hookproc.h

/*
 * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
 *
 * Module Name:
 *
 *		hookproc.h
 *
 * Abstract:
 *
 *		This module definies various types used by service operation (system call) hooking routines.
 *
 * Author:
 *
 *		Eugene Tsyrklevich 16-Feb-2004
 *
 * Revision History:
 *
 *		None.
 */


#ifndef __HOOKPROC_H__
#define __HOOKPROC_H__


#include "userland.h"


/* should the following calls be intercepted? */

#define	HOOK_EVENT		1
#define	HOOK_FILE		1
#define	HOOK_DIROBJ		1
#define	HOOK_JOB		1
#define	HOOK_NETWORK	1
#define	HOOK_MUTANT		1
#define	HOOK_PORT		1
#define	HOOK_PROCESS	1
#define	HOOK_REGISTRY	1
#define	HOOK_SECTION	1
#define	HOOK_SEMAPHORE	1
#define	HOOK_SYMLINK	1
#define	HOOK_SYSINFO	1
#define	HOOK_TIME		1
#define	HOOK_TIMER		1
#define	HOOK_TOKEN		1
#define	HOOK_DRIVEROBJ	1
#define	HOOK_ATOM		1
#define	HOOK_VDM		1
#define	HOOK_SYSCALLS	0
#define	HOOK_DEBUG		1
#define	HOOK_MEDIA		1
#define	HOOK_BOPROT		0


#pragma pack(push, 1)
typedef struct _SERVICE_TABLE_DESCRIPTOR {

	PULONG	ServiceTableBase;		/* table of function pointers		*/
	PVOID	ServiceCounterTable;	/* used in checked build only		*/
	ULONG	NumberOfServices;		/* number of services in this table	*/
	/* extra LONG on IA64 goes here */
	PVOID	ParamTableBase;			/* number of parameters				*/

} SERVICE_TABLE_DESCRIPTOR, *PSERVICE_TABLE_DESCRIPTOR;
#pragma pack(pop)


/*
 * The Service Descriptor Table index (4 bytes following the mov opcode)
 *
 * The index format is as follows:
 *
 * Leading 18 bits are all zeroes
 * Following 2 bits are system service table index (3 bits on Win64)
 * Following 12 bits are service number
 */

#define	SERVICE_TABLE_INDEX_BITS	2
#define	NUMBER_SERVICE_TABLES		(1 << SERVICE_TABLE_INDEX_BITS)

#define	SERVICE_ID_NUMBER_BITS		12
#define	SERVICE_ID_NUMBER_MASK		((1 << SERVICE_ID_NUMBER_BITS) - 1)


/*
 * The kernel's service descriptor table, which is used to find the address
 * of the service dispatch tables to use for a service ID.
 *
 * Descriptor 0 is used for core services (NTDLL)
 * Descriptor 1 is used for GUI services (WIN32K)
 * Descriptors 2 and 3 are unused on current versions of Windows NT.
 */

__declspec(dllimport) SERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable[NUMBER_SERVICE_TABLES];


/*
 * not exported
 */

//PSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTableShadow;



void SystemCallHandler0(); void SystemCallHandler1(); void SystemCallHandler2(); void SystemCallHandler3();
void SystemCallHandler4(); void SystemCallHandler5(); void SystemCallHandler6(); void SystemCallHandler7();
void SystemCallHandler8(); void SystemCallHandler9(); void SystemCallHandler10(); void SystemCallHandler11();
void SystemCallHandler12(); void SystemCallHandler13(); void SystemCallHandler14(); void SystemCallHandler15();
void SystemCallHandler16(); void SystemCallHandler17(); void SystemCallHandler18(); void SystemCallHandler19();
void SystemCallHandler20(); void SystemCallHandler21(); void SystemCallHandler22(); void SystemCallHandler23();
void SystemCallHandler24(); void SystemCallHandler25(); void SystemCallHandler26(); void SystemCallHandler27();
void SystemCallHandler28(); void SystemCallHandler29(); void SystemCallHandler30(); void SystemCallHandler31();
void SystemCallHandler32(); void SystemCallHandler33(); void SystemCallHandler34(); void SystemCallHandler35();
void SystemCallHandler36(); void SystemCallHandler37(); void SystemCallHandler38(); void SystemCallHandler39();
void SystemCallHandler40(); void SystemCallHandler41(); void SystemCallHandler42(); void SystemCallHandler43();
void SystemCallHandler44(); void SystemCallHandler45(); void SystemCallHandler46(); void SystemCallHandler47();
void SystemCallHandler48(); void SystemCallHandler49(); void SystemCallHandler50(); void SystemCallHandler51();
void SystemCallHandler52(); void SystemCallHandler53(); void SystemCallHandler54(); void SystemCallHandler55();
void SystemCallHandler56(); void SystemCallHandler57(); void SystemCallHandler58(); void SystemCallHandler59();
void SystemCallHandler60(); void SystemCallHandler61(); void SystemCallHandler62(); void SystemCallHandler63();
void SystemCallHandler64(); void SystemCallHandler65(); void SystemCallHandler66(); void SystemCallHandler67();
void SystemCallHandler68(); void SystemCallHandler69(); void SystemCallHandler70(); void SystemCallHandler71();
void SystemCallHandler72(); void SystemCallHandler73(); void SystemCallHandler74(); void SystemCallHandler75();
void SystemCallHandler76(); void SystemCallHandler77(); void SystemCallHandler78(); void SystemCallHandler79();
void SystemCallHandler80(); void SystemCallHandler81(); void SystemCallHandler82(); void SystemCallHandler83();
void SystemCallHandler84(); void SystemCallHandler85(); void SystemCallHandler86(); void SystemCallHandler87();
void SystemCallHandler88(); void SystemCallHandler89(); void SystemCallHandler90(); void SystemCallHandler91();
void SystemCallHandler92(); void SystemCallHandler93(); void SystemCallHandler94(); void SystemCallHandler95();
void SystemCallHandler96(); void SystemCallHandler97(); void SystemCallHandler98(); void SystemCallHandler99();
void SystemCallHandler100(); void SystemCallHandler101(); void SystemCallHandler102(); void SystemCallHandler103();
void SystemCallHandler104(); void SystemCallHandler105(); void SystemCallHandler106(); void SystemCallHandler107();
void SystemCallHandler108(); void SystemCallHandler109(); void SystemCallHandler110(); void SystemCallHandler111();
void SystemCallHandler112(); void SystemCallHandler113(); void SystemCallHandler114(); void SystemCallHandler115();
void SystemCallHandler116(); void SystemCallHandler117(); void SystemCallHandler118(); void SystemCallHandler119();
void SystemCallHandler120(); void SystemCallHandler121(); void SystemCallHandler122(); void SystemCallHandler123();
void SystemCallHandler124(); void SystemCallHandler125(); void SystemCallHandler126(); void SystemCallHandler127();
void SystemCallHandler128(); void SystemCallHandler129(); void SystemCallHandler130(); void SystemCallHandler131();
void SystemCallHandler132(); void SystemCallHandler133(); void SystemCallHandler134(); void SystemCallHandler135();
void SystemCallHandler136(); void SystemCallHandler137(); void SystemCallHandler138(); void SystemCallHandler139();
void SystemCallHandler140(); void SystemCallHandler141(); void SystemCallHandler142(); void SystemCallHandler143();
void SystemCallHandler144(); void SystemCallHandler145(); void SystemCallHandler146(); void SystemCallHandler147();
void SystemCallHandler148(); void SystemCallHandler149(); void SystemCallHandler150(); void SystemCallHandler151();
void SystemCallHandler152(); void SystemCallHandler153(); void SystemCallHandler154(); void SystemCallHandler155();
void SystemCallHandler156(); void SystemCallHandler157(); void SystemCallHandler158(); void SystemCallHandler159();
void SystemCallHandler160(); void SystemCallHandler161(); void SystemCallHandler162(); void SystemCallHandler163();
void SystemCallHandler164(); void SystemCallHandler165(); void SystemCallHandler166(); void SystemCallHandler167();
void SystemCallHandler168(); void SystemCallHandler169(); void SystemCallHandler170(); void SystemCallHandler171();
void SystemCallHandler172(); void SystemCallHandler173(); void SystemCallHandler174(); void SystemCallHandler175();
void SystemCallHandler176(); void SystemCallHandler177(); void SystemCallHandler178(); void SystemCallHandler179();
void SystemCallHandler180(); void SystemCallHandler181(); void SystemCallHandler182(); void SystemCallHandler183();
void SystemCallHandler184(); void SystemCallHandler185(); void SystemCallHandler186(); void SystemCallHandler187();
void SystemCallHandler188(); void SystemCallHandler189(); void SystemCallHandler190(); void SystemCallHandler191();
void SystemCallHandler192(); void SystemCallHandler193(); void SystemCallHandler194(); void SystemCallHandler195();
void SystemCallHandler196(); void SystemCallHandler197(); void SystemCallHandler198(); void SystemCallHandler199();
void SystemCallHandler200(); void SystemCallHandler201(); void SystemCallHandler202(); void SystemCallHandler203();
void SystemCallHandler204(); void SystemCallHandler205(); void SystemCallHandler206(); void SystemCallHandler207();
void SystemCallHandler208(); void SystemCallHandler209(); void SystemCallHandler210(); void SystemCallHandler211();
void SystemCallHandler212(); void SystemCallHandler213(); void SystemCallHandler214(); void SystemCallHandler215();
void SystemCallHandler216(); void SystemCallHandler217(); void SystemCallHandler218(); void SystemCallHandler219();
void SystemCallHandler220(); void SystemCallHandler221(); void SystemCallHandler222(); void SystemCallHandler223();
void SystemCallHandler224(); void SystemCallHandler225(); void SystemCallHandler226(); void SystemCallHandler227();
void SystemCallHandler228(); void SystemCallHandler229(); void SystemCallHandler230(); void SystemCallHandler231();
void SystemCallHandler232(); void SystemCallHandler233(); void SystemCallHandler234(); void SystemCallHandler235();
void SystemCallHandler236(); void SystemCallHandler237(); void SystemCallHandler238(); void SystemCallHandler239();
void SystemCallHandler240(); void SystemCallHandler241(); void SystemCallHandler242(); void SystemCallHandler243();
void SystemCallHandler244(); void SystemCallHandler245(); void SystemCallHandler246(); void SystemCallHandler247();
void SystemCallHandler248(); void SystemCallHandler249(); void SystemCallHandler250(); void SystemCallHandler251();
void SystemCallHandler252(); void SystemCallHandler253(); void SystemCallHandler254(); void SystemCallHandler255();
void SystemCallHandler256(); void SystemCallHandler257(); void SystemCallHandler258(); void SystemCallHandler259();
void SystemCallHandler260(); void SystemCallHandler261(); void SystemCallHandler262(); void SystemCallHandler263();
void SystemCallHandler264(); void SystemCallHandler265(); void SystemCallHandler266(); void SystemCallHandler267();
void SystemCallHandler268(); void SystemCallHandler269(); void SystemCallHandler270(); void SystemCallHandler271();
void SystemCallHandler272(); void SystemCallHandler273(); void SystemCallHandler274(); void SystemCallHandler275();
void SystemCallHandler276(); void SystemCallHandler277(); void SystemCallHandler278(); void SystemCallHandler279();
void SystemCallHandler280(); void SystemCallHandler281(); void SystemCallHandler282(); void SystemCallHandler283();
void SystemCallHandler284(); void SystemCallHandler285(); void SystemCallHandler286(); void SystemCallHandler287();
void SystemCallHandler288(); void SystemCallHandler289(); void SystemCallHandler290(); void SystemCallHandler291();
void SystemCallHandler292(); void SystemCallHandler293(); void SystemCallHandler294();



// XXX
// SystemCallHandler macro depends on the size of this structure and the offset of the OriginalFunction!

extern struct _ZwCalls
{
	PCHAR			ZwName;				// System call name
	USHORT			ZwNameLength;		// System call name length
	USHORT			ServiceIDNumber;	// System call index (filled in at runtime)
	PULONG_PTR		HookFunction;		// Address of the hijacking function (function that will be called instead of the original system call)
	PULONG_PTR		OriginalFunction;	// PlaceHolder for the address of the original syscall address
	BOOLEAN			Hijacked;			// Flag indicating whether we already hijacked this system call
										// or whether this is a special system service that needs to be hijacked initially
};

extern struct _ZwCalls ZwCalls[];


#define	ZW_ADD_ATOM_INDEX				 8

#define	ZW_ADJUST_TOKEN_INDEX			12

#define	ZW_CONNECT_PORT_INDEX			33

#define	ZW_CREATE_DIRECTORYOBJECT_INDEX	36
#define	ZW_CREATE_EVENT_INDEX			37
#define	ZW_CREATE_EVENT_PAIR_INDEX		38
#define	ZW_CREATE_FILE_INDEX			39

#define	ZW_CREATE_JOBOBJECT_INDEX		41

#define	ZW_CREATE_KEY_INDEX				43

#define	ZW_CREATE_MAILSLOTFILE_INDEX	45
#define	ZW_CREATE_MUTANT_INDEX			46
#define	ZW_CREATE_NAMEDPIPEFILE_INDEX	47

#define	ZW_CREATE_PORT_INDEX			49
#define	ZW_CREATE_PROCESS_INDEX			50
#define	ZW_CREATE_PROCESSEX_INDEX		51

#define	ZW_CREATE_SECTION_INDEX			53
#define	ZW_CREATE_SEMAPHORE_INDEX		54
#define	ZW_CREATE_SYMLINK_INDEX			55
#define	ZW_CREATE_THREAD_INDEX			56
#define	ZW_CREATE_TIMER_INDEX			57
#define	ZW_CREATE_TOKEN_INDEX			58
#define	ZW_CREATE_WAITPORT_INDEX		59
#define	ZW_DEBUG_ACTIVEPROCESS_INDEX	60

#define	ZW_DELETE_FILE_INDEX			66
#define	ZW_DELETE_KEY_INDEX				67

#define	ZW_FIND_ATOM_INDEX				81

#define	ZW_LOAD_DRIVER_INDEX			103

#define	ZW_MAPVIEW_SECTION_INDEX		115

#define	ZW_OPEN_DIRECTORYOBJECT_INDEX	121
#define	ZW_OPEN_EVENT_INDEX				122
#define	ZW_OPEN_EVENT_PAIR_INDEX		123
#define	ZW_OPEN_FILE_INDEX				124

#define	ZW_OPEN_JOBOBJECT_INDEX			126
#define	ZW_OPEN_KEY_INDEX				127

#define	ZW_OPEN_MUTANT_INDEX			129

#define	ZW_OPEN_PROCESS_INDEX			131

#define	ZW_OPEN_SECTION_INDEX			134
#define	ZW_OPEN_SEMAPHORE_INDEX			135
#define	ZW_OPEN_SYMLINK_INDEX			136
#define	ZW_OPEN_THREAD_INDEX			137

#define	ZW_OPEN_TIMER_INDEX				140

#define	ZW_QUERY_ATTRIBUTES_FILE_INDEX	148

#define	ZW_QUERY_DIRECTORYFILE_INDEX	154

#define	ZW_QUERY_FULLATTR_FILE_INDEX	159

#define	ZW_QUERY_VALUE_KEY_INDEX		189

#define	ZW_SECURECONNECT_PORT_INDEX		223

#define	ZW_SET_INFO_FILE_INDEX			238

#define	ZW_SET_INFO_TOKEN_INDEX			244

#define	ZW_SET_LDT_ENTRIES_INDEX		247

#define	ZW_SET_SYSTEM_INFORMATION_INDEX	254

#define	ZW_SET_SYSTEM_TIME_INDEX		256

#define	ZW_SET_TIMER_RESOLUTION_INDEX	259

#define	ZW_SET_VALUE_KEY_INDEX			261

#define	ZW_UNLOAD_DRIVER_INDEX			276

#define	ZW_VDM_CONTROL_INDEX			283


/*
 * make sure we don't try to unload the driver while a system call is in progress
 * still not atomic but we shouldn't be unloading this driver in any case
 */

#if DBG

extern int	HookedRoutineRunning;
#define	HOOK_ROUTINE_ENTER()			NTSTATUS rc; ACTION_TYPE Action; InterlockedIncrement(&HookedRoutineRunning);
#define	HOOK_ROUTINE_EXIT(status)		{ InterlockedDecrement(&HookedRoutineRunning); return ((status)); }

extern int	HookedTDIRunning;
#define	HOOK_TDI_ENTER()			NTSTATUS rc; ACTION_TYPE Action; InterlockedIncrement(&HookedTDIRunning);
#define	HOOK_TDI_ENTER_NORC()		InterlockedIncrement(&HookedTDIRunning);
#define	HOOK_TDI_EXIT(status)		{ InterlockedDecrement(&HookedTDIRunning); return ((status)); }


#else


#define	HOOK_ROUTINE_ENTER()			NTSTATUS rc; ACTION_TYPE Action; 
#define	HOOK_ROUTINE_EXIT(status)		{ return ((status)); }

#define	HOOK_TDI_ENTER()			NTSTATUS rc; ACTION_TYPE Action;
#define	HOOK_TDI_ENTER_NORC()		
#define	HOOK_TDI_EXIT(status)		{ return ((status)); }

#endif


/*
 * Various macros used by most of the hooking routines
 */

#define	POLICY_CHECK_OPTYPE_NAME(OBJECTTYPE, OPTYPE)								\
	while (KeGetPreviousMode() == UserMode) {										\
		UCHAR			OpType = (OPTYPE);											\
		PWSTR			PolicyFilename = NULL;										\
		USHORT			PolicyLinenumber = 0;										\
		UCHAR			RuleNumber = 0;												\
		LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));						\
		Action = PolicyCheck(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OpType, &RuleNumber, &PolicyFilename, &PolicyLinenumber);\
		if (Action & ACTION_ASK)													\
		{																			\
			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: (ask) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
			/*XXX GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS);*/	\
			Action = IssueUserlandAskUserRequest(RULE_##OBJECTTYPE, OpType, OBJECTTYPE##NAME);	\
		}																			\
		if ((Action & ACTION_QUIETDENY) == ACTION_QUIETDENY)						\
		{																			\
			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: quitely denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
			HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );								\
		}																			\
		else if (Action & ACTION_DENY)												\
		{																			\
			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));	\
			LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action,				\
			  GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
			HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );								\
		}																			\
		else if (Action & ACTION_LOG)												\
		{																			\
			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: (log) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
			LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action,				\
			  GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
		}																			\
		break;																		\
	}


#define	POLICY_CHECK_OPTYPE(OBJECTTYPE, OPTYPE)										\
	if (KeGetPreviousMode() == UserMode && GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS) )\
	{																				\
		UCHAR			OpType = (OPTYPE);											\
		PWSTR			PolicyFilename = NULL;										\
		USHORT			PolicyLinenumber = 0;										\
		UCHAR			RuleNumber = 0;												\
		LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));						\
		Action = PolicyCheck(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OpType, &RuleNumber, &PolicyFilename, &PolicyLinenumber);\
		if (Action & ACTION_ASK)													\
		{																			\
			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: (ask) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
			GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS);	\
			Action = IssueUserlandAskUserRequest(RULE_##OBJECTTYPE, OpType, OBJECTTYPE##NAME);	\
		}																			\
		if ((Action & ACTION_QUIETDENY) == ACTION_QUIETDENY)						\
		{																			\
			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: quitely denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
			HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );								\
		}																			\
		else if (Action & ACTION_DENY)												\
		{																			\
			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));	\
			GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS);	\
			LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action,				\
			  GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
			HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );								\
		}																			\
		else if (Action & ACTION_LOG)												\
		{																			\
			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: (log) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
			GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS);	\
			LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action,				\
			  GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
		}																			\
	}


#define	POLICY_CHECK(OBJECTTYPE)	POLICY_CHECK_OPTYPE(OBJECTTYPE, Get_##OBJECTTYPE##_OperationType(DesiredAccess))



#define	HOOK_ROUTINE_START_OPTYPE(OBJECTTYPE, OPTYPE)										\
	CHAR		OBJECTTYPE##NAME[MAX_PATH];													\
	HOOK_ROUTINE_ENTER();																	\
	if (LearningMode == FALSE)																\
	{																						\
		POLICY_CHECK_OPTYPE(OBJECTTYPE, OPTYPE);											\
	}


#define	HOOK_ROUTINE_START(OBJECTTYPE)	HOOK_ROUTINE_START_OPTYPE(OBJECTTYPE, Get_##OBJECTTYPE##_OperationType(DesiredAccess))


#define	HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE, OBJECTNAME, OPTYPE)								\
	if (LearningMode == TRUE /*&& NT_SUCCESS(rc)*/)															\
	{																										\
		if (OBJECTNAME)																						\
		{																									\
			AddRule(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OPTYPE);											\
		}																									\
		else																								\
		{																									\
			/*LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: GetPathFromOA() failed. status=%x\n", (ULONG) PsGetCurrentProcessId(), FunctionName, rc));*/	\
		}																									\
	}																										\
	HOOK_ROUTINE_EXIT(rc);


#define	HOOK_ROUTINE_FINISH_OPTYPE(OBJECTTYPE, OPTYPE)												\
		HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE,											\
											  GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS),	\
											  OPTYPE)

#define	HOOK_ROUTINE_FINISH(OBJECTTYPE)																\
		HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE,											\
											  GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS),	\
											  Get_##OBJECTTYPE##_OperationType(DesiredAccess))



//#define	USE_DEFAULT_HOOK_FUNCTION	NULL


extern PCHAR	NTDLL_Base;
extern int		ZwCallsNumber;


PVOID	HookSystemService(PVOID OldService, PVOID NewService);
PVOID	HookSystemServiceByIndex(ULONG ServiceIDNumber, PVOID NewService);
BOOLEAN	HookSystemServiceByName(PCHAR ServiceName, PULONG_PTR HookFunction);

BOOLEAN	InitSyscallsHooks();
BOOLEAN	InstallSyscallsHooks();
void	RemoveSyscallsHooks();

int		FindZwFunctionIndex(PCSTR Name);
PVOID	FindFunctionBase(PCHAR ImageBase, PCSTR Name);
ULONG	FindSystemServiceNumber(PCHAR ServiceName);


#endif	/* __HOOKPROC_H__ */