A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #25219  by t4L
 Wed Feb 11, 2015 2:50 am
@Brock: yeah, sorry for clearing that, I forgot to mention that of course you have to copy ntdll to a tmp file and load that instead of using %systemroot%\system32\(sysWow64)\ntdll.dll.

@TheExecuter: well, even if ZwCreateFile is hooked, there are multiple ways to bypass that hook, but it's just too complicated to do for such a simple task as getting raw syscall numbers. Keep it simple, don't over-engineer mundane stuff is my point.
 #25220  by EP_X0FF
 Wed Feb 11, 2015 4:32 am
What if, what if? What if the ntdll stub is magically different? What if ntdll is patched on disk? What if an FSD is here? What if there is a deep kernel hook? What if we have DKOH? What if you cannot even start? What stupid questions. Wanting to use raw syscalls means you are playing against user mode. Grab your tables and use them, magically jumping into another hook at sysexit, rofl, but nobody seems to care.

Answers given. Further offtopic is too much. Closed.