hookproc.c

/*
 * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
 *
 * Module Name:
 *
 *		hookproc.c
 *
 * Abstract:
 *
 *		This module implements various service operation (system call) hooking routines.
 *
 *		Since not all the Zw* services are exported, we use a hack to find the required information.
 *		ntdll.dll contains stubs for calling all the system services. All stubs start with
 *		"mov eax, function_index" instruction where function_index is an index into a global
 *		system call table. By parsing ntdll.dll and extracting all the function indeces
 *		we can map all the Zw* names to their appropriate system call table indeces.
 *
 * Author:
 *
 *		Eugene Tsyrklevich 16-Feb-2004
 *
 * Revision History:
 *
 *		None.
 */

#include <NTDDK.h>
#include "hookproc.h"
#include "sysinfo.h"
#include "ntproto.h"
#include "learn.h"
#include "file.h"
#include "registry.h"
#include "section.h"
#include "sysinfo.h"
#include "semaphore.h"
#include "dirobj.h"
#include "symlink.h"
#include "mutant.h"
#include "event.h"
#include "port.h"
#include "job.h"
#include "token.h"
#include "timer.h"
#include "driverobj.h"
#include "process.h"
#include "procname.h"
#include "time.h"
#include "atom.h"
#include "vdm.h"
#include "debug.h"
#include "i386.h"
#include "misc.h"
#include "log.h"


#ifdef ALLOC_PRAGMA
#pragma alloc_text (INIT, InitSyscallsHooks)
#pragma alloc_text (INIT, InstallSyscallsHooks)
#pragma alloc_text (PAGE, RemoveSyscallsHooks)
#endif


#if DBG
int		HookedRoutineRunning = 0;
#endif

PCHAR	NTDLL_Base;

int ZwCallsNumber = 0;



/*
 * FindFunctionOffset()
 *
 * Description:
 *		Finds a Zw* system call offset in a system service table.
 *
 *		Implementation of all the Zw* system services (such as ZwOpenFile or ZwCreateProcess())
 *		start with a "mov eax, function_offset" instruction. Function offset is extracted from
 *		the first instruction.
 *
 * Parameters:
 *		Function - Pointer to the function code.
 *
 * Returns:
 *		Integer function offset (-1 in case of a failure).
 */

/* "MOV EAX,IMM32" opcode */
#define	OPCODE_MOV	0xB8

/* macro shortcut for bailing out of FindFunctionOffset in case of an error */

#define	ABORT_FindFunctionOffset(msg) {																\
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in FindFunctionOffset():"));		\
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg);												\
		return -1;																					\
	}

int
FindFunctionOffset(PULONG_PTR Function)
{
	PUCHAR		Instruction;
	ULONG		num, ServiceIDNumber, ServiceTableIndex;


	/*
	 * Make sure that the service code starts with a MOV EAX,IMM32 instruction:
	 *
	 * lkd> u ZwCreateFile
	 * nt!ZwCreateFile:
	 * 804f86f4 b825000000       mov     eax,0x25
	 */

	Instruction = (PUCHAR) Function;

	if (*Instruction != OPCODE_MOV)

		ABORT_FindFunctionOffset(("Invalid opcode %x\n", *Instruction));


	/*
	 * Extract the Service Descriptor Table index (4 bytes following the mov opcode)
	 *
	 * The index format is as follows:
	 *
	 * Leading 18 bits are all zeroes
	 * Following 2 bits are system service table index (3 bits on Win64)
	 * Following 12 bits are service number
	 */

	num = * (PULONG) ++Instruction;


	/* only SERVICE_TABLE_INDEX_BITS LSB bits should be set */

	ServiceTableIndex = num >> SERVICE_ID_NUMBER_BITS;

	if (ServiceTableIndex >= NUMBER_SERVICE_TABLES)

		ABORT_FindFunctionOffset(("Invalid SSDT index: %x (%x)\n", ServiceTableIndex, num));


	/* XXX temporary? There exist 4 (8 on IA64) service tables. All the Zw* system services are in table 0 */
	if (ServiceTableIndex != 0)

		ABORT_FindFunctionOffset(("Invalid SSDT index2: %x (%x)\n", ServiceTableIndex, num));


	/* Verify Service ID Number is in range */

	ServiceIDNumber = num & SERVICE_ID_NUMBER_MASK;

//XXX shouldn't we be using the shadow table instead??
//shadow table Zw* base address is the same in addition to GUI table
	if (ServiceIDNumber > KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices)

		ABORT_FindFunctionOffset(("Invalid service id number %d (max is %d)\n", ServiceIDNumber, KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices));


	return ServiceIDNumber;
}



#if 0

/*
 * HookSystemService()
 *
 * Description:
 *		Replaces an existing sytem service pointer (n a global system service table) with another function pointer.
 *
 * Parameters:
 *		OldService - Pointer to the service code to mediate.
 *		NewService - Pointer to the new function code.
 *
 * Returns:
 *		Current OldService indexed system service function pointer.
 */

/* macro shortcut for bailing out of HookSystemService in case of an error */

#define	ABORT_HookSystemService(msg) {																\
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in HookSystemService():"));		\
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, (msg));											\
		return NULL;																				\
	}

PVOID
HookSystemService(PVOID OldService, PVOID NewService)
{
	PULONG_PTR	ssdt;
	PULONG_PTR	retptr = NULL;
	ULONG		ServiceIDNumber;


	if (OldService == NULL || NewService == NULL)

		ABORT_HookSystemService(("NULL detected. OldService=%x NewService=%x", OldService, NewService));


	ServiceIDNumber = FindFunctionOffset(OldService);

	if (ServiceIDNumber == -1)

		ABORT_HookSystemService(("FindFunctionOffset(%x) failed", OldService));


	ssdt = KeServiceDescriptorTable[0].ServiceTableBase;


	retptr = (PULONG_PTR) ssdt[ServiceIDNumber];

	if (retptr == NULL)

		ABORT_HookSystemService(("ssdt[index] = NULL\n"));


	if (((ULONG) retptr & SystemAddressStart) == 0)

		ABORT_HookSystemService(("invalid code instruction specified\n"));


	retptr = ExchangeReadOnlyMemoryPointer((PVOID *) &ssdt[ServiceIDNumber], NewService);


	return retptr;
}

#endif



/*
 * HookSystemServiceByIndex()
 *
 * Description:
 *		Replaces an existing sytem service (n a global system service table) with another function pointer.
 *
 * Parameters:
 *		ServiceIDNumber - Index of a system service to mediate.
 *		NewService - Pointer to the new function code.
 *
 * Returns:
 *		Current ServiceIDNumber indexed system service function pointer.
 */

/* macro shortcut for bailing out of HookSystemServiceByIndex in case of an error */

#define	ABORT_HookSystemServiceByIndex(msg) {															\
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in HookSystemServiceByIndex():"));		\
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg);													\
		return NULL;																					\
	}

PVOID
HookSystemServiceByIndex(ULONG ServiceIDNumber, PVOID NewService)
{
	PULONG_PTR	ssdt;
	PULONG_PTR	retptr = NULL;
	ULONG		ServiceTableIndex = 0;


	ssdt = KeServiceDescriptorTable[ServiceTableIndex].ServiceTableBase;


	/* Verify Service ID Number is in range */

//XXX shouldn't we be using the shadow table instead??
	if (ServiceIDNumber > KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices)

		ABORT_HookSystemServiceByIndex(("Invalid service id number %d (max is %d)\n", ServiceIDNumber, KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices));


	retptr = (PULONG_PTR) ssdt[ServiceIDNumber];

	if (retptr == NULL)

		ABORT_HookSystemServiceByIndex(("ssdt[index] = NULL\n"));


	if (((ULONG) retptr & SystemAddressStart) == 0)

		ABORT_HookSystemServiceByIndex(("invalid code instruction specified\n"));

	
	retptr = ExchangeReadOnlyMemoryPointer((PVOID *) &ssdt[ServiceIDNumber], NewService);


	return retptr;
}


#if 0
/*
 * FindSystemServiceByIndex()
 *
 * Description:XXX
 *		Replaces an existing sytem service (n a global system service table) with another function pointer.
 *
 * Parameters:
 *		ServiceIDNumber - Index of a system service to mediate.
 *		NewService - Pointer to the new function code.
 *
 * Returns:
 *		Current ServiceIDNumber indexed system service function pointer.
 */

/* macro shortcut for bailing out of HookSystemServiceByIndex in case of an error */

#define	ABORT_FindSystemServiceByIndex(msg) { LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in FindSystemServiceByIndex():")); LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg); return NULL; }

PULONG
FindSystemServiceByIndex(ULONG ServiceIDNumber)
{
	PULONG_PTR	ssdt;
	PULONG_PTR	retptr = NULL;
	ULONG		ServiceTableIndex = 0;


	ssdt = KeServiceDescriptorTable[ServiceTableIndex].ServiceTableBase;


	/* Verify Service ID Number is in range */

//XXX shouldn't we be using the shadow table instead??
	if (ServiceIDNumber > KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices)

		ABORT_FindSystemServiceByIndex(("Invalid service id number %d (max is %d)\n", ServiceIDNumber, KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices));


	retptr = (PULONG_PTR) ssdt[ServiceIDNumber];

	if (retptr == NULL)

		ABORT_FindSystemServiceByIndex(("ssdt[index] = NULL\n"));


	if (((ULONG) retptr & SystemAddressStart) == 0)

		ABORT_FindSystemServiceByIndex(("invalid code instruction specified\n"));


	return (PULONG) ssdt[ServiceIDNumber];
}
#endif


/*
 * HookSystemServiceByName()
 *
 * Description:
 *		Replaces an existing sytem service (n a global system service table) with another function pointer.
 *
 * Parameters:
 *		ServiceName - Name of a Zw* system service to mediate.
 *		HookFunction - Pointer to the mediator function code.
 *
 * Returns:
 *		TRUE to indicate success, FALSE if failed.
 */

BOOLEAN
HookSystemServiceByName(PCHAR ServiceName, PULONG_PTR HookFunction)
{
	int		i;


	for (i = 0; i < ZwCallsNumber; i++)
	{
		if (strlen(ServiceName) == ZwCalls[i].ZwNameLength && _stricmp(ServiceName, ZwCalls[i].ZwName + 2) == 0)
		{
//			LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("HookSystemServiceByName: Matched rule: %x\n", ZwCalls[i].ServiceIDNumber));

			// hijack the syscall if not hijacked already
			if (ZwCalls[i].Hijacked == FALSE && ZwCalls[i].ServiceIDNumber != -1)
			{
				if ((ZwCalls[i].OriginalFunction = HookSystemServiceByIndex(ZwCalls[i].ServiceIDNumber,
												HookFunction ? HookFunction : ZwCalls[i].HookFunction)) != NULL)
				{
					ZwCalls[i].Hijacked = TRUE;
				}
			}

			return TRUE;
		}
	}


	return FALSE;
}



#if 0
/*
 * FindSystemServiceIndex()
 *
 * Description:
 *		Find a system service index for a specified service name.
 *
 * Parameters:
 *		ServiceName - Name of a Zw* system service to find.
 *
 * Returns:
 *		System service index if found, -1 otherwise.
 */

ULONG
FindSystemServiceIndex(PCHAR ServiceName)
{
	int		i;


	for (i = 0; i < ZwCallsNumber; i++)
	{
		if (strlen(ServiceName) == ZwCalls[i].ZwNameLength && _stricmp(ServiceName, ZwCalls[i].ZwName + 2) == 0)
		{
//			LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("FindSystemServiceByName: Matched rule: %x\n", ZwCalls[i].ServiceIDNumber));

			return ZwCalls[i].ServiceIDNumber;
		}
	}


	return -1;
}
#endif


/*
 * FindSystemServiceNumber()
 *
 * Description:
 *		Find a system service number for a specified service name.
 *
 * Parameters:
 *		ServiceName - Name of a Zw* system service to find.
 *
 * Returns:
 *		System service number if found, -1 otherwise.
 */

ULONG
FindSystemServiceNumber(PCHAR ServiceName)
{
	int		i;


	for (i = 0; i < ZwCallsNumber; i++)
	{
		if (strlen(ServiceName) == ZwCalls[i].ZwNameLength && _stricmp(ServiceName, ZwCalls[i].ZwName + 2) == 0)
		{
//			LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("FindSystemServiceByName: Matched rule: %x\n", ZwCalls[i].ServiceIDNumber));

			return i;
		}
	}


	return -1;
}



/*
 * Find_NTDLL_Base()
 *
 * Description:
 *		Returns the base address of mapped ntdll.dll in a "System" process context.
 *
 *		NOTE: Based on "Windows NT/2000 Native API Reference" implementation.
 *
 * Parameters:
 *		None.
 *
 * Returns:
 *		ntdll.dll base address (NULL if not found).
 */

PVOID
Find_NTDLL_Base()
{
	ULONG						size, i;
	PVOID						ntdll = NULL;
	PULONG						SystemInfo;
	PSYSTEM_MODULE_INFORMATION	pSMI;
	NTSTATUS					status;


	/*
	 * The data returned to the SystemInformation buffer is a ULONG count of the number of
	 * modules followed immediately by an array of SYSTEM_MODULE_INFORMATION.
	 *
	 * The system modules are the Portable Executable (PE) format files loaded into the
	 * kernel address space (ntoskrnl.exe, hal.dll, device drivers, and so on) and ntdll.dll.
	 */


	/* first, find out the total amount of module information to be returned */

	status = ZwQuerySystemInformation(SystemModuleInformation, &size, 0, &size);
	if (size == 0 || size > 1024*1024)
	{
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Find_NTDLL_Base: ZwQuerySystemInformation failed. status=%x size=%d\n", status, size));
		return NULL;
	}


	/* second, allocate the required amount of memory */
	
	SystemInfo = ExAllocatePoolWithTag(PagedPool, size + 4, _POOL_TAG);
	if (SystemInfo == NULL)
	{
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Find_NTDLL_Base: out of memory (requested %d bytes)\n", size + 4));
		return NULL;
	}


	/* third, request the module information */

	ZwQuerySystemInformation(SystemModuleInformation, SystemInfo, size, &i);

	if (size != ((*SystemInfo * sizeof(SYSTEM_MODULE_INFORMATION)) + 4))
	{
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Find_NTDLL_Base: inconsistent size (%d != %d * %d + 4)\n", size, *SystemInfo, sizeof(SYSTEM_MODULE_INFORMATION)));
		return NULL;
	}



	pSMI = (PSYSTEM_MODULE_INFORMATION) (SystemInfo + 1);

	for (i = 0; i < *SystemInfo; i++)
	{
//		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("comparing '%s' (base 0x%x)\n", pSMI[i].ImageName + pSMI[i].ModuleNameOffset, pSMI[i].Base));

		if (_stricmp(pSMI[i].ImageName + pSMI[i].ModuleNameOffset, "ntdll.dll") == 0)
		{
			LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_VERBOSE, ("Find_NTDLL_Base: ntdll.dll base address is %x\n", pSMI[i].Base));
			ntdll = pSMI[i].Base;
			break;
		}
	}

	ExFreePoolWithTag(SystemInfo, _POOL_TAG);


	return ntdll;
}


#if 0
PVOID
Find_Kernel32_Base2()
{
	PVOID						Kernel32 = NULL;
	NTSTATUS					status;
	OBJECT_ATTRIBUTES			ObjectAttributes;
	IO_STATUS_BLOCK				isb;
	HANDLE						FileHandle;
	UNICODE_STRING				usName;
	PVOID						BaseAddress = NULL;
	SIZE_T						Size;
	CHAR						buffer[256];


//	RtlInitUnicodeString(&usName, L"\\SystemRoot\\System32\\kernel32.dll");
	RtlInitUnicodeString(&usName, L"\\??\\c:\\windows\\system32\\kernel32.dll");
	InitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

	status = ZwCreateFile(&FileHandle, GENERIC_READ, &ObjectAttributes, &isb, NULL, 0, 0, 0, 0, NULL, 0);
	if (!NT_SUCCESS(status))
	{
		LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("Find_Kernel32_Base: Failed to open file %S (%x)\n", usName.Buffer, status));
		return FALSE;
	}


	status = ZwReadFile(FileHandle, NULL, NULL, NULL, &isb, (PVOID) buffer, sizeof(buffer) - 1,	0, NULL);

	if (! NT_SUCCESS(status))
	{
		if (status != STATUS_END_OF_FILE)
		{
			LOG(LOG_SS_POLICY, LOG_PRIORITY_DEBUG, ("LoadSecurityPolicy: ZwReadFile failed rc=%x\n", status));
		}
	}

	ZwClose(FileHandle);


	return Kernel32;
}



PVOID
Find_Kernel32_Base()
{
	PVOID						Kernel32 = NULL;
	NTSTATUS					status;
	OBJECT_ATTRIBUTES			ObjectAttributes;
	HANDLE						SectionHandle;
	UNICODE_STRING				usName;
	PVOID						BaseAddress = NULL;
	SIZE_T						Size;
	NTSTATUS					q;


	RtlInitUnicodeString(&usName, L"\\KnownDlls\\kernel32.dll");
	InitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_KERNEL_HANDLE, NULL, NULL);

	if (NT_SUCCESS( ZwOpenSection(&SectionHandle, SECTION_MAP_READ, &ObjectAttributes) ))
	{
		q = ZwMapViewOfSection(SectionHandle, NtCurrentProcess(), &BaseAddress, 0, 0, NULL, &Size, ViewShare, MEM_RESERVE, PAGE_READWRITE);
		if (NT_SUCCESS(q))
		{
			KdPrint(("XXX mapped kernel32.dll at BaseAddress %x\n", BaseAddress));

			if (!NT_SUCCESS( ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress) ))
			{
				KdPrint(("ZwUnmapViewOfSection failed"));
			}

			ZwClose(SectionHandle);
		}
		else
		{
			KdPrint(("ZwMapViewOfSection failed with status %x", q));
		}
	}
	else
	{
		KdPrint(("ZwOpenSection failed"));
	}

	return Kernel32;
}
#endif


/*
 * FindFunctionBase()
 *
 * Description:
 *		Finds the address where a function is mapped at.
 *
 *		NOTE: Based on "Windows NT/2000 Native API Reference" implementation.
 *
 * Parameters:
 *		Base - Mapped address of a DLL exporting the function.
 *		Name - Function name.
 *
 * Returns:
 *		Address where a function is mapped at (NULL if not found).
 */

/* macro shortcut for bailing out of FindFunctionBase in case of an error */

#define	ABORT_FindFunctionBase(msg) {																\
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in FindFunctionBase():"));			\
		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg);												\
		return NULL;																				\
	}

PVOID
FindFunctionBase(PCHAR ImageBase, PCSTR Name)
{
	PIMAGE_DOS_HEADER		DosHeader;
	PIMAGE_NT_HEADERS		PeHeader;
	PIMAGE_DATA_DIRECTORY	ImageExportDirectoryEntry;
	ULONG					ExportDirectorySize, ExportDirectoryOffset, i;
	PIMAGE_EXPORT_DIRECTORY	ExportDirectory;
	PULONG					ExportAddressTable;
	PSHORT					ExportOrdinalTable;
	PULONG					ExportNameTable;


	if ( (DosHeader = (PIMAGE_DOS_HEADER) ImageBase) == NULL)

		ABORT_FindFunctionBase(("Base pointer is NULL (name = %s)\n", Name));


	if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)

		ABORT_FindFunctionBase(("DOS Signature not found! (%x %x)\n", DosHeader, DosHeader->e_magic));


	if (DosHeader->e_lfanew > 1024*1024)

		ABORT_FindFunctionBase(("Invalid e_lfanew value %x\n", DosHeader->e_lfanew));


	if ( (PeHeader = (PIMAGE_NT_HEADERS) (ImageBase + DosHeader->e_lfanew)) == NULL)

		ABORT_FindFunctionBase(("NT header pointer is NULL (name = %s)\n", Name));


	if (PeHeader->Signature != IMAGE_PE_SIGNATURE)

		ABORT_FindFunctionBase(("PE Signature not found! (%x %x)\n", PeHeader, PeHeader->Signature));


	if ( (ImageExportDirectoryEntry = PeHeader->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT) == NULL)

		ABORT_FindFunctionBase(("Export directory pointer is NULL (name = %s)\n", Name));


	ExportDirectorySize = ImageExportDirectoryEntry->Size;
	ExportDirectoryOffset = ImageExportDirectoryEntry->VirtualAddress;

	if ( (ExportDirectory = (PIMAGE_EXPORT_DIRECTORY) (ImageBase + ExportDirectoryOffset)) == NULL)

		ABORT_FindFunctionBase(("Exports pointer is NULL (name = %s)\n", Name));


	ExportAddressTable = (PULONG) (ImageBase + ExportDirectory->AddressOfFunctions);
	ExportOrdinalTable = (PSHORT) (ImageBase + ExportDirectory->AddressOfNameOrdinals);
	ExportNameTable = (PULONG) (ImageBase + ExportDirectory->AddressOfNames);

//XXX "AcceptConnectPort\0" \0 necessary to make sure ZwCreateProcess does not match ZwCreateProcessEx ?

	for (i = 0; i < ExportDirectory->NumberOfNames; i++)
	{
		ULONG ord = ExportOrdinalTable[i];

		if (ExportAddressTable[ord] < ExportDirectoryOffset ||
			ExportAddressTable[ord] >= ExportDirectoryOffset + ExportDirectorySize)
		{
			//XXX windows loader uses binary search?
			if (strcmp(ImageBase + ExportNameTable[i], Name) == 0)
			{
				return ImageBase + ExportAddressTable[ord];
			}
		}
	}

	return NULL;
}



/*
 * FindZwFunctionIndex()
 *
 * Description:
 *		Finds a system service table index of a Zw* system service.
 *
 *		NOTE: Based on "Windows NT/2000 Native API Reference" implementation.
 *
 * Parameters:
 *		Name - Zw* service name.
 *
 * Returns:
 *		Zw* service index in a system service table (-1 if not found).
 */

int
FindZwFunctionIndex(PCSTR Name)
{
	PULONG_PTR	FunctionBase;


	if (NTDLL_Base == NULL)
		if ( (NTDLL_Base = Find_NTDLL_Base()) == NULL)
			return -1;


	if ( (FunctionBase = FindFunctionBase(NTDLL_Base, Name)) == NULL)
	{
//		LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("FindZwFunctionIndex: FindZwFunctionBase(%s) returned NULL", Name));
		return -1;
	}


	return FindFunctionOffset(FunctionBase);
}



/*
 * ZwCalls structure describes all known system services.
 * Part of the structure (i.e. system call table offset and system call address)
 * is filled in at runtime.
 *
 * Automatically generated with
 * dumpbin /exports c:\windows2003\system32\ntdll.dll|grep Zw|
 *		perl -wnle "print qq{\t{ \"$1\", NULL, (PULONG_PTR) SystemCallHandler$i, NULL, FALSE },} if /(Zw.*)/; ++$i" > win2k3_syscalls
 *
 * perl -wne "if (/\"Zw(.*?)\"/) { $q=length $1; s/\"Zw(.*?)\"/\"Zw$1\", $q/} print" q.txt > q2.txt
 */

struct _ZwCalls /* {
	PCHAR			ZwName;				// System call name
	USHORT			ZwNameLength;		// System call name length
	USHORT			ServiceIDNumber;	// System call index (filled in at runtime)
	PULONG_PTR		HookFunction;		// Address of the hijacking function (function that will be called instead of the original system call)
	PULONG_PTR		OriginalFunction;	// PlaceHolder for the address of the original syscall address
	BOOLEAN			Hijacked;			// Flag indicating whether we already hijacked this system call
										// or whether this is a special system service that needs to be hijacked initially
} */ ZwCalls[] =
{
	{ "ZwAcceptConnectPort", 17, -1, (PULONG_PTR) SystemCallHandler0, NULL, FALSE },
	{ "ZwAccessCheck", 11, -1, (PULONG_PTR) SystemCallHandler1, NULL, FALSE },
	{ "ZwAccessCheckAndAuditAlarm", 24, -1, (PULONG_PTR) SystemCallHandler2, NULL, FALSE },
	{ "ZwAccessCheckByType", 17, -1, (PULONG_PTR) SystemCallHandler3, NULL, FALSE },
	{ "ZwAccessCheckByTypeAndAuditAlarm", 30, -1, (PULONG_PTR) SystemCallHandler4, NULL, FALSE },
	{ "ZwAccessCheckByTypeResultList", 27, -1, (PULONG_PTR) SystemCallHandler5, NULL, FALSE },
	{ "ZwAccessCheckByTypeResultListAndAuditAlarm", 40, -1, (PULONG_PTR) SystemCallHandler6, NULL, FALSE },
	{ "ZwAccessCheckByTypeResultListAndAuditAlarmByHandle", 48, -1, (PULONG_PTR) SystemCallHandler7, NULL, FALSE },


#if HOOK_ATOM
	{ "ZwAddAtom", 7, -1, (PULONG_PTR) HookedNtAddAtom, NULL, TRUE },
#else
	{ "ZwAddAtom", 7, -1, (PULONG_PTR) SystemCallHandler8, NULL, FALSE },
#endif


//XXX
	{ "ZwAddBootEntry", 12, -1, (PULONG_PTR) SystemCallHandler9, NULL, FALSE },
	{ "ZwAddDriverEntry", 14, -1, (PULONG_PTR) SystemCallHandler10, NULL, FALSE },


#if HOOK_TOKEN_ZZZ
	{ "ZwAdjustGroupsToken", 17, -1, (PULONG_PTR) HookedNtAdjustGroupsToken, NULL, TRUE },
#else
	{ "ZwAdjustGroupsToken", 17, -1, (PULONG_PTR) SystemCallHandler11, NULL, FALSE },
#endif

#if HOOK_TOKEN
	{ "ZwAdjustPrivilegesToken", 21, -1, (PULONG_PTR) HookedNtAdjustPrivilegesToken, NULL, TRUE },
#else
	{ "ZwAdjustPrivilegesToken", 21, -1, (PULONG_PTR) SystemCallHandler12, NULL, FALSE },
#endif


	{ "ZwAlertResumeThread", 17, -1, (PULONG_PTR) SystemCallHandler13, NULL, FALSE },
	{ "ZwAlertThread", 11, -1, (PULONG_PTR) SystemCallHandler14, NULL, FALSE },
	{ "ZwAllocateLocallyUniqueId", 23, -1, (PULONG_PTR) SystemCallHandler15, NULL, FALSE },
	{ "ZwAllocateUserPhysicalPages", 25, -1, (PULONG_PTR) SystemCallHandler16, NULL, FALSE },
	{ "ZwAllocateUuids", 13, -1, (PULONG_PTR) SystemCallHandler17, NULL, FALSE },
	{ "ZwAllocateVirtualMemory", 21, -1, (PULONG_PTR) SystemCallHandler18, NULL, FALSE },
	{ "ZwApphelpCacheControl", 19, -1, (PULONG_PTR) SystemCallHandler19, NULL, FALSE },
	{ "ZwAreMappedFilesTheSame", 21, -1, (PULONG_PTR) SystemCallHandler20, NULL, FALSE },
	{ "ZwAssignProcessToJobObject", 24, -1, (PULONG_PTR) SystemCallHandler21, NULL, FALSE },
	{ "ZwCallbackReturn", 14, -1, (PULONG_PTR) SystemCallHandler22, NULL, FALSE },
	{ "ZwCancelDeviceWakeupRequest", 25, -1, (PULONG_PTR) SystemCallHandler23, NULL, FALSE },
	{ "ZwCancelIoFile", 12, -1, (PULONG_PTR) SystemCallHandler24, NULL, FALSE },
	{ "ZwCancelTimer", 11, -1, (PULONG_PTR) SystemCallHandler25, NULL, FALSE },
	{ "ZwClearEvent", 10, -1, (PULONG_PTR) SystemCallHandler26, NULL, FALSE },

	/* don't mediate for performance reasons, requires a valid handle anyway  */
	{ "ZwClose", 5, -1, NULL, NULL, FALSE },

	{ "ZwCloseObjectAuditAlarm", 21, -1, (PULONG_PTR) SystemCallHandler28, NULL, FALSE },
	{ "ZwCompactKeys", 11, -1, (PULONG_PTR) SystemCallHandler29, NULL, FALSE },
	{ "ZwCompareTokens", 13, -1, (PULONG_PTR) SystemCallHandler30, NULL, FALSE },
	{ "ZwCompleteConnectPort", 19, -1, (PULONG_PTR) SystemCallHandler31, NULL, FALSE },
	{ "ZwCompressKey", 11, -1, (PULONG_PTR) SystemCallHandler32, NULL, FALSE },


#if HOOK_PORT
	{ "ZwConnectPort", 11, -1, (PULONG_PTR) HookedNtConnectPort, NULL, TRUE },
#else
	{ "ZwConnectPort", 11, -1, (PULONG_PTR) SystemCallHandler33, NULL, FALSE },
#endif


	{ "ZwContinue", 8, -1, (PULONG_PTR) SystemCallHandler34, NULL, FALSE },


#if HOOK_DEBUG_ZZZ
	{ "ZwCreateDebugObject", 17, -1, (PULONG_PTR) HookedNtCreateDebugObject, NULL, TRUE },
#else
	{ "ZwCreateDebugObject", 17, -1, (PULONG_PTR) SystemCallHandler35, NULL, FALSE },
#endif


#if HOOK_DIROBJ
	{ "ZwCreateDirectoryObject", 21, -1, (PULONG_PTR) HookedNtCreateDirectoryObject, NULL, TRUE },
#else
	{ "ZwCreateDirectoryObject", 21, -1, (PULONG_PTR) SystemCallHandler36, NULL, FALSE },
#endif


#if HOOK_EVENT
	{ "ZwCreateEvent", 11, -1, (PULONG_PTR) HookedNtCreateEvent, NULL, TRUE },
	{ "ZwCreateEventPair", 15, -1, (PULONG_PTR) HookedNtCreateEventPair, NULL, TRUE },
#else
	{ "ZwCreateEvent", 11, -1, (PULONG_PTR) SystemCallHandler37, NULL, FALSE },
	{ "ZwCreateEventPair", 15, -1, (PULONG_PTR) SystemCallHandler38, NULL, FALSE },
#endif


#if HOOK_FILE
	{ "ZwCreateFile", 10, -1, (PULONG_PTR) HookedNtCreateFile, NULL, TRUE },
#else
	{ "ZwCreateFile", 10, -1, (PULONG_PTR) SystemCallHandler39, NULL, FALSE },
#endif


	{ "ZwCreateIoCompletion", 18, -1, (PULONG_PTR) SystemCallHandler40, NULL, FALSE },


#if HOOK_JOB
	{ "ZwCreateJobObject", 15, -1, (PULONG_PTR) HookedNtCreateJobObject, NULL, TRUE },
#else
	{ "ZwCreateJobObject", 15, -1, (PULONG_PTR) SystemCallHandler41, NULL, FALSE },
#endif


//XXX ???
	{ "ZwCreateJobSet", 12, -1, (PULONG_PTR) SystemCallHandler42, NULL, FALSE },
	

#if HOOK_REGISTRY
	{ "ZwCreateKey", 9, -1, (PULONG_PTR) HookedNtCreateKey, NULL, TRUE },
#else
	{ "ZwCreateKey", 9, -1, (PULONG_PTR) SystemCallHandler43, NULL, FALSE },
#endif


	{ "ZwCreateKeyedEvent", 16, -1, (PULONG_PTR) SystemCallHandler44, NULL, FALSE },


#if HOOK_FILE
	{ "ZwCreateMailslotFile", 18, -1, (PULONG_PTR) HookedNtCreateMailslotFile, NULL, TRUE },
#else
	{ "ZwCreateMailslotFile", 18, -1, (PULONG_PTR) SystemCallHandler45, NULL, FALSE },
#endif


#if HOOK_MUTANT
	{ "ZwCreateMutant", 12, -1, (PULONG_PTR) HookedNtCreateMutant, NULL, TRUE },
#else
	{ "ZwCreateMutant", 12, -1, (PULONG_PTR) SystemCallHandler46, NULL, FALSE },
#endif


#if HOOK_FILE
	{ "ZwCreateNamedPipeFile", 19, -1, (PULONG_PTR) HookedNtCreateNamedPipeFile, NULL, TRUE },
#else
	{ "ZwCreateNamedPipeFile", 19, -1, (PULONG_PTR) SystemCallHandler47, NULL, FALSE },
#endif


	{ "ZwCreatePagingFile", 16, -1, (PULONG_PTR) SystemCallHandler48, NULL, FALSE },


#if HOOK_PORT
	{ "ZwCreatePort", 10, -1, (PULONG_PTR) HookedNtCreatePort, NULL, TRUE },
#else
	{ "ZwCreatePort", 10, -1, (PULONG_PTR) SystemCallHandler49, NULL, FALSE },
#endif


#if HOOK_PROCESS
	{ "ZwCreateProcess", 13, -1, (PULONG_PTR) HookedNtCreateProcess, NULL, TRUE },
	{ "ZwCreateProcessEx", 15, -1, (PULONG_PTR) HookedNtCreateProcessEx, NULL, TRUE },
#else
	{ "ZwCreateProcess", 13, -1, (PULONG_PTR) SystemCallHandler50, NULL, FALSE },
	{ "ZwCreateProcessEx", 15, -1, (PULONG_PTR) SystemCallHandler51, NULL, FALSE },
#endif


	{ "ZwCreateProfile", 13, -1, (PULONG_PTR) SystemCallHandler52, NULL, FALSE },


#if HOOK_SECTION
	{ "ZwCreateSection", 13, -1, (PULONG_PTR) HookedNtCreateSection, NULL, TRUE },
#else
	{ "ZwCreateSection", 13, -1, (PULONG_PTR) SystemCallHandler53, NULL, FALSE },
#endif


#if HOOK_SEMAPHORE
	{ "ZwCreateSemaphore", 15, -1, (PULONG_PTR) HookedNtCreateSemaphore, NULL, TRUE },
#else
	{ "ZwCreateSemaphore", 15, -1, (PULONG_PTR) SystemCallHandler54, NULL, FALSE },
#endif


#if HOOK_SYMLINK
	{ "ZwCreateSymbolicLinkObject", 24, -1, (PULONG_PTR) HookedNtCreateSymbolicLinkObject, NULL, TRUE },
#else
	{ "ZwCreateSymbolicLinkObject", 24, -1, (PULONG_PTR) SystemCallHandler55, NULL, FALSE },
#endif


#if HOOK_PROCESS
	{ "ZwCreateThread", 12, -1, (PULONG_PTR) HookedNtCreateThread, NULL, TRUE },
#else
	{ "ZwCreateThread", 12, -1, (PULONG_PTR) SystemCallHandler56, NULL, FALSE },
#endif


#if HOOK_TIMER
	{ "ZwCreateTimer", 11, -1, (PULONG_PTR) HookedNtCreateTimer, NULL, TRUE },
#else
	{ "ZwCreateTimer", 11, -1, (PULONG_PTR) SystemCallHandler57, NULL, FALSE },
#endif


#if HOOK_TOKEN_ZZZ
	{ "ZwCreateToken", 11, -1, (PULONG_PTR) HookedNtCreateToken, NULL, TRUE },
#else
	{ "ZwCreateToken", 11, -1, (PULONG_PTR) SystemCallHandler58, NULL, FALSE },
#endif


#if HOOK_PORT
	{ "ZwCreateWaitablePort", 18, -1, (PULONG_PTR) HookedNtCreateWaitablePort, NULL, TRUE },
#else
	{ "ZwCreateWaitablePort", 18, -1, (PULONG_PTR) SystemCallHandler59, NULL, FALSE },
#endif


#if HOOK_DEBUG
	{ "ZwDebugActiveProcess", 18, -1, (PULONG_PTR) HookedNtDebugActiveProcess, NULL, TRUE },
#else
	{ "ZwDebugActiveProcess", 18, -1, (PULONG_PTR) SystemCallHandler60, NULL, FALSE },
#endif


	{ "ZwDebugContinue", 13, -1, (PULONG_PTR) SystemCallHandler61, NULL, FALSE },
	{ "ZwDelayExecution", 14, -1, (PULONG_PTR) SystemCallHandler62, NULL, FALSE },
	{ "ZwDeleteAtom", 10, -1, (PULONG_PTR) SystemCallHandler63, NULL, FALSE },
	{ "ZwDeleteBootEntry", 15, -1, (PULONG_PTR) SystemCallHandler64, NULL, FALSE },
	{ "ZwDeleteDriverEntry", 17, -1, (PULONG_PTR) SystemCallHandler65, NULL, FALSE },


#if HOOK_FILE
	{ "ZwDeleteFile", 10, -1, (PULONG_PTR) HookedNtDeleteFile, NULL, TRUE },
#else
	{ "ZwDeleteFile", 10, -1, (PULONG_PTR) SystemCallHandler66, NULL, FALSE },
#endif


#if HOOK_REGISTRY
	{ "ZwDeleteKey", 9, -1, (PULONG_PTR) HookedNtDeleteKey, NULL, TRUE },
#else
	{ "ZwDeleteKey", 9, -1, (PULONG_PTR) SystemCallHandler67, NULL, FALSE },
#endif

	{ "ZwDeleteObjectAuditAlarm", 22, -1, (PULONG_PTR) SystemCallHandler68, NULL, FALSE },
	{ "ZwDeleteValueKey", 14, -1, (PULONG_PTR) SystemCallHandler69, NULL, FALSE },
//XXX

	{ "ZwDeviceIoControlFile", 19, -1, NULL, NULL, FALSE },
	{ "ZwDisplayString", 13, -1, (PULONG_PTR) SystemCallHandler71, NULL, FALSE },
	{ "ZwDuplicateObject", 15, -1, (PULONG_PTR) SystemCallHandler72, NULL, FALSE },
	{ "ZwDuplicateToken", 14, -1, (PULONG_PTR) SystemCallHandler73, NULL, FALSE },
	{ "ZwEnumerateBootEntries", 20, -1, (PULONG_PTR) SystemCallHandler74, NULL, FALSE },
	{ "ZwEnumerateDriverEntries", 22, -1, (PULONG_PTR) SystemCallHandler75, NULL, FALSE },
	{ "ZwEnumerateKey", 12, -1, (PULONG_PTR) SystemCallHandler76, NULL, FALSE },
	{ "ZwEnumerateSystemEnvironmentValuesEx", 34, -1, (PULONG_PTR) SystemCallHandler77, NULL, FALSE },
	{ "ZwEnumerateValueKey", 17, -1, (PULONG_PTR) SystemCallHandler78, NULL, FALSE },
//XXX


	{ "ZwExtendSection", 13, -1, (PULONG_PTR) SystemCallHandler79, NULL, FALSE },
	{ "ZwFilterToken", 11, -1, (PULONG_PTR) SystemCallHandler80, NULL, FALSE },


#if HOOK_ATOM
	{ "ZwFindAtom", 8, -1, (PULONG_PTR) HookedNtFindAtom, NULL, TRUE },
#else
	{ "ZwFindAtom", 8, -1, (PULONG_PTR) SystemCallHandler81, NULL, FALSE },
#endif


	{ "ZwFlushBuffersFile", 16, -1, (PULONG_PTR) SystemCallHandler82, NULL, FALSE },
	{ "ZwFlushInstructionCache", 21, -1, (PULONG_PTR) SystemCallHandler83, NULL, FALSE },
	{ "ZwFlushKey", 8, -1, (PULONG_PTR) SystemCallHandler84, NULL, FALSE },
	{ "ZwFlushVirtualMemory", 18, -1, (PULONG_PTR) SystemCallHandler85, NULL, FALSE },
	{ "ZwFlushWriteBuffer", 16, -1, (PULONG_PTR) SystemCallHandler86, NULL, FALSE },
	{ "ZwFreeUserPhysicalPages", 21, -1, (PULONG_PTR) SystemCallHandler87, NULL, FALSE },
	{ "ZwFreeVirtualMemory", 17, -1, (PULONG_PTR) SystemCallHandler88, NULL, FALSE },
	{ "ZwFsControlFile", 13, -1, (PULONG_PTR) SystemCallHandler89, NULL, FALSE },
	{ "ZwGetContextThread", 16, -1, (PULONG_PTR) SystemCallHandler90, NULL, FALSE },
	{ "ZwGetCurrentProcessorNumber", 25, -1, (PULONG_PTR) SystemCallHandler91, NULL, FALSE },
	{ "ZwGetDevicePowerState", 19, -1, (PULONG_PTR) SystemCallHandler92, NULL, FALSE },
	{ "ZwGetPlugPlayEvent", 16, -1, (PULONG_PTR) SystemCallHandler93, NULL, FALSE },
	{ "ZwGetWriteWatch", 13, -1, (PULONG_PTR) SystemCallHandler94, NULL, FALSE },

//XXX
	{ "ZwImpersonateAnonymousToken", 25, -1, (PULONG_PTR) SystemCallHandler95, NULL, FALSE },
	{ "ZwImpersonateClientOfPort", 23, -1, (PULONG_PTR) SystemCallHandler96, NULL, FALSE },
	{ "ZwImpersonateThread", 17, -1, (PULONG_PTR) SystemCallHandler97, NULL, FALSE },

	{ "ZwInitializeRegistry", 18, -1, (PULONG_PTR) SystemCallHandler98, NULL, FALSE },
	{ "ZwInitiatePowerAction", 19, -1, (PULONG_PTR) SystemCallHandler99, NULL, FALSE },
	{ "ZwIsProcessInJob", 14, -1, (PULONG_PTR) SystemCallHandler100, NULL, FALSE },
	{ "ZwIsSystemResumeAutomatic", 23, -1, (PULONG_PTR) SystemCallHandler101, NULL, FALSE },
	{ "ZwListenPort", 10, -1, (PULONG_PTR) SystemCallHandler102, NULL, FALSE },


#if HOOK_DRIVEROBJ
	{ "ZwLoadDriver", 10, -1, (PULONG_PTR) HookedNtLoadDriver, NULL, TRUE },
#else
	{ "ZwLoadDriver", 10, -1, (PULONG_PTR) SystemCallHandler103, NULL, FALSE },
#endif


	{ "ZwLoadKey", 7, -1, (PULONG_PTR) SystemCallHandler104, NULL, FALSE },
	{ "ZwLoadKey2", 8, -1, (PULONG_PTR) SystemCallHandler105, NULL, FALSE },
	{ "ZwLoadKeyEx", 9, -1, (PULONG_PTR) SystemCallHandler106, NULL, FALSE },
	{ "ZwLockFile", 8, -1, (PULONG_PTR) SystemCallHandler107, NULL, FALSE },
	{ "ZwLockProductActivationKeys", 25, -1, (PULONG_PTR) SystemCallHandler108, NULL, FALSE },
	{ "ZwLockRegistryKey", 15, -1, (PULONG_PTR) SystemCallHandler109, NULL, FALSE },
	{ "ZwLockVirtualMemory", 17, -1, (PULONG_PTR) SystemCallHandler110, NULL, FALSE },
	{ "ZwMakePermanentObject", 19, -1, (PULONG_PTR) SystemCallHandler111, NULL, FALSE },
	{ "ZwMakeTemporaryObject", 19, -1, (PULONG_PTR) SystemCallHandler112, NULL, FALSE },
	{ "ZwMapUserPhysicalPages", 20, -1, (PULONG_PTR) SystemCallHandler113, NULL, FALSE },
	{ "ZwMapUserPhysicalPagesScatter", 27, -1, (PULONG_PTR) SystemCallHandler114, NULL, FALSE },


#if HOOK_SECTION_ZZZ
	{ "ZwMapViewOfSection", 16, -1, (PULONG_PTR) HookedNtMapViewOfSection, NULL, TRUE },
#else
	{ "ZwMapViewOfSection", 16, -1, (PULONG_PTR) SystemCallHandler115, NULL, FALSE },
#endif


	{ "ZwModifyBootEntry", 15, -1, (PULONG_PTR) SystemCallHandler116, NULL, FALSE },
	{ "ZwModifyDriverEntry", 17, -1, (PULONG_PTR) SystemCallHandler117, NULL, FALSE },
	{ "ZwNotifyChangeDirectoryFile", 25, -1, (PULONG_PTR) SystemCallHandler118, NULL, FALSE },
	{ "ZwNotifyChangeKey", 15, -1, (PULONG_PTR) SystemCallHandler119, NULL, FALSE },
	{ "ZwNotifyChangeMultipleKeys", 24, -1, (PULONG_PTR) SystemCallHandler120, NULL, FALSE },


#if HOOK_DIROBJ
	{ "ZwOpenDirectoryObject", 19, -1, (PULONG_PTR) HookedNtOpenDirectoryObject, NULL, TRUE },
#else
	{ "ZwOpenDirectoryObject", 19, -1, (PULONG_PTR) SystemCallHandler121, NULL, FALSE },
#endif


#if HOOK_EVENT
	{ "ZwOpenEvent", 9, -1, (PULONG_PTR) HookedNtOpenEvent, NULL, TRUE },
	{ "ZwOpenEventPair", 13, -1, (PULONG_PTR) HookedNtOpenEventPair, NULL, TRUE },
#else
	{ "ZwOpenEvent", 9, -1, (PULONG_PTR) SystemCallHandler122, NULL, FALSE },
	{ "ZwOpenEventPair", 13, -1, (PULONG_PTR) SystemCallHandler123, NULL, FALSE },
#endif


#if HOOK_FILE
	{ "ZwOpenFile", 8, -1, (PULONG_PTR) HookedNtOpenFile, NULL, TRUE },
#else
	{ "ZwOpenFile", 8, -1, (PULONG_PTR) SystemCallHandler124, NULL, FALSE },
#endif

	{ "ZwOpenIoCompletion", 16, -1, (PULONG_PTR) SystemCallHandler125, NULL, FALSE },


#if HOOK_JOB
	{ "ZwOpenJobObject", 13, -1, (PULONG_PTR) HookedNtOpenJobObject, NULL, TRUE },
#else
	{ "ZwOpenJobObject", 13, -1, (PULONG_PTR) SystemCallHandler126, NULL, FALSE },
#endif


#if HOOK_REGISTRY
	{ "ZwOpenKey", 7, -1, (PULONG_PTR) HookedNtOpenKey, NULL, TRUE },
#else
	{ "ZwOpenKey", 7, -1, (PULONG_PTR) SystemCallHandler127, NULL, FALSE },
#endif


	{ "ZwOpenKeyedEvent", 14, -1, (PULONG_PTR) SystemCallHandler128, NULL, FALSE },


#if HOOK_MUTANT
	{ "ZwOpenMutant", 10, -1, (PULONG_PTR) HookedNtOpenMutant, NULL, TRUE },
#else
	{ "ZwOpenMutant", 10, -1, (PULONG_PTR) SystemCallHandler129, NULL, FALSE },
#endif


	{ "ZwOpenObjectAuditAlarm", 20, -1, (PULONG_PTR) SystemCallHandler130, NULL, FALSE },


#if HOOK_PROCESS
	{ "ZwOpenProcess", 11, -1, (PULONG_PTR) HookedNtOpenProcess, NULL, TRUE },
#else
	{ "ZwOpenProcess", 11, -1, (PULONG_PTR) SystemCallHandler131, NULL, FALSE },
#endif


#if HOOK_TOKEN_ZZZ
	{ "ZwOpenProcessToken", 16, -1, (PULONG_PTR) HookedNtOpenProcessToken, NULL, TRUE },
	{ "ZwOpenProcessTokenEx", 18, -1, (PULONG_PTR) HookedNtOpenProcessTokenEx, NULL, TRUE },
#else
	{ "ZwOpenProcessToken", 16, -1, (PULONG_PTR) SystemCallHandler132, NULL, FALSE },
	{ "ZwOpenProcessTokenEx", 18, -1, (PULONG_PTR) SystemCallHandler133, NULL, FALSE },
#endif


#if HOOK_SECTION
	{ "ZwOpenSection", 11, -1, (PULONG_PTR) HookedNtOpenSection, NULL, TRUE },
#else
	{ "ZwOpenSection", 11, -1, (PULONG_PTR) SystemCallHandler134, NULL, FALSE },
#endif


#if HOOK_SEMAPHORE
	{ "ZwOpenSemaphore", 13, -1, (PULONG_PTR) HookedNtOpenSemaphore, NULL, TRUE },
#else
	{ "ZwOpenSemaphore", 13, -1, (PULONG_PTR) SystemCallHandler135, NULL, FALSE },
#endif


#if HOOK_SYMLINK_ZZZ
	{ "ZwOpenSymbolicLinkObject", 22, -1, (PULONG_PTR) HookedNtOpenSymbolicLinkObject, NULL, TRUE },
#else
	{ "ZwOpenSymbolicLinkObject", 22, -1, (PULONG_PTR) SystemCallHandler136, NULL, FALSE },
#endif


#if HOOK_PROCESS
	{ "ZwOpenThread", 10, -1, (PULONG_PTR) HookedNtOpenThread, NULL, TRUE },
#else
	{ "ZwOpenThread", 10, -1, (PULONG_PTR) SystemCallHandler137, NULL, FALSE },
#endif


#if HOOK_TOKEN_ZZZ
	{ "ZwOpenThreadToken", 15, -1, (PULONG_PTR) HookedNtOpenThreadToken, NULL, TRUE },
	{ "ZwOpenThreadTokenEx", 17, -1, (PULONG_PTR) HookedNtOpenThreadTokenEx, NULL, TRUE },
#else
	{ "ZwOpenThreadToken", 15, -1, (PULONG_PTR) SystemCallHandler138, NULL, FALSE },
	{ "ZwOpenThreadTokenEx", 17, -1, (PULONG_PTR) SystemCallHandler139, NULL, FALSE },
#endif


#if HOOK_TIMER
	{ "ZwOpenTimer", 9, -1, (PULONG_PTR) HookedNtOpenTimer, NULL, TRUE },
#else
	{ "ZwOpenTimer", 9, -1, (PULONG_PTR) SystemCallHandler140, NULL, FALSE },
#endif


	{ "ZwPlugPlayControl", 15, -1, (PULONG_PTR) SystemCallHandler141, NULL, FALSE },
	{ "ZwPowerInformation", 16, -1, (PULONG_PTR) SystemCallHandler142, NULL, FALSE },
	{ "ZwPrivilegeCheck", 14, -1, (PULONG_PTR) SystemCallHandler143, NULL, FALSE },
	{ "ZwPrivilegeObjectAuditAlarm", 25, -1, (PULONG_PTR) SystemCallHandler144, NULL, FALSE },
	{ "ZwPrivilegedServiceAuditAlarm", 27, -1, (PULONG_PTR) SystemCallHandler145, NULL, FALSE },
	{ "ZwProtectVirtualMemory", 20, -1, (PULONG_PTR) SystemCallHandler146, NULL, FALSE },
	{ "ZwPulseEvent", 10, -1, (PULONG_PTR) SystemCallHandler147, NULL, FALSE },


#if HOOK_FILE
	{ "ZwQueryAttributesFile", 19, -1, (PULONG_PTR) HookedNtQueryAttributesFile, NULL, TRUE },
#else
	{ "ZwQueryAttributesFile", 19, -1, (PULONG_PTR) SystemCallHandler148, NULL, FALSE },
#endif


	{ "ZwQueryBootEntryOrder", 19, -1, (PULONG_PTR) SystemCallHandler149, NULL, FALSE },
	{ "ZwQueryBootOptions", 16, -1, (PULONG_PTR) SystemCallHandler150, NULL, FALSE },
	{ "ZwQueryDebugFilterState", 21, -1, (PULONG_PTR) SystemCallHandler151, NULL, FALSE },
	{ "ZwQueryDefaultLocale", 18, -1, (PULONG_PTR) SystemCallHandler152, NULL, FALSE },
	{ "ZwQueryDefaultUILanguage", 22, -1, (PULONG_PTR) SystemCallHandler153, NULL, FALSE },


#if FILE_HOOK_ZZZ
	{ "ZwQueryDirectoryFile", 18, -1, (PULONG_PTR) HookedNtQueryDirectoryFile, NULL, TRUE },
#else
	{ "ZwQueryDirectoryFile", 18, -1, (PULONG_PTR) SystemCallHandler154, NULL, FALSE },
#endif


	{ "ZwQueryDirectoryObject", 20, -1, (PULONG_PTR) SystemCallHandler155, NULL, FALSE },
	{ "ZwQueryDriverEntryOrder", 21, -1, (PULONG_PTR) SystemCallHandler156, NULL, FALSE },
	{ "ZwQueryEaFile", 11, -1, (PULONG_PTR) SystemCallHandler157, NULL, FALSE },
	{ "ZwQueryEvent", 10, -1, (PULONG_PTR) SystemCallHandler158, NULL, FALSE },


#if HOOK_FILE
	{ "ZwQueryFullAttributesFile", 23, -1, (PULONG_PTR) HookedNtQueryFullAttributesFile, NULL, TRUE },
#else
	{ "ZwQueryFullAttributesFile", 23, -1, (PULONG_PTR) SystemCallHandler159, NULL, FALSE },
#endif


	{ "ZwQueryInformationAtom", 20, -1, (PULONG_PTR) SystemCallHandler160, NULL, FALSE },
	{ "ZwQueryInformationFile", 20, -1, (PULONG_PTR) SystemCallHandler161, NULL, FALSE },
	{ "ZwQueryInformationJobObject", 25, -1, (PULONG_PTR) SystemCallHandler162, NULL, FALSE },
	{ "ZwQueryInformationPort", 20, -1, (PULONG_PTR) SystemCallHandler163, NULL, FALSE },
	{ "ZwQueryInformationProcess", 23, -1, (PULONG_PTR) SystemCallHandler164, NULL, FALSE },
	{ "ZwQueryInformationThread", 22, -1, (PULONG_PTR) SystemCallHandler165, NULL, FALSE },
	{ "ZwQueryInformationToken", 21, -1, (PULONG_PTR) SystemCallHandler166, NULL, FALSE },
	{ "ZwQueryInstallUILanguage", 22, -1, (PULONG_PTR) SystemCallHandler167, NULL, FALSE },
	{ "ZwQueryIntervalProfile", 20, -1, (PULONG_PTR) SystemCallHandler168, NULL, FALSE },
	{ "ZwQueryIoCompletion", 17, -1, (PULONG_PTR) SystemCallHandler169, NULL, FALSE },
	{ "ZwQueryKey", 8, -1, (PULONG_PTR) SystemCallHandler170, NULL, FALSE },
	{ "ZwQueryMultipleValueKey", 21, -1, (PULONG_PTR) SystemCallHandler171, NULL, FALSE },
	{ "ZwQueryMutant", 11, -1, (PULONG_PTR) SystemCallHandler172, NULL, FALSE },
	{ "ZwQueryObject", 11, -1, (PULONG_PTR) SystemCallHandler173, NULL, FALSE },
	{ "ZwQueryOpenSubKeys", 16, -1, (PULONG_PTR) SystemCallHandler174, NULL, FALSE },
	{ "ZwQueryOpenSubKeysEx", 18, -1, (PULONG_PTR) SystemCallHandler175, NULL, FALSE },
	{ "ZwQueryPerformanceCounter", 23, -1, (PULONG_PTR) SystemCallHandler176, NULL, FALSE },
	{ "ZwQueryPortInformationProcess", 27, -1, (PULONG_PTR) SystemCallHandler177, NULL, FALSE },
	{ "ZwQueryQuotaInformationFile", 25, -1, (PULONG_PTR) SystemCallHandler178, NULL, FALSE },
	{ "ZwQuerySection", 12, -1, (PULONG_PTR) SystemCallHandler179, NULL, FALSE },
	{ "ZwQuerySecurityObject", 19, -1, (PULONG_PTR) SystemCallHandler180, NULL, FALSE },
	{ "ZwQuerySemaphore", 14, -1, (PULONG_PTR) SystemCallHandler181, NULL, FALSE },
	{ "ZwQuerySymbolicLinkObject", 23, -1, (PULONG_PTR) SystemCallHandler182, NULL, FALSE },
	{ "ZwQuerySystemEnvironmentValue", 27, -1, (PULONG_PTR) SystemCallHandler183, NULL, FALSE },
	{ "ZwQuerySystemEnvironmentValueEx", 29, -1, (PULONG_PTR) SystemCallHandler184, NULL, FALSE },
	{ "ZwQuerySystemInformation", 22, -1, (PULONG_PTR) SystemCallHandler185, NULL, FALSE },
	{ "ZwQuerySystemTime", 15, -1, (PULONG_PTR) SystemCallHandler186, NULL, FALSE },
	{ "ZwQueryTimer", 10, -1, (PULONG_PTR) SystemCallHandler187, NULL, FALSE },
	{ "ZwQueryTimerResolution", 20, -1, (PULONG_PTR) SystemCallHandler188, NULL, FALSE },


#if HOOK_REGISTRY_ZZZ
	{ "ZwQueryValueKey", 13, -1, (PULONG_PTR) HookedNtQueryValueKey, NULL, TRUE },
#else
	{ "ZwQueryValueKey", 13, -1, (PULONG_PTR) SystemCallHandler189, NULL, FALSE },
#endif


	{ "ZwQueryVirtualMemory", 18, -1, (PULONG_PTR) SystemCallHandler190, NULL, FALSE },
	{ "ZwQueryVolumeInformationFile", 26, -1, (PULONG_PTR) SystemCallHandler191, NULL, FALSE },
	{ "ZwQueueApcThread", 14, -1, (PULONG_PTR) SystemCallHandler192, NULL, FALSE },


//XXX should we not mediate these calls? they are only raised during an error and we might
// not encounter them during "learning" phase? can these be abused otherwise?
	{ "ZwRaiseException", 14, -1, (PULONG_PTR) SystemCallHandler193, NULL, FALSE },
	{ "ZwRaiseHardError", 14, -1, (PULONG_PTR) SystemCallHandler194, NULL, FALSE },

	/* don't mediate for performance reasons, requires a valid handle anyway  */
	{ "ZwReadFile", 8, -1, NULL, NULL, FALSE },
	{ "ZwReadFileScatter", 15, -1, NULL, NULL, FALSE },
	{ "ZwReadRequestData", 15, -1, NULL, NULL, FALSE },
	{ "ZwReadVirtualMemory", 17, -1, NULL, NULL, FALSE },

	{ "ZwRegisterThreadTerminatePort", 27, -1, (PULONG_PTR) SystemCallHandler199, NULL, FALSE },
	{ "ZwReleaseKeyedEvent", 17, -1, (PULONG_PTR) SystemCallHandler200, NULL, FALSE },
	{ "ZwReleaseMutant", 13, -1, (PULONG_PTR) SystemCallHandler201, NULL, FALSE },
	{ "ZwReleaseSemaphore", 16, -1, (PULONG_PTR) SystemCallHandler202, NULL, FALSE },
	{ "ZwRemoveIoCompletion", 18, -1, (PULONG_PTR) SystemCallHandler203, NULL, FALSE },
	{ "ZwRemoveProcessDebug", 18, -1, (PULONG_PTR) SystemCallHandler204, NULL, FALSE },

//XXX
	{ "ZwRenameKey", 9, -1, (PULONG_PTR) SystemCallHandler205, NULL, FALSE },
	{ "ZwReplaceKey", 10, -1, (PULONG_PTR) SystemCallHandler206, NULL, FALSE },


	{ "ZwReplyPort", 9, -1, (PULONG_PTR) SystemCallHandler207, NULL, FALSE },
	{ "ZwReplyWaitReceivePort", 20, -1, (PULONG_PTR) SystemCallHandler208, NULL, FALSE },
	{ "ZwReplyWaitReceivePortEx", 22, -1, (PULONG_PTR) SystemCallHandler209, NULL, FALSE },
	{ "ZwReplyWaitReplyPort", 18, -1, (PULONG_PTR) SystemCallHandler210, NULL, FALSE },
	{ "ZwRequestDeviceWakeup", 19, -1, (PULONG_PTR) SystemCallHandler211, NULL, FALSE },
	{ "ZwRequestPort", 11, -1, (PULONG_PTR) SystemCallHandler212, NULL, FALSE },
	{ "ZwRequestWaitReplyPort", 20, -1, (PULONG_PTR) SystemCallHandler213, NULL, FALSE },
	{ "ZwRequestWakeupLatency", 20, -1, (PULONG_PTR) SystemCallHandler214, NULL, FALSE },
	{ "ZwResetEvent", 10, -1, (PULONG_PTR) SystemCallHandler215, NULL, FALSE },
	{ "ZwResetWriteWatch", 15, -1, (PULONG_PTR) SystemCallHandler216, NULL, FALSE },
	{ "ZwRestoreKey", 10, -1, (PULONG_PTR) SystemCallHandler217, NULL, FALSE },
	{ "ZwResumeProcess", 13, -1, (PULONG_PTR) SystemCallHandler218, NULL, FALSE },
	{ "ZwResumeThread", 12, -1, (PULONG_PTR) SystemCallHandler219, NULL, FALSE },
	{ "ZwSaveKey", 7, -1, (PULONG_PTR) SystemCallHandler220, NULL, FALSE },
	{ "ZwSaveKeyEx", 9, -1, (PULONG_PTR) SystemCallHandler221, NULL, FALSE },
	{ "ZwSaveMergedKeys", 14, -1, (PULONG_PTR) SystemCallHandler222, NULL, FALSE },


#if HOOK_PORT
	{ "ZwSecureConnectPort", 17, -1, (PULONG_PTR) HookedNtSecureConnectPort, NULL, TRUE },
#else
	{ "ZwSecureConnectPort", 17, -1, (PULONG_PTR) SystemCallHandler223, NULL, FALSE },
#endif


	{ "ZwSetBootEntryOrder", 17, -1, (PULONG_PTR) SystemCallHandler224, NULL, FALSE },
	{ "ZwSetBootOptions", 14, -1, (PULONG_PTR) SystemCallHandler225, NULL, FALSE },

//XXX
	{ "ZwSetContextThread", 16, -1, (PULONG_PTR) SystemCallHandler226, NULL, FALSE },

	{ "ZwSetDebugFilterState", 19, -1, (PULONG_PTR) SystemCallHandler227, NULL, FALSE },
	{ "ZwSetDefaultHardErrorPort", 23, -1, (PULONG_PTR) SystemCallHandler228, NULL, FALSE },
	{ "ZwSetDefaultLocale", 16, -1, (PULONG_PTR) SystemCallHandler229, NULL, FALSE },
	{ "ZwSetDefaultUILanguage", 20, -1, (PULONG_PTR) SystemCallHandler230, NULL, FALSE },
	{ "ZwSetDriverEntryOrder", 19, -1, (PULONG_PTR) SystemCallHandler231, NULL, FALSE },
	{ "ZwSetEaFile", 9, -1, (PULONG_PTR) SystemCallHandler232, NULL, FALSE },
	{ "ZwSetEvent", 8, -1, (PULONG_PTR) SystemCallHandler233, NULL, FALSE },
	{ "ZwSetEventBoostPriority", 21, -1, (PULONG_PTR) SystemCallHandler234, NULL, FALSE },
	{ "ZwSetHighEventPair", 16, -1, (PULONG_PTR) SystemCallHandler235, NULL, FALSE },
	{ "ZwSetHighWaitLowEventPair", 23, -1, (PULONG_PTR) SystemCallHandler236, NULL, FALSE },
	{ "ZwSetInformationDebugObject", 25, -1, (PULONG_PTR) SystemCallHandler237, NULL, FALSE },

#if HOOK_FILE
	{ "ZwSetInformationFile", 18, -1, (PULONG_PTR) HookedNtSetInformationFile, NULL, TRUE },
#else
	{ "ZwSetInformationFile", 18, -1, (PULONG_PTR) SystemCallHandler238, NULL, FALSE },
#endif

	{ "ZwSetInformationJobObject", 23, -1, (PULONG_PTR) SystemCallHandler239, NULL, FALSE },
	{ "ZwSetInformationKey", 17, -1, (PULONG_PTR) SystemCallHandler240, NULL, FALSE },
	{ "ZwSetInformationObject", 20, -1, (PULONG_PTR) SystemCallHandler241, NULL, FALSE },
	{ "ZwSetInformationProcess", 21, -1, (PULONG_PTR) SystemCallHandler242, NULL, FALSE },
	{ "ZwSetInformationThread", 20, -1, (PULONG_PTR) SystemCallHandler243, NULL, FALSE },


#if HOOK_TOKEN
	{ "ZwSetInformationToken", 19, -1, (PULONG_PTR) HookedNtSetInformationToken, NULL, TRUE },
#else
	{ "ZwSetInformationToken", 19, -1, (PULONG_PTR) SystemCallHandler244, NULL, FALSE },
#endif


	{ "ZwSetIntervalProfile", 18, -1, (PULONG_PTR) SystemCallHandler245, NULL, FALSE },
	{ "ZwSetIoCompletion", 15, -1, (PULONG_PTR) SystemCallHandler246, NULL, FALSE },


#if HOOK_VDM
	{ "ZwSetLdtEntries", 13, -1, (PULONG_PTR) HookedNtSetLdtEntries, NULL, TRUE },
#else
	{ "ZwSetLdtEntries", 13, -1, (PULONG_PTR) SystemCallHandler247, NULL, FALSE },
#endif


	{ "ZwSetLowEventPair", 15, -1, (PULONG_PTR) SystemCallHandler248, NULL, FALSE },
	{ "ZwSetLowWaitHighEventPair", 23, -1, (PULONG_PTR) SystemCallHandler249, NULL, FALSE },
	{ "ZwSetQuotaInformationFile", 23, -1, (PULONG_PTR) SystemCallHandler250, NULL, FALSE },
	{ "ZwSetSecurityObject", 17, -1, (PULONG_PTR) SystemCallHandler251, NULL, FALSE },
	{ "ZwSetSystemEnvironmentValue", 25, -1, (PULONG_PTR) SystemCallHandler252, NULL, FALSE },	// XXX intel hal supports only 1 variable LastKnownGood
	{ "ZwSetSystemEnvironmentValueEx", 27, -1, (PULONG_PTR) SystemCallHandler253, NULL, FALSE },


#if HOOK_SYSINFO
	{ "ZwSetSystemInformation", 20, -1, (PULONG_PTR) HookedNtSetSystemInformation, NULL, TRUE },
#else
	{ "ZwSetSystemInformation", 20, -1, (PULONG_PTR) SystemCallHandler254, NULL, FALSE },
#endif


	{ "ZwSetSystemPowerState", 19, -1, (PULONG_PTR) SystemCallHandler255, NULL, FALSE },


#if HOOK_TIME
	{ "ZwSetSystemTime", 13, -1, (PULONG_PTR) HookedNtSetSystemTime, NULL, TRUE },
#else
	{ "ZwSetSystemTime", 13, -1, (PULONG_PTR) SystemCallHandler256, NULL, FALSE },
#endif


	{ "ZwSetThreadExecutionState", 23, -1, (PULONG_PTR) SystemCallHandler257, NULL, FALSE },
	{ "ZwSetTimer", 8, -1, (PULONG_PTR) SystemCallHandler258, NULL, FALSE },


#if 0 //HOOK_TIME
	{ "ZwSetTimerResolution", 18, -1, (PULONG_PTR) HookedNtSetTimerResolution, NULL, TRUE },
#else
	{ "ZwSetTimerResolution", 18, -1, (PULONG_PTR) SystemCallHandler259, NULL, FALSE },
#endif


	{ "ZwSetUuidSeed", 11, -1, (PULONG_PTR) SystemCallHandler260, NULL, FALSE },


#if HOOK_REGISTRY_ZZZ
	{ "ZwSetValueKey", 11, -1, (PULONG_PTR) HookedNtSetValueKey, NULL, TRUE },
#else
	{ "ZwSetValueKey", 11, -1, (PULONG_PTR) SystemCallHandler261, NULL, FALSE },
#endif


	{ "ZwSetVolumeInformationFile", 24, -1, (PULONG_PTR) SystemCallHandler262, NULL, FALSE },

//XXX
	{ "ZwShutdownSystem", 14, -1, (PULONG_PTR) SystemCallHandler263, NULL, FALSE },

	{ "ZwSignalAndWaitForSingleObject", 28, -1, (PULONG_PTR) SystemCallHandler264, NULL, FALSE },
	{ "ZwStartProfile", 12, -1, (PULONG_PTR) SystemCallHandler265, NULL, FALSE },
	{ "ZwStopProfile", 11, -1, (PULONG_PTR) SystemCallHandler266, NULL, FALSE },
	{ "ZwSuspendProcess", 14, -1, (PULONG_PTR) SystemCallHandler267, NULL, FALSE },
	{ "ZwSuspendThread", 13, -1, (PULONG_PTR) SystemCallHandler268, NULL, FALSE },
	{ "ZwSystemDebugControl", 18, -1, (PULONG_PTR) SystemCallHandler269, NULL, FALSE },

//XXX
	{ "ZwTerminateJobObject", 18, -1, (PULONG_PTR) SystemCallHandler270, NULL, FALSE },
	{ "ZwTerminateProcess", 16, -1, (PULONG_PTR) SystemCallHandler271, NULL, FALSE },
	{ "ZwTerminateThread", 15, -1, (PULONG_PTR) SystemCallHandler272, NULL, FALSE },

	{ "ZwTestAlert", 9, -1, (PULONG_PTR) SystemCallHandler273, NULL, FALSE },
	{ "ZwTraceEvent", 10, -1, (PULONG_PTR) SystemCallHandler274, NULL, FALSE },
	{ "ZwTranslateFilePath", 17, -1, (PULONG_PTR) SystemCallHandler275, NULL, FALSE },


#if HOOK_DRIVEROBJ_ZZZ
	{ "ZwUnloadDriver", 12, -1, (PULONG_PTR) HookedNtUnloadDriver, NULL, TRUE },
#else
	{ "ZwUnloadDriver", 12, -1, (PULONG_PTR) SystemCallHandler276, NULL, FALSE },
#endif


	{ "ZwUnloadKey", 9, -1, (PULONG_PTR) SystemCallHandler277, NULL, FALSE },
	{ "ZwUnloadKey2", 10, -1, (PULONG_PTR) SystemCallHandler278, NULL, FALSE },
	{ "ZwUnloadKeyEx", 11, -1, (PULONG_PTR) SystemCallHandler279, NULL, FALSE },
	{ "ZwUnlockFile", 10, -1, (PULONG_PTR) SystemCallHandler280, NULL, FALSE },
	{ "ZwUnlockVirtualMemory", 19, -1, (PULONG_PTR) SystemCallHandler281, NULL, FALSE },
	{ "ZwUnmapViewOfSection", 18, -1, (PULONG_PTR) SystemCallHandler282, NULL, FALSE },


#if HOOK_VDM
	{ "ZwVdmControl", 10, -1, (PULONG_PTR) HookedNtVdmControl, NULL, TRUE },
#else
	{ "ZwVdmControl", 10, -1, (PULONG_PTR) SystemCallHandler283, NULL, FALSE },
#endif


	{ "ZwWaitForDebugEvent", 17, -1, (PULONG_PTR) SystemCallHandler284, NULL, FALSE },
	{ "ZwWaitForKeyedEvent", 17, -1, (PULONG_PTR) SystemCallHandler285, NULL, FALSE },
	{ "ZwWaitForMultipleObjects", 22, -1, (PULONG_PTR) SystemCallHandler286, NULL, FALSE },
	{ "ZwWaitForSingleObject", 19, -1, (PULONG_PTR) SystemCallHandler287, NULL, FALSE },
	{ "ZwWaitHighEventPair", 17, -1, (PULONG_PTR) SystemCallHandler288, NULL, FALSE },
	{ "ZwWaitLowEventPair", 16, -1, (PULONG_PTR) SystemCallHandler289, NULL, FALSE },

	/* don't mediate for performance reasons, requires a valid handle anyway  */
	{ "ZwWriteFile", 9, -1, NULL, NULL, FALSE },
	{ "ZwWriteFileGather", 15, -1, NULL, NULL, FALSE },
	{ "ZwWriteRequestData", 16, -1, NULL, NULL, FALSE },
	{ "ZwWriteVirtualMemory", 18, -1, NULL, NULL, FALSE },
	{ "ZwYieldExecution", 14, -1, NULL, NULL, FALSE },
};



ACTION_TYPE
VerifySystemServiceCall(USHORT SystemServiceNumber)
{
	ACTION_TYPE			Action = ACTION_NONE;
	PIMAGE_PID_ENTRY	p;
	PPOLICY_RULE		PolicyRule;


//	LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("system call %x %x %s. irql %d", ZwCalls[SystemServiceNumber].OriginalFunction, ZwCalls[SystemServiceNumber].ServiceIDNumber, ZwCalls[SystemServiceNumber].ZwName, KeGetCurrentIrql()));


	if (KeGetCurrentIrql() != PASSIVE_LEVEL)
		return ACTION_NONE;


	if (LearningMode)
	{
		AddRule(RULE_SYSCALL, ZwCalls[SystemServiceNumber].ZwName, 0);
		return ACTION_NONE;
	}

	
	/* verify policy and user return address? */

	p = FindImagePidEntry(CURRENT_PROCESS_PID, 0);

	if (p == NULL)
	{
		LOG(LOG_SS_PROCESS, LOG_PRIORITY_VERBOSE, ("VerifySystemServiceCall: FindImagePidEntry(%d) failed\n", CURRENT_PROCESS_PID));
		return ACTION_NONE;
	}
//XXX p->SecPolicy spinlock is not acquired
	PolicyRule = p->SecPolicy.RuleList[ RULE_SYSCALL ];
	if (PolicyRule)
	{
		/* Calculate the bit array ULONG we need to read (bit array consists of a bunch of ULONGs) */
		ULONG	UlongCount = SystemServiceNumber >> UlongBitShift;

		/* Choose the correct bit array ULONG */
		PULONG	BitArray = &PolicyRule->ServiceBitArray[0] + UlongCount;

		ULONG	BitOffset = SystemServiceNumber - (UlongCount << UlongBitShift);

		/* read the bit */
		Action = *BitArray & ( 1 << BitOffset ) ? ACTION_PERMIT : ACTION_DENY;

		if (Action == ACTION_DENY)
		{
			LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("denying system call %x %x %s\n", ZwCalls[SystemServiceNumber].OriginalFunction, ZwCalls[SystemServiceNumber].ServiceIDNumber, ZwCalls[SystemServiceNumber].ZwName));
			Action = ACTION_PERMIT;
		}
	}

	return Action;
}


//XXX can we get rid of pushfd / popfd ?
//XXX move to i386.c?
#define	SYSCALL_HANDLER(num)							\
	__declspec(naked) void SystemCallHandler##num()		\
	{													\
		_asm pushad 									\
		_asm { pushfd }									\
		if (0 && VerifySystemServiceCall(num) == ACTION_DENY)\
		{												\
			_asm popfd									\
			_asm popad									\
			_asm mov eax, 0xC0000022 /*STATUS_ACCESS_DENIED*/				\
			_asm ret									\
		}												\
		_asm popfd										\
		_asm popad										\
		_asm jmp dword ptr [ ZwCalls + num*20 + 12 ]	\
/*		_asm jmp ZwCalls[num].OriginalFunction			*/\
	}

/*
//XXX can find out dynamically the amount of stack space to clean up by looking at Zw* ret instruction
			if (PolicyCheck(RULE_SYSCALL, NULL, 0) == ACTION_DENY)				\
			{											\
				_asm mov eax, 0xC0000022				\
				_asm ret								\
			}											\
*/


SYSCALL_HANDLER(0) SYSCALL_HANDLER(1) SYSCALL_HANDLER(2) SYSCALL_HANDLER(3) SYSCALL_HANDLER(4)
SYSCALL_HANDLER(5) SYSCALL_HANDLER(6) SYSCALL_HANDLER(7) SYSCALL_HANDLER(8) SYSCALL_HANDLER(9)
SYSCALL_HANDLER(10) SYSCALL_HANDLER(11) SYSCALL_HANDLER(12) SYSCALL_HANDLER(13) SYSCALL_HANDLER(14)
SYSCALL_HANDLER(15) SYSCALL_HANDLER(16) SYSCALL_HANDLER(17) SYSCALL_HANDLER(18) SYSCALL_HANDLER(19)
SYSCALL_HANDLER(20) SYSCALL_HANDLER(21) SYSCALL_HANDLER(22) SYSCALL_HANDLER(23) SYSCALL_HANDLER(24)
SYSCALL_HANDLER(25) SYSCALL_HANDLER(26) SYSCALL_HANDLER(27) SYSCALL_HANDLER(28) SYSCALL_HANDLER(29)
SYSCALL_HANDLER(30) SYSCALL_HANDLER(31) SYSCALL_HANDLER(32) SYSCALL_HANDLER(33) SYSCALL_HANDLER(34)
SYSCALL_HANDLER(35) SYSCALL_HANDLER(36) SYSCALL_HANDLER(37) SYSCALL_HANDLER(38) SYSCALL_HANDLER(39)
SYSCALL_HANDLER(40) SYSCALL_HANDLER(41) SYSCALL_HANDLER(42) SYSCALL_HANDLER(43) SYSCALL_HANDLER(44)
SYSCALL_HANDLER(45) SYSCALL_HANDLER(46) SYSCALL_HANDLER(47) SYSCALL_HANDLER(48) SYSCALL_HANDLER(49)
SYSCALL_HANDLER(50) SYSCALL_HANDLER(51) SYSCALL_HANDLER(52) SYSCALL_HANDLER(53) SYSCALL_HANDLER(54)
SYSCALL_HANDLER(55) SYSCALL_HANDLER(56) SYSCALL_HANDLER(57) SYSCALL_HANDLER(58) SYSCALL_HANDLER(59)
SYSCALL_HANDLER(60) SYSCALL_HANDLER(61) SYSCALL_HANDLER(62) SYSCALL_HANDLER(63) SYSCALL_HANDLER(64)
SYSCALL_HANDLER(65) SYSCALL_HANDLER(66) SYSCALL_HANDLER(67) SYSCALL_HANDLER(68) SYSCALL_HANDLER(69)
SYSCALL_HANDLER(70) SYSCALL_HANDLER(71) SYSCALL_HANDLER(72) SYSCALL_HANDLER(73) SYSCALL_HANDLER(74)
SYSCALL_HANDLER(75) SYSCALL_HANDLER(76) SYSCALL_HANDLER(77) SYSCALL_HANDLER(78) SYSCALL_HANDLER(79)
SYSCALL_HANDLER(80) SYSCALL_HANDLER(81) SYSCALL_HANDLER(82) SYSCALL_HANDLER(83) SYSCALL_HANDLER(84)
SYSCALL_HANDLER(85) SYSCALL_HANDLER(86) SYSCALL_HANDLER(87) SYSCALL_HANDLER(88) SYSCALL_HANDLER(89)
SYSCALL_HANDLER(90) SYSCALL_HANDLER(91) SYSCALL_HANDLER(92) SYSCALL_HANDLER(93) SYSCALL_HANDLER(94)
SYSCALL_HANDLER(95) SYSCALL_HANDLER(96) SYSCALL_HANDLER(97) SYSCALL_HANDLER(98) SYSCALL_HANDLER(99)
SYSCALL_HANDLER(100) SYSCALL_HANDLER(101) SYSCALL_HANDLER(102) SYSCALL_HANDLER(103) SYSCALL_HANDLER(104)
SYSCALL_HANDLER(105) SYSCALL_HANDLER(106) SYSCALL_HANDLER(107) SYSCALL_HANDLER(108) SYSCALL_HANDLER(109)
SYSCALL_HANDLER(110) SYSCALL_HANDLER(111) SYSCALL_HANDLER(112) SYSCALL_HANDLER(113) SYSCALL_HANDLER(114)
SYSCALL_HANDLER(115) SYSCALL_HANDLER(116) SYSCALL_HANDLER(117) SYSCALL_HANDLER(118) SYSCALL_HANDLER(119)
SYSCALL_HANDLER(120) SYSCALL_HANDLER(121) SYSCALL_HANDLER(122) SYSCALL_HANDLER(123) SYSCALL_HANDLER(124)
SYSCALL_HANDLER(125) SYSCALL_HANDLER(126) SYSCALL_HANDLER(127) SYSCALL_HANDLER(128) SYSCALL_HANDLER(129)
SYSCALL_HANDLER(130) SYSCALL_HANDLER(131) SYSCALL_HANDLER(132) SYSCALL_HANDLER(133) SYSCALL_HANDLER(134)
SYSCALL_HANDLER(135) SYSCALL_HANDLER(136) SYSCALL_HANDLER(137) SYSCALL_HANDLER(138) SYSCALL_HANDLER(139)
SYSCALL_HANDLER(140) SYSCALL_HANDLER(141) SYSCALL_HANDLER(142) SYSCALL_HANDLER(143) SYSCALL_HANDLER(144)
SYSCALL_HANDLER(145) SYSCALL_HANDLER(146) SYSCALL_HANDLER(147) SYSCALL_HANDLER(148) SYSCALL_HANDLER(149)
SYSCALL_HANDLER(150) SYSCALL_HANDLER(151) SYSCALL_HANDLER(152) SYSCALL_HANDLER(153) SYSCALL_HANDLER(154)
SYSCALL_HANDLER(155) SYSCALL_HANDLER(156) SYSCALL_HANDLER(157) SYSCALL_HANDLER(158) SYSCALL_HANDLER(159)
SYSCALL_HANDLER(160) SYSCALL_HANDLER(161) SYSCALL_HANDLER(162) SYSCALL_HANDLER(163) SYSCALL_HANDLER(164)
SYSCALL_HANDLER(165) SYSCALL_HANDLER(166) SYSCALL_HANDLER(167) SYSCALL_HANDLER(168) SYSCALL_HANDLER(169)
SYSCALL_HANDLER(170) SYSCALL_HANDLER(171) SYSCALL_HANDLER(172) SYSCALL_HANDLER(173) SYSCALL_HANDLER(174)
SYSCALL_HANDLER(175) SYSCALL_HANDLER(176) SYSCALL_HANDLER(177) SYSCALL_HANDLER(178) SYSCALL_HANDLER(179)
SYSCALL_HANDLER(180) SYSCALL_HANDLER(181) SYSCALL_HANDLER(182) SYSCALL_HANDLER(183) SYSCALL_HANDLER(184)
SYSCALL_HANDLER(185) SYSCALL_HANDLER(186) SYSCALL_HANDLER(187) SYSCALL_HANDLER(188) SYSCALL_HANDLER(189)
SYSCALL_HANDLER(190) SYSCALL_HANDLER(191) SYSCALL_HANDLER(192) SYSCALL_HANDLER(193) SYSCALL_HANDLER(194)
SYSCALL_HANDLER(195) SYSCALL_HANDLER(196) SYSCALL_HANDLER(197) SYSCALL_HANDLER(198) SYSCALL_HANDLER(199)
SYSCALL_HANDLER(200) SYSCALL_HANDLER(201) SYSCALL_HANDLER(202) SYSCALL_HANDLER(203) SYSCALL_HANDLER(204)
SYSCALL_HANDLER(205) SYSCALL_HANDLER(206) SYSCALL_HANDLER(207) SYSCALL_HANDLER(208) SYSCALL_HANDLER(209)
SYSCALL_HANDLER(210) SYSCALL_HANDLER(211) SYSCALL_HANDLER(212) SYSCALL_HANDLER(213) SYSCALL_HANDLER(214)
SYSCALL_HANDLER(215) SYSCALL_HANDLER(216) SYSCALL_HANDLER(217) SYSCALL_HANDLER(218) SYSCALL_HANDLER(219)
SYSCALL_HANDLER(220) SYSCALL_HANDLER(221) SYSCALL_HANDLER(222) SYSCALL_HANDLER(223) SYSCALL_HANDLER(224)
SYSCALL_HANDLER(225) SYSCALL_HANDLER(226) SYSCALL_HANDLER(227) SYSCALL_HANDLER(228) SYSCALL_HANDLER(229)
SYSCALL_HANDLER(230) SYSCALL_HANDLER(231) SYSCALL_HANDLER(232) SYSCALL_HANDLER(233) SYSCALL_HANDLER(234)
SYSCALL_HANDLER(235) SYSCALL_HANDLER(236) SYSCALL_HANDLER(237) SYSCALL_HANDLER(238) SYSCALL_HANDLER(239)
SYSCALL_HANDLER(240) SYSCALL_HANDLER(241) SYSCALL_HANDLER(242) SYSCALL_HANDLER(243) SYSCALL_HANDLER(244)
SYSCALL_HANDLER(245) SYSCALL_HANDLER(246) SYSCALL_HANDLER(247) SYSCALL_HANDLER(248) SYSCALL_HANDLER(249)
SYSCALL_HANDLER(250) SYSCALL_HANDLER(251) SYSCALL_HANDLER(252) SYSCALL_HANDLER(253) SYSCALL_HANDLER(254)
SYSCALL_HANDLER(255) SYSCALL_HANDLER(256) SYSCALL_HANDLER(257) SYSCALL_HANDLER(258) SYSCALL_HANDLER(259)
SYSCALL_HANDLER(260) SYSCALL_HANDLER(261) SYSCALL_HANDLER(262) SYSCALL_HANDLER(263) SYSCALL_HANDLER(264)
SYSCALL_HANDLER(265) SYSCALL_HANDLER(266) SYSCALL_HANDLER(267) SYSCALL_HANDLER(268) SYSCALL_HANDLER(269)
SYSCALL_HANDLER(270) SYSCALL_HANDLER(271) SYSCALL_HANDLER(272) SYSCALL_HANDLER(273) SYSCALL_HANDLER(274)
SYSCALL_HANDLER(275) SYSCALL_HANDLER(276) SYSCALL_HANDLER(277) SYSCALL_HANDLER(278) SYSCALL_HANDLER(279)
SYSCALL_HANDLER(280) SYSCALL_HANDLER(281) SYSCALL_HANDLER(282) SYSCALL_HANDLER(283) SYSCALL_HANDLER(284)
SYSCALL_HANDLER(285) SYSCALL_HANDLER(286) SYSCALL_HANDLER(287) SYSCALL_HANDLER(288) SYSCALL_HANDLER(289)
SYSCALL_HANDLER(290) SYSCALL_HANDLER(291) SYSCALL_HANDLER(292) SYSCALL_HANDLER(293) SYSCALL_HANDLER(294)



/*
 * InitSyscallsHooks()
 *
 * Description:
 *		Find the correct global syscall table indeces for all system calls
 *		(initialize "OriginalFunction" pointers). Must be called at PASSIVE_LEVEL IRQL
 *		in order to access pageable memory.
 *
 *		NOTE: Called once during driver initialization (DriverEntry()).
 *
 * Parameters:
 *		None.
 *
 * Returns:
 *		TRUE to indicate success, FALSE if failed.
 */

BOOLEAN
InitSyscallsHooks()
{
	int		i;


	ZwCallsNumber = sizeof(ZwCalls) / sizeof(ZwCalls[0]);

	for (i = 0; i < ZwCallsNumber; i++)
	{
		//XXX this can be optimized to return index directly?! this way when we restore syscalls back we don't have to do the same process again??!?!
		ZwCalls[i].ServiceIDNumber = (USHORT) FindZwFunctionIndex(ZwCalls[i].ZwName);
	}


	return TRUE;
}



/*
 * InstallSyscallsHooks()
 *
 * Description:
 *		Mediate various system services. Called at DISPATCH_LEVEL IRQL.
 *
 *		NOTE: Called once during driver initialization (DriverEntry()).
 *
 * Parameters:
 *		None.
 *
 * Returns:
 *		TRUE to indicate success, FALSE if failed.
 */

BOOLEAN
InstallSyscallsHooks()
{
	int		i;


	ZwCallsNumber = sizeof(ZwCalls) / sizeof(ZwCalls[0]);

	for (i = 0; i < ZwCallsNumber; i++)
	{
		if (ZwCalls[i].HookFunction != NULL &&
			(HOOK_SYSCALLS || LearningMode || ZwCalls[i].Hijacked == TRUE))
		{
			if (ZwCalls[i].ServiceIDNumber != (USHORT) -1)
			{
				ZwCalls[i].OriginalFunction = HookSystemServiceByIndex(ZwCalls[i].ServiceIDNumber,
																	   ZwCalls[i].HookFunction);
				ZwCalls[i].Hijacked = TRUE;
			}
		}
	}


	return TRUE;
}



/*
 * RemoveSyscallsHooks()
 *
 * Description:
 *		Restores all the original system service function pointers.
 *
 *		NOTE: Called once during driver unload (DriverUnload()).
 *
 * Parameters:
 *		None.
 *
 * Returns:
 *		Nothing.
 */

void
RemoveSyscallsHooks()
{
	int		i;


	for (i = 0; i < ZwCallsNumber; i++)
	{
		// restore hijacked system calls
		if (ZwCalls[i].Hijacked == TRUE && ZwCalls[i].OriginalFunction != NULL && ZwCalls[i].ServiceIDNumber != -1)
		{
//			LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Restoring syscall %d %x\n", i, i));

			HookSystemServiceByIndex(ZwCalls[i].ServiceIDNumber, ZwCalls[i].OriginalFunction);
		}
	}
}