### ApplyHook: Install All Hook Categories Source: https://context7.com/x64dbg/scyllahide/llms.txt Top-level hook installation dispatcher that calls sub-installers for ntdll, kernel32, and user32 hooks. Records trampoline addresses and backup byte counts. ```cpp bool ApplyHook(HOOK_DLL_DATA* hdd, HANDLE hProcess, BYTE* dllMemory, DWORD_PTR imageBase) { hdd->hDllImage = (HMODULE)imageBase; // ntdll: NtSetInformationThread, NtQueryInformationProcess, NtClose, etc. ApplyNtdllHook(hdd, hProcess, dllMemory, imageBase); // kernel32/kernelbase: GetTickCount, GetLocalTime, OutputDebugStringA, etc. ApplyKernel32Hook(hdd, hProcess, dllMemory, imageBase); // user32/win32u: NtUserFindWindowEx, NtUserBuildHwndList, etc. ApplyUserHook(hdd, hProcess, dllMemory, imageBase); return true; } // To uninstall all hooks (e.g., on detach): RestoreHooks(hdd, hProcess); ``` -------------------------------- ### startInjectionProcess for DLL Mapping and Hooking Source: https://context7.com/x64dbg/scyllahide/llms.txt C++ code for startInjectionProcess, detailing the steps for suspending process threads, reflective DLL mapping, resolving syscalls, and installing hooks. ```cpp bool startInjectionProcess(HANDLE hProcess, BYTE* dllMemory) { PROCESS_SUSPEND_INFO suspendInfo; SafeSuspendProcess(hProcess, &suspendInfo); // suspend all threads if (g_settings.opts().removeDebugPrivileges) RemoveDebugPrivileges(hProcess); LPVOID remoteImageBase = MapModuleToProcess(hProcess, dllMemory, true); // reflective map FillHookDllData(hProcess, &g_hdd); // resolve NtUser* syscall addresses DWORD rva = GetDllFunctionAddressRVA(dllMemory, "HookDllData"); StartHooking(hProcess, dllMemory, (DWORD_PTR)remoteImageBase); // patch PEB + install hooks WriteProcessMemory(hProcess, (LPVOID)((DWORD_PTR)rva + (DWORD_PTR)remoteImageBase), &g_hdd, sizeof(HOOK_DLL_DATA), nullptr); // push config into remote DLL SafeResumeProcess(&suspendInfo); // Output: "Hook injection successful, image base 0x00007FF..." } ``` -------------------------------- ### ApplyHook Source: https://context7.com/x64dbg/scyllahide/llms.txt Top-level hook installation dispatcher. Calls the three sub-installers for ntdll, kernel32, and user32 hooks, recording each trampoline address and backup byte count in HOOK_DLL_DATA. ```APIDOC ## `ApplyHook` — Installing All Hook Categories Top-level hook installation dispatcher. Calls the three sub-installers for ntdll, kernel32, and user32 hooks, recording each trampoline address and backup byte count in `HOOK_DLL_DATA`. ```cpp bool ApplyHook(HOOK_DLL_DATA* hdd, HANDLE hProcess, BYTE* dllMemory, DWORD_PTR imageBase) { hdd->hDllImage = (HMODULE)imageBase; // ntdll: NtSetInformationThread, NtQueryInformationProcess, NtClose, etc. ApplyNtdllHook(hdd, hProcess, dllMemory, imageBase); // kernel32/kernelbase: GetTickCount, GetLocalTime, OutputDebugStringA, etc. ApplyKernel32Hook(hdd, hProcess, dllMemory, imageBase); // user32/win32u: NtUserFindWindowEx, NtUserBuildHwndList, etc. ApplyUserHook(hdd, hProcess, dllMemory, imageBase); return true; } // To uninstall all hooks (e.g., on detach): RestoreHooks(hdd, hProcess); ``` ``` -------------------------------- ### InjectorCLI Command-Line Usage Source: https://context7.com/x64dbg/scyllahide/llms.txt Examples of using InjectorCLI to target processes by name or PID. The 'nowait' option prevents the injector from pausing before exiting. ```bash # Inject by process name (waits for Enter before exiting) InjectorCLI.exe target.exe HookLibraryx64.dll ``` ```bash # Inject by decimal PID InjectorCLI.exe pid:1234 HookLibraryx64.dll nowait ``` ```bash # Inject by hex PID, no wait InjectorCLI.exe pid:0x4D2 HookLibraryx64.dll nowait ``` -------------------------------- ### InjectorCLI wmain Entry Point Flow Source: https://context7.com/x64dbg/scyllahide/llms.txt Simplified C++ code illustrating the internal entry point flow of InjectorCLI, including loading settings and initiating the injection process. ```cpp // wmain — simplified scl::Settings g_settings; g_settings.Load(g_scyllaHideIniPath.c_str()); // load scylla_hide.ini ReadSettings(); // copy opts → HOOK_DLL_DATA g_hdd DWORD targetPid = GetProcessIdByName(L"target.exe"); // or: targetPid parsed from "pid:1234" / "pid:0x4D2" startInjection(targetPid, L"HookLibraryx64.dll"); // Opens the process, reads the DLL into memory, suspends, maps, hooks, resumes. ``` -------------------------------- ### startInjection Function for DLL Mapping Source: https://context7.com/x64dbg/scyllahide/llms.txt C++ code for the startInjection function, which opens the target process, reads the hook DLL, suspends threads, and initiates reflective mapping and hooking. ```cpp bool startInjection(DWORD targetPid, const WCHAR* dllPath) { HANDLE hProcess = OpenProcess( PROCESS_SUSPEND_RESUME | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION, FALSE, targetPid); BYTE* dllMemory = ReadFileToMemory(dllPath); // read PE from disk // Suspend, inject, patch PEB, write hooks, resume startInjectionProcess(hProcess, dllMemory); // Optional: remove anti-attach protection if (g_settings.opts().killAntiAttach) ApplyAntiAntiAttach(targetPid); free(dllMemory); CloseHandle(hProcess); } ``` -------------------------------- ### SCL Settings for INI Profile Management (C++) Source: https://context7.com/x64dbg/scyllahide/llms.txt Manages INI configuration profiles for ScyllaHide, allowing dynamic loading, saving, and switching of hook settings. Use this to configure specific protector bypasses. ```cpp scl::Settings settings; settings.Load(L"C:\\Tools\\ScyllaHide\\scylla_hide.ini"); // Switch to a built-in profile settings.SetProfile(L"VMProtect x86/x64"); // Access current options const scl::Settings::Profile& opts = settings.opts(); bool hookNtClose = opts.hookNtClose; // true bool fixPeb = opts.fixPebBeingDebugged; // true // Check whether a hook DLL injection is needed at all // (returns false if only PEB patches are enabled) bool needDll = settings.hook_dll_needed(); // Add a custom profile and modify it settings.AddProfile(L"MyCustom"); settings.SetProfile(L"MyCustom"); settings.opts().hookNtQueryInformationProcess = TRUE; settings.opts().fixPebBeingDebugged = TRUE; settings.Save(); // writes back to ini_path_ ``` -------------------------------- ### ScyllaHide INI Configuration File Format Source: https://context7.com/x64dbg/scyllahide/llms.txt Defines the structure of the `scylla_hide.ini` file, including a `[SETTINGS]` section for the current profile and sections for individual profiles with hook and patch configurations. ```ini [SETTINGS] CurrentProfile=VMProtect x86/x64 [VMProtect x86/x64] ; DLL injection mode: Normal=load normally, Stealth=stealth map, Unload=unload after hooks DLLNormal=1 DLLStealth=0 DLLUnload=0 ; NT native hooks NtCloseHook=1 NtQueryInformationProcessHook=1 NtQueryObjectHook=1 NtSetInformationThreadHook=1 NtQuerySystemInformationHook=0 ; PEB patches PebBeingDebugged=1 PebHeapFlags=1 PebNtGlobalFlag=1 PebStartupInfo=1 PebOsBuildNumber=1 ; Timing hooks GetTickCountHook=0 GetTickCount64Hook=0 NtQueryPerformanceCounterHook=0 ; Debugger-specific (OllyDbg) BreakOnTLS=1 FixOllyBugs=1 RemoveEPBreak=1 X64Fix=1 WindowTitle=VMP ; IDA server AutostartServer=1 ServerPort=1337 [Themida x86/x64] NtCloseHook=1 NtCreateThreadExHook=1 NtQueryInformationProcessHook=1 NtSetInformationThreadHook=1 NtUserBuildHwndListHook=1 NtUserFindWindowExHook=1 NtUserQueryWindowHook=1 NtUserGetForegroundWindowHook=1 PebBeingDebugged=1 PebHeapFlags=1 PebNtGlobalFlag=1 ... ``` -------------------------------- ### HookedNtQuerySystemInformation Source: https://context7.com/x64dbg/scyllahide/llms.txt Handles eleven `SystemInformationClass` values that protectors use to detect kernel debuggers, enumerate handles to debug objects, and inspect process/integrity information. ```APIDOC ## `HookedNtQuerySystemInformation` — System-Level Debug Detection Bypass Handles eleven `SystemInformationClass` values that protectors use to detect kernel debuggers, enumerate handles to debug objects, and inspect process/integrity information. ```cpp // Classes intercepted: // SystemKernelDebuggerInformation → KernelDebuggerEnabled=FALSE, NotPresent=TRUE // SystemKernelDebuggerInformationEx → all three flags FALSE (Win 8.1+) // SystemKernelDebuggerFlags → zeroed (Win 10+) // SystemCodeIntegrityInformation → CodeIntegrityOptions=CODEINTEGRITY_OPTION_ENABLED // SystemCodeIntegrityUnlockInformation → buffer zeroed (Win 10+) // SystemHandleInformation → removes debugger handles from list // SystemExtendedHandleInformation → same, extended format // SystemProcessInformation → removes debugger process entry, fakes parent PID // SystemSessionProcessInformation → same // SystemExtendedProcessInformation → same SYSTEM_KERNEL_DEBUGGER_INFORMATION info; NtQuerySystemInformation(SystemKernelDebuggerInformation, &info, sizeof(info), nullptr); // With hook: info.KernelDebuggerEnabled == FALSE, info.KernelDebuggerNotPresent == TRUE ``` ``` -------------------------------- ### HookedNtQueryInformationProcess: Hide Debug Port and Handle Source: https://context7.com/x64dbg/scyllahide/llms.txt Intercepts NtQueryInformationProcess to return sanitized data for debug-related queries. Includes an instrumentation-callback to defeat manual syscall bypasses. ```cpp // Queries hidden by this hook: // ProcessDebugPort → returns NULL handle // ProcessDebugObjectHandle → returns STATUS_PORT_NOT_SET + NULL // ProcessDebugFlags → returns PROCESS_DEBUG_INHERIT (not being debugged) // ProcessBasicInformation → fakes InheritedFromUniqueProcessId to explorer.exe PID // ProcessBreakOnTermination → returns stored local value // ProcessHandleTracing → simulates enable/disable state // ProcessIoCounters → sets OtherOperationCount = 1 // Example: a packed binary calls NtQueryInformationProcess(ProcessDebugPort): HANDLE debugPort = (HANDLE)0xDEAD; NTSTATUS st = NtQueryInformationProcess( GetCurrentProcess(), ProcessDebugPort, &debugPort, sizeof(HANDLE), nullptr); // With hook active: st == STATUS_SUCCESS, debugPort == NULL // Without hook: st == STATUS_SUCCESS, debugPort == // The hook also installs an instrumentation callback (x64) to intercept // manual syscalls performed directly by VMProtect-style protectors: InstallInstrumentationCallbackHook(NtCurrentProcess, FALSE); // Callback returns STATUS_PORT_NOT_SET for NtQIP syscalls originating // from within the protected executable's own image. ``` -------------------------------- ### RestoreHooks Function for Uninstalling Hooks (C++) Source: https://context7.com/x64dbg/scyllahide/llms.txt Demonstrates the `RestoreHooks` function, which is responsible for cleanly removing all applied ScyllaHide hooks from a target process by restoring original function bytes and freeing memory. ```cpp // Called when the debugger detaches or the user clicks "Remove hooks" RestoreHooks(&g_hdd, hProcess); // Internally calls: // RestoreNtdllHooks → restores all ntdll jump patches // RestoreKernel32Hooks → restores GetTickCount, OutputDebugStringA, etc. // RestoreUserHooks → restores NtUser* patches // FreeMemory(hProcess, hdd->hDllImage) → unmaps hook DLL from target // On x86, if KiFastSystemCall was patched (single entry point for all syscalls), // restoring that one location removes all ntdll hooks at once: RestoreMemory(hProcess, KiFastSystemCallAddress, KiFastSystemCallBackup, sizeof(KiFastSystemCallBackup)); ``` -------------------------------- ### Hook Timing APIs to Mitigate Timing Attacks Source: https://context7.com/x64dbg/scyllahide/llms.txt These hooks freeze time-related APIs (GetTickCount, GetTickCount64, GetLocalTime, GetSystemTime, NtQuerySystemTime, NtQueryPerformanceCounter) at their first-call value and increment by one for subsequent calls. This defeats timing checks used to detect single-stepping. ```cpp // All six time functions share the same frozen-counter pattern: static DWORD OneTickCount = 0; DWORD WINAPI HookedGetTickCount() { if (!OneTickCount) OneTickCount = real_GetTickCount(); // latch on first call else OneTickCount++; // advance by 1 tick only return OneTickCount; } // GetTickCount64, GetLocalTime, GetSystemTime, NtQuerySystemTime, and // NtQueryPerformanceCounter all follow the same freeze-and-increment pattern. // This defeats: if (GetTickCount() - start > 500) { /* debugger detected */ } ``` -------------------------------- ### ApplyPEBPatch Source: https://context7.com/x64dbg/scyllahide/llms.txt Directly modifies the remote process's PEB (and PEB64 for WoW64 processes) to clear debug-indicator fields without injecting a DLL. Flags are OR-able bitmasks. ```APIDOC ## `ApplyPEBPatch` — Process Environment Block Patching Directly modifies the remote process's PEB (and PEB64 for WoW64 processes) to clear debug-indicator fields without injecting a DLL. ```cpp // Flags are OR-able bitmasks: // PEB_PATCH_BeingDebugged 0x01 → peb->BeingDebugged = FALSE // PEB_PATCH_NtGlobalFlag 0x02 → peb->NtGlobalFlag &= ~0x70 // PEB_PATCH_HeapFlags 0x04 → clears HEAP_TAIL_CHECKING_ENABLED etc. // PEB_PATCH_ProcessParameters 0x08 → clears debugger path in ProcessParameters // PEB_PATCH_OsBuildNumber 0x10 → peb->OSBuildNumber = FAKE_VERSION DWORD peb_flags = 0; if (g_settings.opts().fixPebBeingDebugged) peb_flags |= PEB_PATCH_BeingDebugged; if (g_settings.opts().fixPebHeapFlags) peb_flags |= PEB_PATCH_HeapFlags; if (g_settings.opts().fixPebNtGlobalFlag) peb_flags |= PEB_PATCH_NtGlobalFlag; if (g_settings.opts().fixPebStartupInfo) peb_flags |= PEB_PATCH_ProcessParameters; if (g_settings.opts().fixPebOsBuildNumber) peb_flags |= PEB_PATCH_OsBuildNumber; ApplyPEBPatch(hProcess, peb_flags); // Also patches PEB64 automatically when running as WoW64. ``` ``` -------------------------------- ### HookedNtQuerySystemInformation: Bypass System-Level Debug Detection Source: https://context7.com/x64dbg/scyllahide/llms.txt Handles eleven SystemInformationClass values used by protectors to detect kernel debuggers and inspect process information. Removes debugger handles and processes from lists. ```cpp // Classes intercepted: // SystemKernelDebuggerInformation → KernelDebuggerEnabled=FALSE, NotPresent=TRUE // SystemKernelDebuggerInformationEx → all three flags FALSE (Win 8.1+) // SystemKernelDebuggerFlags → zeroed (Win 10+) // SystemCodeIntegrityInformation → CodeIntegrityOptions=CODEINTEGRITY_OPTION_ENABLED // SystemCodeIntegrityUnlockInformation → buffer zeroed (Win 10+) // SystemHandleInformation → removes debugger handles from list // SystemExtendedHandleInformation → same, extended format // SystemProcessInformation → removes debugger process entry, fakes parent PID // SystemSessionProcessInformation → same // SystemExtendedProcessInformation → same SYSTEM_KERNEL_DEBUGGER_INFORMATION info; NtQuerySystemInformation(SystemKernelDebuggerInformation, &info, sizeof(info), nullptr); // With hook: info.KernelDebuggerEnabled == FALSE, info.KernelDebuggerNotPresent == TRUE ``` -------------------------------- ### HookedNtQueryInformationProcess Source: https://context7.com/x64dbg/scyllahide/llms.txt Intercepts `NtQueryInformationProcess` and returns sanitized data for all debug-related query classes, including an instrumentation-callback technique to defeat manual syscall bypasses. ```APIDOC ## `HookedNtQueryInformationProcess` — Hiding Debug Port and Debug Object Handle Intercepts `NtQueryInformationProcess` and returns sanitized data for all debug-related query classes, including an instrumentation-callback technique to defeat manual syscall bypasses. ```cpp // Queries hidden by this hook: // ProcessDebugPort → returns NULL handle // ProcessDebugObjectHandle → returns STATUS_PORT_NOT_SET + NULL // ProcessDebugFlags → returns PROCESS_DEBUG_INHERIT (not being debugged) // ProcessBasicInformation → fakes InheritedFromUniqueProcessId to explorer.exe PID // ProcessBreakOnTermination → returns stored local value // ProcessHandleTracing → simulates enable/disable state // ProcessIoCounters → sets OtherOperationCount = 1 // Example: a packed binary calls NtQueryInformationProcess(ProcessDebugPort): HANDLE debugPort = (HANDLE)0xDEAD; NTSTATUS st = NtQueryInformationProcess( GetCurrentProcess(), ProcessDebugPort, &debugPort, sizeof(HANDLE), nullptr); // With hook active: st == STATUS_SUCCESS, debugPort == NULL // Without hook: st == STATUS_SUCCESS, debugPort == // The hook also installs an instrumentation callback (x64) to intercept // manual syscalls performed directly by VMProtect-style protectors: InstallInstrumentationCallbackHook(NtCurrentProcess, FALSE); // Callback returns STATUS_PORT_NOT_SET for NtQIP syscalls originating // from within the protected executable's own image. ``` ``` -------------------------------- ### ApplyPEBPatch: Modify Process Environment Block Source: https://context7.com/x64dbg/scyllahide/llms.txt Directly modifies the remote process's PEB to clear debug-indicator fields without DLL injection. Flags are OR-able bitmasks for different PEB fields. ```cpp // Flags are OR-able bitmasks: // PEB_PATCH_BeingDebugged 0x01 → peb->BeingDebugged = FALSE // PEB_PATCH_NtGlobalFlag 0x02 → peb->NtGlobalFlag &= ~0x70 // PEB_PATCH_HeapFlags 0x04 → clears HEAP_TAIL_CHECKING_ENABLED etc. // PEB_PATCH_ProcessParameters 0x08 → clears debugger path in ProcessParameters // PEB_PATCH_OsBuildNumber 0x10 → peb->OSBuildNumber = FAKE_VERSION DWORD peb_flags = 0; if (g_settings.opts().fixPebBeingDebugged) peb_flags |= PEB_PATCH_BeingDebugged; if (g_settings.opts().fixPebHeapFlags) peb_flags |= PEB_PATCH_HeapFlags; if (g_settings.opts().fixPebNtGlobalFlag) peb_flags |= PEB_PATCH_NtGlobalFlag; if (g_settings.opts().fixPebStartupInfo) peb_flags |= PEB_PATCH_ProcessParameters; if (g_settings.opts().fixPebOsBuildNumber) peb_flags |= PEB_PATCH_OsBuildNumber; ApplyPEBPatch(hProcess, peb_flags); // Also patches PEB64 automatically when running as WoW64. ``` -------------------------------- ### Hook NtCreateThreadEx for Thread Hiding and Creation Prevention (C++) Source: https://context7.com/x64dbg/scyllahide/llms.txt This snippet illustrates how to hook `NtCreateThreadEx` to either strip the `THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER` flag or prevent new thread creation entirely. It's useful for analyzing packers like VMProtect. ```cpp // Strip hide-from-debugger flag: // EnableNtCreateThreadExHook = TRUE → CreateFlags &= ~0x4 // Prevent thread creation (for protectors like Execryptor): // EnablePreventThreadCreation = TRUE → returns STATUS_INSUFFICIENT_RESOURCES // for any NtCreateThreadEx / NtCreateThread targeting the current process // Example: VMProtect creates a watchdog thread hidden from debugger // → with hook, thread is created normally and remains visible to debugger ``` -------------------------------- ### Hook Window Management APIs for Debugger Window Hiding Source: https://context7.com/x64dbg/scyllahide/llms.txt These hooks filter debugger-related window handles from enumeration results and query responses. This prevents the target process from discovering the debugger's presence by querying window information, such as through FindWindow or EnumWindows. ```cpp // FindWindow(NULL, "x64dbg") → returns NULL (window class/name filtered) // EnumWindows callback will not see the debugger window handle // GetForegroundWindow() returns the target's own active window if the // foreground window belongs to the protected process ID // Window class names and titles from known debuggers (OllyDbg, x64dbg, IDA, etc.) // are matched by IsWindowClassNameBad() / IsWindowNameBad() / IsWindowBad() ``` -------------------------------- ### Hook NtGetContextThread/NtSetContextThread/NtContinue for Hardware Breakpoint Protection Source: https://context7.com/x64dbg/scyllahide/llms.txt These hooks protect hardware breakpoint registers (Dr0-Dr7) from being accessed or modified by the target process. NtGetContextThread strips debug registers from flags and zeroes them in the output. NtSetContextThread prevents overwriting debugger breakpoints. NtContinue restores breakpoints across exception dispatching. ```cpp // NtGetContextThread: strips CONTEXT_DEBUG_REGISTERS from the flags before the // real call, then zeroes Dr0–Dr7 (and branch tracing regs on x64) in the result. CONTEXT ctx = { .ContextFlags = CONTEXT_DEBUG_REGISTERS | CONTEXT_INTEGER }; NtGetContextThread(GetCurrentThread(), &ctx); // With hook: ctx.Dr0 == ctx.Dr1 == ... == ctx.Dr7 == 0 // NtSetContextThread: strips CONTEXT_DEBUG_REGISTERS so the debugger's // hardware breakpoints cannot be overwritten by the target. // NtContinue: after KiUserExceptionDispatcher clears Dr regs (which the hook // also intercepts), NtContinue restores the saved real breakpoints from a // per-thread slot array so the debugger's BPs keep working. ``` -------------------------------- ### Hook NtClose/NtDuplicateObject for Protected Handle Trap Source: https://context7.com/x64dbg/scyllahide/llms.txt These hooks prevent protectors from detecting debuggers by closing invalid or protected handles. Instead of raising an exception, NtClose returns STATUS_HANDLE_NOT_CLOSABLE. NtDuplicateObject strips the DUPLICATE_CLOSE_SOURCE flag for protected handles. ```cpp NTSTATUS HookedNtClose(HANDLE Handle) { OBJECT_HANDLE_FLAG_INFORMATION flags; NtQueryObject(Handle, ObjectHandleFlagInformation, &flags, sizeof(flags), nullptr); if (flags.ProtectFromClose) return STATUS_HANDLE_NOT_CLOSABLE; // return error without raising exception return real_NtClose(Handle); } // NtDuplicateObject: strips DUPLICATE_CLOSE_SOURCE flag when handle is ProtectFromClose ``` -------------------------------- ### Hook NtSetInformationThread to Block ThreadHideFromDebugger Source: https://context7.com/x64dbg/scyllahide/llms.txt This hook intercepts calls to NtSetInformationThread with the ThreadHideFromDebugger flag. It prevents the thread from becoming invisible to the debugger, ensuring that single-step exceptions and breakpoints continue to function. ```cpp NTSTATUS st = NtSetInformationThread( GetCurrentThread(), ThreadHideFromDebugger, // == 0x11 nullptr, 0); // Hooked result: STATUS_SUCCESS (no-op, thread remains visible) ``` -------------------------------- ### Hook NtQueryObject to Hide DebugObject Kernel Object Type Source: https://context7.com/x64dbg/scyllahide/llms.txt This hook modifies the results of NtQueryObject when querying ObjectTypesInformation. It removes or decrements the DebugObject entry, preventing protectors from detecting an active debug session by checking for DebugObject instances. ```cpp // Protector: enumerates all object types, looks for DebugObject TotalNumberOfObjects > 0 OBJECT_TYPES_INFORMATION* pTypes = /* ... */; NtQueryObject(nullptr, ObjectTypesInformation, pTypes, size, &returnLength); // With hook: DebugObject.TotalNumberOfObjects == 0, TotalNumberOfHandles == 0 ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.