/*NTSYSAPI
NTSTATUS
NTAPI
ZwGetContextThread(
IN HANDLE ThreadHandle,
OUT PCONTEXT Context
);*/
//NTSYSAPI
// Forward declaration of the replacement service routine that hook() installs
// into the system service table. Declared NTAPI to match the native service.
NTSTATUS
NTAPI
NewNtGetContextThread(
IN HANDLE ThreadHandle,
OUT PCONTEXT Context
);
int ProcessNameOffset; //Used to find process name (not referenced by the code visible here)
// Function-pointer type used to keep the original service routine.
// NOTE(review): declared without NTAPI and returning ULONG, while the native
// service is NTSTATUS NTAPI — if OriginalNtGetContextThread is ever called
// through this type on x86 the calling convention may not match; confirm.
typedef ULONG (*NTGETCONTEXTTHREAD)(HANDLE, PCONTEXT);
//This allows us to define a TYPE that corresponds to our function
//Notice that we use the TYPE that we defined.
NTGETCONTEXTTHREAD OriginalNtGetContextThread; // saved original table entry, filled in by hook()
//Make a variable that will be used to store the Call Number
// NOTE(review): hard-coded service index; table indices differ between
// Windows builds, so this value must be verified against the target build
// (hook() has the SYSCALL_INDEX-based lookup commented out).
ULONG NtGetContextThread_callnumber = 0x0055;
//These are macros that lets us easily access function #callnumber in the table
// Reads the 32-bit value at offset 1 of a Zw* stub — assumes the x86 stub
// starts with a 5-byte "mov eax, imm32" whose immediate is the service index.
#define SYSCALL_INDEX(_function) *(PULONG)((PUCHAR)_function+1)
// Slot #callnumber of the service table. KeServiceDescriptorTable and the
// ServiceTable field are not declared in the visible part of the file.
#define SYSTEMSERVICE(_callnumber) KeServiceDescriptorTable->ServiceTable[_callnumber]
PEPROCESS PeProcess; // unused in the code visible here
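//hookcode function
/*
 * hook(): replaces the system service table entry for NtGetContextThread with
 * NewNtGetContextThread and keeps the previous entry in
 * OriginalNtGetContextThread. No counterpart that restores the saved entry is
 * visible in this file; a patched table entry left behind after unload points
 * into freed memory.
 *
 * The inline asm is MSVC x86 only (eax, CR0). CR0 is a per-processor register,
 * so CR0.WP (bit 16) is cleared only on the processor running this code, and
 * interrupts stay masked on that processor from the first `cli` until the
 * final `sti`. Any fault taken between the two asm blocks (for example through
 * an unresolved or wrong KeServiceDescriptorTable) therefore happens with
 * interrupts off and ends in a bugcheck rather than anything recoverable.
 * NOTE(review): the commented-out `ProcessNameOffset = 0;` is reported to
 * bugcheck when enabled; nothing in this block explains that, so the cause is
 * presumably outside what is visible here — confirm with the crash dump.
 * From a defensive standpoint, modifying the service table is exactly what
 * kernel patch protection on x64 checks for, and the hard-coded index 0x0055
 * is specific to a single Windows build.
 *
 * Changes from the pasted original: the wrapped comment ("...i get" / "bsod..")
 * was rejoined so the stray word is no longer outside the comment, and the
 * duplicate second `cli` (interrupts were already masked) was dropped.
 */
void hook()
{
//ProcessNameOffset = 0; <==== if i enable the following lines i get bsod..
__asm {
cli // mask interrupts on this processor while CR0.WP is clear
push eax
mov eax, CR0
and eax, 0x0FFFEFFFF //clear CR0.WP (bit 16): http://en.wikibooks.org/wiki/X86_Assembly/Protected_Mode#CR0
mov CR0, eax
pop eax
}
//NtGetContextThread_callnumber = SYSCALL_INDEX(ZwGetContextThread);
OriginalNtGetContextThread = SYSTEMSERVICE(NtGetContextThread_callnumber); //store original function
SYSTEMSERVICE(NtGetContextThread_callnumber) = (PVOID)NewNtGetContextThread; //put our hook function in the table
__asm{
push eax
mov eax, CR0
or eax, NOT 0x0FFFEFFFF //set CR0.WP again (NOT 0x0FFFEFFFF == 0x00010000)
mov CR0, eax
pop eax
sti //reenable interrupts
}
}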