NtQuerySystemInformation in 64bit and about RtlGetNativeSystemInformation


I successfully hooked the API on 64-bit. Since NtQuerySystemInformation() is hooked, the parameter values in the NewNtQuerySystemInformation() I wrote arrive correctly, and the notepad process — the purpose of the code below — was successfully removed from the process list of the 64-bit Process Explorer. But I have a question. In the picture below I followed the address of NtQuerySystemInformation() (the pFunc value) in Cheat Engine, but it is labelled RtlGetNativeSystemInformation() instead of NtQuerySystemInformation()... Has the name of NtQuerySystemInformation() changed to this in Windows 10 64-bit?


#include <Windows.h>
#include "stdio.h"
#include "tchar.h"

// Name of this DLL; defined here but not referenced by the code on this page.
#define STR_MODULE_NAME                 (L"hide.dll")
// Image name that NewNtQuerySystemInformation() drops from the process list.
#define STR_HIDE_PROCESS_NAME           (L"notepad.exe")
// NTSTATUS success value the hook compares the original call's result against.
#define STATUS_SUCCESS                  (0x00000000L) 

// Local NTSTATUS definition rather than pulling in <winternl.h>.
typedef LONG NTSTATUS;

// Subset of the native information classes. Only SystemProcessInformation (5)
// is acted on by the hook below; every other class is passed through untouched.
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemProcessInformation = 5,
    SystemProcessorPerformanceInformation = 8,
    SystemInterruptInformation = 23,
    SystemExceptionInformation = 33,
    SystemRegistryQuotaInformation = 37,
    SystemLookasideInformation = 45
} SYSTEM_INFORMATION_CLASS;

// Partial view of the per-process record returned for SystemProcessInformation.
// Only two fields are read by this code: NextEntryOffset (byte distance to the
// next record, 0 on the last one) and Reserved2[1], which the hook treats as the
// PWSTR image-name buffer.
// NOTE(review): that slot lines up with ImageName.Buffer in the 64-bit layout of
// the documented struct — confirm against <winternl.h> before relying on it.
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    BYTE Reserved1[52];
    PVOID Reserved2[3];
    HANDLE UniqueProcessId;
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;

// Signature of ntdll!NtQuerySystemInformation, used to call the real export
// through the address GetProcAddress() returns.
typedef NTSTATUS(WINAPI* PFNTQUERYSYSTEMINFORMATION)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);


// Original first 16 bytes of NtQuerySystemInformation, saved by hook64_by_code()
// and written back by unhook64_by_code(). Plain shared global with no
// synchronisation; every caller of the hook reads and rewrites it.
BYTE g_pOrgZwQSI[16] = { 0, };

/*
 * Inline (code-patch) hook of an exported function, 64-bit variant.
 *
 * Saves the first 16 bytes of szDllName!szFuncName into pOrgBytes, then
 * overwrites the function prologue with a 14-byte absolute jump to pfnNew:
 *   68 <lo32>             push imm32            (low half of pfnNew)
 *   C7 44 24 04 <hi32>    mov  [rsp+4], imm32   (high half, completing the qword)
 *   C3                    ret                   (pops that qword into RIP)
 * The two remaining bytes of the 16 stay 0x90 (NOP) from the memset.
 *
 * Returns FALSE when the export already starts with 0x68 (treated as "already
 * hooked"), TRUE otherwise. pOrgBytes must hold at least 16 bytes and is owned
 * by the caller (g_pOrgZwQSI here).
 *
 * NOTE(review): GetProcAddress() and both VirtualProtect() calls are unchecked;
 * a NULL export dereferences pByte[0], and a failed protection change makes
 * the memset/memcpy fault on the read-only code page.
 * From a detection standpoint the patch is overt: the export's leading bytes
 * no longer match the on-disk ntdll image, the page is briefly RWX, and the
 * very 0x68 byte this function uses as its own guard is the marker an
 * integrity check would compare against.
 */
BOOL hook64_by_code(LPCSTR szDllName, LPCSTR szFuncName, PROC pfnNew, PBYTE pOrgBytes)
{
    FARPROC pFunc;
    DWORD dwOldProtect, dwlowAddress, dwhighAddress, dwmov;
    BYTE pBuf[14] = { 0x68, 0, };   // pBuf[0] = push opcode; rest filled below
    PBYTE pByte;

    pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);
    pByte = (PBYTE)pFunc;
    // Already-hooked guard: a leading push imm32 is taken to mean our patch is in place.
    if (pByte[0] == 0x68)
        return FALSE;

    VirtualProtect((LPVOID)pFunc, 16, PAGE_EXECUTE_READWRITE, &dwOldProtect);

    memcpy(pOrgBytes, pFunc, 16);   // keep the original prologue for unhooking
    memset(pFunc, 0x90, 16);        // NOP-fill the whole saved window first
    dwlowAddress = (DWORD)((DWORD64)pfnNew & 0xffffffff);
    memcpy(&pBuf[1], &dwlowAddress, 4);       // push <low dword of pfnNew>
    dwmov = 0x042444C7;                       // little-endian C7 44 24 04: mov dword [rsp+4], imm32
    memcpy(&pBuf[5],&dwmov , 4);
    dwhighAddress = DWORD((DWORD64)pfnNew >> 32);
    memcpy(&pBuf[9],&dwhighAddress , 4);      // imm32 = high dword of pfnNew
    pBuf[13] = 0xC3;                          // ret -> jumps to pfnNew
    memcpy(pFunc, &pBuf, 14);

    VirtualProtect((LPVOID)pFunc, 16, dwOldProtect, &dwOldProtect);

    return TRUE;
}


/*
 * Undo hook64_by_code(): write the 16 saved prologue bytes in pOrgBytes back
 * over szDllName!szFuncName.
 *
 * Returns FALSE when the export does not start with 0x68 (no patch present),
 * TRUE after the bytes have been restored. GetProcAddress() and the two
 * VirtualProtect() calls are not checked, mirroring hook64_by_code().
 */
BOOL unhook64_by_code(LPCSTR szDllName, LPCSTR szFuncName, PBYTE pOrgBytes)
{
    HMODULE hModule = GetModuleHandleA(szDllName);
    PBYTE pTarget = (PBYTE)GetProcAddress(hModule, szFuncName);
    DWORD dwProtect = 0;

    // Nothing to restore unless our push-imm32 marker is in place.
    if (*pTarget != 0x68) {
        return FALSE;
    }

    VirtualProtect(pTarget, 16, PAGE_EXECUTE_READWRITE, &dwProtect);
    memcpy(pTarget, pOrgBytes, 16);
    VirtualProtect(pTarget, 16, dwProtect, &dwProtect);

    return TRUE;
}



/*
 * Replacement for NtQuerySystemInformation installed by hook64_by_code().
 *
 * Removes the hook, forwards the call to the real export and, when the caller
 * asked for SystemProcessInformation, unlinks every record whose image name
 * equals STR_HIDE_PROCESS_NAME by folding its NextEntryOffset into the
 * previous record. The hook is reinstalled before returning, whatever the
 * original call returned.
 *
 * Parameters and return value mirror ntdll!NtQuerySystemInformation; the
 * original's NTSTATUS is passed through unchanged.
 *
 * NOTE(review): pPrev starts NULL, so a matching record at the head of the
 * list dereferences NULL in `pPrev->NextEntryOffset = 0`.
 * NOTE(review): _tcsicmp() on a PWSTR only compares wide strings when _UNICODE
 * is defined; the L"..." literal in STR_HIDE_PROCESS_NAME suggests it is.
 */
NTSTATUS WINAPI NewNtQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength)
{
    NTSTATUS status;
    FARPROC pFunc;
    PSYSTEM_PROCESS_INFORMATION pCur, pPrev = 0;
    char szProcName[MAX_PATH] = { 0, };   // unused on this page

    // Put the original prologue back so the export can be called directly.
    unhook64_by_code("ntdll.dll", "NtQuerySystemInformation", g_pOrgZwQSI);
    
    // NOTE(review): a debugger may label this address with a different exported
    // name — ntdll can export more than one symbol for one address — which is
    // consistent with the RtlGetNativeSystemInformation label seen in the
    // question; confirm against ntdll's export table.
    pFunc = GetProcAddress(GetModuleHandleA("ntdll.dll"),
        "NtQuerySystemInformation");
    status = ((PFNTQUERYSYSTEMINFORMATION)pFunc)
        (SystemInformationClass, SystemInformation,
            SystemInformationLength, ReturnLength); 
    // Anything but STATUS_SUCCESS skips the filtering and goes straight to re-hooking.
    if (status != STATUS_SUCCESS)
        goto __NTQUERYSYSTEMINFORMATION_END;

    if (SystemInformationClass == SystemProcessInformation)
    {
        pCur = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
        
        // Walk the singly linked records; NextEntryOffset == 0 marks the last one.
        while (TRUE)
        {
            // Records without an image-name buffer are neither compared nor
            // tracked as pPrev.
            if (pCur->Reserved2[1] != NULL)
            {
                if (!_tcsicmp((PWSTR)pCur->Reserved2[1], STR_HIDE_PROCESS_NAME))
                {
                    // Unlink pCur: the previous record now points past it
                    // (or becomes the last record if pCur was last).
                    if (pCur->NextEntryOffset == 0)
                        pPrev->NextEntryOffset = 0;
                    else
                        pPrev->NextEntryOffset += pCur->NextEntryOffset;
                }
                else
                    pPrev = pCur;   // advance pPrev only when this record is kept
            }

            if (pCur->NextEntryOffset == 0)
                break;

            // NextEntryOffset is a byte offset from the current record.
            pCur = (PSYSTEM_PROCESS_INFORMATION)((uintptr_t)pCur + pCur->NextEntryOffset);
        }
    }

// NOTE(review): identifiers starting with a double underscore are reserved for the implementation.
__NTQUERYSYSTEMINFORMATION_END:

    // Reinstall the hook on every path so later calls still land here.
    hook64_by_code("ntdll.dll", "NtQuerySystemInformation",
        (PROC)NewNtQuerySystemInformation, g_pOrgZwQSI);

    return status;
}


/*
 * DLL entry point: installs the NtQuerySystemInformation hook when the DLL is
 * loaded into a process and restores the original bytes when it is unloaded.
 * Thread attach/detach notifications are ignored. Always reports success.
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;

    if (fdwReason == DLL_PROCESS_ATTACH) {
        hook64_by_code("ntdll.dll", "NtQuerySystemInformation",
            (PROC)NewNtQuerySystemInformation, g_pOrgZwQSI);
    } else if (fdwReason == DLL_PROCESS_DETACH) {
        unhook64_by_code("ntdll.dll", "NtQuerySystemInformation",
            g_pOrgZwQSI);
    }

    return TRUE;
}
asked on Stack Overflow Aug 26, 2020 by Hnoob


