I intend to hook into a ntdll function ZwTerminateProcess, but am having a problem with x64, because if a x86 app is running in a windows x64 , it is loaded with two ntdlls:
One from System32 path and the other one from SysWOW64.
Until here I have no problems, except: the first ntdll(system32) don't show up when I list dlls using CreateToolhelp32Snapshot() or EnumProcessModules() and when I use GetModuleHandle() the return is the hModule from the second ntdll(SysWOW64).
I was thinking that maybe the first dll was loaded with LOAD_LIBRARY_AS_DATAFILE flag but if it were the case the app would not be able to use the function from the first ntdll(System32). I have tried to hook the ZwTerminateProcess() in the second ntdll but it doesn't work. Does anyone have some idea of how to help me?
Please let me know if more clarification is required.
Thank you, Douglas.