mrexodia / TitanHide

Hiding kernel-driver for x86/x64.


NtCreateFile UNEXPECTED_KERNEL_MODE_TRAP

ironxu opened this issue · comments

hooks.cpp

// Install the NtCreateFile hook through the driver's SSDT helper and count it
// only when a non-null hook handle comes back.
// NOTE(review): once this succeeds, HookNtCreateFile presumably sits on the
// system-service path for NtCreateFile, so anything it reaches that issues
// ZwCreateFile itself (file-backed logging included) would re-enter the hook.
// Confirm against the handler, which is not shown here.
hNtCreateFile = SSDT::Hook("NtCreateFile", (void*)HookNtCreateFile);
if (hNtCreateFile)
{
    ++hook_count;
}

undocumented.h

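// Declaration of the driver's NtCreateFile wrapper. The definition in
// undocumented.cpp is qualified as Undocumented::NtCreateFile and forwards all
// eleven arguments unchanged to the resolved kernel routine.
// The SAL annotations are spelled out in full; the page rendering had stripped
// their underscores (for example "_Out_" appeared as "Out").
static NTSTATUS NTAPI NtCreateFile(
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_opt_ PLARGE_INTEGER AllocationSize,
    _In_ ULONG FileAttributes,
    _In_ ULONG ShareAccess,
    _In_ ULONG CreateDisposition,
    _In_ ULONG CreateOptions,
    _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
    _In_ ULONG EaLength);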

undocumented.cpp

// Cached pointer to the kernel's NtCreateFile routine; stays null until the
// resolution step below has run.
static NTCREATEFILE NtCF = 0;

// Fragment of UndocumentedInit, placed after the other exported kernel
// functions: resolve NtCreateFile by name once and fail initialization when
// the lookup returns nothing.
// MmGetSystemRoutineAddress returns the address of the kernel export, so a
// call through NtCF does not depend on the service-table entry that the hook
// replaces.
if (NtCF == 0)
{
    UNICODE_STRING exportName;
    RtlInitUnicodeString(&exportName, L"NtCreateFile");
    NtCF = (NTCREATEFILE)MmGetSystemRoutineAddress(&exportName);
    if (NtCF == 0)
    {
        return false;
    }
}

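// Forwards an NtCreateFile request, arguments untouched, to the routine that
// was resolved into NtCF, and returns its NTSTATUS.
//
// NtCF is not re-checked here: the wrapper relies on the resolution step in
// UndocumentedInit having succeeded before the first call.
//
// The SAL annotations are spelled out in full; the page rendering had stripped
// their underscores.
NTSTATUS NTAPI Undocumented::NtCreateFile(
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
    _In_opt_ PLARGE_INTEGER AllocationSize,
    _In_ ULONG FileAttributes,
    _In_ ULONG ShareAccess,
    _In_ ULONG CreateDisposition,
    _In_ ULONG CreateOptions,
    _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
    _In_ ULONG EaLength)
{
    // NOTE(review): this runs on every forwarded create. Log() is not shown
    // here; if it writes to a file through ZwCreateFile, that request is
    // dispatched via the hooked service entry and presumably ends up back in
    // this wrapper, recursing until the kernel stack is exhausted. The
    // resulting double fault is reported as UNEXPECTED_KERNEL_MODE_TRAP.
    // Confirm how Log() is implemented before keeping a log call on this path.
    Log("undocumented Ntcf:%p", NtCF);

    const NTSTATUS status = NtCF(
        FileHandle,
        DesiredAccess,
        ObjectAttributes,
        IoStatusBlock,
        AllocationSize,
        FileAttributes,
        ShareAccess,
        CreateDisposition,
        CreateOptions,
        EaBuffer,
        EaLength);
    return status;
}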