public static extern UInt32 LdrLoadDll(IntPtr PathToFile, NtDllSupport.LoadLibraryFlags dwFlags, ref NtDllSupport.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle);
// this is where we are intercepting all file accesses!
private uint LdrLoadDll_Hooked(IntPtr PathToFile, NtDllSupport.LoadLibraryFlags dwFlags, ref NtDllSupport.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
{
lock (sync_object) {
Console.WriteLine("Begin ---------------------LdrLoadDll(\"" + ModuleFileName + "\")");
preprocessHook();
TransferUnit transfer_unit = createTransferUnit();
transfer_unit["PathToFile"] = PathToFile;
transfer_unit["ModuleFileName"] = ModuleFileName.ToString();
transfer_unit["dwFlags"] = dwFlags;
// call original API through our Kernel32Support class
uint result = NtDllSupport.LdrLoadDll(PathToFile, dwFlags, ref ModuleFileName, ref ModuleHandle);
transfer_unit["ModuleHandle"] = ModuleHandle;
HookRegistry.checkHooksToInstall();
makeCallBack(transfer_unit);
Console.WriteLine("End -----------------------LdrLoadDll(\"" + ModuleFileName + "\")=");
return(result);
}
}