relative mov in EntryPoint not handled
On WinXP64 SP2, the User32.dll code for GetWindowThreadProcessId starts as:
0000000077C40900 sub rsp, 28h (4 bytes: 48 83 EC 28)
0000000077C40904 mov rax, qword ptr [77CE69D8h] (7 bytes: 48 8B 05 CD 60 0A 00)
Those 2 instructions are copied as is in the relocated EntryPoint after the trampoline code, but the 2nd instruction is a relative mov and thus is not handled well (neither detected and forbidden, nor the relative offset modified).
This causes the hooked process to crash.
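The missing check and fixup described in this report, as an added example (not code from the hooking library or from the reporter). It assumes the simple `[REX] opcode ModRM disp32` encoding of `mov`/`lea` shown above and a little-endian host; the function names and the relocation addresses used to exercise it are hypothetical, and a real hook engine needs a full instruction-length decoder.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Offset of the disp32 field if insn is RIP-relative (ModRM mod=00, rm=101),
 * else -1. Only opcodes 89/8B (mov) and 8D (lea) are recognised here. */
int rip_disp_offset(const uint8_t *insn, size_t len)
{
    size_t i = 0;
    if (len > 0 && (insn[0] & 0xF0) == 0x40) i++;      /* skip REX prefix */
    if (i + 6 > len) return -1;                        /* opcode+ModRM+disp32 */
    uint8_t op = insn[i];
    if (op != 0x89 && op != 0x8B && op != 0x8D) return -1;
    if ((insn[i + 1] & 0xC7) != 0x05) return -1;       /* not [rip+disp32] */
    return (int)(i + 2);
}

/* Absolute address referenced by a RIP-relative instruction located at addr
 * (RIP points at the next instruction); 0 if it is not RIP-relative. */
uint64_t rip_target(const uint8_t *insn, size_t len, uint64_t addr)
{
    int off = rip_disp_offset(insn, len);
    int32_t disp;
    if (off < 0) return 0;
    memcpy(&disp, insn + off, 4);
    return addr + len + (uint64_t)(int64_t)disp;
}

/* Patch an instruction that was copied from old_addr to new_addr so it still
 * reaches the same target. Returns 1 if patched, 0 if no fixup is needed,
 * -1 if the target is beyond +/-2 GiB of the copy (the hook must be refused). */
int fixup_rip_relative(uint8_t *copy, size_t len,
                       uint64_t old_addr, uint64_t new_addr)
{
    int off = rip_disp_offset(copy, len);
    if (off < 0) return 0;
    uint64_t target = rip_target(copy, len, old_addr);
    int64_t nd = (int64_t)(target - (new_addr + len));
    if (nd < INT32_MIN || nd > INT32_MAX) return -1;
    int32_t disp = (int32_t)nd;
    memcpy(copy + off, &disp, 4);
    return 1;
}
```

For the `mov` in this report, `rip_target` on the original bytes at 0000000077C40904 gives 77CE69D8h; after the copy, the displacement must be recomputed against the new location or the relocation refused.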