook.first,
 				true
 			));
@@ -72,7 +71,7 @@ namespace vdm
 
 			// check the first 32 bytes of the syscall, if its the same, test that its the correct
 			// occurrence of these bytes (since dxgkrnl is loaded into physical memory at least 2 times now)...
-			if (!memcmp(page_data + nt_page_offset, dxgkrnl_buffer + nt_rva, 32))
+			if (!memcmp(page_data + nt_page_offset, ntoskrnl + nt_rva, 32))
 				if (valid_syscall(reinterpret_cast<void*>(address + page + nt_page_offset)))
 					syscall_address.store(
 						reinterpret_cast<void*>(
diff --git a/nasa-injector/vdm_ctx/vdm_ctx.hpp b/nasa-injector/vdm_ctx/vdm_ctx.hpp
index 4e3d8f3..37bc3c4 100644
--- a/nasa-injector/vdm_ctx/vdm_ctx.hpp
+++ b/nasa-injector/vdm_ctx/vdm_ctx.hpp
@@ -11,14 +11,14 @@
 namespace vdm
 {
 	// change this to whatever you want :^)
-	constexpr std::pair<const char*, const char*> syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" };
+	constexpr std::pair<const char*, const char*> syscall_hook = { "NtShutdownSystem", "ntdll.dll" };
 
 	inline std::atomic<bool> is_page_found = false;
 	inline std::atomic<void*> syscall_address = nullptr;
 
 	inline std::uint16_t nt_page_offset;
 	inline std::uint32_t nt_rva;
-	inline std::uint8_t* dxgkrnl_buffer;
+	inline std::uint8_t* ntoskrnl;
 
 	using read_phys_t = std::function<decltype(vdm::read_phys)>;
 	using write_phys_t = std::function<decltype(vdm::write_phys)>;