switched back to NtShutdownSystem

nasa-mapper/vdm_ctx/vdm_ctx.cpp

@@ -4,18 +4,17 @@ namespace vdm
 {
 	vdm_ctx::vdm_ctx()
 	{
-		// already found the syscall's physical page...
+		// if we already found the syscall's physical page...
 		if (vdm::syscall_address.load())
 			return;
 
-		LoadLibraryA("user32.dll"); // required for win32u.dll...
+		vdm::ntoskrnl = reinterpret_cast<std::uint8_t*>(
-		vdm::dxgkrnl_buffer = reinterpret_cast<std::uint8_t*>(
+			LoadLibraryExA("ntoskrnl.exe", NULL,
-			LoadLibraryExA("drivers\\dxgkrnl.sys", NULL,
 				DONT_RESOLVE_DLL_REFERENCES));
 
 		nt_rva = reinterpret_cast<std::uint32_t>(
 			util::get_kmodule_export(
-				"dxgkrnl.sys",
+				"ntoskrnl.exe",
 				syscall_hook.first,
 				true
 			));
@@ -55,7 +54,7 @@ namespace vdm
 
 			// check the first 32 bytes of the syscall, if its the same, test that its the correct
 			// occurrence of these bytes (since dxgkrnl is loaded into physical memory at least 2 times now)...
-			if (!memcmp(page_data + nt_page_offset, dxgkrnl_buffer + nt_rva, 32))
+			if (!memcmp(page_data + nt_page_offset, ntoskrnl + nt_rva, 32))
 				if (valid_syscall(reinterpret_cast<void*>(address + page + nt_page_offset)))
 					syscall_address.store(
 						reinterpret_cast<void*>(

nasa-mapper/vdm_ctx/vdm_ctx.h

@@ -10,14 +10,14 @@
 namespace vdm
 {
 	// change this to whatever you want :^)
-	constexpr std::pair<const char*, const char*> syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" };
+	constexpr std::pair<const char*, const char*> syscall_hook = { "NtShutdownSystem", "ntdll.dll" };
 
 	inline std::atomic<bool> is_page_found = false;
 	inline std::atomic<void*> syscall_address = nullptr;
 
 	inline std::uint16_t nt_page_offset;
 	inline std::uint32_t nt_rva;
-	inline std::uint8_t* dxgkrnl_buffer;
+	inline std::uint8_t* ntoskrnl;
 
 	class vdm_ctx
 	{