_Windows NT System-Call Hooking_
by Mark Russinovich and Bryce Cogswell

Example 1: 

; ZwCreateFile - user-mode stub (presumably ntdll) for the NtCreateFile service
; on NT/x86. The stub does nothing but select the service number and trap into
; the kernel; the arguments stay on the caller's stack and are handed over by
; pointer.
; In:    11 DWORD arguments on the stack (stdcall), first one at [esp+4] on entry
; Out:   eax = status returned by the kernel (presumably an NTSTATUS)
; Clobb: edx
ZwCreateFile:
  mov eax, 17h     ; service index of NtCreateFile for this build
                   ; NOTE(review): the index is specific to an NT release;
                   ; anything that hard-codes it must be re-checked per build
  lea edx, [esp+4] ; edx = &first argument (esp still points at the return address)
  int 2Eh          ; NT x86 syscall trap: kernel selects the service by eax and
                   ; reads the arguments through edx, a user-mode pointer that the
                   ; kernel side, not this stub, has to validate
  ret 2Ch          ; stdcall cleanup: pop 2Ch = 44 bytes = 11 DWORD arguments


Listing One
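/*
 * HOOK_SYSCALL - remember the current entry of system-service slot `index`
 * in `realVar`, then point the slot at `hookFn`.
 * Kept as a macro so every slot is handled by the same two statements in the
 * same order (read the original first, then overwrite it).
 */
#define HOOK_SYSCALL( index, realVar, hookFn )      \
    do {                                            \
        (realVar) = SYSCALL( index );               \
        SYSCALL( index ) = (PVOID) (hookFn);        \
    } while (0)

/*
 * HookRegistry - route the registry system services through the Hook*
 * functions, saving the genuine entry points in the Real* globals so each
 * hook can forward to the real service.
 *
 * Must run exactly once. A second call would read the Hook* addresses back
 * as the "real" entry points, and every hook would then call itself; the
 * RegHooked flag (set on success) guards against that.
 *
 * NOTE(review): the slots are overwritten one plain store at a time with no
 * synchronization; another processor may dispatch a registry service while
 * only part of the set has been replaced. Each slot individually is fine
 * (assuming naturally aligned pointer-sized entries), but the set is not
 * swapped atomically. Presumably acceptable for this tool.
 */
VOID HookRegistry( void )
{
    // Never hook twice: the Real* pointers would be lost (see header).
    if (RegHooked)
        return;

    HOOK_SYSCALL( REGOPENKEY,            RealRegOpenKey,            HookRegOpenKey );
    HOOK_SYSCALL( REGQUERYKEY,           RealRegQueryKey,           HookRegQueryKey );
    HOOK_SYSCALL( REGQUERYVALUEKEY,      RealRegQueryValueKey,      HookRegQueryValueKey );
    HOOK_SYSCALL( REGENUMERATEVALUEKEY,  RealRegEnumerateValueKey,  HookRegEnumerateValueKey );
    HOOK_SYSCALL( REGENUMERATEKEY,       RealRegEnumerateKey,       HookRegEnumerateKey );
    HOOK_SYSCALL( REGDELETEKEY,          RealRegDeleteKey,          HookRegDeleteKey );
    HOOK_SYSCALL( REGFLUSHKEY,           RealRegFlushKey,           HookRegFlushKey );
    HOOK_SYSCALL( REGSETVALUEKEY,        RealRegSetValueKey,        HookRegSetValueKey );
    HOOK_SYSCALL( REGCREATEKEY,          RealRegCreateKey,          HookRegCreateKey );
    HOOK_SYSCALL( REGDELETEVALUEKEY,     RealRegDeleteValueKey,     HookRegDeleteValueKey );
    HOOK_SYSCALL( REGCLOSEKEY,           RealRegCloseKey,           HookRegCloseKey );

    RegHooked = TRUE;
}

#undef HOOK_SYSCALL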

Listing Two
/*
 * HookRegDeleteValueKey - hook installed in place of the delete-value-key
 * system service.
 *
 * Resolves the full key path, forwards to the real service while holding
 * RegMutex, then appends one log record (process, operation, key path, an
 * empty value field, result text) to the store. The real service's status is
 * returned to the caller unchanged, so callers see no difference apart from
 * the logging.
 *
 * Handle and Name arrive exactly as the system-call dispatcher received them
 * from the caller. GetFullName is not visible here; if it dereferences Name
 * without probing it, a user-mode caller can hand this hook an invalid
 * pointer before the real service ever validates it - worth confirming.
 *
 * NOTE(review): RegMutex covers only the call into the real service. The
 * Sequence++ that numbers the log record is evaluated outside it, so
 * concurrent hooks may (presumably, depending on how Sequence is declared)
 * obtain duplicate or out-of-order sequence numbers.
 * NOTE(review): "\\t" in the format string is a backslash followed by 't',
 * not a tab character - confirm that is the separator UpdateStore expects.
 * NOTE(review): the two local buffers put a little over 1 KB on the kernel
 * stack per call.
 */
NTSTATUS HookRegDeleteValueKey( IN HANDLE Handle, PUNICODE_STRING Name )
{
    CHAR        keyPath[1024];      /* filled in by GetFullName */
    CHAR        procName[20];       /* presumably filled in by GetProcess */
    NTSTATUS    status;

    /* Capture the key path before the delete happens. */
    GetFullName( Handle, Name, keyPath );

    /* Serialize the call into the real service. */
    MUTEX_P( RegMutex );
    status = RealRegDeleteValueKey( Handle, Name );
    MUTEX_V( RegMutex );

    /* Fields: process, operation, key path, (value name not logged), result. */
    UpdateStore( Sequence++, "%s\\tDeleteValueKey\\t%s\\t\\t%s",
        GetProcess( procName ), keyPath,
        ErrorString( status ));

    return status;
}
}}


