I recently studied native APIs and made some notes, which may be useful in the future.
First, you have to understand what native APIs are.
I prefer to understand it this way:
"Native API" can be translated literally as "native (original) API".
For example, when your application calls a Win32 API such as ReadFile, ReadFile in turn calls NtReadFile, which is exported by ntdll.dll; ntdll.dll then transfers control to the kernel's NtReadFile routine. This NtReadFile is what is called the native API.
Note: NtReadFile is an undocumented routine of the operating system, so it is not suitable for calling directly from applications.
In fact, the native API is very powerful, and experts online have also published ways to use the native API from ring 3.
Call method 1 (general):
Step 1: declare a function pointer
For example, if we need to call the NtCreateFile function, we declare a function pointer type that matches the definition of NtCreateFile (this keeps the compiler happy):
typedef NTSTATUS (NTAPI *MyNtCreateFile)(        // NTAPI = __stdcall; without it the stack is corrupted on return
    OUT PHANDLE            FileHandle,
    IN  ACCESS_MASK        DesiredAccess,
    IN  POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK   IoStatusBlock,        // declared in winternl.h; PVOID also works if that header is not included
    IN  PLARGE_INTEGER     AllocationSize OPTIONAL,
    IN  ULONG              FileAttributes,
    IN  ULONG              ShareAccess,
    IN  ULONG              CreateDisposition,
    IN  ULONG              CreateOptions,
    IN  PVOID              EaBuffer OPTIONAL,
    IN  ULONG              EaLength
);
MyNtCreateFile myNtCreateFileFun;
Step 2: obtain the native API's address in ntdll.dll
myNtCreateFileFun = (MyNtCreateFile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateFile");
Step 3: call the native API through the pointer to complete the function
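The three steps carried through as one complete program, added here as an example and not code from the original notes. It assumes the Windows SDK's winternl.h for the NT structures, resolves NtCreateFile from the ntdll.dll already mapped in the process, and builds the arguments that Win32 would otherwise build for us. One practical detail the steps above leave out: NtCreateFile does not accept DOS paths, so the helper dos_to_nt_path converts "C:\dir\file" into the NT object name "\??\C:\dir\file" first. That helper is plain C and is the only part that runs on non-Windows systems; the demo path in main is constructed.

```c
/* Added example: calling the native API NtCreateFile from ring 3.
 * Builds with MSVC or MinGW; the NT path helper below is portable. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* NtCreateFile only understands NT-style object names ("\??\C:\dir\file"),
 * not DOS paths.  Returns 0 on success, -1 if the input is not an absolute
 * "X:\..." path or the output buffer is too small. */
int dos_to_nt_path(const wchar_t *dos, wchar_t *out, size_t out_len)
{
    static const wchar_t prefix[] = L"\\??\\";
    size_t need;
    if (dos == NULL || out == NULL) return -1;
    if (!((dos[0] >= L'A' && dos[0] <= L'Z') || (dos[0] >= L'a' && dos[0] <= L'z')) ||
        dos[1] != L':' || dos[2] != L'\\')
        return -1;                                    /* require "X:\" */
    need = (sizeof prefix / sizeof prefix[0]) - 1 + wcslen(dos) + 1;
    if (need > out_len) return -1;
    wcscpy(out, prefix);
    wcscat(out, dos);
    return 0;
}

/* Convenience check: 1 if dos converts to exactly expected, else 0. */
int nt_path_equals(const wchar_t *dos, const wchar_t *expected)
{
    wchar_t buf[64];
    if (dos_to_nt_path(dos, buf, sizeof buf / sizeof buf[0]) != 0) return 0;
    return wcscmp(buf, expected) == 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* Step 1: a function pointer typed like NtCreateFile.  NTAPI (__stdcall) is
 * essential; the seventh parameter is ShareAccess. */
typedef NTSTATUS (NTAPI *MyNtCreateFile)(
    PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes,
    ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions,
    PVOID EaBuffer, ULONG EaLength);

/* Opens or creates dos_path through NtCreateFile and returns the NTSTATUS;
 * on success *out_handle receives the file handle. */
NTSTATUS open_with_native_api(const wchar_t *dos_path, HANDLE *out_handle)
{
    wchar_t nt_path[MAX_PATH + 8];
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    MyNtCreateFile pNtCreateFile;

    if (dos_to_nt_path(dos_path, nt_path, sizeof nt_path / sizeof nt_path[0]) != 0)
        return (NTSTATUS)0xC000000DL;                 /* STATUS_INVALID_PARAMETER */

    /* Step 2: resolve the export from ntdll.dll (always loaded, never unloaded) */
    pNtCreateFile = (MyNtCreateFile)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtCreateFile");
    if (pNtCreateFile == NULL)
        return (NTSTATUS)0xC0000139L;                 /* STATUS_ENTRYPOINT_NOT_FOUND */

    /* Step 3: fill the UNICODE_STRING and OBJECT_ATTRIBUTES, then call */
    name.Buffer        = nt_path;
    name.Length        = (USHORT)(wcslen(nt_path) * sizeof(wchar_t));
    name.MaximumLength = (USHORT)(name.Length + sizeof(wchar_t));
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);

    return pNtCreateFile(out_handle, FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE,
                         &oa, &iosb, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                         FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
}

int main(void)
{
    HANDLE h = NULL;
    /* constructed demo path; any writable location will do */
    NTSTATUS st = open_with_native_api(L"C:\\Windows\\Temp\\native_api_demo.txt", &h);
    printf("NtCreateFile returned 0x%08lX\n", (unsigned long)st);
    if (st >= 0) CloseHandle(h);                      /* NT_SUCCESS: status is non-negative */
    return 0;
}
#endif
```

Because the pointer is typed with NTAPI, the compiler emits a __stdcall call and the callee cleans the stack; declaring it without that calling convention compiles but leaves the stack unbalanced after the call, which is the same stack-balance concern that applies to hook functions later in these notes.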
Hooking a native API is the same as hooking any other API function! There are several hook methods, such as IAT hooking and inline hooking.
The implementation idea is as follows:
Here we use the ZwWriteFile function as an example. The code is listed below. Hard-coded bytes are used here; the Detours library could be used instead.
7c92df7e > B8 12010000   mov eax, 112                    ; ZwWriteFile
7c92df83   BA 0003FE7F   mov edx, 7FFE0300
7c92df88   FF12          call dword ptr ds:[edx]         ; ntdll.KiFastSystemCall
7c92df8a   C2 2400       retn 24
The basic idea of the hook is to modify bytes 5 to 12 at the function entry, i.e. these two instructions:
7c92df83   BA 0003FE7F   mov edx, 7FFE0300
7c92df88   FF12          call dword ptr ds:[edx]         ; ntdll.KiFastSystemCall
into:
mov edx, [address of your own hook function]
call edx
The modified code is as follows:
7c92df7e > B8 12010000   mov eax, 112                    ; ZwWriteFile
7c92df83   BA XXXXXXXX   mov edx, XXXXXXXX               ; XXXXXXXX is the address of the hook function, defined in your DLL
7c92df88   FFD2          call edx                        ; call your hook function
7c92df8a   C2 2400       retn 24
Pay attention to stack balance in your own hook function!
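Seen from the other side, the patch above has a fixed shape, which makes it easy to detect. The following is an added example (not code from the original notes) of the integrity check a defender or a self-protecting application can run over the first bytes of an ntdll Zw*/Nt* stub: it reports whether the stub still has the 32-bit XP-era layout shown above (mov eax,N / mov edx,7FFE0300h / call [edx] / retn N), or whether bytes 5 to 11 now read "mov edx,imm32 / call edx", in which case it also extracts the address the hook transfers to. The byte arrays are constructed samples, not bytes read from a live process.

```c
/* Added example: classify the entry bytes of a 32-bit ntdll system-call stub.
 * Layout assumed (the one shown in the listing above):
 *   B8 imm32        mov eax, <service number>   offsets 0..4
 *   BA 00 03 FE 7F  mov edx, 7FFE0300h          offsets 5..9
 *   FF 12           call dword ptr [edx]        offsets 10..11
 *   C2 imm16        retn <n>                    offsets 12..14 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN 15

enum stub_state { STUB_INTACT = 0, STUB_HOOKED_CALL_EDX = 1, STUB_UNKNOWN = 2 };

/* read a little-endian 32-bit immediate */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the first STUB_LEN bytes at p.  For an intact stub *imm receives
 * the service number; for the "mov edx, imm32 / call edx" patch it receives
 * the hook address (the XXXXXXXX in the listing above). */
enum stub_state classify_stub(const unsigned char *p, size_t n, uint32_t *imm)
{
    static const unsigned char original_tail[7] = { 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12 };

    if (p == NULL || n < STUB_LEN || p[0] != 0xB8 || p[12] != 0xC2)
        return STUB_UNKNOWN;                 /* not a shape we know how to judge */
    if (memcmp(p + 5, original_tail, sizeof original_tail) == 0) {
        if (imm) *imm = le32(p + 1);
        return STUB_INTACT;
    }
    if (p[5] == 0xBA && p[10] == 0xFF && p[11] == 0xD2) {   /* mov edx, imm32 ; call edx */
        if (imm) *imm = le32(p + 6);
        return STUB_HOOKED_CALL_EDX;
    }
    return STUB_UNKNOWN;                     /* patched in some other way */
}

/* The immediate classify_stub extracts, or 0 when the stub is unrecognised. */
uint32_t stub_immediate(const unsigned char *p, size_t n)
{
    uint32_t imm = 0;
    if (classify_stub(p, n, &imm) == STUB_UNKNOWN) return 0;
    return imm;
}

/* Constructed samples: an untouched stub and one patched as described above. */
const unsigned char SAMPLE_INTACT[STUB_LEN] = {
    0xB8, 0x12, 0x01, 0x00, 0x00,            /* mov eax, 112h  (ZwWriteFile in the listing) */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,            /* mov edx, 7FFE0300h */
    0xFF, 0x12,                              /* call dword ptr [edx] */
    0xC2, 0x24, 0x00                         /* retn 24h */
};
const unsigned char SAMPLE_HOOKED[STUB_LEN] = {
    0xB8, 0x12, 0x01, 0x00, 0x00,
    0xBA, 0x00, 0x10, 0x00, 0x10,            /* mov edx, 10001000h (constructed hook address) */
    0xFF, 0xD2,                              /* call edx */
    0xC2, 0x24, 0x00
};

int main(void)
{
    static const char *names[] = { "intact", "hooked (mov edx / call edx)", "unknown" };
    printf("SAMPLE_INTACT: %s, imm=0x%X\n",
           names[classify_stub(SAMPLE_INTACT, STUB_LEN, NULL)],
           (unsigned)stub_immediate(SAMPLE_INTACT, STUB_LEN));
    printf("SAMPLE_HOOKED: %s, imm=0x%X\n",
           names[classify_stub(SAMPLE_HOOKED, STUB_LEN, NULL)],
           (unsigned)stub_immediate(SAMPLE_HOOKED, STUB_LEN));
    return 0;
}
```

The pattern is specific to the 32-bit ntdll of that era; later versions use different stubs (x64 ntdll, for instance, loads r10 and eax and executes syscall directly), so in practice the check is better done by comparing the in-memory stub against the same bytes in the on-disk ntdll.dll image rather than against a hard-coded layout. Whatever the reference, an unexpected "call edx" or jump at offset 5 of a system-call stub is the tell-tale of exactly the patch described in these notes.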