/* Prototype of the native service this code replaces, kept for reference only.
 * Because it is commented out, the SYSCALL_INDEX(ZwGetContextThread) line in hook()
 * cannot be enabled as written (the name is undeclared).
 *
 *NTSYSAPI
NTSTATUS
NTAPI
ZwGetContextThread(
IN HANDLE ThreadHandle,
OUT PCONTEXT Context
);*/
// Replacement handler that hook() writes into the System Service Descriptor Table (SSDT)
// slot of NtGetContextThread. It must keep the native signature NTSTATUS(HANDLE, PCONTEXT).
//NTSYSAPI
NTSTATUS
NTAPI
NewNtGetContextThread(
IN HANDLE ThreadHandle,
OUT PCONTEXT Context
);
int ProcessNameOffset; // presumably the byte offset of the image-name field in EPROCESS; set elsewhere, not in this excerpt
// Function-pointer type matching an SSDT entry, so the saved original can be called through.
// NOTE(review): declared as returning ULONG although the service returns NTSTATUS (same width on this target).
typedef ULONG (*NTGETCONTEXTTHREAD)(HANDLE, PCONTEXT);
// Saved pointer to the original service routine; filled in by hook() before the slot is overwritten.
NTGETCONTEXTTHREAD OriginalNtGetContextThread;
// SSDT index of NtGetContextThread.
// WARNING: hard-coded for one specific OS build. The index differs between Windows versions and
// service packs, so on any other build this overwrites an unrelated service's slot, which is the
// most likely cause of the reported bugcheck. It should be derived from the running build, not assumed.
ULONG NtGetContextThread_callnumber = 0x0055;
// Reads the dword at function+1. This assumes the exported Zw* stub starts with a 5-byte
// `mov eax, imm32` whose immediate is the service index — only true for the 32-bit stubs this
// code targets; confirm before relying on it.
#define SYSCALL_INDEX(_function) *(PULONG)((PUCHAR)_function+1)
// Lvalue for SSDT slot _callnumber. KeServiceDescriptorTable must be declared elsewhere in the file
// (the symbol is exported by 32-bit ntoskrnl only). No bounds check against the table's entry count.
#define SYSTEMSERVICE(_callnumber) KeServiceDescriptorTable->ServiceTable[_callnumber]
PEPROCESS PeProcess; // not referenced in this excerpt
// hook(): installs the SSDT hook. Saves the current NtGetContextThread entry into
// OriginalNtGetContextThread and replaces it with NewNtGetContextThread. Runs at ring 0.
//
// Mechanism: CR0.WP (bit 16) is cleared so the read-only SSDT page can be written, the slot
// is swapped, then WP is set again. Interrupts are masked with cli/sti around the window.
//
// Stability / risk notes (why this is fragile and why it bugchecks):
// - NtGetContextThread_callnumber is hard-coded; on a build where 0x55 is a different service,
//   that service's slot is overwritten and the next caller of it crashes the system.
// - cli and CR0 are per-processor. Other CPUs keep interrupts and WP enabled, so this is not an
//   MP-safe critical section; it only prevents preemption on the current CPU.
// - If anything faults between cli and sti, interrupts stay masked on this CPU.
// - On x64 Windows, Kernel Patch Protection (PatchGuard) detects a modified SSDT and bugchecks
//   with CRITICAL_STRUCTURE_CORRUPTION. SSDT-integrity checks in anti-rootkit/EDR tools flag
//   the same modification, which is the usual way this technique is detected.
// - Nothing here restores the original entry; if the driver is unloaded with the hook in place,
//   the slot would point into an unloaded image.
// - The second `cli` in the first asm block is redundant: interrupts are already masked.
void hook()
{
//ProcessNameOffset = 0; <==== if i enable the following lines i get bsod..
// NOTE(review): the crash is more plausibly explained by the index/WP notes in the header
// above than by this assignment itself; see also the hard-coded NtGetContextThread_callnumber.
__asm {
cli // mask interrupts on this CPU only
push eax
mov eax, CR0
and eax, 0x0FFFEFFFF // clear CR0.WP (bit 16): allow ring-0 writes to read-only pages
mov CR0, eax
pop eax
cli // redundant: interrupts are already masked by the cli above
}
//NtGetContextThread_callnumber = SYSCALL_INDEX(ZwGetContextThread); // disabled: ZwGetContextThread is not declared in this file
OriginalNtGetContextThread = SYSTEMSERVICE(NtGetContextThread_callnumber); // save the original entry so it can be called through / restored
SYSTEMSERVICE(NtGetContextThread_callnumber) = (PVOID)NewNtGetContextThread; // overwrite the slot with the replacement handler
__asm{
push eax
mov eax, CR0
or eax, NOT 0x0FFFEFFFF // set CR0.WP again (NOT 0x0FFFEFFFF == 0x00010000)
mov CR0, eax
pop eax
sti // unmask interrupts on this CPU
}
}