From 6d6533f9473815d79590b6bf5ca20e076e846cfc Mon Sep 17 00:00:00 2001 From: flux <49762827+0xflux@users.noreply.github.com> Date: Thu, 16 Jan 2025 20:17:30 +0000 Subject: [PATCH] Add function hook callback frame --- injected_dll/src/lib.rs | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/injected_dll/src/lib.rs b/injected_dll/src/lib.rs index aaa4ad7..41229ef 100644 --- a/injected_dll/src/lib.rs +++ b/injected_dll/src/lib.rs @@ -1,4 +1,6 @@ -use windows::{Win32::UI::WindowsAndMessaging::{MessageBoxA, MB_OK}, Win32::System::SystemServices::*,}; +use std::{arch::asm, ffi::c_void}; + +use windows::Win32::{Foundation::HANDLE, System::SystemServices::*, UI::WindowsAndMessaging::{MessageBoxA, MB_OK}}; use windows::core::s; #[unsafe(no_mangle)] @@ -16,4 +18,20 @@ fn attach() { unsafe { MessageBoxA(None, s!("Hello from Rust DLL"), s!("Hello from Rust DLL"), MB_OK); } +} + + +/// Injected DLL routine for examining the arguments passed to ZwOpenProcess and NtOpenProcess from +/// any process this DLL is injected into. +#[unsafe(no_mangle)] +unsafe extern "system" fn open_process( + process_handle: HANDLE, + desired_access: u32, + // We do not care for now about the OA + _: *mut c_void, + // We do not care for now about the client id + _: *mut c_void, +) { + // start off by causing a break in the injected process indicating we successfully called our function! + unsafe {asm!("int3")}; } \ No newline at end of file
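Review bot: The first parameter of `open_process` is declared `process_handle: HANDLE`, but Nt/ZwOpenProcess take `PHANDLE ProcessHandle` — an out-pointer the kernel writes the opened handle into — so anything that later treats this argument as a handle value would really be holding a pointer; `process_handle: *mut HANDLE` matches the documented ABI. The function also returns `()` while the hooked routine returns an NTSTATUS, so if the detour ever transfers control here without the trampoline supplying the original's status the caller gets whatever is left in RAX; whether the trampoline handles that is not visible in this hunk, so it is worth stating in the doc comment. Separately, `asm!("int3")` raises STATUS_BREAKPOINT inside the host process, and with no debugger attached to the injected target that exception is very likely unhandled and kills the process, so the break should be removed or gated before the hook is enabled, e.g. `#[cfg(debug_assertions)] unsafe { asm!("int3") };`. As an `unsafe fn` it should also carry a `# Safety` section in the doc comment stating what the caller must guarantee (invoked only from the hook with the NtOpenProcess argument layout).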