From 389bbb16738ae97a52c93260db31973a3e777535 Mon Sep 17 00:00:00 2001
From: Souhardya Sardar <24700571+Souhardya@users.noreply.github.com>
Date: Thu, 30 Dec 2021 07:49:25 +0530
Subject: [PATCH] Add files via upload

---
 HookPorts/Dispatch_NTDLL.cpp                  | 513 +++++++++++++++++
 HookPorts/Dispatch_NTDLL.h                    |   3 +
 HookPorts/Dispatch_NTDLL_LdrLoadDll.cpp       |  75 +++
 HookPorts/Dispatch_NTDLL_LdrLoadDll.h         |  18 +
 HookPorts/Dispatch_NTDLL_LdrUnloadDll.cpp     |  52 ++
 HookPorts/Dispatch_NTDLL_LdrUnloadDll.h       |  11 +
 ...Dispatch_NTDLL_NtAdjustPrivilegesToken.cpp | 258 +++++++++
 .../Dispatch_NTDLL_NtAdjustPrivilegesToken.h  |  80 +++
 ...Dispatch_NTDLL_NtAllocateVirtualMemory.cpp |  88 +++
 .../Dispatch_NTDLL_NtAllocateVirtualMemory.h  |  32 ++
 HookPorts/Dispatch_NTDLL_NtClose.cpp          |  68 +++
 HookPorts/Dispatch_NTDLL_NtClose.h            |  20 +
 HookPorts/Dispatch_NTDLL_NtConnectPort.cpp    |  96 ++++
 HookPorts/Dispatch_NTDLL_NtConnectPort.h      |  55 ++
 HookPorts/Dispatch_NTDLL_NtCreateEvent.cpp    |  81 +++
 HookPorts/Dispatch_NTDLL_NtCreateEvent.h      |  40 ++
 HookPorts/Dispatch_NTDLL_NtCreateFile.cpp     | 529 ++++++++++++++++++
 HookPorts/Dispatch_NTDLL_NtCreateFile.h       | 169 ++++++
 HookPorts/Dispatch_NTDLL_NtCreateKey.cpp      | 206 +++++++
 HookPorts/Dispatch_NTDLL_NtCreateKey.h        |  40 ++
 HookPorts/Dispatch_NTDLL_NtCreateMutant.cpp   | 135 +++++
 HookPorts/Dispatch_NTDLL_NtCreateMutant.h     |  28 +
 HookPorts/Dispatch_NTDLL_NtCreatePort.cpp     |  84 +++
 HookPorts/Dispatch_NTDLL_NtCreatePort.h       |  33 ++
 HookPorts/Dispatch_NTDLL_NtCreateProcess.cpp  |  92 +++
 HookPorts/Dispatch_NTDLL_NtCreateProcess.h    |  41 ++
 .../Dispatch_NTDLL_NtCreateProcessEx.cpp      | 100 ++++
 HookPorts/Dispatch_NTDLL_NtCreateProcessEx.h  |  44 ++
 HookPorts/Dispatch_NTDLL_NtCreateSection.cpp  |  89 +++
 HookPorts/Dispatch_NTDLL_NtCreateSection.h    |  37 ++
 .../Dispatch_NTDLL_NtCreateSemaphore.cpp      | 141 +++++
 HookPorts/Dispatch_NTDLL_NtCreateSemaphore.h  |  31 +
 HookPorts/Dispatch_NTDLL_NtCreateThread.cpp   | 113 ++++
 HookPorts/Dispatch_NTDLL_NtCreateThread.h     |  73 +++
 HookPorts/Dispatch_NTDLL_NtDeleteFile.cpp     |  65 +++
 HookPorts/Dispatch_NTDLL_NtDeleteFile.h       |  20 +
 HookPorts/Dispatch_NTDLL_NtDeleteKey.cpp      |  68 +++
 HookPorts/Dispatch_NTDLL_NtDeleteKey.h        |  20 +
 HookPorts/Dispatch_NTDLL_NtDeleteValueKey.cpp |  72 +++
 HookPorts/Dispatch_NTDLL_NtDeleteValueKey.h   |  23 +
 HookPorts/Dispatch_NTDLL_NtEnumerateKey.cpp   |  88 +++
 HookPorts/Dispatch_NTDLL_NtEnumerateKey.h     |  42 ++
 .../Dispatch_NTDLL_NtEnumerateValueKey.cpp    |  88 +++
 .../Dispatch_NTDLL_NtEnumerateValueKey.h      |  43 ++
 HookPorts/Dispatch_NTDLL_NtFsControlFile.cpp  | 104 ++++
 HookPorts/Dispatch_NTDLL_NtFsControlFile.h    |  62 ++
 .../Dispatch_NTDLL_NtGetContextThread.cpp     |  72 +++
 HookPorts/Dispatch_NTDLL_NtGetContextThread.h |  20 +
 HookPorts/Dispatch_NTDLL_NtLoadDriver.cpp     |  64 +++
 HookPorts/Dispatch_NTDLL_NtLoadDriver.h       |  19 +
 .../Dispatch_NTDLL_NtNotifyChangeKey.cpp      | 104 ++++
 HookPorts/Dispatch_NTDLL_NtNotifyChangeKey.h  |  49 ++
 ...patch_NTDLL_NtNotifyChangeMultipleKeys.cpp | 112 ++++
 ...ispatch_NTDLL_NtNotifyChangeMultipleKeys.h |  56 ++
 HookPorts/Dispatch_NTDLL_NtOpenEvent.cpp      |  73 +++
 HookPorts/Dispatch_NTDLL_NtOpenEvent.h        |  26 +
 HookPorts/Dispatch_NTDLL_NtOpenFile.cpp       | 302 ++++++++++
 HookPorts/Dispatch_NTDLL_NtOpenFile.h         |  37 ++
 HookPorts/Dispatch_NTDLL_NtOpenKey.cpp        |  76 +++
 HookPorts/Dispatch_NTDLL_NtOpenKey.h          |  28 +
 HookPorts/Dispatch_NTDLL_NtOpenMutant.cpp     | 129 +++++
 HookPorts/Dispatch_NTDLL_NtOpenMutant.h       |  25 +
 HookPorts/Dispatch_NTDLL_NtOpenProcess.cpp    | 114 ++++
 HookPorts/Dispatch_NTDLL_NtOpenProcess.h      |  48 ++
 HookPorts/Dispatch_NTDLL_NtOpenSection.cpp    |  92 +++
 HookPorts/Dispatch_NTDLL_NtOpenSection.h      |  48 ++
 HookPorts/Dispatch_NTDLL_NtOpenSemaphore.cpp  | 129 +++++
 HookPorts/Dispatch_NTDLL_NtOpenSemaphore.h    |  25 +
 HookPorts/Dispatch_NTDLL_NtOpenThread.cpp     | 161 ++++++
 HookPorts/Dispatch_NTDLL_NtOpenThread.h       |  45 ++
 .../Dispatch_NTDLL_NtProtectVirtualMemory.cpp |  80 +++
 .../Dispatch_NTDLL_NtProtectVirtualMemory.h   |  29 +
 .../Dispatch_NTDLL_NtQueryAttributesFile.cpp  | 137 +++++
 .../Dispatch_NTDLL_NtQueryAttributesFile.h    |  24 +
 .../Dispatch_NTDLL_NtQueryDirectoryFile.cpp   | 330 +++++++++++
 .../Dispatch_NTDLL_NtQueryDirectoryFile.h     | 149 +++++
 ...spatch_NTDLL_NtQueryFullAttributesFile.cpp | 136 +++++
 ...Dispatch_NTDLL_NtQueryFullAttributesFile.h |  32 ++
 .../Dispatch_NTDLL_NtQueryInformationFile.cpp | 116 ++++
 .../Dispatch_NTDLL_NtQueryInformationFile.h   | 163 ++++++
 ...spatch_NTDLL_NtQueryInformationProcess.cpp |  80 +++
 ...Dispatch_NTDLL_NtQueryInformationProcess.h |  75 +++
 ...ispatch_NTDLL_NtQueryInformationThread.cpp |  84 +++
 .../Dispatch_NTDLL_NtQueryInformationThread.h |  51 ++
 HookPorts/Dispatch_NTDLL_NtQueryKey.cpp       |  84 +++
 HookPorts/Dispatch_NTDLL_NtQueryKey.h         |  35 ++
 86 files changed, 7629 insertions(+)
 create mode 100644 HookPorts/Dispatch_NTDLL.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL.h
 create mode 100644 HookPorts/Dispatch_NTDLL_LdrLoadDll.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_LdrLoadDll.h
 create mode 100644 HookPorts/Dispatch_NTDLL_LdrUnloadDll.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_LdrUnloadDll.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtAdjustPrivilegesToken.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtAdjustPrivilegesToken.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtAllocateVirtualMemory.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtAllocateVirtualMemory.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtClose.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtClose.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtConnectPort.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtConnectPort.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateEvent.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateEvent.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateFile.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateFile.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateKey.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateKey.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateMutant.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateMutant.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreatePort.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreatePort.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateProcess.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateProcess.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateProcessEx.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateProcessEx.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateSection.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateSection.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateSemaphore.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateSemaphore.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateThread.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtCreateThread.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtDeleteFile.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtDeleteFile.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtDeleteKey.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtDeleteKey.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtDeleteValueKey.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtDeleteValueKey.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtEnumerateKey.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtEnumerateKey.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtEnumerateValueKey.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtEnumerateValueKey.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtFsControlFile.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtFsControlFile.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtGetContextThread.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtGetContextThread.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtLoadDriver.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtLoadDriver.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtNotifyChangeKey.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtNotifyChangeKey.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtNotifyChangeMultipleKeys.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtNotifyChangeMultipleKeys.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenEvent.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenEvent.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenFile.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenFile.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenKey.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenKey.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenMutant.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenMutant.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenProcess.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenProcess.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenSection.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenSection.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenSemaphore.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenSemaphore.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenThread.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtOpenThread.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtProtectVirtualMemory.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtProtectVirtualMemory.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryAttributesFile.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryAttributesFile.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryDirectoryFile.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryDirectoryFile.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryFullAttributesFile.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryFullAttributesFile.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryInformationFile.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryInformationFile.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryInformationProcess.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryInformationProcess.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryInformationThread.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryInformationThread.h
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryKey.cpp
 create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryKey.h

diff --git a/HookPorts/Dispatch_NTDLL.cpp b/HookPorts/Dispatch_NTDLL.cpp
new file mode 100644
index 0000000..80e2ff0
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL.cpp
@@ -0,0 +1,513 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL.h"
+#include "./InlineHook.h"
+#include "../Common/DebugLog.h"
+
+#include "./Dispatch_NTDLL_LdrLoadDll.h"
+#include "./Dispatch_NTDLL_LdrUnloadDll.h"
+#include "./Dispatch_NTDLL_NtAdjustPrivilegesToken.h"
+#include "./Dispatch_NTDLL_NtAllocateVirtualMemory.h"
+#include "./Dispatch_NTDLL_NtClose.h"
+#include "./Dispatch_NTDLL_NtConnectPort.h"
+#include "./Dispatch_NTDLL_NtCreateEvent.h"
+#include "./Dispatch_NTDLL_NtCreateFile.h"
+#include "./Dispatch_NTDLL_NtCreateKey.h"
+#include "./Dispatch_NTDLL_NtCreateMutant.h"
+#include "./Dispatch_NTDLL_NtCreatePort.h"
+#include "./Dispatch_NTDLL_NtCreateProcess.h"
+#include "./Dispatch_NTDLL_NtCreateProcessEx.h"
+#include "./Dispatch_NTDLL_NtCreateSection.h"
+#include "./Dispatch_NTDLL_NtCreateSemaphore.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtDeleteFile.h"
+#include "./Dispatch_NTDLL_NtDeleteKey.h"
+#include "./Dispatch_NTDLL_NtDeleteValueKey.h"
+#include "./Dispatch_NTDLL_NtEnumerateKey.h"
+#include "./Dispatch_NTDLL_NtEnumerateValueKey.h"
+#include "./Dispatch_NTDLL_NtFsControlFile.h"
+#include "./Dispatch_NTDLL_NtGetContextThread.h"
+#include "./Dispatch_NTDLL_NtLoadDriver.h"
+#include "./Dispatch_NTDLL_NtNotifyChangeKey.h"
+#include "./Dispatch_NTDLL_NtNotifyChangeMultipleKeys.h"
+#include "./Dispatch_NTDLL_NtOpenEvent.h"
+#include "./Dispatch_NTDLL_NtOpenFile.h"
+#include "./Dispatch_NTDLL_NtOpenKey.h"
+#include "./Dispatch_NTDLL_NtOpenMutant.h"
+#include "./Dispatch_NTDLL_NtOpenProcess.h"
+#include "./Dispatch_NTDLL_NtOpenSection.h"
+#include "./Dispatch_NTDLL_NtOpenSemaphore.h"
+#include "./Dispatch_NTDLL_NtOpenThread.h"
+#include "./Dispatch_NTDLL_NtProtectVirtualMemory.h"
+#include "./Dispatch_NTDLL_NtQueryAttributesFile.h"
+#include "./Dispatch_NTDLL_NtQueryDirectoryFile.h"
+#include "./Dispatch_NTDLL_NtQueryFullAttributesFile.h"
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+#include "./Dispatch_NTDLL_NtQueryInformationProcess.h"
+#include "./Dispatch_NTDLL_NtQueryInformationThread.h"
+#include "./Dispatch_NTDLL_NtQueryKey.h"
+#include "./Dispatch_NTDLL_NtQueryMultipleValueKey.h"
+#include "./Dispatch_NTDLL_NtQueryObject.h"
+#include "./Dispatch_NTDLL_NtQuerySystemInformation.h"
+#include "./Dispatch_NTDLL_NtQueryValueKey.h"
+#include "./Dispatch_NTDLL_NtReadFile.h"
+#include "./Dispatch_NTDLL_NtRenameKey.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtSaveKey.h"
+#include "./Dispatch_NTDLL_NtSecureConnectPort.h"
+#include "./Dispatch_NTDLL_NtSetInformationFile.h"
+#include "./Dispatch_NTDLL_NtSetInformationToken.h"
+#include "./Dispatch_NTDLL_NtSetSecurityObject.h"
+#include "./Dispatch_NTDLL_NtSetSystemInformation.h"
+#include "./Dispatch_NTDLL_NtSetValueKey.h"
+#include "./Dispatch_NTDLL_NtSystemDebugControl.h"
+#include "./Dispatch_NTDLL_NtWriteFile.h"
+#include "./Dispatch_NTDLL_NtWriteVirtualMemory.h"
+
+
+
+//
+//Global
+//
+BOOL bNTDLLPatched = FALSE;
+
+
+
+//
+//Dispatch_NTDLL Functions
+//
+int Dispatch_NTDLL_Start(void)
+{
+	//Return Value:
+	//-1 = error
+	//0 = patched
+	//1 = succeed
+
+	if( bNTDLLPatched == TRUE )
+	{
+		return 0;
+	}
+
+	HINSTANCE hNTDLL = NULL;
+	hNTDLL = LoadLibrary(L"ntdll.dll");
+
+	//
+	//Patch API
+	//
+
+	//LdrLoadDll
+	InlineHook(
+		(__pfnLdrLoadDll)GetProcAddress(hNTDLL,"LdrLoadDll"),
+		OnLdrLoadDll,
+		(void **)&pfnLdrLoadDll
+		);
+
+	//LdrUnloadDll
+	InlineHook(
+		(__pfnLdrUnloadDll)GetProcAddress(hNTDLL,"LdrUnloadDll"),
+		OnLdrUnloadDll,
+		(void **)&pfnLdrUnloadDll
+		);
+
+	//NtAdjustPrivilegesToken
+	InlineHook(
+		(__pfnNtAdjustPrivilegesToken)GetProcAddress(hNTDLL,"NtAdjustPrivilegesToken"),
+		OnNtAdjustPrivilegesToken,
+		(void **)&pfnNtAdjustPrivilegesToken
+		);
+
+	////NtAllocateVirtualMemory
+	//InlineHook(
+	//	(__pfnNtAllocateVirtualMemory)GetProcAddress(hNTDLL,"NtAllocateVirtualMemory"),
+	//	OnNtAllocateVirtualMemory,
+	//	(void **)&pfnNtAllocateVirtualMemory
+	//	);
+
+	//NtClose
+	InlineHook(
+		(__pfnNtClose)GetProcAddress(hNTDLL,"NtClose"),
+		OnNtClose,
+		(void **)&pfnNtClose
+		);
+
+	//NtConnectPort
+	InlineHook(
+		(__pfnNtConnectPort)GetProcAddress(hNTDLL,"NtConnectPort"),
+		OnNtConnectPort,
+		(void **)&pfnNtConnectPort
+		);
+
+	//NtCreateEvent
+	InlineHook(
+		(__pfnNtCreateEvent)GetProcAddress(hNTDLL,"NtCreateEvent"),
+		OnNtCreateEvent,
+		(void **)&pfnNtCreateEvent
+		);
+
+	//NtCreateFile
+	InlineHook(
+		(__pfnNtCreateFile)GetProcAddress(hNTDLL,"NtCreateFile"),
+		OnNtCreateFile,
+		(void **)&pfnNtCreateFile
+		);
+
+	//NtCreateKey
+	InlineHook(
+		(__pfnNtCreateKey)GetProcAddress(hNTDLL,"NtCreateKey"),
+		OnNtCreateKey,
+		(void **)&pfnNtCreateKey
+		);
+
+	////NtCreateMutant
+	//InlineHook(
+	//	(__pfnNtCreateMutant)GetProcAddress(hNTDLL,"NtCreateMutant"),
+	//	OnNtCreateMutant,
+	//	(void **)&pfnNtCreateMutant
+	//	);
+
+	//NtCreatePort
+	InlineHook(
+		(__pfnNtCreatePort)GetProcAddress(hNTDLL,"NtCreatePort"),
+		OnNtCreatePort,
+		(void **)&pfnNtCreatePort
+		);
+
+	//NtCreateProcess
+	InlineHook(
+		(__pfnNtCreateProcess)GetProcAddress(hNTDLL,"NtCreateProcess"),
+		OnNtCreateProcess,
+		(void **)&pfnNtCreateProcess
+		);
+
+	//NtCreateProcessEx
+	InlineHook(
+		(__pfnNtCreateProcessEx)GetProcAddress(hNTDLL,"NtCreateProcessEx"),
+		OnNtCreateProcessEx,
+		(void **)&pfnNtCreateProcessEx
+		);
+
+	//NtCreateSection
+	InlineHook(
+		(__pfnNtCreateSection)GetProcAddress(hNTDLL,"NtCreateSection"),
+		OnNtCreateSection,
+		(void **)&pfnNtCreateSection
+		);
+
+	////NtCreateSemaphore
+	//InlineHook(
+	//	(__pfnNtCreateSemaphore)GetProcAddress(hNTDLL,"NtCreateSemaphore"),
+	//	OnNtCreateSemaphore,
+	//	(void **)&pfnNtCreateSemaphore
+	//	);
+
+	//NtCreateThread
+	InlineHook(
+		(__pfnNtCreateThread)GetProcAddress(hNTDLL,"NtCreateThread"),
+		OnNtCreateThread,
+		(void **)&pfnNtCreateThread
+		);
+
+	//NtDeleteFile
+	InlineHook(
+		(__pfnNtDeleteFile)GetProcAddress(hNTDLL,"NtDeleteFile"),
+		OnNtDeleteFile,
+		(void **)&pfnNtDeleteFile
+		);
+
+	//NtDeleteKey
+	InlineHook(
+		(__pfnNtDeleteKey)GetProcAddress(hNTDLL,"NtDeleteKey"),
+		OnNtDeleteKey,
+		(void **)&pfnNtDeleteKey
+		);
+
+	//NtDeleteValueKey
+	InlineHook(
+		(__pfnNtDeleteValueKey)GetProcAddress(hNTDLL,"NtDeleteValueKey"),
+		OnNtDeleteValueKey,
+		(void **)&pfnNtDeleteValueKey
+		);
+
+	//NtEnumerateKey
+	InlineHook(
+		(__pfnNtEnumerateKey)GetProcAddress(hNTDLL,"NtEnumerateKey"),
+		OnNtEnumerateKey,
+		(void **)&pfnNtEnumerateKey
+		);
+
+	//NtEnumerateValueKey
+	InlineHook(
+		(__pfnNtEnumerateValueKey)GetProcAddress(hNTDLL,"NtEnumerateValueKey"),
+		OnNtEnumerateValueKey,
+		(void **)&pfnNtEnumerateValueKey
+		);
+
+	//NtFsControlFile
+	InlineHook(
+		(__pfnNtFsControlFile)GetProcAddress(hNTDLL,"NtFsControlFile"),
+		OnNtFsControlFile,
+		(void **)&pfnNtFsControlFile
+		);
+
+	////NtGetContextThread
+	//InlineHook(
+	//	(__pfnNtGetContextThread)GetProcAddress(hNTDLL,"NtGetContextThread"),
+	//	OnNtGetContextThread,
+	//	(void **)&pfnNtGetContextThread
+	//	);
+
+	//NtLoadDriver
+	InlineHook(
+		(__pfnNtLoadDriver)GetProcAddress(hNTDLL,"NtLoadDriver"),
+		OnNtLoadDriver,
+		(void **)&pfnNtLoadDriver
+		);
+
+	//NtNotifyChangeKey
+	InlineHook(
+		(__pfnNtNotifyChangeKey)GetProcAddress(hNTDLL,"NtNotifyChangeKey"),
+		OnNtNotifyChangeKey,
+		(void **)&pfnNtNotifyChangeKey
+		);
+
+	//NtNotifyChangeMultipleKeys
+	InlineHook(
+		(__pfnNtNotifyChangeMultipleKeys)GetProcAddress(hNTDLL,"NtNotifyChangeMultipleKeys"),
+		OnNtNotifyChangeMultipleKeys,
+		(void **)&pfnNtNotifyChangeMultipleKeys
+		);
+
+	//NtOpenEvent
+	InlineHook(
+		(__pfnNtOpenEvent)GetProcAddress(hNTDLL,"NtOpenEvent"),
+		OnNtOpenEvent,
+		(void **)&pfnNtOpenEvent
+		);
+
+	//NtOpenFile
+	InlineHook(
+		(__pfnNtOpenFile)GetProcAddress(hNTDLL,"NtOpenFile"),
+		OnNtOpenFile,
+		(void **)&pfnNtOpenFile
+		);
+
+	//NtOpenKey
+	InlineHook(
+		(__pfnNtOpenKey)GetProcAddress(hNTDLL,"NtOpenKey"),
+		OnNtOpenKey,
+		(void **)&pfnNtOpenKey
+		);
+
+	////NtOpenMutant
+	//InlineHook(
+	//	(__pfnNtOpenMutant)GetProcAddress(hNTDLL,"NtOpenMutant"),
+	//	OnNtOpenMutant,
+	//	(void **)&pfnNtOpenMutant
+	//	);
+
+	//NtOpenProcess
+	InlineHook(
+		(__pfnNtOpenProcess)GetProcAddress(hNTDLL,"NtOpenProcess"),
+		OnNtOpenProcess,
+		(void **)&pfnNtOpenProcess
+		);
+
+	//NtOpenSection
+	InlineHook(
+		(__pfnNtOpenSection)GetProcAddress(hNTDLL,"NtOpenSection"),
+		OnNtOpenSection,
+		(void **)&pfnNtOpenSection
+		);
+
+	////NtOpenSemaphore
+	//InlineHook(
+	//	(__pfnNtOpenSemaphore)GetProcAddress(hNTDLL,"NtOpenSemaphore"),
+	//	OnNtOpenSemaphore,
+	//	(void **)&pfnNtOpenSemaphore
+	//	);
+
+	//NtOpenThread
+	InlineHook(
+		(__pfnNtOpenThread)GetProcAddress(hNTDLL,"NtOpenThread"),
+		OnNtOpenThread,
+		(void **)&pfnNtOpenThread
+		);
+
+	////NtProtectVirtualMemory
+	//InlineHook(
+	//	(__pfnNtProtectVirtualMemory)GetProcAddress(hNTDLL,"NtProtectVirtualMemory"),
+	//	OnNtProtectVirtualMemory,
+	//	(void **)&pfnNtProtectVirtualMemory
+	//	);
+
+	//NtQueryAttributesFile
+	InlineHook(
+		(__pfnNtQueryAttributesFile)GetProcAddress(hNTDLL,"NtQueryAttributesFile"),
+		OnNtQueryAttributesFile,
+		(void **)&pfnNtQueryAttributesFile
+		);
+
+	//NtQueryDirectoryFile
+	InlineHook(
+		(__pfnNtQueryDirectoryFile)GetProcAddress(hNTDLL,"NtQueryDirectoryFile"),
+		OnNtQueryDirectoryFile,
+		(void **)&pfnNtQueryDirectoryFile
+		);
+
+	//NtQueryFullAttributesFile
+	InlineHook(
+		(__pfnNtQueryFullAttributesFile)GetProcAddress(hNTDLL,"NtQueryFullAttributesFile"),
+		OnNtQueryFullAttributesFile,
+		(void **)&pfnNtQueryFullAttributesFile
+		);
+
+	//NtQueryInformationFile
+	InlineHook(
+		(__pfnNtQueryInformationFile)GetProcAddress(hNTDLL,"NtQueryInformationFile"),
+		OnNtQueryInformationFile,
+		(void **)&pfnNtQueryInformationFile
+		);
+
+	//NtQueryInformationProcess
+	InlineHook(
+		(__pfnNtQueryInformationProcess)GetProcAddress(hNTDLL,"NtQueryInformationProcess"),
+		OnNtQueryInformationProcess,
+		(void **)&pfnNtQueryInformationProcess
+		);
+
+	//NtQueryInformationThread
+	InlineHook(
+		(__pfnNtQueryInformationThread)GetProcAddress(hNTDLL,"NtQueryInformationThread"),
+		OnNtQueryInformationThread,
+		(void **)&pfnNtQueryInformationThread
+		);
+
+	//NtQueryKey
+	InlineHook(
+		(__pfnNtQueryKey)GetProcAddress(hNTDLL,"NtQueryKey"),
+		OnNtQueryKey,
+		(void **)&pfnNtQueryKey
+		);
+
+	//NtQueryMultipleValueKey
+	InlineHook(
+		(__pfnNtQueryMultipleValueKey)GetProcAddress(hNTDLL,"NtQueryMultipleValueKey"),
+		OnNtQueryMultipleValueKey,
+		(void **)&pfnNtQueryMultipleValueKey
+		);
+
+	//NtQueryObject
+	InlineHook(
+		(__pfnNtQueryObject)GetProcAddress(hNTDLL,"NtQueryObject"),
+		OnNtQueryObject,
+		(void **)&pfnNtQueryObject
+		);
+
+	//NtQuerySystemInformation
+	InlineHook(
+		(__pfnNtQuerySystemInformation)GetProcAddress(hNTDLL,"NtQuerySystemInformation"),
+		OnNtQuerySystemInformation,
+		(void **)&pfnNtQuerySystemInformation
+		);
+
+	//NtQueryValueKey
+	InlineHook(
+		(__pfnNtQueryValueKey)GetProcAddress(hNTDLL,"NtQueryValueKey"),
+		OnNtQueryValueKey,
+		(void **)&pfnNtQueryValueKey
+		);
+
+	//NtReadFile
+	InlineHook(
+		(__pfnNtReadFile)GetProcAddress(hNTDLL,"NtReadFile"),
+		OnNtReadFile,
+		(void **)&pfnNtReadFile
+		);
+
+	//NtRenameKey
+	InlineHook(
+		(__pfnNtRenameKey)GetProcAddress(hNTDLL,"NtRenameKey"),
+		OnNtRenameKey,
+		(void **)&pfnNtRenameKey
+		);
+
+	//NtResumeThread
+	InlineHook(
+		(__pfnNtResumeThread)GetProcAddress(hNTDLL,"NtResumeThread"),
+		OnNtResumeThread,
+		(void **)&pfnNtResumeThread
+		);
+
+	//NtSaveKey
+	InlineHook(
+		(__pfnNtSaveKey)GetProcAddress(hNTDLL,"NtSaveKey"),
+		OnNtSaveKey,
+		(void **)&pfnNtSaveKey
+		);
+
+	//NtSecureConnectPort
+	InlineHook(
+		(__pfnNtSecureConnectPort)GetProcAddress(hNTDLL,"NtSecureConnectPort"),
+		OnNtSecureConnectPort,
+		(void **)&pfnNtSecureConnectPort
+		);
+
+	//NtSetInformationFile
+	InlineHook(
+		(__pfnNtSetInformationFile)GetProcAddress(hNTDLL,"NtSetInformationFile"),
+		OnNtSetInformationFile,
+		(void **)&pfnNtSetInformationFile
+		);
+
+	//NtSetInformationToken
+	InlineHook(
+		(__pfnNtSetInformationToken)GetProcAddress(hNTDLL,"NtSetInformationToken"),
+		OnNtSetInformationToken,
+		(void **)&pfnNtSetInformationToken
+		);
+
+	//NtSetSecurityObject
+	InlineHook(
+		(__pfnNtSetSecurityObject)GetProcAddress(hNTDLL,"NtSetSecurityObject"),
+		OnNtSetSecurityObject,
+		(void **)&pfnNtSetSecurityObject
+		);
+
+	//NtSetSystemInformation
+	InlineHook(
+		(__pfnNtSetSystemInformation)GetProcAddress(hNTDLL,"NtSetSystemInformation"),
+		OnNtSetSystemInformation,
+		(void **)&pfnNtSetSystemInformation
+		);
+
+	//NtSetValueKey
+	InlineHook(
+		(__pfnNtSetValueKey)GetProcAddress(hNTDLL,"NtSetValueKey"),
+		OnNtSetValueKey,
+		(void **)&pfnNtSetValueKey
+		);
+
+	//NtSystemDebugControl
+	InlineHook(
+		(__pfnNtSystemDebugControl)GetProcAddress(hNTDLL,"NtSystemDebugControl"),
+		OnNtSystemDebugControl,
+		(void **)&pfnNtSystemDebugControl
+		);
+
+	//NtWriteFile
+	InlineHook(
+		(__pfnNtWriteFile)GetProcAddress(hNTDLL,"NtWriteFile"),
+		OnNtWriteFile,
+		(void **)&pfnNtWriteFile
+		);
+
+	//NtWriteVirtualMemory
+	InlineHook(
+		(__pfnNtWriteVirtualMemory)GetProcAddress(hNTDLL,"NtWriteVirtualMemory"),
+		OnNtWriteVirtualMemory,
+		(void **)&pfnNtWriteVirtualMemory
+		);
+
+	return 1;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL.h b/HookPorts/Dispatch_NTDLL.h
new file mode 100644
index 0000000..38141a6
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL.h
@@ -0,0 +1,3 @@
+#pragma once
+
+int Dispatch_NTDLL_Start(void);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_LdrLoadDll.cpp b/HookPorts/Dispatch_NTDLL_LdrLoadDll.cpp
new file mode 100644
index 0000000..1d1aa43
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_LdrLoadDll.cpp
@@ -0,0 +1,75 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_LdrLoadDll.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+
+
+
+//
+//Global
+//
+__pfnLdrLoadDll pfnLdrLoadDll = NULL;
+
+
+
+//
+//Dispatch_NTDLL_LdrLoadDll Functions
+//
+NTSTATUS
+NTAPI
+OnLdrLoadDll(
+  IN PWCHAR               PathToFile OPTIONAL,
+  IN ULONG                Flags OPTIONAL,
+  IN PUNICODE_STRING      ModuleFileName,
+  OUT PHANDLE             ModuleHandle )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnLdrLoadDll(
+			PathToFile,
+			Flags,
+			ModuleFileName,
+			ModuleHandle
+			);
+	}
+
+	nRet = pfnLdrLoadDll(
+		PathToFile,
+		Flags,
+		ModuleFileName,
+		ModuleHandle
+		);
+
+//	__try
+//	{
+//#ifdef Dbg
+//		WCHAR szDebugString[512] = {0};
+//		wsprintf(
+//			szDebugString,
+//			L"PathToFile=[%s]\r\nBuffer of ModuleFileName=[%s]",
+//			PathToFile,
+//			ModuleFileName->Buffer);
+//		DebugLog(DbgInfo,szDebugString);
+//#endif
+//
+//#ifdef Dbg
+//		DebugLog(DbgInfo,L"Called");
+//#endif
+//	}
+//	__except(EXCEPTION_EXECUTE_HANDLER)
+//	{
+//	}
+
+	return nRet;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_LdrLoadDll.h b/HookPorts/Dispatch_NTDLL_LdrLoadDll.h
new file mode 100644
index 0000000..485414e
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_LdrLoadDll.h
@@ -0,0 +1,18 @@
+#pragma once
+
+typedef NTSTATUS (NTAPI * __pfnLdrLoadDll)
+(
+	IN PWCHAR               PathToFile OPTIONAL,
+	IN ULONG                Flags OPTIONAL,
+	IN PUNICODE_STRING      ModuleFileName,
+	OUT PHANDLE             ModuleHandle );
+
+extern __pfnLdrLoadDll pfnLdrLoadDll;
+
+NTSTATUS
+NTAPI
+OnLdrLoadDll(
+	IN PWCHAR               PathToFile OPTIONAL,
+	IN ULONG                Flags OPTIONAL,
+	IN PUNICODE_STRING      ModuleFileName,
+	OUT PHANDLE             ModuleHandle );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_LdrUnloadDll.cpp b/HookPorts/Dispatch_NTDLL_LdrUnloadDll.cpp
new file mode 100644
index 0000000..5a4d14c
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_LdrUnloadDll.cpp
@@ -0,0 +1,52 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_LdrUnloadDll.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+
+
+
+//
+//Global
+//
+__pfnLdrUnloadDll pfnLdrUnloadDll = NULL;
+
+
+
+//
+//Dispatch_NTDLL_LdrUnloadDll Functions
+//
+NTSTATUS
+NTAPI
+OnLdrUnloadDll(
+	IN HANDLE               ModuleHandle )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnLdrUnloadDll(
+			ModuleHandle
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnLdrUnloadDll(
+		ModuleHandle
+		);
+
+//#ifdef Dbg
+//	DebugLog(DbgInfo,L"Called");
+//#endif
+
+	return nRet;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_LdrUnloadDll.h b/HookPorts/Dispatch_NTDLL_LdrUnloadDll.h
new file mode 100644
index 0000000..560a2a3
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_LdrUnloadDll.h
@@ -0,0 +1,11 @@
+#pragma once
+
+typedef NTSTATUS (NTAPI * __pfnLdrUnloadDll)
+(  IN HANDLE               ModuleHandle );
+
+extern __pfnLdrUnloadDll pfnLdrUnloadDll;
+
+NTSTATUS
+NTAPI
+OnLdrUnloadDll(
+	IN HANDLE               ModuleHandle );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtAdjustPrivilegesToken.cpp b/HookPorts/Dispatch_NTDLL_NtAdjustPrivilegesToken.cpp
new file mode 100644
index 0000000..97bcfa9
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtAdjustPrivilegesToken.cpp
@@ -0,0 +1,258 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtAdjustPrivilegesToken.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+
+
+//
+//Global
+//
+__pfnNtAdjustPrivilegesToken pfnNtAdjustPrivilegesToken = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtAdjustPrivilegesToken Functions
+//
+NTSTATUS
+NTAPI
+OnNtAdjustPrivilegesToken(
+	IN HANDLE               TokenHandle,
+	IN BOOLEAN              DisableAllPrivileges,
+	IN PTOKEN_PRIVILEGES    TokenPrivileges,
+	IN ULONG                PreviousPrivilegesLength,
+	OUT PTOKEN_PRIVILEGES   PreviousPrivileges OPTIONAL,
+	OUT PULONG              RequiredLength OPTIONAL)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtAdjustPrivilegesToken(
+			TokenHandle,
+			DisableAllPrivileges,
+			TokenPrivileges,
+			PreviousPrivilegesLength,
+			PreviousPrivileges,
+			RequiredLength
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if is enable Privileges request
+	//
+	BOOL bBypass = FALSE;
+
+	if( TokenPrivileges->PrivilegeCount == 1 )
+	{
+		if( TokenPrivileges->Privileges[0].Attributes == SE_PRIVILEGE_ENABLED || 
+			TokenPrivileges->Privileges[0].Attributes == SE_PRIVILEGE_ENABLED_BY_DEFAULT
+			)
+		{
+			LONG PrivilegeType = TokenPrivileges->Privileges[0].Luid.LowPart;
+
+			switch( PrivilegeType )
+			{
+				case SE_CREATE_TOKEN_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_ASSIGNPRIMARYTOKEN_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_LOCK_MEMORY_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_INCREASE_QUOTA_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_MACHINE_ACCOUNT_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_TCB_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_SECURITY_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_TAKE_OWNERSHIP_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_LOAD_DRIVER_PRIVILEGE:
+					{
+						bBypass = FALSE;
+					}break;
+
+				case SE_SYSTEM_PROFILE_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_SYSTEMTIME_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_PROF_SINGLE_PROCESS_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_INC_BASE_PRIORITY_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_CREATE_PAGEFILE_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_CREATE_PERMANENT_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_BACKUP_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_RESTORE_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_SHUTDOWN_PRIVILEGE:
+					{
+						bBypass = FALSE;
+					}break;
+
+				case SE_DEBUG_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_AUDIT_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_SYSTEM_ENVIRONMENT_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_CHANGE_NOTIFY_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_REMOTE_SHUTDOWN_PRIVILEGE:
+					{
+						bBypass = FALSE;
+					}break;
+
+				case SE_UNDOCK_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_SYNC_AGENT_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				case SE_ENABLE_DELEGATION_PRIVILEGE:
+					{
+						bBypass = TRUE;
+					}break;
+
+				default:
+					{
+						bBypass = FALSE;
+					}break;
+			}
+		}
+	}
+
+	//
+	//Check if bypass request
+	//
+	if( bBypass == FALSE )
+	{
+		nRet = STATUS_UNSUCCESSFUL;
+		return nRet;
+	}
+
+	//ULONG pri = TokenPrivileges->Privileges[0].Attributes;
+	//LUID Luid = TokenPrivileges->Privileges[0].Luid;
+	//DWORD PrivilegeCount = TokenPrivileges->PrivilegeCount;
+	//DWORD Type = Luid.LowPart;
+
+//#ifdef Dbg
+//	WCHAR szOut[256] = {0};
+//	wsprintf(szOut,L"\r\nPrivilegeCount = [%d] pri = [%d] Type = [%d]",PrivilegeCount,pri,Type);
+//	OutputDebugString(szOut);
+//#endif
+
+	nRet = pfnNtAdjustPrivilegesToken(
+		TokenHandle,
+		DisableAllPrivileges,
+		TokenPrivileges,
+		PreviousPrivilegesLength,
+		PreviousPrivileges,
+		RequiredLength
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtAdjustPrivilegesToken(
+	IN HANDLE               TokenHandle,
+	IN BOOLEAN              DisableAllPrivileges,
+	IN PTOKEN_PRIVILEGES    TokenPrivileges,
+	IN ULONG                PreviousPrivilegesLength,
+	OUT PTOKEN_PRIVILEGES   PreviousPrivileges OPTIONAL,
+	OUT PULONG              RequiredLength OPTIONAL)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtAdjustPrivilegesToken addFun = (__pfnNtAdjustPrivilegesToken)GetProcAddress(hDll,"NtAdjustPrivilegesToken");
+	if(addFun)
+	{
+		ret = addFun(TokenHandle,DisableAllPrivileges,TokenPrivileges,PreviousPrivilegesLength,PreviousPrivileges,RequiredLength);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtAdjustPrivilegesToken.h b/HookPorts/Dispatch_NTDLL_NtAdjustPrivilegesToken.h
new file mode 100644
index 0000000..0cd821c
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtAdjustPrivilegesToken.h
@@ -0,0 +1,80 @@
+#pragma once
+
+//
+// Privilege attributes
+//
+
+#define SE_PRIVILEGE_ENABLED_BY_DEFAULT (0x00000001L)
+#define SE_PRIVILEGE_ENABLED            (0x00000002L)
+#define SE_PRIVILEGE_USED_FOR_ACCESS    (0x80000000L)
+
+//
+// These must be converted to LUIDs before use.
+//
+
+#define SE_MIN_WELL_KNOWN_PRIVILEGE       (2L)
+#define SE_CREATE_TOKEN_PRIVILEGE         (2L)
+#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE   (3L)
+#define SE_LOCK_MEMORY_PRIVILEGE          (4L)
+#define SE_INCREASE_QUOTA_PRIVILEGE       (5L)
+
+//
+// Unsolicited Input is obsolete and unused.
+//
+
+#define SE_UNSOLICITED_INPUT_PRIVILEGE    (6L)
+
+#define SE_MACHINE_ACCOUNT_PRIVILEGE      (6L)
+#define SE_TCB_PRIVILEGE                  (7L)
+#define SE_SECURITY_PRIVILEGE             (8L)
+#define SE_TAKE_OWNERSHIP_PRIVILEGE       (9L)
+#define SE_LOAD_DRIVER_PRIVILEGE          (10L)
+#define SE_SYSTEM_PROFILE_PRIVILEGE       (11L)
+#define SE_SYSTEMTIME_PRIVILEGE           (12L)
+#define SE_PROF_SINGLE_PROCESS_PRIVILEGE  (13L)
+#define SE_INC_BASE_PRIORITY_PRIVILEGE    (14L)
+#define SE_CREATE_PAGEFILE_PRIVILEGE      (15L)
+#define SE_CREATE_PERMANENT_PRIVILEGE     (16L)
+#define SE_BACKUP_PRIVILEGE               (17L)
+#define SE_RESTORE_PRIVILEGE              (18L)
+#define SE_SHUTDOWN_PRIVILEGE             (19L)
+#define SE_DEBUG_PRIVILEGE                (20L)
+#define SE_AUDIT_PRIVILEGE                (21L)
+#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE   (22L)
+#define SE_CHANGE_NOTIFY_PRIVILEGE        (23L)
+#define SE_REMOTE_SHUTDOWN_PRIVILEGE      (24L)
+#define SE_UNDOCK_PRIVILEGE               (25L)
+#define SE_SYNC_AGENT_PRIVILEGE           (26L)
+#define SE_ENABLE_DELEGATION_PRIVILEGE    (27L)
+#define SE_MAX_WELL_KNOWN_PRIVILEGE       (SE_ENABLE_DELEGATION_PRIVILEGE)
+
+typedef NTSTATUS (NTAPI * __pfnNtAdjustPrivilegesToken)
+(
+	IN HANDLE               TokenHandle,
+	IN BOOLEAN              DisableAllPrivileges,
+	IN PTOKEN_PRIVILEGES    TokenPrivileges,
+	IN ULONG                PreviousPrivilegesLength,
+	OUT PTOKEN_PRIVILEGES   PreviousPrivileges OPTIONAL,
+	OUT PULONG              RequiredLength OPTIONAL);
+
+extern __pfnNtAdjustPrivilegesToken pfnNtAdjustPrivilegesToken;
+
+NTSTATUS
+NTAPI
+OnNtAdjustPrivilegesToken(
+	IN HANDLE               TokenHandle,
+	IN BOOLEAN              DisableAllPrivileges,
+	IN PTOKEN_PRIVILEGES    TokenPrivileges,
+	IN ULONG                PreviousPrivilegesLength,
+	OUT PTOKEN_PRIVILEGES   PreviousPrivileges OPTIONAL,
+	OUT PULONG              RequiredLength OPTIONAL);
+
+NTSTATUS
+NTAPI
+NtAdjustPrivilegesToken(
+	IN HANDLE               TokenHandle,
+	IN BOOLEAN              DisableAllPrivileges,
+	IN PTOKEN_PRIVILEGES    TokenPrivileges,
+	IN ULONG                PreviousPrivilegesLength,
+	OUT PTOKEN_PRIVILEGES   PreviousPrivileges OPTIONAL,
+	OUT PULONG              RequiredLength OPTIONAL);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtAllocateVirtualMemory.cpp b/HookPorts/Dispatch_NTDLL_NtAllocateVirtualMemory.cpp
new file mode 100644
index 0000000..3f48ed3
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtAllocateVirtualMemory.cpp
@@ -0,0 +1,88 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtAllocateVirtualMemory.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtAllocateVirtualMemory pfnNtAllocateVirtualMemory = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtAllocateVirtualMemory Functions
+//
+NTSTATUS
+NTAPI
+OnNtAllocateVirtualMemory(
+	IN HANDLE               ProcessHandle,
+	IN OUT PVOID            *BaseAddress,
+	IN ULONG                ZeroBits,
+	IN OUT PULONG           RegionSize,
+	IN ULONG                AllocationType,
+	IN ULONG                Protect )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtAllocateVirtualMemory(
+			ProcessHandle,
+			BaseAddress,
+			ZeroBits,
+			RegionSize,
+			AllocationType,
+			Protect
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtAllocateVirtualMemory(
+		ProcessHandle,
+		BaseAddress,
+		ZeroBits,
+		RegionSize,
+		AllocationType,
+		Protect
+		);
+
+#ifdef Dbg
+	DebugLog(DbgInfo,L"Called");
+#endif
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtAllocateVirtualMemory(
+	IN HANDLE               ProcessHandle,
+	IN OUT PVOID            *BaseAddress,
+	IN ULONG                ZeroBits,
+	IN OUT PULONG           RegionSize,
+	IN ULONG                AllocationType,
+	IN ULONG                Protect )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtAllocateVirtualMemory addFun = (__pfnNtAllocateVirtualMemory)GetProcAddress(hDll,"NtAllocateVirtualMemory");
+	if(addFun)
+	{
+		ret = addFun(ProcessHandle,BaseAddress,ZeroBits,RegionSize,AllocationType,Protect);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtAllocateVirtualMemory.h b/HookPorts/Dispatch_NTDLL_NtAllocateVirtualMemory.h
new file mode 100644
index 0000000..80f6e91
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtAllocateVirtualMemory.h
@@ -0,0 +1,32 @@
+#pragma once
+
+typedef NTSTATUS (NTAPI * __pfnNtAllocateVirtualMemory)
+(
+	IN HANDLE               ProcessHandle,
+	IN OUT PVOID            *BaseAddress,
+	IN ULONG                ZeroBits,
+	IN OUT PULONG           RegionSize,
+	IN ULONG                AllocationType,
+	IN ULONG                Protect );
+
+extern __pfnNtAllocateVirtualMemory pfnNtAllocateVirtualMemory;
+
+NTSTATUS
+NTAPI
+OnNtAllocateVirtualMemory(
+	IN HANDLE               ProcessHandle,
+	IN OUT PVOID            *BaseAddress,
+	IN ULONG                ZeroBits,
+	IN OUT PULONG           RegionSize,
+	IN ULONG                AllocationType,
+	IN ULONG                Protect );
+
+NTSTATUS
+NTAPI
+NtAllocateVirtualMemory(
+	IN HANDLE               ProcessHandle,
+	IN OUT PVOID            *BaseAddress,
+	IN ULONG                ZeroBits,
+	IN OUT PULONG           RegionSize,
+	IN ULONG                AllocationType,
+	IN ULONG                Protect );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtClose.cpp b/HookPorts/Dispatch_NTDLL_NtClose.cpp
new file mode 100644
index 0000000..08a5a68
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtClose.cpp
@@ -0,0 +1,68 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtClose.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtClose pfnNtClose = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtClose Functions
+//
+NTSTATUS
+NTAPI
+OnNtClose(
+    IN HANDLE  Handle
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtClose(
+			Handle
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtClose(
+		Handle
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtClose(
+    IN HANDLE  Handle
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtClose addFun = (__pfnNtClose)GetProcAddress(hDll,"NtClose");
+	if(addFun)
+	{
+		ret = addFun(Handle);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtClose.h b/HookPorts/Dispatch_NTDLL_NtClose.h
new file mode 100644
index 0000000..9c54a66
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtClose.h
@@ -0,0 +1,20 @@
+#pragma once
+
+typedef NTSTATUS (NTAPI * __pfnNtClose)
+(
+    IN HANDLE  Handle
+    );
+
+extern __pfnNtClose pfnNtClose;
+
+NTSTATUS
+NTAPI
+OnNtClose(
+    IN HANDLE  Handle
+    );
+
+NTSTATUS
+NTAPI
+NtClose(
+    IN HANDLE  Handle
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtConnectPort.cpp b/HookPorts/Dispatch_NTDLL_NtConnectPort.cpp
new file mode 100644
index 0000000..222239f
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtConnectPort.cpp
@@ -0,0 +1,96 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtConnectPort.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtConnectPort pfnNtConnectPort = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtConnectPort Functions
+//
+NTSTATUS
+NTAPI
+OnNtConnectPort(
+	OUT PHANDLE             ClientPortHandle,
+	IN PUNICODE_STRING      ServerPortName,
+	IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+	IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory OPTIONAL,
+	OUT PLPC_SECTION_MEMORY ServerSharedMemory OPTIONAL,
+	OUT PULONG              MaximumMessageLength OPTIONAL,
+	IN PVOID                ConnectionInfo OPTIONAL,
+	IN PULONG               ConnectionInfoLength OPTIONAL
+	)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtConnectPort(
+			ClientPortHandle,
+			ServerPortName,
+			SecurityQos,
+			ClientSharedMemory,
+			ServerSharedMemory,
+			MaximumMessageLength,
+			ConnectionInfo,
+			ConnectionInfoLength
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtConnectPort(
+		ClientPortHandle,
+		ServerPortName,
+		SecurityQos,
+		ClientSharedMemory,
+		ServerSharedMemory,
+		MaximumMessageLength,
+		ConnectionInfo,
+		ConnectionInfoLength
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtConnectPort(
+	OUT PHANDLE             ClientPortHandle,
+	IN PUNICODE_STRING      ServerPortName,
+	IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+	IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory OPTIONAL,
+	OUT PLPC_SECTION_MEMORY ServerSharedMemory OPTIONAL,
+	OUT PULONG              MaximumMessageLength OPTIONAL,
+	IN PVOID                ConnectionInfo OPTIONAL,
+	IN PULONG               ConnectionInfoLength OPTIONAL
+	)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtConnectPort addFun = (__pfnNtConnectPort)GetProcAddress(hDll,"NtConnectPort");
+	if(addFun)
+	{
+		ret = addFun(ClientPortHandle,ServerPortName,SecurityQos,ClientSharedMemory,ServerSharedMemory,MaximumMessageLength,ConnectionInfo,ConnectionInfoLength);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtConnectPort.h b/HookPorts/Dispatch_NTDLL_NtConnectPort.h
new file mode 100644
index 0000000..42d6c49
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtConnectPort.h
@@ -0,0 +1,55 @@
+#pragma once
+
+typedef struct _LPC_SECTION_OWNER_MEMORY {
+	ULONG                   Length;
+	HANDLE                  SectionHandle;
+	ULONG                   OffsetInSection;
+	ULONG                   ViewSize;
+	PVOID                   ViewBase;
+	PVOID                   OtherSideViewBase;
+} LPC_SECTION_OWNER_MEMORY, *PLPC_SECTION_OWNER_MEMORY;
+
+typedef struct _LPC_SECTION_MEMORY {
+  ULONG                   Length;
+  ULONG                   ViewSize;
+  PVOID                   ViewBase;
+} LPC_SECTION_MEMORY, *PLPC_SECTION_MEMORY;
+
+typedef NTSTATUS (NTAPI * __pfnNtConnectPort)
+(
+	OUT PHANDLE             ClientPortHandle,
+	IN PUNICODE_STRING      ServerPortName,
+	IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+	IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory OPTIONAL,
+	OUT PLPC_SECTION_MEMORY ServerSharedMemory OPTIONAL,
+	OUT PULONG              MaximumMessageLength OPTIONAL,
+	IN PVOID                ConnectionInfo OPTIONAL,
+	IN PULONG               ConnectionInfoLength OPTIONAL
+	);
+
+extern __pfnNtConnectPort pfnNtConnectPort;
+
+NTSTATUS
+NTAPI
+OnNtConnectPort(
+	OUT PHANDLE             ClientPortHandle,
+	IN PUNICODE_STRING      ServerPortName,
+	IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+	IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory OPTIONAL,
+	OUT PLPC_SECTION_MEMORY ServerSharedMemory OPTIONAL,
+	OUT PULONG              MaximumMessageLength OPTIONAL,
+	IN PVOID                ConnectionInfo OPTIONAL,
+	IN PULONG               ConnectionInfoLength OPTIONAL
+	);
+NTSTATUS
+NTAPI
+NtConnectPort(
+	OUT PHANDLE             ClientPortHandle,
+	IN PUNICODE_STRING      ServerPortName,
+	IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
+	IN OUT PLPC_SECTION_OWNER_MEMORY ClientSharedMemory OPTIONAL,
+	OUT PLPC_SECTION_MEMORY ServerSharedMemory OPTIONAL,
+	OUT PULONG              MaximumMessageLength OPTIONAL,
+	IN PVOID                ConnectionInfo OPTIONAL,
+	IN PULONG               ConnectionInfoLength OPTIONAL
+	);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateEvent.cpp b/HookPorts/Dispatch_NTDLL_NtCreateEvent.cpp
new file mode 100644
index 0000000..7521800
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateEvent.cpp
@@ -0,0 +1,81 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtCreateEvent.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+
+
+
+//
+//Global
+//
+__pfnNtCreateEvent pfnNtCreateEvent = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreateEvent Functions
+//
+NTSTATUS
+NTAPI
+OnNtCreateEvent(
+	OUT PHANDLE             EventHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN EVENT_TYPE           EventType,
+	IN BOOLEAN              InitialState)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtCreateEvent(
+			EventHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			EventType,
+			InitialState
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtCreateEvent(
+		EventHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		EventType,
+		InitialState
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtCreateEvent(
+	OUT PHANDLE             EventHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN EVENT_TYPE           EventType,
+	IN BOOLEAN              InitialState)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtCreateEvent addFun = (__pfnNtCreateEvent)GetProcAddress(hDll,"NtCreateEvent");
+	if(addFun)
+	{
+		ret = addFun(EventHandle,DesiredAccess,ObjectAttributes,EventType,InitialState);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateEvent.h b/HookPorts/Dispatch_NTDLL_NtCreateEvent.h
new file mode 100644
index 0000000..b8f5408
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateEvent.h
@@ -0,0 +1,40 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+//
+// Event type
+//
+
+typedef enum _EVENT_TYPE {
+    NotificationEvent,
+    SynchronizationEvent
+    } EVENT_TYPE;
+
+typedef NTSTATUS (NTAPI * __pfnNtCreateEvent)
+(
+	OUT PHANDLE             EventHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN EVENT_TYPE           EventType,
+	IN BOOLEAN              InitialState);
+
+extern __pfnNtCreateEvent pfnNtCreateEvent;
+
+NTSTATUS
+NTAPI
+OnNtCreateEvent(
+	OUT PHANDLE             EventHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN EVENT_TYPE           EventType,
+	IN BOOLEAN              InitialState);
+
+NTSTATUS
+NTAPI
+NtCreateEvent(
+	OUT PHANDLE             EventHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN EVENT_TYPE           EventType,
+	IN BOOLEAN              InitialState);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateFile.cpp b/HookPorts/Dispatch_NTDLL_NtCreateFile.cpp
new file mode 100644
index 0000000..6e7fdae
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateFile.cpp
@@ -0,0 +1,529 @@
+#include <windows.h>
+#include <ntsecapi.h>
+#include <winbase.h>
+
+#include "./Dispatch_NTDLL_NtCreateFile.h"
+#include "../Common///DebugLog.h"
+#include "./HookHelp.h"
+#include "./HookHelp_File.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+#include "./Main.h"
+#include "./NativeAPI_NTDLL.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtQueryAttributesFile.h"
+#include "./Dispatch_NTDLL_NtClose.h"
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+#include "./Dispatch_NTDLL_NtQueryObject.h"
+#include "./Dispatch_NTDLL_NtDeleteFile.h"
+#include "./Dispatch_NTDLL_NtSetInformationFile.h"
+
+
+
+//
+//Global
+//
+__pfnNtCreateFile pfnNtCreateFile = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreateFile Functions
+//
+NTSTATUS
+NTAPI
+OnNtCreateFile(
+    OUT PHANDLE  FileHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN PLARGE_INTEGER  AllocationSize  OPTIONAL,
+    IN ULONG  FileAttributes,
+    IN ULONG  ShareAccess,
+    IN ULONG  CreateDisposition,
+    IN ULONG  CreateOptions,
+    IN PVOID  EaBuffer  OPTIONAL,
+    IN ULONG  EaLength)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtCreateFile(
+			FileHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			IoStatusBlock,
+			AllocationSize,
+			FileAttributes,
+			ShareAccess,
+			CreateDisposition,
+			CreateOptions,
+			EaBuffer,
+			EaLength
+			);
+
+		return nRet;
+	}
+
+	NTSTATUS nStatusQuery;
+	FILE_BASIC_INFORMATION fbiFileAttributes;
+	nStatusQuery = NtQueryAttributesFile(ObjectAttributes,&fbiFileAttributes);
+	if( nStatusQuery != STATUS_OBJECT_NAME_NOT_FOUND &&
+		nStatusQuery != STATUS_SUCCESS
+		)
+	{
+		nRet = pfnNtCreateFile(
+			FileHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			IoStatusBlock,
+			AllocationSize,
+			FileAttributes,
+			ShareAccess,
+			CreateDisposition,
+			CreateOptions,
+			EaBuffer,
+			EaLength
+			);
+
+		return nRet;
+	}
+
+	//(\\??\\C:\\WINDOWS\\XXX)
+	WCHAR szLongNtPath[MAX_NAME] = {NULL};
+	//(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+	WCHAR szDispatchNtPath[MAX_NAME] = {NULL};
+	UNICODE_STRING usDispatchNtPath;
+
+	WCHAR szBuffer[MAX_NAME] = {NULL};
+	lstrcpyW(szBuffer,ObjectAttributes->ObjectName->Buffer);
+
+	if( GetLongNtPathName(NULL,ObjectAttributes->RootDirectory,szBuffer,g_szRestoreNtPath,szLongNtPath,szDispatchNtPath) != 0 )
+	{
+#ifdef Dbg
+		//DebugLog(DbgInfo,L"GetLongNtPathName failed! szLongNtPath=");
+		//OutputDebugString(szLongNtPath);
+#endif
+
+		nRet = pfnNtCreateFile(
+			FileHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			IoStatusBlock,
+			AllocationSize,
+			FileAttributes,
+			ShareAccess,
+			CreateDisposition,
+			CreateOptions,
+			EaBuffer,
+			EaLength
+			);
+
+		return nRet;
+	}
+
+	//
+	//Init UNICODE_STRING
+	//
+	RtlInitUnicodeString(&usDispatchNtPath,szDispatchNtPath);
+
+	////OutputDebugString(L"\r\nNtCreateFile szLongNtPath=");
+	////OutputDebugString(szLongNtPath);
+
+	//
+	//Check if request in SandBox
+	//
+	if( wcsnicmp(szLongNtPath,g_szRestoreNtPath,lstrlenW(g_szRestoreNtPath)) == 0 )
+	{
+#ifdef Dbg
+		//DebugLog(DbgInfo,L"request in SandBox! szLongNtPath=");
+		//OutputDebugString(szLongNtPath);
+#endif
+
+		nRet = pfnNtCreateFile(
+			FileHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			IoStatusBlock,
+			AllocationSize,
+			FileAttributes,
+			ShareAccess,
+			CreateDisposition,
+			CreateOptions,
+			EaBuffer,
+			EaLength
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if file dispatched
+	//
+	HANDLE hFile = NULL;
+	OBJECT_ATTRIBUTES oaObjAttrib = *(POBJECT_ATTRIBUTES)ObjectAttributes;
+	IO_STATUS_BLOCK IoSB;
+	NTSTATUS nCreateFile;
+
+	int iFileDispatch = -1;
+	iFileDispatch = QueryDispatchedFile(szDispatchNtPath);
+	if( iFileDispatch == -1 )
+	{
+#ifdef Dbg
+		//DebugLog(DbgInfo,L"iFileDispatch == -1! szLongNtPath=");
+		//OutputDebugString(szLongNtPath);
+#endif
+
+		//
+		//Check if CreateDisposition includes [FILE_SUPERSEDE]\[FILE_CREATE]\[FILE_OPEN_IF]\[FILE_OVERWRITE_IF]
+		//
+		if( CreateDisposition == FILE_SUPERSEDE ||
+			CreateDisposition == FILE_CREATE ||
+			CreateDisposition == FILE_OPEN_IF ||
+			CreateDisposition == FILE_OVERWRITE_IF									
+			)
+		{
+			//
+			//Dispatch
+			//
+			if( oaObjAttrib.RootDirectory != NULL )
+			{
+				oaObjAttrib.RootDirectory = NULL;
+			}
+			oaObjAttrib.ObjectName->Length = usDispatchNtPath.Length;
+			oaObjAttrib.ObjectName->MaximumLength = usDispatchNtPath.MaximumLength;
+			oaObjAttrib.ObjectName->Buffer = usDispatchNtPath.Buffer;
+
+#ifdef Dbg
+			//DebugLog(DbgInfo,L"Deleted file Dispatch! szLongNtPath=");
+			//OutputDebugString(szLongNtPath);
+#endif
+
+			nRet = pfnNtCreateFile(
+				FileHandle,
+				DesiredAccess,
+				&oaObjAttrib,
+				IoStatusBlock,
+				AllocationSize,
+				FileAttributes,
+				ShareAccess,
+				CreateDisposition,
+				CreateOptions,
+				EaBuffer,
+				EaLength
+				);
+
+			//
+			//Set new CreationTime
+			//
+			NTSTATUS nStatus;
+			FILE_BASIC_INFORMATION stFileBasicInfo = {NULL};
+
+			if( nRet == STATUS_SUCCESS )
+			{
+				nStatus = NtQueryInformationFile(
+					*(PHANDLE)FileHandle,
+					&IoSB,
+					&stFileBasicInfo,
+					sizeof(FILE_BASIC_INFORMATION),
+					FileBasicInformation);
+
+				if( nStatus == STATUS_SUCCESS )
+				{
+					stFileBasicInfo.CreationTime.QuadPart = stFileBasicInfo.LastAccessTime.QuadPart;
+
+					nStatus = NtSetInformationFile(
+						*(PHANDLE)FileHandle,
+						&IoSB,
+						&stFileBasicInfo,
+						sizeof(FILE_BASIC_INFORMATION),
+						FileBasicInformation
+						);
+				}
+			}
+
+			return nRet;
+		}
+
+#ifdef Dbg
+		//DebugLog(DbgInfo,L"Deleted file FILE_DOES_NOT_EXIST! szLongNtPath=");
+		//OutputDebugString(szLongNtPath);
+#endif
+
+		nRet = FILE_DOES_NOT_EXIST;
+		return nRet;
+	}
+	else
+	if( iFileDispatch == 1 )
+	{
+		//
+		//Dispatch
+		//
+		if( oaObjAttrib.RootDirectory != NULL )
+		{
+			oaObjAttrib.RootDirectory = NULL;
+		}
+		oaObjAttrib.ObjectName->Length = usDispatchNtPath.Length;
+		oaObjAttrib.ObjectName->MaximumLength = usDispatchNtPath.MaximumLength;
+		oaObjAttrib.ObjectName->Buffer = usDispatchNtPath.Buffer;
+
+#ifdef Dbg
+		//DebugLog(DbgInfo,L"Dispatch! szLongNtPath=");
+		//OutputDebugString(szLongNtPath);
+#endif
+
+		nRet = pfnNtCreateFile(
+			FileHandle,
+			DesiredAccess,
+			&oaObjAttrib,
+			IoStatusBlock,
+			AllocationSize,
+			FileAttributes,
+			ShareAccess,
+			CreateDisposition,
+			CreateOptions,
+			EaBuffer,
+			EaLength
+			);
+
+		return nRet;
+	}
+
+	//
+	//Get FileName
+	//
+	if( nStatusQuery == STATUS_OBJECT_NAME_NOT_FOUND )//FILE_DOES_NOT_EXIST
+	{
+		nCreateFile = NtCreateFile(
+					&hFile,
+					FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE,
+					&oaObjAttrib,
+					&IoSB,
+					NULL,
+					FILE_ATTRIBUTE_NORMAL,
+					FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+					FILE_OPEN_IF,
+					FILE_SYNCHRONOUS_IO_NONALERT,
+					NULL,
+					NULL
+					);
+		if( nCreateFile == STATUS_SUCCESS &&
+			IoSB.Information == FILE_CREATED
+			)//Get FileName succeed
+		{
+			NtClose(hFile);
+			NtDeleteFile(&oaObjAttrib);
+
+#ifdef Dbg
+			//DebugLog(DbgInfo,L"Get FileName succeed! szLongNtPath=");
+			//OutputDebugString(szLongNtPath);
+#endif
+
+			//
+			//Check if CreateDisposition includes [FILE_SUPERSEDE]\[FILE_CREATE]\[FILE_OPEN_IF]\[FILE_OVERWRITE_IF]
+			//
+			if( CreateDisposition == FILE_SUPERSEDE ||
+				CreateDisposition == FILE_CREATE ||
+				CreateDisposition == FILE_OPEN_IF ||
+				CreateDisposition == FILE_OVERWRITE_IF									
+				)
+			{
+				//
+				//Init Directory
+				//
+				InitDirectoryForFileDispatch(szDispatchNtPath);
+
+				//
+				//The file is a directory
+				//
+				if( CreateOptions & FILE_DIRECTORY_FILE )
+				{
+					nRet = pfnNtCreateFile(
+						FileHandle,
+						DesiredAccess,
+						ObjectAttributes,
+						IoStatusBlock,
+						AllocationSize,
+						FileAttributes,
+						ShareAccess,
+						CreateDisposition,
+						CreateOptions,
+						EaBuffer,
+						EaLength
+						);
+
+					//return nRet;
+				}
+
+				//
+				//Dispatch
+				//
+				if( oaObjAttrib.RootDirectory != NULL )
+				{
+					oaObjAttrib.RootDirectory = NULL;
+				}
+				oaObjAttrib.ObjectName->Length = usDispatchNtPath.Length;
+				oaObjAttrib.ObjectName->MaximumLength = usDispatchNtPath.MaximumLength;
+				oaObjAttrib.ObjectName->Buffer = usDispatchNtPath.Buffer;
+
+#ifdef Dbg
+				//DebugLog(DbgInfo,L"File create dispatch! szLongNtPath=");
+				//OutputDebugString(szLongNtPath);
+				//OutputDebugString(szDispatchNtPath);
+#endif
+
+				nRet = pfnNtCreateFile(
+					FileHandle,
+					DesiredAccess,
+					&oaObjAttrib,
+					IoStatusBlock,
+					AllocationSize,
+					FileAttributes,
+					ShareAccess,
+					CreateDisposition,
+					CreateOptions,
+					EaBuffer,
+					EaLength
+					);
+
+				if( CreateOptions & FILE_DELETE_ON_CLOSE )
+				{
+					//DebugLog(DbgInfo,L"FUCK! FILE_DELETE_ON_CLOSE!!!");
+				}
+
+#ifdef Dbg
+				WCHAR szStatusCode[128] = {0};
+				wsprintf(szStatusCode,L"\r\n nRet = [0x%08X]",nRet);
+				//DebugLog(DbgInfo,szStatusCode);
+#endif
+
+				return nRet;
+			}
+
+#ifdef Dbg
+			//DebugLog(DbgInfo,L"CreateDisposition does not includes CREATE! szLongNtPath=");
+			//OutputDebugString(szLongNtPath);
+#endif
+		}
+		else//Get FileName failed
+		{
+#ifdef Dbg
+			//DebugLog(DbgInfo,L"Get FileName failed! szLongNtPath=");
+			//OutputDebugString(szLongNtPath);
+#endif
+		}
+		NtClose(hFile);
+	}
+	else
+	if( nStatusQuery == STATUS_SUCCESS )//FILE_EXISTS
+	{
+#ifdef Dbg
+		//DebugLog(DbgInfo,L"nStatusQuery == STATUS_SUCCESS! szLongNtPath=");
+		//OutputDebugString(szLongNtPath);
+#endif
+		//
+		//Check if the file is a directory
+		//Check if DesiredAccess includes [FILE_WRITE_DATA]\[FILE_WRITE_ATTRIBUTES]\[FILE_WRITE_EA]\[FILE_APPEND_DATA]
+		//
+		if( (CreateOptions & FILE_DIRECTORY_FILE ) == 0 &&
+			CreateDisposition == FILE_OVERWRITE_IF
+			)
+		{
+			//
+			//Init Directory
+			//
+			InitDirectoryForFileDispatch(szDispatchNtPath);
+
+			//
+			//Copy file
+			//
+			CloneFileToDispatchPath(szLongNtPath,szDispatchNtPath,FILE_ATTRIBUTE_ARCHIVE);
+
+			//
+			//Dispatch
+			//
+			if( oaObjAttrib.RootDirectory != NULL )
+			{
+				oaObjAttrib.RootDirectory = NULL;
+			}
+			oaObjAttrib.ObjectName->Length = usDispatchNtPath.Length;
+			oaObjAttrib.ObjectName->MaximumLength = usDispatchNtPath.MaximumLength;
+			oaObjAttrib.ObjectName->Buffer = usDispatchNtPath.Buffer;
+
+#ifdef Dbg
+			//DebugLog(DbgInfo,L"File write dispatch! szLongNtPath=");
+			//OutputDebugString(szLongNtPath);
+#endif
+
+			nRet = pfnNtCreateFile(
+				FileHandle,
+				DesiredAccess,
+				&oaObjAttrib,
+				IoStatusBlock,
+				AllocationSize,
+				FileAttributes,
+				ShareAccess,
+				CreateDisposition,
+				CreateOptions,
+				EaBuffer,
+				EaLength
+				);
+
+			return nRet;
+		}
+
+#ifdef Dbg
+		//DebugLog(DbgInfo,L"Not includes FILE_OVERWRITE_IF! szLongNtPath=");
+		//OutputDebugString(szLongNtPath);
+#endif
+	}
+
+	nRet = pfnNtCreateFile(
+		FileHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		IoStatusBlock,
+		AllocationSize,
+		FileAttributes,
+		ShareAccess,
+		CreateDisposition,
+		CreateOptions,
+		EaBuffer,
+		EaLength
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtCreateFile(
+    OUT PHANDLE  FileHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN PLARGE_INTEGER  AllocationSize  OPTIONAL,
+    IN ULONG  FileAttributes,
+    IN ULONG  ShareAccess,
+    IN ULONG  CreateDisposition,
+    IN ULONG  CreateOptions,
+    IN PVOID  EaBuffer  OPTIONAL,
+    IN ULONG  EaLength)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtCreateFile addFun = (__pfnNtCreateFile)GetProcAddress(hDll,"NtCreateFile");
+	if(addFun)
+	{
+		ret = addFun(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateFile.h b/HookPorts/Dispatch_NTDLL_NtCreateFile.h
new file mode 100644
index 0000000..5429d8f
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateFile.h
@@ -0,0 +1,169 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+
+//
+// Define the create disposition values
+//
+
+#define FILE_SUPERSEDE                  0x00000000
+#define FILE_OPEN                       0x00000001
+#define FILE_CREATE                     0x00000002
+#define FILE_OPEN_IF                    0x00000003
+#define FILE_OVERWRITE                  0x00000004
+#define FILE_OVERWRITE_IF               0x00000005
+#define FILE_MAXIMUM_DISPOSITION        0x00000005
+
+//
+// Define the create/open option flags
+//
+
+#define FILE_DIRECTORY_FILE                     0x00000001
+#define FILE_WRITE_THROUGH                      0x00000002
+#define FILE_SEQUENTIAL_ONLY                    0x00000004
+#define FILE_NO_INTERMEDIATE_BUFFERING          0x00000008
+
+#define FILE_SYNCHRONOUS_IO_ALERT               0x00000010
+#define FILE_SYNCHRONOUS_IO_NONALERT            0x00000020
+#define FILE_NON_DIRECTORY_FILE                 0x00000040
+#define FILE_CREATE_TREE_CONNECTION             0x00000080
+
+#define FILE_COMPLETE_IF_OPLOCKED               0x00000100
+#define FILE_NO_EA_KNOWLEDGE                    0x00000200
+#define FILE_OPEN_FOR_RECOVERY                  0x00000400
+#define FILE_RANDOM_ACCESS                      0x00000800
+
+#define FILE_DELETE_ON_CLOSE                    0x00001000
+#define FILE_OPEN_BY_FILE_ID                    0x00002000
+#define FILE_OPEN_FOR_BACKUP_INTENT             0x00004000
+#define FILE_NO_COMPRESSION                     0x00008000
+
+#define FILE_RESERVE_OPFILTER                   0x00100000
+#define FILE_OPEN_REPARSE_POINT                 0x00200000
+#define FILE_OPEN_NO_RECALL                     0x00400000
+#define FILE_OPEN_FOR_FREE_SPACE_QUERY          0x00800000
+
+#define FILE_COPY_STRUCTURED_STORAGE            0x00000041
+#define FILE_STRUCTURED_STORAGE                 0x00000441
+
+#define FILE_VALID_OPTION_FLAGS                 0x00ffffff
+#define FILE_VALID_PIPE_OPTION_FLAGS            0x00000032
+#define FILE_VALID_MAILSLOT_OPTION_FLAGS        0x00000032
+#define FILE_VALID_SET_FLAGS                    0x00000036
+
+//
+// Define the I/O status information return values for NtCreateFile/NtOpenFile
+//
+
+#define FILE_SUPERSEDED                 0x00000000
+#define FILE_OPENED                     0x00000001
+#define FILE_CREATED                    0x00000002
+#define FILE_OVERWRITTEN                0x00000003
+#define FILE_EXISTS                     0x00000004
+#define FILE_DOES_NOT_EXIST             0x00000005
+
+//
+// Valid values for the Attributes field
+//
+
+#define OBJ_INHERIT             0x00000002L
+#define OBJ_PERMANENT           0x00000010L
+#define OBJ_EXCLUSIVE           0x00000020L
+#define OBJ_CASE_INSENSITIVE    0x00000040L
+#define OBJ_OPENIF              0x00000080L
+#define OBJ_OPENLINK            0x00000100L
+#define OBJ_KERNEL_HANDLE       0x00000200L
+#define OBJ_VALID_ATTRIBUTES    0x000003F2L
+
+#define InitializeObjectAttributes( p, n, a, r, s ) { \
+    (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \
+    (p)->RootDirectory = r;                             \
+    (p)->Attributes = a;                                \
+    (p)->ObjectName = n;                                \
+    (p)->SecurityDescriptor = s;                        \
+    (p)->SecurityQualityOfService = NULL;               \
+    }
+
+//
+// Define the file attributes values
+//
+// Note:  0x00000008 is reserved for use for the old DOS VOLID (volume ID)
+//        and is therefore not considered valid in NT.
+//
+// Note:  0x00000010 is reserved for use for the old DOS SUBDIRECTORY flag
+//        and is therefore not considered valid in NT.  This flag has
+//        been disassociated with file attributes since the other flags are
+//        protected with READ_ and WRITE_ATTRIBUTES access to the file.
+//
+// Note:  Note also that the order of these flags is set to allow both the
+//        FAT and the Pinball File Systems to directly set the attributes
+//        flags in attributes words without having to pick each flag out
+//        individually.  The order of these flags should not be changed!
+//
+
+#define FILE_ATTRIBUTE_READONLY             0x00000001  // winnt
+#define FILE_ATTRIBUTE_HIDDEN               0x00000002  // winnt
+#define FILE_ATTRIBUTE_SYSTEM               0x00000004  // winnt
+//OLD DOS VOLID                             0x00000008
+
+#define FILE_ATTRIBUTE_DIRECTORY            0x00000010  // winnt
+#define FILE_ATTRIBUTE_ARCHIVE              0x00000020  // winnt
+#define FILE_ATTRIBUTE_DEVICE               0x00000040  // winnt
+#define FILE_ATTRIBUTE_NORMAL               0x00000080  // winnt
+
+#define FILE_ATTRIBUTE_TEMPORARY            0x00000100  // winnt
+#define FILE_ATTRIBUTE_SPARSE_FILE          0x00000200  // winnt
+#define FILE_ATTRIBUTE_REPARSE_POINT        0x00000400  // winnt
+#define FILE_ATTRIBUTE_COMPRESSED           0x00000800  // winnt
+
+#define FILE_ATTRIBUTE_OFFLINE              0x00001000  // winnt
+#define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED  0x00002000  // winnt
+#define FILE_ATTRIBUTE_ENCRYPTED            0x00004000  // winnt
+
+typedef NTSTATUS (NTAPI * __pfnNtCreateFile)
+(
+    OUT PHANDLE  FileHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN PLARGE_INTEGER  AllocationSize  OPTIONAL,
+    IN ULONG  FileAttributes,
+    IN ULONG  ShareAccess,
+    IN ULONG  CreateDisposition,
+    IN ULONG  CreateOptions,
+    IN PVOID  EaBuffer  OPTIONAL,
+    IN ULONG  EaLength);
+
+extern __pfnNtCreateFile pfnNtCreateFile;
+
+NTSTATUS
+NTAPI
+OnNtCreateFile(
+    OUT PHANDLE  FileHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN PLARGE_INTEGER  AllocationSize  OPTIONAL,
+    IN ULONG  FileAttributes,
+    IN ULONG  ShareAccess,
+    IN ULONG  CreateDisposition,
+    IN ULONG  CreateOptions,
+    IN PVOID  EaBuffer  OPTIONAL,
+    IN ULONG  EaLength);
+
+NTSTATUS
+NTAPI
+NtCreateFile(
+    OUT PHANDLE  FileHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN PLARGE_INTEGER  AllocationSize  OPTIONAL,
+    IN ULONG  FileAttributes,
+    IN ULONG  ShareAccess,
+    IN ULONG  CreateDisposition,
+    IN ULONG  CreateOptions,
+    IN PVOID  EaBuffer  OPTIONAL,
+    IN ULONG  EaLength);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateKey.cpp b/HookPorts/Dispatch_NTDLL_NtCreateKey.cpp
new file mode 100644
index 0000000..050385f
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateKey.cpp
@@ -0,0 +1,206 @@
+#include <windows.h>
+#include <ntsecapi.h>
+#include <shlwapi.h>
+#pragma comment(lib,"shlwapi.lib")
+
+#include "./Dispatch_NTDLL_NtCreateKey.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./HookHelp_Reg.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+#include "./NativeAPI_NTDLL.h"
+#include "./Dispatch_NTDLL_NtCreateFile.h"
+#include "./Dispatch_NTDLL_NtOpenKey.h"
+#include "./Dispatch_NTDLL_NtClose.h"
+
+
+
+//
+//Global
+//
+__pfnNtCreateKey pfnNtCreateKey = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreateKey Functions
+//
+NTSTATUS
+NTAPI
+OnNtCreateKey(
+	OUT PHANDLE  KeyHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	IN ULONG  TitleIndex,
+	IN PUNICODE_STRING  Class  OPTIONAL,
+	IN ULONG  CreateOptions,
+	OUT PULONG  Disposition  OPTIONAL
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtCreateKey(
+			KeyHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			TitleIndex,
+			Class,
+			CreateOptions,
+			Disposition
+			);
+
+		return nRet;
+	}
+
+	WCHAR szRegKrnlPath[MAX_NAME] = {NULL};
+	WCHAR szDispatchRegKrnlPath[MAX_NAME] = {NULL};
+	WCHAR szDispatchRegUserPath[MAX_NAME] = {NULL};
+
+	WCHAR szObjectName[MAX_NAME] = {NULL};
+	lstrcpyW(szObjectName,ObjectAttributes->ObjectName->Buffer);
+
+	if( GetRegistryPathName(NULL,ObjectAttributes->RootDirectory,szObjectName,g_szRestoreRegPath,szRegKrnlPath,szDispatchRegKrnlPath,szDispatchRegUserPath) != 0 )
+	{
+		nRet = pfnNtCreateKey(
+			KeyHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			TitleIndex,
+			Class,
+			CreateOptions,
+			Disposition
+			);
+
+		return nRet;
+	}
+
+//#ifdef Dbg
+//	WCHAR szDebugString[2048] = {0};
+//	wsprintf(
+//		szDebugString,
+//		L"szRegKrnlPath = [%s]\r\nszDispatchRegKrnlPath = [%s]\r\nszDispatchRegUserPath = [%s]",
+//		szRegKrnlPath,
+//		szDispatchRegKrnlPath,
+//		szDispatchRegUserPath
+//		);
+//	DebugLog(DbgInfo,szDebugString);
+//#endif
+
+	//
+	//Check if request in SandBox
+	//
+	if( wcsnicmp(szRegKrnlPath,g_szRestoreFullRegKrnlPath,lstrlenW(g_szRestoreFullRegKrnlPath)) == 0 )
+	{
+		nRet = pfnNtCreateKey(
+			KeyHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			TitleIndex,
+			Class,
+			CreateOptions,
+			Disposition
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if opens an existing key
+	//
+	NTSTATUS nOpenKey;
+	HANDLE hKeyHandle = NULL;
+
+	nOpenKey = NtOpenKey(&hKeyHandle, KEY_READ, ObjectAttributes);
+
+	if( nOpenKey == STATUS_SUCCESS )//key exists
+	{
+		NtClose(hKeyHandle);
+
+		nRet = pfnNtCreateKey(
+			KeyHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			TitleIndex,
+			Class,
+			CreateOptions,
+			Disposition
+			);
+
+		return nRet;
+	}
+	NtClose(hKeyHandle);
+
+	////
+	////Dispatch
+	////
+	//UNICODE_STRING usDispatchRegPath;
+
+	////
+	////Init UNICODE_STRING
+	////
+	//RtlInitUnicodeString(&usDispatchRegPath,szDispatchRegKrnlPath);
+
+	//OBJECT_ATTRIBUTES oaObjAttrib;
+
+	//InitializeObjectAttributes(
+	//	&oaObjAttrib,
+	//	&usDispatchRegPath,
+	//	OBJ_CASE_INSENSITIVE,
+	//	NULL,
+	//	NULL);
+
+	//nRet = pfnNtCreateKey(
+	//	KeyHandle,
+	//	DesiredAccess,
+	//	&oaObjAttrib,
+	//	TitleIndex,
+	//	Class,
+	//	CreateOptions,
+	//	Disposition
+	//	);
+
+	nRet = pfnNtCreateKey(
+		KeyHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		TitleIndex,
+		Class,
+		CreateOptions,
+		Disposition
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtCreateKey(
+	OUT PHANDLE  KeyHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	IN ULONG  TitleIndex,
+	IN PUNICODE_STRING  Class  OPTIONAL,
+	IN ULONG  CreateOptions,
+	OUT PULONG  Disposition  OPTIONAL
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtCreateKey addFun = (__pfnNtCreateKey)GetProcAddress(hDll,"NtCreateKey");
+	if(addFun)
+	{
+		ret = addFun(KeyHandle,DesiredAccess,ObjectAttributes,TitleIndex,Class,CreateOptions,Disposition);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateKey.h b/HookPorts/Dispatch_NTDLL_NtCreateKey.h
new file mode 100644
index 0000000..f45a71c
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateKey.h
@@ -0,0 +1,40 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtCreateKey)
+(
+	OUT PHANDLE  KeyHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	IN ULONG  TitleIndex,
+	IN PUNICODE_STRING  Class  OPTIONAL,
+	IN ULONG  CreateOptions,
+	OUT PULONG  Disposition  OPTIONAL
+    );
+
+extern __pfnNtCreateKey pfnNtCreateKey;
+
+NTSTATUS
+NTAPI
+OnNtCreateKey(
+	OUT PHANDLE  KeyHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	IN ULONG  TitleIndex,
+	IN PUNICODE_STRING  Class  OPTIONAL,
+	IN ULONG  CreateOptions,
+	OUT PULONG  Disposition  OPTIONAL
+    );
+
+NTSTATUS
+NTAPI
+NtCreateKey(
+	OUT PHANDLE  KeyHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	IN ULONG  TitleIndex,
+	IN PUNICODE_STRING  Class  OPTIONAL,
+	IN ULONG  CreateOptions,
+	OUT PULONG  Disposition  OPTIONAL
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateMutant.cpp b/HookPorts/Dispatch_NTDLL_NtCreateMutant.cpp
new file mode 100644
index 0000000..cae8098
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateMutant.cpp
@@ -0,0 +1,135 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtCreateMutant.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+#include "./Main.h"
+#include "./NativeAPI_NTDLL.h"
+
+
+
+//
+//Global
+//
+__pfnNtCreateMutant pfnNtCreateMutant = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreateMutant Functions
+//
+NTSTATUS
+NTAPI
+OnNtCreateMutant(
+	OUT PHANDLE             MutantHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN BOOLEAN              InitialOwner)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtCreateMutant(
+			MutantHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			InitialOwner
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if Address Valid
+	//
+	if( IsBadCodePtr((FARPROC)ObjectAttributes) ||
+		IsBadCodePtr((FARPROC)ObjectAttributes->ObjectName) ||
+		IsBadCodePtr((FARPROC)ObjectAttributes->ObjectName->Buffer)
+		)
+	{
+		nRet = pfnNtCreateMutant(
+			MutantHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			InitialOwner
+			);
+
+		return nRet;
+	}
+
+	//
+	//Dispatch
+	//
+	OBJECT_ATTRIBUTES oaObjAttrib = *(POBJECT_ATTRIBUTES)ObjectAttributes;
+
+	WCHAR szMutantName[MAX_NAME] = {NULL};
+	if( ObjectAttributes->ObjectName->Buffer != NULL )
+	{
+		lstrcpy(szMutantName,ObjectAttributes->ObjectName->Buffer);
+
+		wsprintfW(szMutantName,L"%s_%s",g_szSandBoxName,ObjectAttributes->ObjectName->Buffer);
+
+		UNICODE_STRING usMutantName;
+
+		//
+		//Init UNICODE_STRING
+		//
+		RtlInitUnicodeString(&usMutantName,szMutantName);
+
+		oaObjAttrib.ObjectName->Length = usMutantName.Length;
+		oaObjAttrib.ObjectName->MaximumLength = usMutantName.MaximumLength;
+		oaObjAttrib.ObjectName->Buffer = usMutantName.Buffer;
+
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ObjectAttributes->ObjectName->Buffer=");
+		OutputDebugString(szMutantName);
+#endif
+
+		nRet = pfnNtCreateMutant(
+			MutantHandle,
+			DesiredAccess,
+			&oaObjAttrib,
+			InitialOwner
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtCreateMutant(
+		MutantHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		InitialOwner
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtCreateMutant(
+	OUT PHANDLE             MutantHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN BOOLEAN              InitialOwner)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtCreateMutant addFun = (__pfnNtCreateMutant)GetProcAddress(hDll,"NtCreateMutant");
+	if(addFun)
+	{
+		ret = addFun(MutantHandle,DesiredAccess,ObjectAttributes,InitialOwner);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateMutant.h b/HookPorts/Dispatch_NTDLL_NtCreateMutant.h
new file mode 100644
index 0000000..3ee9290
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateMutant.h
@@ -0,0 +1,28 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtCreateMutant)
+(
+	OUT PHANDLE             MutantHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN BOOLEAN              InitialOwner);
+
+extern __pfnNtCreateMutant pfnNtCreateMutant;
+
+NTSTATUS
+NTAPI
+OnNtCreateMutant(
+	OUT PHANDLE             MutantHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN BOOLEAN              InitialOwner);
+
+NTSTATUS
+NTAPI
+NtCreateMutant(
+	OUT PHANDLE             MutantHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN BOOLEAN              InitialOwner);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreatePort.cpp b/HookPorts/Dispatch_NTDLL_NtCreatePort.cpp
new file mode 100644
index 0000000..d7e3e0c
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreatePort.cpp
@@ -0,0 +1,84 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtCreatePort.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtCreatePort pfnNtCreatePort = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreatePort Functions
+//
+NTSTATUS
+NTAPI
+OnNtCreatePort(
+	OUT PHANDLE             PortHandle,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	IN ULONG                MaxConnectInfoLength,
+	IN ULONG                MaxDataLength,
+	IN OUT PULONG           Reserved OPTIONAL
+	)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtCreatePort(
+			PortHandle,
+			ObjectAttributes,
+			MaxConnectInfoLength,
+			MaxDataLength,
+			Reserved
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtCreatePort(
+		PortHandle,
+		ObjectAttributes,
+		MaxConnectInfoLength,
+		MaxDataLength,
+		Reserved
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtCreatePort(
+	OUT PHANDLE             PortHandle,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	IN ULONG                MaxConnectInfoLength,
+	IN ULONG                MaxDataLength,
+	IN OUT PULONG           Reserved OPTIONAL
+	)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtCreatePort addFun = (__pfnNtCreatePort)GetProcAddress(hDll,"NtCreatePort");
+	if(addFun)
+	{
+		ret = addFun(PortHandle,ObjectAttributes,MaxConnectInfoLength,MaxDataLength,Reserved);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreatePort.h b/HookPorts/Dispatch_NTDLL_NtCreatePort.h
new file mode 100644
index 0000000..9e014d8
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreatePort.h
@@ -0,0 +1,33 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtCreatePort)
+(
+	OUT PHANDLE             PortHandle,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	IN ULONG                MaxConnectInfoLength,
+	IN ULONG                MaxDataLength,
+	IN OUT PULONG           Reserved OPTIONAL
+	);
+
+extern __pfnNtCreatePort pfnNtCreatePort;
+
+NTSTATUS
+NTAPI
+OnNtCreatePort(
+	OUT PHANDLE             PortHandle,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	IN ULONG                MaxConnectInfoLength,
+	IN ULONG                MaxDataLength,
+	IN OUT PULONG           Reserved OPTIONAL
+	);
+NTSTATUS
+NTAPI
+NtCreatePort(
+	OUT PHANDLE             PortHandle,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	IN ULONG                MaxConnectInfoLength,
+	IN ULONG                MaxDataLength,
+	IN OUT PULONG           Reserved OPTIONAL
+	);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateProcess.cpp b/HookPorts/Dispatch_NTDLL_NtCreateProcess.cpp
new file mode 100644
index 0000000..916ae21
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateProcess.cpp
@@ -0,0 +1,92 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtCreateProcess.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtCreateProcess pfnNtCreateProcess = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreateProcess Functions
+//
+NTSTATUS
+NTAPI
+OnNtCreateProcess(
+	OUT PHANDLE ProcessHandle,
+	IN ACCESS_MASK DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes,
+	IN HANDLE ParentProcess,
+	IN BOOLEAN InheritObjectTable,
+	IN HANDLE SectionHandle,
+	IN HANDLE DebugPort,
+	IN HANDLE ExceptionPort)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtCreateProcess(
+			ProcessHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			ParentProcess,
+			InheritObjectTable,
+			SectionHandle,
+			DebugPort,
+			ExceptionPort
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtCreateProcess(
+		ProcessHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		ParentProcess,
+		InheritObjectTable,
+		SectionHandle,
+		DebugPort,
+		ExceptionPort
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtCreateProcess(
+	OUT PHANDLE ProcessHandle,
+	IN ACCESS_MASK DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes,
+	IN HANDLE ParentProcess,
+	IN BOOLEAN InheritObjectTable,
+	IN HANDLE SectionHandle,
+	IN HANDLE DebugPort,
+	IN HANDLE ExceptionPort)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtCreateProcess addFun = (__pfnNtCreateProcess)GetProcAddress(hDll,"NtCreateProcess");
+	if(addFun)
+	{
+		ret = addFun(ProcessHandle,DesiredAccess,ObjectAttributes,ParentProcess,InheritObjectTable,SectionHandle,DebugPort,ExceptionPort);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateProcess.h b/HookPorts/Dispatch_NTDLL_NtCreateProcess.h
new file mode 100644
index 0000000..7715019
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateProcess.h
@@ -0,0 +1,41 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtCreateProcess)
+(
+	OUT PHANDLE ProcessHandle,
+	IN ACCESS_MASK DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes,
+	IN HANDLE ParentProcess,
+	IN BOOLEAN InheritObjectTable,
+	IN HANDLE SectionHandle,
+	IN HANDLE DebugPort,
+	IN HANDLE ExceptionPort);
+
+extern __pfnNtCreateProcess pfnNtCreateProcess;
+
+NTSTATUS
+NTAPI
+OnNtCreateProcess(
+	OUT PHANDLE ProcessHandle,
+	IN ACCESS_MASK DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes,
+	IN HANDLE ParentProcess,
+	IN BOOLEAN InheritObjectTable,
+	IN HANDLE SectionHandle,
+	IN HANDLE DebugPort,
+	IN HANDLE ExceptionPort);
+
+NTSTATUS
+NTAPI
+NtCreateProcess(
+	OUT PHANDLE ProcessHandle,
+	IN ACCESS_MASK DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes,
+	IN HANDLE ParentProcess,
+	IN BOOLEAN InheritObjectTable,
+	IN HANDLE SectionHandle,
+	IN HANDLE DebugPort,
+	IN HANDLE ExceptionPort);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateProcessEx.cpp b/HookPorts/Dispatch_NTDLL_NtCreateProcessEx.cpp
new file mode 100644
index 0000000..63befb0
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateProcessEx.cpp
@@ -0,0 +1,100 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtCreateProcessEx.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "./Dispatch_NTDLL_NtQueryInformationProcess.h"
+#include "./Main.h"
+#include "./RemoteInjection.h"
+#include "./Initalization.h"
+
+
+
+//
+//Global
+//
+__pfnNtCreateProcessEx pfnNtCreateProcessEx = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreateProcessEx Functions
+//
+NTSTATUS
+NTAPI
+OnNtCreateProcessEx(
+	OUT PHANDLE ProcessHandle,
+	IN ACCESS_MASK DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes,
+	IN HANDLE ParentProcess,
+	IN BOOLEAN InheritObjectTable,
+	IN HANDLE SectionHandle OPTIONAL,
+	IN HANDLE DebugPort OPTIONAL,
+	IN HANDLE ExceptionPort OPTIONAL,
+	IN HANDLE Unknown)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtCreateProcessEx(
+			ProcessHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			ParentProcess,
+			InheritObjectTable,
+			SectionHandle,
+			DebugPort,
+			ExceptionPort,
+			Unknown
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtCreateProcessEx(
+		ProcessHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		ParentProcess,
+		InheritObjectTable,
+		SectionHandle,
+		DebugPort,
+		ExceptionPort,
+		Unknown
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtCreateProcessEx(
+	OUT PHANDLE ProcessHandle,
+	IN ACCESS_MASK DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes,
+	IN HANDLE ParentProcess,
+	IN BOOLEAN InheritObjectTable,
+	IN HANDLE SectionHandle OPTIONAL,
+	IN HANDLE DebugPort OPTIONAL,
+	IN HANDLE ExceptionPort OPTIONAL,
+	IN HANDLE Unknown)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtCreateProcessEx addFun = (__pfnNtCreateProcessEx)GetProcAddress(hDll,"NtCreateProcessEx");
+	if(addFun)
+	{
+		ret = addFun(ProcessHandle,DesiredAccess,ObjectAttributes,ParentProcess,InheritObjectTable,SectionHandle,DebugPort,ExceptionPort,Unknown);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateProcessEx.h b/HookPorts/Dispatch_NTDLL_NtCreateProcessEx.h
new file mode 100644
index 0000000..b889f37
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateProcessEx.h
@@ -0,0 +1,44 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtCreateProcessEx)
+(
+	OUT PHANDLE ProcessHandle,
+	IN ACCESS_MASK DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes,
+	IN HANDLE ParentProcess,
+	IN BOOLEAN InheritObjectTable,
+	IN HANDLE SectionHandle OPTIONAL,
+	IN HANDLE DebugPort OPTIONAL,
+	IN HANDLE ExceptionPort OPTIONAL,
+	IN HANDLE Unknown);
+
+extern __pfnNtCreateProcessEx pfnNtCreateProcessEx;
+
+NTSTATUS
+NTAPI
+OnNtCreateProcessEx(
+	OUT PHANDLE ProcessHandle,
+	IN ACCESS_MASK DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes,
+	IN HANDLE ParentProcess,
+	IN BOOLEAN InheritObjectTable,
+	IN HANDLE SectionHandle OPTIONAL,
+	IN HANDLE DebugPort OPTIONAL,
+	IN HANDLE ExceptionPort OPTIONAL,
+	IN HANDLE Unknown);
+
+NTSTATUS
+NTAPI
+NtCreateProcessEx(
+	OUT PHANDLE ProcessHandle,
+	IN ACCESS_MASK DesiredAccess,
+	IN POBJECT_ATTRIBUTES ObjectAttributes,
+	IN HANDLE ParentProcess,
+	IN BOOLEAN InheritObjectTable,
+	IN HANDLE SectionHandle OPTIONAL,
+	IN HANDLE DebugPort OPTIONAL,
+	IN HANDLE ExceptionPort OPTIONAL,
+	IN HANDLE Unknown);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateSection.cpp b/HookPorts/Dispatch_NTDLL_NtCreateSection.cpp
new file mode 100644
index 0000000..434672f
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateSection.cpp
@@ -0,0 +1,89 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtCreateSection.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+
+
+
+//
+//Global
+//
+__pfnNtCreateSection pfnNtCreateSection = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreateSection Functions
+//
+NTSTATUS
+NTAPI
+OnNtCreateSection(
+	OUT PHANDLE             SectionHandle,
+	IN ULONG                DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN PLARGE_INTEGER       MaximumSize OPTIONAL,
+	IN ULONG                PageAttributess,
+	IN ULONG                SectionAttributes,
+	IN HANDLE               FileHandle OPTIONAL)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtCreateSection(
+			SectionHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			MaximumSize,
+			PageAttributess,
+			SectionAttributes,
+			FileHandle
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtCreateSection(
+		SectionHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		MaximumSize,
+		PageAttributess,
+		SectionAttributes,
+		FileHandle
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtCreateSection(
+	OUT PHANDLE             SectionHandle,
+	IN ULONG                DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN PLARGE_INTEGER       MaximumSize OPTIONAL,
+	IN ULONG                PageAttributess,
+	IN ULONG                SectionAttributes,
+	IN HANDLE               FileHandle OPTIONAL)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtCreateSection addFun = (__pfnNtCreateSection)GetProcAddress(hDll,"NtCreateSection");
+	if(addFun)
+	{
+		ret = addFun(SectionHandle,DesiredAccess,ObjectAttributes,MaximumSize,PageAttributess,SectionAttributes,FileHandle);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateSection.h b/HookPorts/Dispatch_NTDLL_NtCreateSection.h
new file mode 100644
index 0000000..e06c463
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateSection.h
@@ -0,0 +1,37 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtCreateSection)
+(
+	OUT PHANDLE             SectionHandle,
+	IN ULONG                DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN PLARGE_INTEGER       MaximumSize OPTIONAL,
+	IN ULONG                PageAttributess,
+	IN ULONG                SectionAttributes,
+	IN HANDLE               FileHandle OPTIONAL);
+
+extern __pfnNtCreateSection pfnNtCreateSection;
+
+NTSTATUS
+NTAPI
+OnNtCreateSection(
+	OUT PHANDLE             SectionHandle,
+	IN ULONG                DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN PLARGE_INTEGER       MaximumSize OPTIONAL,
+	IN ULONG                PageAttributess,
+	IN ULONG                SectionAttributes,
+	IN HANDLE               FileHandle OPTIONAL);
+
+NTSTATUS
+NTAPI
+NtCreateSection(
+	OUT PHANDLE             SectionHandle,
+	IN ULONG                DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN PLARGE_INTEGER       MaximumSize OPTIONAL,
+	IN ULONG                PageAttributess,
+	IN ULONG                SectionAttributes,
+	IN HANDLE               FileHandle OPTIONAL);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateSemaphore.cpp b/HookPorts/Dispatch_NTDLL_NtCreateSemaphore.cpp
new file mode 100644
index 0000000..0b1ffe9
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateSemaphore.cpp
@@ -0,0 +1,141 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtCreateSemaphore.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+#include "./Main.h"
+#include "./NativeAPI_NTDLL.h"
+
+
+
+//
+//Global
+//
+__pfnNtCreateSemaphore pfnNtCreateSemaphore = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreateSemaphore Functions
+//
+NTSTATUS
+NTAPI
+OnNtCreateSemaphore(
+	OUT PHANDLE             SemaphoreHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN ULONG                InitialCount,
+	IN ULONG                MaximumCount)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtCreateSemaphore(
+			SemaphoreHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			InitialCount,
+			MaximumCount
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if Address Valid
+	//
+	if( IsBadCodePtr((FARPROC)ObjectAttributes) ||
+		IsBadCodePtr((FARPROC)ObjectAttributes->ObjectName) ||
+		IsBadCodePtr((FARPROC)ObjectAttributes->ObjectName->Buffer)
+		)
+	{
+		nRet = pfnNtCreateSemaphore(
+			SemaphoreHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			InitialCount,
+			MaximumCount
+			);
+
+		return nRet;
+	}
+
+	//
+	//Dispatch
+	//
+	OBJECT_ATTRIBUTES oaObjAttrib = *(POBJECT_ATTRIBUTES)ObjectAttributes;
+
+	WCHAR szSemaphoreName[MAX_NAME] = {NULL};
+	if( ObjectAttributes->ObjectName->Buffer != NULL )
+	{
+		lstrcpy(szSemaphoreName,ObjectAttributes->ObjectName->Buffer);
+
+		wsprintfW(szSemaphoreName,L"%s_%s",g_szSandBoxName,ObjectAttributes->ObjectName->Buffer);
+
+		UNICODE_STRING usMutantName;
+
+		//
+		//Init UNICODE_STRING
+		//
+		RtlInitUnicodeString(&usMutantName,szSemaphoreName);
+
+		oaObjAttrib.ObjectName->Length = usMutantName.Length;
+		oaObjAttrib.ObjectName->MaximumLength = usMutantName.MaximumLength;
+		oaObjAttrib.ObjectName->Buffer = usMutantName.Buffer;
+
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ObjectAttributes->ObjectName->Buffer=");
+		OutputDebugString(szSemaphoreName);
+#endif
+
+		nRet = pfnNtCreateSemaphore(
+			SemaphoreHandle,
+			DesiredAccess,
+			&oaObjAttrib,
+			InitialCount,
+			MaximumCount
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtCreateSemaphore(
+		SemaphoreHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		InitialCount,
+		MaximumCount
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtCreateSemaphore(
+	OUT PHANDLE             SemaphoreHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN ULONG                InitialCount,
+	IN ULONG                MaximumCount)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtCreateSemaphore addFun = (__pfnNtCreateSemaphore)GetProcAddress(hDll,"NtCreateSemaphore");
+	if(addFun)
+	{
+		ret = addFun(SemaphoreHandle,DesiredAccess,ObjectAttributes,InitialCount,MaximumCount);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateSemaphore.h b/HookPorts/Dispatch_NTDLL_NtCreateSemaphore.h
new file mode 100644
index 0000000..31c7ad6
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateSemaphore.h
@@ -0,0 +1,31 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtCreateSemaphore)
+(
+	OUT PHANDLE             SemaphoreHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN ULONG                InitialCount,
+	IN ULONG                MaximumCount);
+
+extern __pfnNtCreateSemaphore pfnNtCreateSemaphore;
+
+NTSTATUS
+NTAPI
+OnNtCreateSemaphore(
+	OUT PHANDLE             SemaphoreHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN ULONG                InitialCount,
+	IN ULONG                MaximumCount);
+
+NTSTATUS
+NTAPI
+NtCreateSemaphore(
+	OUT PHANDLE             SemaphoreHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN ULONG                InitialCount,
+	IN ULONG                MaximumCount);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateThread.cpp b/HookPorts/Dispatch_NTDLL_NtCreateThread.cpp
new file mode 100644
index 0000000..419a0c2
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateThread.cpp
@@ -0,0 +1,113 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtQueryInformationProcess.h"
+
+
+
+//
+//Global
+//
+__pfnNtCreateThread pfnNtCreateThread = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreateThread Functions
+//
+NTSTATUS
+NTAPI
+OnNtCreateThread(
+	OUT PHANDLE             ThreadHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN HANDLE               ProcessHandle,
+	OUT PCLIENT_ID          ClientId,
+	IN PCONTEXT             ThreadContext,
+	IN PINITIAL_TEB         InitialTeb,
+	IN BOOLEAN              CreateSuspended )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtCreateThread(
+			ThreadHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			ProcessHandle,
+			ClientId,
+			ThreadContext,
+			InitialTeb,
+			CreateSuspended
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtCreateThread(
+		ThreadHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		ProcessHandle,
+		ClientId,
+		ThreadContext,
+		InitialTeb,
+		CreateSuspended
+		);
+
+	if(nRet == STATUS_SUCCESS)
+	{
+#ifdef Dbg
+	DWORD dwProcessId = (DWORD)(ClientId->UniqueProcess);
+
+	WCHAR szDebugString[256] = {0};
+	wsprintf(
+		szDebugString,
+		L"OnNtCreateThread dwProcessId=[%d]",
+		dwProcessId
+		);
+	DebugLog(DbgInfo,szDebugString);
+#endif
+	}
+
+#ifdef Dbg
+	DebugLog(DbgInfo,L"Called");
+#endif
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtCreateThread(
+	OUT PHANDLE             ThreadHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN HANDLE               ProcessHandle,
+	OUT PCLIENT_ID          ClientId,
+	IN PCONTEXT             ThreadContext,
+	IN PINITIAL_TEB         InitialTeb,
+	IN BOOLEAN              CreateSuspended )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtCreateThread addFun = (__pfnNtCreateThread)GetProcAddress(hDll,"NtCreateThread");
+	if(addFun)
+	{
+		ret = addFun(ThreadHandle,DesiredAccess,ObjectAttributes,ProcessHandle,ClientId,ThreadContext,InitialTeb,CreateSuspended);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtCreateThread.h b/HookPorts/Dispatch_NTDLL_NtCreateThread.h
new file mode 100644
index 0000000..21c4536
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtCreateThread.h
@@ -0,0 +1,73 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+typedef struct _INITIAL_TEB {
+	PVOID                StackBase;
+	PVOID                StackLimit;
+	PVOID                StackCommit;
+	PVOID                StackCommitMax;
+	PVOID                StackReserved;
+} INITIAL_TEB, *PINITIAL_TEB;
+
+
+//
+// ClientId
+//
+
+//typedef struct _CLIENT_ID {
+//    HANDLE UniqueProcess;
+//    HANDLE UniqueThread;
+//} CLIENT_ID;
+//typedef CLIENT_ID *PCLIENT_ID;
+
+//
+// Object Attributes structure
+//
+
+typedef struct _OBJECT_ATTRIBUTES {
+    ULONG Length;
+    HANDLE RootDirectory;
+    PUNICODE_STRING ObjectName;
+    ULONG Attributes;
+    PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
+    PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE
+} OBJECT_ATTRIBUTES;
+typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
+
+typedef NTSTATUS (NTAPI * __pfnNtCreateThread)
+(
+	OUT PHANDLE             ThreadHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN HANDLE               ProcessHandle,
+	OUT PCLIENT_ID          ClientId,
+	IN PCONTEXT             ThreadContext,
+	IN PINITIAL_TEB         InitialTeb,
+	IN BOOLEAN              CreateSuspended );
+
+extern __pfnNtCreateThread pfnNtCreateThread;
+
+NTSTATUS
+NTAPI
+OnNtCreateThread(
+	OUT PHANDLE             ThreadHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN HANDLE               ProcessHandle,
+	OUT PCLIENT_ID          ClientId,
+	IN PCONTEXT             ThreadContext,
+	IN PINITIAL_TEB         InitialTeb,
+	IN BOOLEAN              CreateSuspended );
+
+NTSTATUS
+NTAPI
+NtCreateThread(
+	OUT PHANDLE             ThreadHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
+	IN HANDLE               ProcessHandle,
+	OUT PCLIENT_ID          ClientId,
+	IN PCONTEXT             ThreadContext,
+	IN PINITIAL_TEB         InitialTeb,
+	IN BOOLEAN              CreateSuspended );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtDeleteFile.cpp b/HookPorts/Dispatch_NTDLL_NtDeleteFile.cpp
new file mode 100644
index 0000000..e605eab
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtDeleteFile.cpp
@@ -0,0 +1,65 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtDeleteFile.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+
+
+//
+//Global
+//
+__pfnNtDeleteFile pfnNtDeleteFile = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtDeleteFile Functions
+//
+NTSTATUS
+NTAPI
+OnNtDeleteFile(
+    IN POBJECT_ATTRIBUTES   ObjectAttributes)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtDeleteFile(
+			ObjectAttributes
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtDeleteFile(
+		ObjectAttributes
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtDeleteFile(
+    IN POBJECT_ATTRIBUTES   ObjectAttributes)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtDeleteFile addFun = (__pfnNtDeleteFile)GetProcAddress(hDll,"NtDeleteFile");
+	if(addFun)
+	{
+		ret = addFun(ObjectAttributes);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtDeleteFile.h b/HookPorts/Dispatch_NTDLL_NtDeleteFile.h
new file mode 100644
index 0000000..a850834
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtDeleteFile.h
@@ -0,0 +1,20 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtCreateProcess.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtDeleteFile)
+(
+    IN POBJECT_ATTRIBUTES   ObjectAttributes);
+
+extern __pfnNtDeleteFile pfnNtDeleteFile;
+
+NTSTATUS
+NTAPI
+OnNtDeleteFile(
+    IN POBJECT_ATTRIBUTES   ObjectAttributes);
+
+NTSTATUS
+NTAPI
+NtDeleteFile(
+    IN POBJECT_ATTRIBUTES   ObjectAttributes);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtDeleteKey.cpp b/HookPorts/Dispatch_NTDLL_NtDeleteKey.cpp
new file mode 100644
index 0000000..d288f38
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtDeleteKey.cpp
@@ -0,0 +1,68 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtDeleteKey.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtDeleteKey pfnNtDeleteKey = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtDeleteKey Functions
+//
+NTSTATUS
+NTAPI
+OnNtDeleteKey(
+	IN HANDLE  KeyHandle
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtDeleteKey(
+			KeyHandle
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtDeleteKey(
+		KeyHandle
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtDeleteKey(
+	IN HANDLE  KeyHandle
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtDeleteKey addFun = (__pfnNtDeleteKey)GetProcAddress(hDll,"NtDeleteKey");
+	if(addFun)
+	{
+		ret = addFun(KeyHandle);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtDeleteKey.h b/HookPorts/Dispatch_NTDLL_NtDeleteKey.h
new file mode 100644
index 0000000..600e7ab
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtDeleteKey.h
@@ -0,0 +1,20 @@
+#pragma once
+
+typedef NTSTATUS (NTAPI * __pfnNtDeleteKey)
+(
+	IN HANDLE  KeyHandle
+    );
+
+extern __pfnNtDeleteKey pfnNtDeleteKey;
+
+NTSTATUS
+NTAPI
+OnNtDeleteKey(
+	IN HANDLE  KeyHandle
+    );
+
+NTSTATUS
+NTAPI
+NtDeleteKey(
+	IN HANDLE  KeyHandle
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtDeleteValueKey.cpp b/HookPorts/Dispatch_NTDLL_NtDeleteValueKey.cpp
new file mode 100644
index 0000000..a8480e2
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtDeleteValueKey.cpp
@@ -0,0 +1,72 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtDeleteValueKey.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtDeleteValueKey pfnNtDeleteValueKey = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtDeleteValueKey Functions
+//
+NTSTATUS
+NTAPI
+OnNtDeleteValueKey(
+	IN HANDLE  KeyHandle,
+	IN PUNICODE_STRING  ValueName
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtDeleteValueKey(
+			KeyHandle,
+			ValueName
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtDeleteValueKey(
+		KeyHandle,
+		ValueName
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtDeleteValueKey(
+	IN HANDLE  KeyHandle,
+	IN PUNICODE_STRING  ValueName
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtDeleteValueKey addFun = (__pfnNtDeleteValueKey)GetProcAddress(hDll,"NtDeleteValueKey");
+	if(addFun)
+	{
+		ret = addFun(KeyHandle,ValueName);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtDeleteValueKey.h b/HookPorts/Dispatch_NTDLL_NtDeleteValueKey.h
new file mode 100644
index 0000000..6631c55
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtDeleteValueKey.h
@@ -0,0 +1,23 @@
+#pragma once
+
+typedef NTSTATUS (NTAPI * __pfnNtDeleteValueKey)
+(
+	IN HANDLE  KeyHandle,
+	IN PUNICODE_STRING  ValueName
+    );
+
+extern __pfnNtDeleteValueKey pfnNtDeleteValueKey;
+
+NTSTATUS
+NTAPI
+OnNtDeleteValueKey(
+	IN HANDLE  KeyHandle,
+	IN PUNICODE_STRING  ValueName
+    );
+
+NTSTATUS
+NTAPI
+NtDeleteValueKey(
+	IN HANDLE  KeyHandle,
+	IN PUNICODE_STRING  ValueName
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtEnumerateKey.cpp b/HookPorts/Dispatch_NTDLL_NtEnumerateKey.cpp
new file mode 100644
index 0000000..6ac3f3a
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtEnumerateKey.cpp
@@ -0,0 +1,88 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtEnumerateKey.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtEnumerateKey pfnNtEnumerateKey = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtEnumerateKey Functions
+//
+NTSTATUS
+NTAPI
+OnNtEnumerateKey(
+	IN HANDLE  KeyHandle,
+	IN ULONG  Index,
+	IN KEY_INFORMATION_CLASS  KeyInformationClass,
+	OUT PVOID  KeyInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtEnumerateKey(
+			KeyHandle,
+			Index,
+			KeyInformationClass,
+			KeyInformation,
+			Length,
+			ResultLength
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtEnumerateKey(
+		KeyHandle,
+		Index,
+		KeyInformationClass,
+		KeyInformation,
+		Length,
+		ResultLength
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtEnumerateKey(
+	IN HANDLE  KeyHandle,
+	IN ULONG  Index,
+	IN KEY_INFORMATION_CLASS  KeyInformationClass,
+	OUT PVOID  KeyInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtEnumerateKey addFun = (__pfnNtEnumerateKey)GetProcAddress(hDll,"NtEnumerateKey");
+	if(addFun)
+	{
+		ret = addFun(KeyHandle,Index,KeyInformationClass,KeyInformation,Length,ResultLength);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtEnumerateKey.h b/HookPorts/Dispatch_NTDLL_NtEnumerateKey.h
new file mode 100644
index 0000000..a41548e
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtEnumerateKey.h
@@ -0,0 +1,42 @@
+#pragma once
+
+typedef enum _KEY_INFORMATION_CLASS {
+    KeyBasicInformation,
+    KeyNodeInformation,
+    KeyFullInformation,
+    KeyNameInformation
+} KEY_INFORMATION_CLASS;
+
+typedef NTSTATUS (NTAPI * __pfnNtEnumerateKey)
+(
+	IN HANDLE  KeyHandle,
+	IN ULONG  Index,
+	IN KEY_INFORMATION_CLASS  KeyInformationClass,
+	OUT PVOID  KeyInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+    );
+
+extern __pfnNtEnumerateKey pfnNtEnumerateKey;
+
+NTSTATUS
+NTAPI
+OnNtEnumerateKey(
+	IN HANDLE  KeyHandle,
+	IN ULONG  Index,
+	IN KEY_INFORMATION_CLASS  KeyInformationClass,
+	OUT PVOID  KeyInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+    );
+
+NTSTATUS
+NTAPI
+NtEnumerateKey(
+	IN HANDLE  KeyHandle,
+	IN ULONG  Index,
+	IN KEY_INFORMATION_CLASS  KeyInformationClass,
+	OUT PVOID  KeyInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtEnumerateValueKey.cpp b/HookPorts/Dispatch_NTDLL_NtEnumerateValueKey.cpp
new file mode 100644
index 0000000..848717b
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtEnumerateValueKey.cpp
@@ -0,0 +1,88 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtEnumerateValueKey.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtEnumerateValueKey pfnNtEnumerateValueKey = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtEnumerateValueKey Functions
+//
+NTSTATUS
+NTAPI
+OnNtEnumerateValueKey(
+	IN HANDLE  KeyHandle,
+	IN ULONG  Index,
+	IN KEY_VALUE_INFORMATION_CLASS  KeyValueInformationClass,
+	OUT PVOID  KeyValueInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtEnumerateValueKey(
+			KeyHandle,
+			Index,
+			KeyValueInformationClass,
+			KeyValueInformation,
+			Length,
+			ResultLength
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtEnumerateValueKey(
+		KeyHandle,
+		Index,
+		KeyValueInformationClass,
+		KeyValueInformation,
+		Length,
+		ResultLength
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtEnumerateValueKey(
+	IN HANDLE  KeyHandle,
+	IN ULONG  Index,
+	IN KEY_VALUE_INFORMATION_CLASS  KeyValueInformationClass,
+	OUT PVOID  KeyValueInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtEnumerateValueKey addFun = (__pfnNtEnumerateValueKey)GetProcAddress(hDll,"NtEnumerateValueKey");
+	if(addFun)
+	{
+		ret = addFun(KeyHandle,Index,KeyValueInformationClass,KeyValueInformation,Length,ResultLength);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtEnumerateValueKey.h b/HookPorts/Dispatch_NTDLL_NtEnumerateValueKey.h
new file mode 100644
index 0000000..0bcec76
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtEnumerateValueKey.h
@@ -0,0 +1,43 @@
+#pragma once
+
+typedef enum _KEY_VALUE_INFORMATION_CLASS {
+    KeyValueBasicInformation,
+    KeyValueFullInformation,
+    KeyValuePartialInformation,
+    KeyValueFullInformationAlign64,
+    KeyValuePartialInformationAlign64
+} KEY_VALUE_INFORMATION_CLASS;
+
+typedef NTSTATUS (NTAPI * __pfnNtEnumerateValueKey)
+(
+	IN HANDLE  KeyHandle,
+	IN ULONG  Index,
+	IN KEY_VALUE_INFORMATION_CLASS  KeyValueInformationClass,
+	OUT PVOID  KeyValueInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+    );
+
+extern __pfnNtEnumerateValueKey pfnNtEnumerateValueKey;
+
+NTSTATUS
+NTAPI
+OnNtEnumerateValueKey(
+	IN HANDLE  KeyHandle,
+	IN ULONG  Index,
+	IN KEY_VALUE_INFORMATION_CLASS  KeyValueInformationClass,
+	OUT PVOID  KeyValueInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+    );
+
+NTSTATUS
+NTAPI
+NtEnumerateValueKey(
+	IN HANDLE  KeyHandle,
+	IN ULONG  Index,
+	IN KEY_VALUE_INFORMATION_CLASS  KeyValueInformationClass,
+	OUT PVOID  KeyValueInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtFsControlFile.cpp b/HookPorts/Dispatch_NTDLL_NtFsControlFile.cpp
new file mode 100644
index 0000000..1b31f26
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtFsControlFile.cpp
@@ -0,0 +1,104 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtFsControlFile.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtFsControlFile pfnNtFsControlFile = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtFsControlFile Functions
+//
+NTSTATUS
+NTAPI
+OnNtFsControlFile(
+    IN HANDLE  FileHandle,
+    IN HANDLE  Event OPTIONAL,
+    IN PIO_APC_ROUTINE  ApcRoutine OPTIONAL,
+    IN PVOID  ApcContext OPTIONAL,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN ULONG  FsControlCode,
+    IN PVOID  InputBuffer OPTIONAL,
+    IN ULONG  InputBufferLength,
+    OUT PVOID  OutputBuffer OPTIONAL,
+    IN ULONG  OutputBufferLength
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtFsControlFile(
+			FileHandle,
+			Event,
+			ApcRoutine,
+			ApcContext,
+			IoStatusBlock,
+			FsControlCode,
+			InputBuffer,
+			InputBufferLength,
+			OutputBuffer,
+			OutputBufferLength
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtFsControlFile(
+		FileHandle,
+		Event,
+		ApcRoutine,
+		ApcContext,
+		IoStatusBlock,
+		FsControlCode,
+		InputBuffer,
+		InputBufferLength,
+		OutputBuffer,
+		OutputBufferLength
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtFsControlFile(
+    IN HANDLE  FileHandle,
+    IN HANDLE  Event OPTIONAL,
+    IN PIO_APC_ROUTINE  ApcRoutine OPTIONAL,
+    IN PVOID  ApcContext OPTIONAL,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN ULONG  FsControlCode,
+    IN PVOID  InputBuffer OPTIONAL,
+    IN ULONG  InputBufferLength,
+    OUT PVOID  OutputBuffer OPTIONAL,
+    IN ULONG  OutputBufferLength
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtFsControlFile addFun = (__pfnNtFsControlFile)GetProcAddress(hDll,"NtFsControlFile");
+	if(addFun)
+	{
+		ret = addFun(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,FsControlCode,InputBuffer,InputBufferLength,OutputBuffer,OutputBufferLength);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtFsControlFile.h b/HookPorts/Dispatch_NTDLL_NtFsControlFile.h
new file mode 100644
index 0000000..1ec215c
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtFsControlFile.h
@@ -0,0 +1,62 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+
+//
+// Define an Asynchronous Procedure Call from I/O viewpoint
+//
+
+typedef
+VOID
+(NTAPI *PIO_APC_ROUTINE) (
+    IN PVOID ApcContext,
+    IN PIO_STATUS_BLOCK IoStatusBlock,
+    IN ULONG Reserved
+    );
+#define PIO_APC_ROUTINE_DEFINED
+
+typedef NTSTATUS (NTAPI * __pfnNtFsControlFile)
+(
+    IN HANDLE  FileHandle,
+    IN HANDLE  Event OPTIONAL,
+    IN PIO_APC_ROUTINE  ApcRoutine OPTIONAL,
+    IN PVOID  ApcContext OPTIONAL,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN ULONG  FsControlCode,
+    IN PVOID  InputBuffer OPTIONAL,
+    IN ULONG  InputBufferLength,
+    OUT PVOID  OutputBuffer OPTIONAL,
+    IN ULONG  OutputBufferLength
+    );
+
+extern __pfnNtFsControlFile pfnNtFsControlFile;
+
+NTSTATUS
+NTAPI
+OnNtFsControlFile(
+    IN HANDLE  FileHandle,
+    IN HANDLE  Event OPTIONAL,
+    IN PIO_APC_ROUTINE  ApcRoutine OPTIONAL,
+    IN PVOID  ApcContext OPTIONAL,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN ULONG  FsControlCode,
+    IN PVOID  InputBuffer OPTIONAL,
+    IN ULONG  InputBufferLength,
+    OUT PVOID  OutputBuffer OPTIONAL,
+    IN ULONG  OutputBufferLength
+    );
+
+NTSTATUS
+NTAPI
+NtFsControlFile(
+    IN HANDLE  FileHandle,
+    IN HANDLE  Event OPTIONAL,
+    IN PIO_APC_ROUTINE  ApcRoutine OPTIONAL,
+    IN PVOID  ApcContext OPTIONAL,
+    OUT PIO_STATUS_BLOCK  IoStatusBlock,
+    IN ULONG  FsControlCode,
+    IN PVOID  InputBuffer OPTIONAL,
+    IN ULONG  InputBufferLength,
+    OUT PVOID  OutputBuffer OPTIONAL,
+    IN ULONG  OutputBufferLength
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtGetContextThread.cpp b/HookPorts/Dispatch_NTDLL_NtGetContextThread.cpp
new file mode 100644
index 0000000..907d3e2
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtGetContextThread.cpp
@@ -0,0 +1,72 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtGetContextThread.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtGetContextThread pfnNtGetContextThread = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtGetContextThread Functions
+//
+NTSTATUS
+NTAPI
+OnNtGetContextThread(
+	IN HANDLE               ThreadHandle,
+	OUT PCONTEXT            pContext )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtGetContextThread(
+			ThreadHandle,
+			pContext
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtGetContextThread(
+		ThreadHandle,
+		pContext
+		);
+
+#ifdef Dbg
+	DebugLog(DbgInfo,L"Called");
+#endif
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtGetContextThread(
+	IN HANDLE               ThreadHandle,
+	OUT PCONTEXT            pContext )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtGetContextThread addFun = (__pfnNtGetContextThread)GetProcAddress(hDll,"NtGetContextThread");
+	if(addFun)
+	{
+		ret = addFun(ThreadHandle,pContext);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtGetContextThread.h b/HookPorts/Dispatch_NTDLL_NtGetContextThread.h
new file mode 100644
index 0000000..2a164b1
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtGetContextThread.h
@@ -0,0 +1,20 @@
+#pragma once
+
+typedef NTSTATUS (NTAPI * __pfnNtGetContextThread)
+(
+	IN HANDLE               ThreadHandle,
+	OUT PCONTEXT            pContext );
+
+extern __pfnNtGetContextThread pfnNtGetContextThread;
+
+NTSTATUS
+NTAPI
+OnNtGetContextThread(
+	IN HANDLE               ThreadHandle,
+	OUT PCONTEXT            pContext );
+
+NTSTATUS
+NTAPI
+NtGetContextThread(
+	IN HANDLE               ThreadHandle,
+	OUT PCONTEXT            pContext );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtLoadDriver.cpp b/HookPorts/Dispatch_NTDLL_NtLoadDriver.cpp
new file mode 100644
index 0000000..45a1407
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtLoadDriver.cpp
@@ -0,0 +1,64 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtLoadDriver.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+
+
+//
+//Global
+//
+__pfnNtLoadDriver pfnNtLoadDriver = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtCreateThread Functions
+//
+NTSTATUS
+NTAPI
+OnNtLoadDriver(
+	IN PUNICODE_STRING DriverServiceName )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtLoadDriver(
+			DriverServiceName
+			);
+
+		return nRet;
+	}
+
+	//
+	//Refuse directly
+	//
+	return STATUS_ACCESS_DENIED;
+}
+
+NTSTATUS
+NTAPI
+NtLoadDriver(
+	IN PUNICODE_STRING DriverServiceName )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtLoadDriver addFun = (__pfnNtLoadDriver)GetProcAddress(hDll,"NtLoadDriver");
+	if(addFun)
+	{
+		ret = addFun(DriverServiceName);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtLoadDriver.h b/HookPorts/Dispatch_NTDLL_NtLoadDriver.h
new file mode 100644
index 0000000..7700f73
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtLoadDriver.h
@@ -0,0 +1,19 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtLoadDriver)
+(
+	IN PUNICODE_STRING DriverServiceName );
+
+extern __pfnNtLoadDriver pfnNtLoadDriver;
+
+NTSTATUS
+NTAPI
+OnNtLoadDriver(
+	IN PUNICODE_STRING DriverServiceName );
+
+NTSTATUS
+NTAPI
+NtLoadDriver(
+	IN PUNICODE_STRING DriverServiceName );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtNotifyChangeKey.cpp b/HookPorts/Dispatch_NTDLL_NtNotifyChangeKey.cpp
new file mode 100644
index 0000000..e722455
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtNotifyChangeKey.cpp
@@ -0,0 +1,104 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtNotifyChangeKey.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtNotifyChangeKey pfnNtNotifyChangeKey = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtNotifyChangeKey Functions
+//
+NTSTATUS
+NTAPI
+OnNtNotifyChangeKey(
+	IN HANDLE               KeyHandle,
+	IN HANDLE               EventHandle,
+	IN PIO_APC_ROUTINE      ApcRoutine,
+	IN PVOID                ApcRoutineContext,
+	IN PIO_STATUS_BLOCK     IoStatusBlock,
+	IN ULONG                NotifyFilter,
+	IN BOOLEAN              WatchSubtree,
+	OUT PVOID               RegChangesDataBuffer,
+	IN ULONG                RegChangesDataBufferLength,
+	IN BOOLEAN              Asynchronous
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtNotifyChangeKey(
+			KeyHandle,
+			EventHandle,
+			ApcRoutine,
+			ApcRoutineContext,
+			IoStatusBlock,
+			NotifyFilter,
+			WatchSubtree,
+			RegChangesDataBuffer,
+			RegChangesDataBufferLength,
+			Asynchronous
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtNotifyChangeKey(
+		KeyHandle,
+		EventHandle,
+		ApcRoutine,
+		ApcRoutineContext,
+		IoStatusBlock,
+		NotifyFilter,
+		WatchSubtree,
+		RegChangesDataBuffer,
+		RegChangesDataBufferLength,
+		Asynchronous
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtNotifyChangeKey(
+	IN HANDLE               KeyHandle,
+	IN HANDLE               EventHandle,
+	IN PIO_APC_ROUTINE      ApcRoutine,
+	IN PVOID                ApcRoutineContext,
+	IN PIO_STATUS_BLOCK     IoStatusBlock,
+	IN ULONG                NotifyFilter,
+	IN BOOLEAN              WatchSubtree,
+	OUT PVOID               RegChangesDataBuffer,
+	IN ULONG                RegChangesDataBufferLength,
+	IN BOOLEAN              Asynchronous
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtNotifyChangeKey addFun = (__pfnNtNotifyChangeKey)GetProcAddress(hDll,"NtNotifyChangeKey");
+	if(addFun)
+	{
+		ret = addFun(KeyHandle,EventHandle,ApcRoutine,ApcRoutineContext,IoStatusBlock,NotifyFilter,WatchSubtree,RegChangesDataBuffer,RegChangesDataBufferLength,Asynchronous);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtNotifyChangeKey.h b/HookPorts/Dispatch_NTDLL_NtNotifyChangeKey.h
new file mode 100644
index 0000000..c2e4535
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtNotifyChangeKey.h
@@ -0,0 +1,49 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtFsControlFile.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtNotifyChangeKey)
+(
+	IN HANDLE               KeyHandle,
+	IN HANDLE               EventHandle,
+	IN PIO_APC_ROUTINE      ApcRoutine,
+	IN PVOID                ApcRoutineContext,
+	IN PIO_STATUS_BLOCK     IoStatusBlock,
+	IN ULONG                NotifyFilter,
+	IN BOOLEAN              WatchSubtree,
+	OUT PVOID               RegChangesDataBuffer,
+	IN ULONG                RegChangesDataBufferLength,
+	IN BOOLEAN              Asynchronous
+    );
+
+extern __pfnNtNotifyChangeKey pfnNtNotifyChangeKey;
+
+NTSTATUS
+NTAPI
+OnNtNotifyChangeKey(
+	IN HANDLE               KeyHandle,
+	IN HANDLE               EventHandle,
+	IN PIO_APC_ROUTINE      ApcRoutine,
+	IN PVOID                ApcRoutineContext,
+	IN PIO_STATUS_BLOCK     IoStatusBlock,
+	IN ULONG                NotifyFilter,
+	IN BOOLEAN              WatchSubtree,
+	OUT PVOID               RegChangesDataBuffer,
+	IN ULONG                RegChangesDataBufferLength,
+	IN BOOLEAN              Asynchronous
+    );
+
+NTSTATUS
+NTAPI
+NtNotifyChangeKey(
+	IN HANDLE               KeyHandle,
+	IN HANDLE               EventHandle,
+	IN PIO_APC_ROUTINE      ApcRoutine,
+	IN PVOID                ApcRoutineContext,
+	IN PIO_STATUS_BLOCK     IoStatusBlock,
+	IN ULONG                NotifyFilter,
+	IN BOOLEAN              WatchSubtree,
+	OUT PVOID               RegChangesDataBuffer,
+	IN ULONG                RegChangesDataBufferLength,
+	IN BOOLEAN              Asynchronous
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtNotifyChangeMultipleKeys.cpp b/HookPorts/Dispatch_NTDLL_NtNotifyChangeMultipleKeys.cpp
new file mode 100644
index 0000000..50e7ed6
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtNotifyChangeMultipleKeys.cpp
@@ -0,0 +1,112 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtNotifyChangeMultipleKeys.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtNotifyChangeMultipleKeys pfnNtNotifyChangeMultipleKeys = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtNotifyChangeMultipleKeys Functions
+//
+NTSTATUS
+NTAPI
+OnNtNotifyChangeMultipleKeys(
+	IN HANDLE               MasterKeyHandle,
+	IN ULONG			    Count,
+	IN OBJECT_ATTRIBUTES    SubordinateObjects,
+	IN HANDLE               Event,
+	IN PIO_APC_ROUTINE		ApcRoutine,
+	IN PVOID				ApcContext,
+	OUT PIO_STATUS_BLOCK	IoStatusBlock,
+	IN ULONG				CompletionFilter,
+	IN BOOLEAN				WatchTree,
+	OUT PVOID				Buffer,
+	IN ULONG				BufferSize,
+	IN BOOLEAN				Asynchronous
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtNotifyChangeMultipleKeys(
+			MasterKeyHandle,
+			Count,
+			SubordinateObjects,
+			Event,
+			ApcRoutine,
+			ApcContext,
+			IoStatusBlock,
+			CompletionFilter,
+			WatchTree,
+			Buffer,
+			BufferSize,
+			Asynchronous
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtNotifyChangeMultipleKeys(
+		MasterKeyHandle,
+		Count,
+		SubordinateObjects,
+		Event,
+		ApcRoutine,
+		ApcContext,
+		IoStatusBlock,
+		CompletionFilter,
+		WatchTree,
+		Buffer,
+		BufferSize,
+		Asynchronous
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtNotifyChangeMultipleKeys(
+	IN HANDLE               MasterKeyHandle,
+	IN ULONG			    Count,
+	IN OBJECT_ATTRIBUTES    SubordinateObjects,
+	IN HANDLE               Event,
+	IN PIO_APC_ROUTINE		ApcRoutine,
+	IN PVOID				ApcContext,
+	OUT PIO_STATUS_BLOCK	IoStatusBlock,
+	IN ULONG				CompletionFilter,
+	IN BOOLEAN				WatchTree,
+	OUT PVOID				Buffer,
+	IN ULONG				BufferSize,
+	IN BOOLEAN				Asynchronous
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtNotifyChangeMultipleKeys addFun = (__pfnNtNotifyChangeMultipleKeys)GetProcAddress(hDll,"NtNotifyChangeMultipleKeys");
+	if(addFun)
+	{
+		ret = addFun(MasterKeyHandle,Count,SubordinateObjects,Event,ApcRoutine,ApcContext,IoStatusBlock,CompletionFilter,WatchTree,Buffer,BufferSize,Asynchronous);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtNotifyChangeMultipleKeys.h b/HookPorts/Dispatch_NTDLL_NtNotifyChangeMultipleKeys.h
new file mode 100644
index 0000000..cd03dbd
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtNotifyChangeMultipleKeys.h
@@ -0,0 +1,56 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtFsControlFile.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtNotifyChangeMultipleKeys)
+(
+	IN HANDLE               MasterKeyHandle,
+	IN ULONG			    Count,
+	IN OBJECT_ATTRIBUTES    SubordinateObjects,
+	IN HANDLE               Event,
+	IN PIO_APC_ROUTINE		ApcRoutine,
+	IN PVOID				ApcContext,
+	OUT PIO_STATUS_BLOCK	IoStatusBlock,
+	IN ULONG				CompletionFilter,
+	IN BOOLEAN				WatchTree,
+	OUT PVOID				Buffer,
+	IN ULONG				BufferSize,
+	IN BOOLEAN				Asynchronous
+    );
+
+extern __pfnNtNotifyChangeMultipleKeys pfnNtNotifyChangeMultipleKeys;
+
+NTSTATUS
+NTAPI
+OnNtNotifyChangeMultipleKeys(
+	IN HANDLE               MasterKeyHandle,
+	IN ULONG			    Count,
+	IN OBJECT_ATTRIBUTES    SubordinateObjects,
+	IN HANDLE               Event,
+	IN PIO_APC_ROUTINE		ApcRoutine,
+	IN PVOID				ApcContext,
+	OUT PIO_STATUS_BLOCK	IoStatusBlock,
+	IN ULONG				CompletionFilter,
+	IN BOOLEAN				WatchTree,
+	OUT PVOID				Buffer,
+	IN ULONG				BufferSize,
+	IN BOOLEAN				Asynchronous
+    );
+
+NTSTATUS
+NTAPI
+NtNotifyChangeMultipleKeys(
+	IN HANDLE               MasterKeyHandle,
+	IN ULONG			    Count,
+	IN OBJECT_ATTRIBUTES    SubordinateObjects,
+	IN HANDLE               Event,
+	IN PIO_APC_ROUTINE		ApcRoutine,
+	IN PVOID				ApcContext,
+	OUT PIO_STATUS_BLOCK	IoStatusBlock,
+	IN ULONG				CompletionFilter,
+	IN BOOLEAN				WatchTree,
+	OUT PVOID				Buffer,
+	IN ULONG				BufferSize,
+	IN BOOLEAN				Asynchronous
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenEvent.cpp b/HookPorts/Dispatch_NTDLL_NtOpenEvent.cpp
new file mode 100644
index 0000000..655335b
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenEvent.cpp
@@ -0,0 +1,73 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtOpenEvent.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+
+
+
+//
+//Global
+//
+__pfnNtOpenEvent pfnNtOpenEvent = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtOpenEvent Functions
+//
+NTSTATUS
+NTAPI
+OnNtOpenEvent(
+	OUT PHANDLE             EventHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtOpenEvent(
+			EventHandle,
+			DesiredAccess,
+			ObjectAttributes
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtOpenEvent(
+		EventHandle,
+		DesiredAccess,
+		ObjectAttributes
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtOpenEvent(
+	OUT PHANDLE             EventHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtOpenEvent addFun = (__pfnNtOpenEvent)GetProcAddress(hDll,"NtOpenEvent");
+	if(addFun)
+	{
+		ret = addFun(EventHandle,DesiredAccess,ObjectAttributes);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenEvent.h b/HookPorts/Dispatch_NTDLL_NtOpenEvent.h
new file mode 100644
index 0000000..abe10a4
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenEvent.h
@@ -0,0 +1,26 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtCreateEvent.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtOpenEvent)
+(
+	OUT PHANDLE             EventHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes);
+
+extern __pfnNtOpenEvent pfnNtOpenEvent;
+
+NTSTATUS
+NTAPI
+OnNtOpenEvent(
+	OUT PHANDLE             EventHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes);
+
+NTSTATUS
+NTAPI
+NtOpenEvent(
+	OUT PHANDLE             EventHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenFile.cpp b/HookPorts/Dispatch_NTDLL_NtOpenFile.cpp
new file mode 100644
index 0000000..14c7782
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenFile.cpp
@@ -0,0 +1,302 @@
+#include <windows.h>
+#include <ntsecapi.h>
+#include <winbase.h>
+
+#include "./Dispatch_NTDLL_NtOpenFile.h"
+#include "../Common///DebugLog.h"
+#include "./HookHelp.h"
+#include "./HookHelp_File.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+#include "./Main.h"
+#include "./NativeAPI_NTDLL.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtQueryAttributesFile.h"
+#include "./Dispatch_NTDLL_NtClose.h"
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+#include "./Dispatch_NTDLL_NtQueryObject.h"
+#include "./Dispatch_NTDLL_NtDeleteFile.h"
+
+
+
+//
+//Global
+//
+__pfnNtOpenFile pfnNtOpenFile = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtOpenFile Functions
+//
+NTSTATUS
+NTAPI
+OnNtOpenFile(
+	OUT PHANDLE  FileHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	OUT PIO_STATUS_BLOCK  IoStatusBlock,
+	IN ULONG  ShareAccess,
+	IN ULONG  OpenOptions)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtOpenFile(
+			FileHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			IoStatusBlock,
+			ShareAccess,
+			OpenOptions
+			);
+
+		return nRet;
+	}
+
+	NTSTATUS nStatusQuery;
+	FILE_BASIC_INFORMATION fbiFileAttributes;
+	nStatusQuery = NtQueryAttributesFile(ObjectAttributes,&fbiFileAttributes);
+	if( nStatusQuery != STATUS_OBJECT_NAME_NOT_FOUND &&
+		nStatusQuery != STATUS_SUCCESS
+		)
+	{
+		nRet = pfnNtOpenFile(
+			FileHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			IoStatusBlock,
+			ShareAccess,
+			OpenOptions
+			);
+
+		return nRet;
+	}
+
+	//(\\??\\C:\\WINDOWS\\XXX)
+	WCHAR szLongNtPath[MAX_NAME] = {NULL};
+	//(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+	WCHAR szDispatchNtPath[MAX_NAME] = {NULL};
+	UNICODE_STRING usDispatchNtPath;
+
+	WCHAR szBuffer[MAX_NAME] = {NULL};
+	lstrcpyW(szBuffer,ObjectAttributes->ObjectName->Buffer);
+
+	if( GetLongNtPathName(NULL,ObjectAttributes->RootDirectory,szBuffer,g_szRestoreNtPath,szLongNtPath,szDispatchNtPath) != 0 )
+	{
+#ifdef Dbg
+		//DebugLog(DbgInfo,L"GetLongNtPathName failed! szLongNtPath=");
+		//OutputDebugString(szLongNtPath);
+#endif
+
+		nRet = pfnNtOpenFile(
+			FileHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			IoStatusBlock,
+			ShareAccess,
+			OpenOptions
+			);
+
+		return nRet;
+	}
+
+	//
+	//Init UNICODE_STRING
+	//
+	RtlInitUnicodeString(&usDispatchNtPath,szDispatchNtPath);
+
+	////OutputDebugString(L"\r\nNtOpenFile szLongNtPath=");
+	////OutputDebugString(szLongNtPath);
+
+	//
+	//Check if request in SandBox
+	//
+	if( wcsnicmp(szLongNtPath,g_szRestoreNtPath,lstrlenW(g_szRestoreNtPath)) == 0 )
+	{
+#ifdef Dbg
+		//DebugLog(DbgInfo,L"request in SandBox! szLongNtPath=");
+		//OutputDebugString(szLongNtPath);
+#endif
+
+		nRet = pfnNtOpenFile(
+			FileHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			IoStatusBlock,
+			ShareAccess,
+			OpenOptions
+			);
+
+		return nRet;
+	}
+
+	//
+	//Get FileName
+	//
+	OBJECT_ATTRIBUTES oaObjAttrib = *(POBJECT_ATTRIBUTES)ObjectAttributes;
+
+	if( nStatusQuery == STATUS_OBJECT_NAME_NOT_FOUND )//FILE_DOES_NOT_EXIST
+	{
+		int iFileDispatch = -1;
+		iFileDispatch = QueryDispatchedFile(szDispatchNtPath);
+		if( iFileDispatch == -1 )
+		{
+#ifdef Dbg
+			//DebugLog(DbgInfo,L"iFileDispatch == -1! szLongNtPath=");
+			//OutputDebugString(szLongNtPath);
+#endif
+
+			nRet = FILE_DOES_NOT_EXIST;
+			return nRet;
+		}
+		else
+		if( iFileDispatch == 1 )
+		{
+			//
+			//Dispatch
+			//
+			if( oaObjAttrib.RootDirectory != NULL )
+			{
+				oaObjAttrib.RootDirectory = NULL;
+			}
+			oaObjAttrib.ObjectName->Length = usDispatchNtPath.Length;
+			oaObjAttrib.ObjectName->MaximumLength = usDispatchNtPath.MaximumLength;
+			oaObjAttrib.ObjectName->Buffer = usDispatchNtPath.Buffer;
+
+#ifdef Dbg
+			//DebugLog(DbgInfo,L"Dispatch! szLongNtPath=");
+			//OutputDebugString(szLongNtPath);
+#endif
+
+			nRet = pfnNtOpenFile(
+				FileHandle,
+				DesiredAccess,
+				&oaObjAttrib,
+				IoStatusBlock,
+				ShareAccess,
+				OpenOptions
+				);
+
+			return nRet;
+		}
+	}
+	else
+	if(	nStatusQuery == STATUS_SUCCESS )//FILE_EXISTS
+	{
+#ifdef Dbg
+		//DebugLog(DbgInfo,L"nStatusQuery == STATUS_SUCCESS! szLongNtPath=");
+		//OutputDebugString(szLongNtPath);
+#endif
+
+		int iFileDispatch = -1;
+		iFileDispatch = QueryDispatchedFile(szDispatchNtPath);
+		if( iFileDispatch == -1 )
+		{
+			nRet = STATUS_UNSUCCESSFUL;
+			return nRet;
+		}
+		else
+		if( iFileDispatch == 1 )
+		{
+			HANDLE hFile = NULL;
+			IO_STATUS_BLOCK IoSB;
+			NTSTATUS nCreateFile;
+
+			//
+			//Check if the file is a directory
+			//
+			nCreateFile = NtCreateFile(
+						&hFile,
+						FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE,
+						&oaObjAttrib,
+						&IoSB,
+						NULL,
+						FILE_ATTRIBUTE_NORMAL,
+						FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+						FILE_OPEN,
+						FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE,
+						NULL,
+						NULL
+						);
+			if( nCreateFile == STATUS_SUCCESS &&
+				IoSB.Information == FILE_OPENED
+				)
+			{
+				NtClose(hFile);
+
+				nRet = pfnNtOpenFile(
+					FileHandle,
+					DesiredAccess,
+					&oaObjAttrib,
+					IoStatusBlock,
+					ShareAccess,
+					OpenOptions
+					);
+
+				return nRet;
+			}
+
+			//
+			//Dispatch
+			//
+			if( oaObjAttrib.RootDirectory != NULL )
+			{
+				oaObjAttrib.RootDirectory = NULL;
+			}
+			oaObjAttrib.ObjectName->Length = usDispatchNtPath.Length;
+			oaObjAttrib.ObjectName->MaximumLength = usDispatchNtPath.MaximumLength;
+			oaObjAttrib.ObjectName->Buffer = usDispatchNtPath.Buffer;
+
+			nRet = pfnNtOpenFile(
+				FileHandle,
+				DesiredAccess,
+				&oaObjAttrib,
+				IoStatusBlock,
+				ShareAccess,
+				OpenOptions
+				);
+
+			return nRet;
+		}
+	}
+
+	nRet = pfnNtOpenFile(
+		FileHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		IoStatusBlock,
+		ShareAccess,
+		OpenOptions
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtOpenFile(
+	OUT PHANDLE  FileHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	OUT PIO_STATUS_BLOCK  IoStatusBlock,
+	IN ULONG  ShareAccess,
+	IN ULONG  OpenOptions)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtOpenFile addFun = (__pfnNtOpenFile)GetProcAddress(hDll,"NtOpenFile");
+	if(addFun)
+	{
+		ret = addFun(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,ShareAccess,OpenOptions);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenFile.h b/HookPorts/Dispatch_NTDLL_NtOpenFile.h
new file mode 100644
index 0000000..4cf43b9
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenFile.h
@@ -0,0 +1,37 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+#include "./Dispatch_NTDLL_NtCreateFile.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtOpenFile)
+(
+	OUT PHANDLE  FileHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	OUT PIO_STATUS_BLOCK  IoStatusBlock,
+	IN ULONG  ShareAccess,
+	IN ULONG  OpenOptions);
+
+extern __pfnNtOpenFile pfnNtOpenFile;
+
+NTSTATUS
+NTAPI
+OnNtOpenFile(
+	OUT PHANDLE  FileHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	OUT PIO_STATUS_BLOCK  IoStatusBlock,
+	IN ULONG  ShareAccess,
+	IN ULONG  OpenOptions);
+
+NTSTATUS
+NTAPI
+NtOpenFile(
+	OUT PHANDLE  FileHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	OUT PIO_STATUS_BLOCK  IoStatusBlock,
+	IN ULONG  ShareAccess,
+	IN ULONG  OpenOptions);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenKey.cpp b/HookPorts/Dispatch_NTDLL_NtOpenKey.cpp
new file mode 100644
index 0000000..bc74c85
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenKey.cpp
@@ -0,0 +1,76 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtOpenKey.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtOpenKey pfnNtOpenKey = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtOpenKey Functions
+//
+NTSTATUS
+NTAPI
+OnNtOpenKey(
+	OUT PHANDLE  KeyHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtOpenKey(
+			KeyHandle,
+			DesiredAccess,
+			ObjectAttributes
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtOpenKey(
+		KeyHandle,
+		DesiredAccess,
+		ObjectAttributes
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtOpenKey(
+	OUT PHANDLE  KeyHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtOpenKey addFun = (__pfnNtOpenKey)GetProcAddress(hDll,"NtOpenKey");
+	if(addFun)
+	{
+		ret = addFun(KeyHandle,DesiredAccess,ObjectAttributes);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenKey.h b/HookPorts/Dispatch_NTDLL_NtOpenKey.h
new file mode 100644
index 0000000..1c2c572
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenKey.h
@@ -0,0 +1,28 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtOpenKey)
+(
+	OUT PHANDLE  KeyHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes
+    );
+
+extern __pfnNtOpenKey pfnNtOpenKey;
+
+NTSTATUS
+NTAPI
+OnNtOpenKey(
+	OUT PHANDLE  KeyHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes
+    );
+
+NTSTATUS
+NTAPI
+NtOpenKey(
+	OUT PHANDLE  KeyHandle,
+	IN ACCESS_MASK  DesiredAccess,
+	IN POBJECT_ATTRIBUTES  ObjectAttributes
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenMutant.cpp b/HookPorts/Dispatch_NTDLL_NtOpenMutant.cpp
new file mode 100644
index 0000000..d1c58cf
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenMutant.cpp
@@ -0,0 +1,129 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtOpenMutant.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+#include "./Main.h"
+#include "./NativeAPI_NTDLL.h"
+
+
+
+//
+//Global
+//
+__pfnNtOpenMutant pfnNtOpenMutant = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtOpenMutant Functions
+//
+NTSTATUS
+NTAPI
+OnNtOpenMutant(
+	OUT PHANDLE             MutantHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtOpenMutant(
+			MutantHandle,
+			DesiredAccess,
+			ObjectAttributes
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if Address Valid
+	//
+	if( IsBadCodePtr((FARPROC)ObjectAttributes) ||
+		IsBadCodePtr((FARPROC)ObjectAttributes->ObjectName) ||
+		IsBadCodePtr((FARPROC)ObjectAttributes->ObjectName->Buffer)
+		)
+	{
+		nRet = pfnNtOpenMutant(
+			MutantHandle,
+			DesiredAccess,
+			ObjectAttributes
+			);
+
+		return nRet;
+	}
+
+	//
+	//Dispatch
+	//
+	OBJECT_ATTRIBUTES oaObjAttrib = *(POBJECT_ATTRIBUTES)ObjectAttributes;
+
+	WCHAR szMutantName[MAX_NAME] = {NULL};
+	if( ObjectAttributes->ObjectName->Buffer != NULL )
+	{
+		lstrcpy(szMutantName,ObjectAttributes->ObjectName->Buffer);
+
+		wsprintfW(szMutantName,L"%s_%s",g_szSandBoxName,ObjectAttributes->ObjectName->Buffer);
+
+		UNICODE_STRING usMutantName;
+
+		//
+		//Init UNICODE_STRING
+		//
+		RtlInitUnicodeString(&usMutantName,szMutantName);
+
+		oaObjAttrib.ObjectName->Length = usMutantName.Length;
+		oaObjAttrib.ObjectName->MaximumLength = usMutantName.MaximumLength;
+		oaObjAttrib.ObjectName->Buffer = usMutantName.Buffer;
+
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ObjectAttributes->ObjectName->Buffer=");
+		OutputDebugString(szMutantName);
+#endif
+
+		nRet = pfnNtOpenMutant(
+			MutantHandle,
+			DesiredAccess,
+			&oaObjAttrib
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtOpenMutant(
+		MutantHandle,
+		DesiredAccess,
+		ObjectAttributes
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtOpenMutant(
+	OUT PHANDLE             MutantHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtOpenMutant addFun = (__pfnNtOpenMutant)GetProcAddress(hDll,"NtOpenMutant");
+	if(addFun)
+	{
+		ret = addFun(MutantHandle,DesiredAccess,ObjectAttributes);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenMutant.h b/HookPorts/Dispatch_NTDLL_NtOpenMutant.h
new file mode 100644
index 0000000..7013f31
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenMutant.h
@@ -0,0 +1,25 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtOpenMutant)
+(
+	OUT PHANDLE             MutantHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes);
+
+extern __pfnNtOpenMutant pfnNtOpenMutant;
+
+NTSTATUS
+NTAPI
+OnNtOpenMutant(
+	OUT PHANDLE             MutantHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes);
+
+NTSTATUS
+NTAPI
+NtOpenMutant(
+	OUT PHANDLE             MutantHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenProcess.cpp b/HookPorts/Dispatch_NTDLL_NtOpenProcess.cpp
new file mode 100644
index 0000000..522bbcc
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenProcess.cpp
@@ -0,0 +1,114 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtOpenProcess.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+
+
+//
+//Global
+//
+__pfnNtOpenProcess pfnNtOpenProcess = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtOpenProcess Functions
+//
+NTSTATUS
+NTAPI
+OnNtOpenProcess(
+    OUT PHANDLE ProcessHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN POBJECT_ATTRIBUTES ObjectAttributes,
+    IN PCLIENT_ID ClientId OPTIONAL
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtOpenProcess(
+			ProcessHandle,
+			DesiredAccess,
+			ObjectAttributes,
+			ClientId
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if target process in SandBox
+	//
+	if( ClientId != NULL )
+	{
+		if( IsProcessPatched((DWORD)ClientId->UniqueProcess,FALSE) == FALSE )
+		{
+			if(DesiredAccess & (PROCESS_TERMINATE |
+								PROCESS_CREATE_PROCESS|
+								PROCESS_CREATE_THREAD |
+								PROCESS_SET_SESSIONID |
+								PROCESS_VM_OPERATION |
+								PROCESS_VM_READ |
+								PROCESS_VM_WRITE |
+								/*PROCESS_DUP_HANDLE |*/
+								PROCESS_SET_INFORMATION |
+								DELETE |
+								WRITE_DAC |
+								WRITE_OWNER |
+								PROCESS_SUSPEND_RESUME |
+								PROCESS_SET_QUOTA)
+								)
+			{
+				return STATUS_ACCESS_DENIED;
+			}
+		}
+	}
+
+	nRet = pfnNtOpenProcess(
+		ProcessHandle,
+		DesiredAccess,
+		ObjectAttributes,
+		ClientId
+		);
+
+//#ifdef Dbg
+//	DebugLog(DbgInfo,L"Called");
+//#endif
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtOpenProcess(
+    OUT PHANDLE ProcessHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN POBJECT_ATTRIBUTES ObjectAttributes,
+    IN PCLIENT_ID ClientId OPTIONAL
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtOpenProcess addFun = (__pfnNtOpenProcess)GetProcAddress(hDll,"NtOpenProcess");
+	if(addFun)
+	{
+		ret = addFun(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenProcess.h b/HookPorts/Dispatch_NTDLL_NtOpenProcess.h
new file mode 100644
index 0000000..391c1f5
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenProcess.h
@@ -0,0 +1,48 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+#define PROCESS_TERMINATE         (0x0001)  // winnt
+#define PROCESS_CREATE_THREAD     (0x0002)  // winnt
+#define PROCESS_SET_SESSIONID     (0x0004)  // winnt
+#define PROCESS_VM_OPERATION      (0x0008)  // winnt
+#define PROCESS_VM_READ           (0x0010)  // winnt
+#define PROCESS_VM_WRITE          (0x0020)  // winnt
+// begin_ntddk begin_wdm begin_ntifs
+#define PROCESS_DUP_HANDLE        (0x0040)  // winnt
+// end_ntddk end_wdm end_ntifs
+#define PROCESS_CREATE_PROCESS    (0x0080)  // winnt
+#define PROCESS_SET_QUOTA         (0x0100)  // winnt
+#define PROCESS_SET_INFORMATION   (0x0200)  // winnt
+#define PROCESS_QUERY_INFORMATION (0x0400)  // winnt
+#define PROCESS_SET_PORT          (0x0800)
+#define PROCESS_SUSPEND_RESUME    (0x0800)  // winnt
+
+typedef NTSTATUS (NTAPI * __pfnNtOpenProcess)
+(
+    OUT PHANDLE ProcessHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN POBJECT_ATTRIBUTES ObjectAttributes,
+    IN PCLIENT_ID ClientId OPTIONAL
+    );
+
+extern __pfnNtOpenProcess pfnNtOpenProcess;
+
+NTSTATUS
+NTAPI
+OnNtOpenProcess(
+    OUT PHANDLE ProcessHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN POBJECT_ATTRIBUTES ObjectAttributes,
+    IN PCLIENT_ID ClientId OPTIONAL
+    );
+
+NTSTATUS
+NTAPI
+NtOpenProcess(
+    OUT PHANDLE ProcessHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN POBJECT_ATTRIBUTES ObjectAttributes,
+    IN PCLIENT_ID ClientId OPTIONAL
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenSection.cpp b/HookPorts/Dispatch_NTDLL_NtOpenSection.cpp
new file mode 100644
index 0000000..5af1d62
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenSection.cpp
@@ -0,0 +1,92 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtOpenSection.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtOpenSection pfnNtOpenSection = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtOpenSection Functions
+//
+NTSTATUS
+NTAPI
+OnNtOpenSection(
+    OUT PHANDLE  SectionHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes
+    )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtOpenSection(
+			SectionHandle,
+			DesiredAccess,
+			ObjectAttributes
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check DesiredAccess
+	//
+	//if(DesiredAccess & (SECTION_MAP_WRITE))
+	//{
+	//	return STATUS_ACCESS_DENIED;
+	//}
+
+	nRet = pfnNtOpenSection(
+		SectionHandle,
+		DesiredAccess,
+		ObjectAttributes
+		);
+
+#ifdef Dbg
+	//WCHAR szDebugString[512] = {0};
+	//wsprintf(
+	//	szDebugString,
+	//	L"NtOpenSection ObjectName=[%s]",
+	//	ObjectAttributes->ObjectName->Buffer
+	//	);
+	//DebugLog(DbgInfo,L"test");
+#endif
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtOpenSection(
+    OUT PHANDLE  SectionHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes
+    )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtOpenSection addFun = (__pfnNtOpenSection)GetProcAddress(hDll,"NtOpenSection");
+	if(addFun)
+	{
+		ret = addFun(SectionHandle,DesiredAccess,ObjectAttributes);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenSection.h b/HookPorts/Dispatch_NTDLL_NtOpenSection.h
new file mode 100644
index 0000000..a9e72d5
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenSection.h
@@ -0,0 +1,48 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+//
+// Section Access Rights.
+//
+
+// begin_winnt
+#define SECTION_QUERY                0x0001
+#define SECTION_MAP_WRITE            0x0002
+#define SECTION_MAP_READ             0x0004
+#define SECTION_MAP_EXECUTE          0x0008
+#define SECTION_EXTEND_SIZE          0x0010
+#define SECTION_MAP_EXECUTE_EXPLICIT 0x0020 // not included in SECTION_ALL_ACCESS
+
+#define SECTION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|\
+                            SECTION_MAP_WRITE |      \
+                            SECTION_MAP_READ |       \
+                            SECTION_MAP_EXECUTE |    \
+                            SECTION_EXTEND_SIZE)
+// end_winnt
+
+typedef NTSTATUS (NTAPI * __pfnNtOpenSection)
+(
+    OUT PHANDLE  SectionHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes
+    );
+
+extern __pfnNtOpenSection pfnNtOpenSection;
+
+NTSTATUS
+NTAPI
+OnNtOpenSection(
+    OUT PHANDLE  SectionHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes
+    );
+
+NTSTATUS
+NTAPI
+NtOpenSection(
+    OUT PHANDLE  SectionHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes
+    );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenSemaphore.cpp b/HookPorts/Dispatch_NTDLL_NtOpenSemaphore.cpp
new file mode 100644
index 0000000..451f305
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenSemaphore.cpp
@@ -0,0 +1,129 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtOpenSemaphore.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+#include "./Main.h"
+#include "./NativeAPI_NTDLL.h"
+
+
+
+//
+//Global
+//
+__pfnNtOpenSemaphore pfnNtOpenSemaphore = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtOpenSemaphore Functions
+//
+NTSTATUS
+NTAPI
+OnNtOpenSemaphore(
+	OUT PHANDLE             SemaphoreHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtOpenSemaphore(
+			SemaphoreHandle,
+			DesiredAccess,
+			ObjectAttributes
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if Address Valid
+	//
+	if( IsBadCodePtr((FARPROC)ObjectAttributes) ||
+		IsBadCodePtr((FARPROC)ObjectAttributes->ObjectName) ||
+		IsBadCodePtr((FARPROC)ObjectAttributes->ObjectName->Buffer)
+		)
+	{
+		nRet = pfnNtOpenSemaphore(
+			SemaphoreHandle,
+			DesiredAccess,
+			ObjectAttributes
+			);
+
+		return nRet;
+	}
+
+	//
+	//Dispatch
+	//
+	OBJECT_ATTRIBUTES oaObjAttrib = *(POBJECT_ATTRIBUTES)ObjectAttributes;
+
+	WCHAR szSemaphoreName[MAX_NAME] = {NULL};
+	if( ObjectAttributes->ObjectName->Buffer != NULL )
+	{
+		lstrcpy(szSemaphoreName,ObjectAttributes->ObjectName->Buffer);
+
+		wsprintfW(szSemaphoreName,L"%s_%s",g_szSandBoxName,ObjectAttributes->ObjectName->Buffer);
+
+		UNICODE_STRING usMutantName;
+
+		//
+		//Init UNICODE_STRING
+		//
+		RtlInitUnicodeString(&usMutantName,szSemaphoreName);
+
+		oaObjAttrib.ObjectName->Length = usMutantName.Length;
+		oaObjAttrib.ObjectName->MaximumLength = usMutantName.MaximumLength;
+		oaObjAttrib.ObjectName->Buffer = usMutantName.Buffer;
+
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ObjectAttributes->ObjectName->Buffer=");
+		OutputDebugString(szSemaphoreName);
+#endif
+
+		nRet = pfnNtOpenSemaphore(
+			SemaphoreHandle,
+			DesiredAccess,
+			&oaObjAttrib
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtOpenSemaphore(
+		SemaphoreHandle,
+		DesiredAccess,
+		ObjectAttributes
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtOpenSemaphore(
+	OUT PHANDLE             SemaphoreHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtOpenSemaphore addFun = (__pfnNtOpenSemaphore)GetProcAddress(hDll,"NtOpenSemaphore");
+	if(addFun)
+	{
+		ret = addFun(SemaphoreHandle,DesiredAccess,ObjectAttributes);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenSemaphore.h b/HookPorts/Dispatch_NTDLL_NtOpenSemaphore.h
new file mode 100644
index 0000000..f4ad016
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenSemaphore.h
@@ -0,0 +1,25 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtOpenSemaphore)
+(
+	OUT PHANDLE             SemaphoreHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes);
+
+extern __pfnNtOpenSemaphore pfnNtOpenSemaphore;
+
+NTSTATUS
+NTAPI
+OnNtOpenSemaphore(
+	OUT PHANDLE             SemaphoreHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes);
+
+NTSTATUS
+NTAPI
+NtOpenSemaphore(
+	OUT PHANDLE             SemaphoreHandle,
+	IN ACCESS_MASK          DesiredAccess,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenThread.cpp b/HookPorts/Dispatch_NTDLL_NtOpenThread.cpp
new file mode 100644
index 0000000..6c03bbf
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenThread.cpp
@@ -0,0 +1,161 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtOpenThread.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+#include "./Dispatch_NTDLL_NtQueryInformationThread.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtOpenProcess.h"
+#include "./Dispatch_NTDLL_NtClose.h"
+
+
+
+//
+//Global
+//
+__pfnNtOpenThread pfnNtOpenThread = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtOpenThread Functions
+//
+NTSTATUS
+NTAPI
+OnNtOpenThread(
+	OUT PHANDLE             ThreadHandle,
+	IN ACCESS_MASK          AccessMask,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	IN PCLIENT_ID           ClientId )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtOpenThread(
+			ThreadHandle,
+			AccessMask,
+			ObjectAttributes,
+			ClientId
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check AccessMask
+	//
+	if (AccessMask & (DELETE|
+						WRITE_DAC |
+						WRITE_OWNER |
+						THREAD_TERMINATE|
+						THREAD_SUSPEND_RESUME|
+						THREAD_ALERT|
+						THREAD_SET_CONTEXT|
+						THREAD_SET_INFORMATION|
+						THREAD_SET_THREAD_TOKEN))
+	{
+		//
+		//OpenThread to query information
+		//
+		NTSTATUS nNtOpenThreadStatus;
+		HANDLE hThread = NULL;
+		ACCESS_MASK ThreadAccessMask = THREAD_QUERY_INFORMATION;
+		nNtOpenThreadStatus = NtOpenThread(
+											&hThread,
+											ThreadAccessMask,
+											ObjectAttributes,
+											ClientId
+											);
+
+		if(nNtOpenThreadStatus == STATUS_SUCCESS)
+		{
+			//
+			//Query ProcessId of Caller
+			//
+			NTSTATUS nStatus;
+			THREAD_BASIC_INFORMATION threadinfo;
+			DWORD dwProcessId = 0;
+
+			//Query information of thread
+			nStatus = NtQueryInformationThread(
+				hThread,
+				ThreadBasicInformation,
+				(PVOID)&threadinfo,
+				sizeof(THREAD_BASIC_INFORMATION),
+				NULL);
+
+			if(nStatus == STATUS_SUCCESS)
+			{
+#ifdef Dbg
+				dwProcessId = (DWORD)(threadinfo.ClientId.UniqueProcess);
+
+				WCHAR szDebugString[256] = {0};
+				wsprintf(
+					szDebugString,
+					L"OnNtOpenThread dwProcessId=[%d]",
+					dwProcessId
+					);
+				DebugLog(DbgInfo,szDebugString);
+#endif
+				if( IsProcessPatched(dwProcessId,FALSE) == FALSE )//Outside SandBox
+				{
+					NtClose(hThread);
+					return STATUS_ACCESS_DENIED;
+				}
+				else//Inside SandBox
+				{
+					NtClose(hThread);
+					nRet = pfnNtOpenThread(
+						ThreadHandle,
+						AccessMask,
+						ObjectAttributes,
+						ClientId
+						);
+
+					return nRet;
+				}
+			}//nStatus
+		}//nNtOpenThreadStatus
+		NtClose(hThread);
+	}
+
+	nRet = pfnNtOpenThread(
+		ThreadHandle,
+		AccessMask,
+		ObjectAttributes,
+		ClientId
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtOpenThread(
+	OUT PHANDLE             ThreadHandle,
+	IN ACCESS_MASK          AccessMask,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	IN PCLIENT_ID           ClientId )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtOpenThread addFun = (__pfnNtOpenThread)GetProcAddress(hDll,"NtOpenThread");
+	if(addFun)
+	{
+		ret = addFun(ThreadHandle,AccessMask,ObjectAttributes,ClientId);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtOpenThread.h b/HookPorts/Dispatch_NTDLL_NtOpenThread.h
new file mode 100644
index 0000000..a46bb64
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtOpenThread.h
@@ -0,0 +1,45 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtOpenProcess.h"
+
+#define THREAD_TERMINATE               (0x0001)  // winnt
+// end_ntddk end_wdm end_ntifs
+#define THREAD_SUSPEND_RESUME          (0x0002)  // winnt
+#define THREAD_ALERT                   (0x0004)
+#define THREAD_GET_CONTEXT             (0x0008)  // winnt
+#define THREAD_SET_CONTEXT             (0x0010)  // winnt
+// begin_ntddk begin_wdm begin_ntifs
+#define THREAD_SET_INFORMATION         (0x0020)  // winnt
+// end_ntddk end_wdm end_ntifs
+#define THREAD_QUERY_INFORMATION       (0x0040)  // winnt
+// begin_winnt
+#define THREAD_SET_THREAD_TOKEN        (0x0080)
+#define THREAD_IMPERSONATE             (0x0100)
+#define THREAD_DIRECT_IMPERSONATION    (0x0200)
+
+typedef NTSTATUS (NTAPI * __pfnNtOpenThread)
+(
+	OUT PHANDLE             ThreadHandle,
+	IN ACCESS_MASK          AccessMask,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	IN PCLIENT_ID           ClientId );
+
+extern __pfnNtOpenThread pfnNtOpenThread;
+
+NTSTATUS
+NTAPI
+OnNtOpenThread(
+	OUT PHANDLE             ThreadHandle,
+	IN ACCESS_MASK          AccessMask,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	IN PCLIENT_ID           ClientId );
+
+NTSTATUS
+NTAPI
+NtOpenThread(
+	OUT PHANDLE             ThreadHandle,
+	IN ACCESS_MASK          AccessMask,
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	IN PCLIENT_ID           ClientId );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtProtectVirtualMemory.cpp b/HookPorts/Dispatch_NTDLL_NtProtectVirtualMemory.cpp
new file mode 100644
index 0000000..496dcb8
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtProtectVirtualMemory.cpp
@@ -0,0 +1,80 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtProtectVirtualMemory.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtProtectVirtualMemory pfnNtProtectVirtualMemory = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtProtectVirtualMemory Functions
+//
+NTSTATUS
+NTAPI
+OnNtProtectVirtualMemory(
+	IN HANDLE               ProcessHandle,
+	IN OUT PVOID            *BaseAddress,
+	IN OUT PULONG           NumberOfBytesToProtect,
+	IN ULONG                NewAccessProtection,
+	OUT PULONG              OldAccessProtection )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtProtectVirtualMemory(
+			ProcessHandle,
+			BaseAddress,
+			NumberOfBytesToProtect,
+			NewAccessProtection,
+			OldAccessProtection
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtProtectVirtualMemory(
+		ProcessHandle,
+		BaseAddress,
+		NumberOfBytesToProtect,
+		NewAccessProtection,
+		OldAccessProtection
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtProtectVirtualMemory(
+	IN HANDLE               ProcessHandle,
+	IN OUT PVOID            *BaseAddress,
+	IN OUT PULONG           NumberOfBytesToProtect,
+	IN ULONG                NewAccessProtection,
+	OUT PULONG              OldAccessProtection )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtProtectVirtualMemory addFun = (__pfnNtProtectVirtualMemory)GetProcAddress(hDll,"NtProtectVirtualMemory");
+	if(addFun)
+	{
+		ret = addFun(ProcessHandle,BaseAddress,NumberOfBytesToProtect,NewAccessProtection,OldAccessProtection);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtProtectVirtualMemory.h b/HookPorts/Dispatch_NTDLL_NtProtectVirtualMemory.h
new file mode 100644
index 0000000..e8e3b03
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtProtectVirtualMemory.h
@@ -0,0 +1,29 @@
+#pragma once
+
+typedef NTSTATUS (NTAPI * __pfnNtProtectVirtualMemory)
+(
+	IN HANDLE               ProcessHandle,
+	IN OUT PVOID            *BaseAddress,
+	IN OUT PULONG           NumberOfBytesToProtect,
+	IN ULONG                NewAccessProtection,
+	OUT PULONG              OldAccessProtection );
+
+extern __pfnNtProtectVirtualMemory pfnNtProtectVirtualMemory;
+
+NTSTATUS
+NTAPI
+OnNtProtectVirtualMemory(
+	IN HANDLE               ProcessHandle,
+	IN OUT PVOID            *BaseAddress,
+	IN OUT PULONG           NumberOfBytesToProtect,
+	IN ULONG                NewAccessProtection,
+	OUT PULONG              OldAccessProtection );
+
+NTSTATUS
+NTAPI
+NtProtectVirtualMemory(
+	IN HANDLE               ProcessHandle,
+	IN OUT PVOID            *BaseAddress,
+	IN OUT PULONG           NumberOfBytesToProtect,
+	IN ULONG                NewAccessProtection,
+	OUT PULONG              OldAccessProtection );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryAttributesFile.cpp b/HookPorts/Dispatch_NTDLL_NtQueryAttributesFile.cpp
new file mode 100644
index 0000000..dc48c24
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryAttributesFile.cpp
@@ -0,0 +1,137 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtQueryAttributesFile.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./HookHelp_File.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+#include "./Main.h"
+
+
+
+//
+//Global
+//
+__pfnNtQueryAttributesFile pfnNtQueryAttributesFile = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtQueryAttributesFile Functions
+//
+NTSTATUS
+NTAPI
+OnNtQueryAttributesFile(
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	OUT PFILE_BASIC_INFORMATION FileAttributes)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtQueryAttributesFile(
+			ObjectAttributes,
+			FileAttributes
+			);
+
+		return nRet;
+	}
+
+	//(\\??\\C:\\WINDOWS\\XXX)
+	WCHAR szLongNtPath[MAX_NAME] = {NULL};
+	//(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+	WCHAR szDispatchNtPath[MAX_NAME] = {NULL};
+
+	WCHAR szBuffer[MAX_NAME] = {NULL};
+	lstrcpyW(szBuffer,ObjectAttributes->ObjectName->Buffer);
+
+	if( GetLongNtPathName(NULL,ObjectAttributes->RootDirectory,szBuffer,g_szRestoreNtPath,szLongNtPath,szDispatchNtPath) != 0 )
+	{
+		nRet = pfnNtQueryAttributesFile(
+			ObjectAttributes,
+			FileAttributes
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if request in SandBox
+	//
+	if( wcsnicmp(szLongNtPath,g_szRestoreNtPath,lstrlenW(g_szRestoreNtPath)) == 0 )
+	{
+		nRet = pfnNtQueryAttributesFile(
+			ObjectAttributes,
+			FileAttributes
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if file dispatched
+	//
+	HANDLE hFile = NULL;
+	OBJECT_ATTRIBUTES oaObjAttrib = *(POBJECT_ATTRIBUTES)ObjectAttributes;
+
+	int iFileDispatch = -1;
+	iFileDispatch = QueryDispatchedFile(szDispatchNtPath);
+	if( iFileDispatch == -1 )
+	{
+		nRet = STATUS_UNSUCCESSFUL;
+		return nRet;
+	}
+	else
+	if( iFileDispatch == 1 )
+	{
+		//
+		//Dispatch
+		//
+		if( oaObjAttrib.RootDirectory != NULL )
+		{
+			oaObjAttrib.RootDirectory = NULL;
+		}
+		oaObjAttrib.ObjectName->Length = (USHORT) lstrlenW(szDispatchNtPath)*2;
+		oaObjAttrib.ObjectName->MaximumLength =  (USHORT) lstrlenW(szDispatchNtPath)*2;
+		oaObjAttrib.ObjectName->Buffer = szDispatchNtPath;
+
+		nRet = pfnNtQueryAttributesFile(
+			&oaObjAttrib,
+			FileAttributes
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtQueryAttributesFile(
+		ObjectAttributes,
+		FileAttributes
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtQueryAttributesFile(
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	OUT PFILE_BASIC_INFORMATION FileAttributes)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtQueryAttributesFile addFun = (__pfnNtQueryAttributesFile)GetProcAddress(hDll,"NtQueryAttributesFile");
+	if(addFun)
+	{
+		ret = addFun(ObjectAttributes,FileAttributes);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryAttributesFile.h b/HookPorts/Dispatch_NTDLL_NtQueryAttributesFile.h
new file mode 100644
index 0000000..84f38c4
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryAttributesFile.h
@@ -0,0 +1,24 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtQueryAttributesFile)
+(
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	OUT PFILE_BASIC_INFORMATION FileAttributes);
+
+extern __pfnNtQueryAttributesFile pfnNtQueryAttributesFile;
+
+NTSTATUS
+NTAPI
+OnNtQueryAttributesFile(
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	OUT PFILE_BASIC_INFORMATION FileAttributes);
+
+NTSTATUS
+NTAPI
+NtQueryAttributesFile(
+	IN POBJECT_ATTRIBUTES   ObjectAttributes,
+	OUT PFILE_BASIC_INFORMATION FileAttributes);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryDirectoryFile.cpp b/HookPorts/Dispatch_NTDLL_NtQueryDirectoryFile.cpp
new file mode 100644
index 0000000..90f7069
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryDirectoryFile.cpp
@@ -0,0 +1,330 @@
+#include <windows.h>
+#include <ntsecapi.h>
+#include <winbase.h>
+#include <stdio.h>
+
+#include "./Dispatch_NTDLL_NtQueryDirectoryFile.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./HookHelp_File.h"
+#include "./GetProcAddressEx.h"
+#include "../Config/Config.h"
+#include "./Main.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+#include "./Dispatch_NTDLL_NtQueryObject.h"
+
+
+
+//
+//Global
+//
+__pfnNtQueryDirectoryFile pfnNtQueryDirectoryFile = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtQueryDirectoryFile Functions
+//
+NTSTATUS
+NTAPI
+OnNtQueryDirectoryFile(
+	IN HANDLE               FileHandle,
+	IN HANDLE               Event OPTIONAL,
+	IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
+	IN PVOID                ApcContext OPTIONAL,
+	OUT PIO_STATUS_BLOCK    IoStatusBlock,
+	OUT PVOID               FileInformation,
+	IN ULONG                Length,
+	IN FILE_INFORMATION_CLASS FileInformationClass,
+	IN BOOLEAN              ReturnSingleEntry,
+	IN PUNICODE_STRING      FileMask OPTIONAL,
+	IN BOOLEAN              RestartScan)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtQueryDirectoryFile(
+			FileHandle,
+			Event,
+			ApcRoutine,
+			ApcContext,
+			IoStatusBlock,
+			FileInformation,
+			Length,
+			FileInformationClass,
+			ReturnSingleEntry,
+			FileMask,
+			RestartScan
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtQueryDirectoryFile(
+		FileHandle,
+		Event,
+		ApcRoutine,
+		ApcContext,
+		IoStatusBlock,
+		FileInformation,
+		Length,
+		FileInformationClass,
+		ReturnSingleEntry,
+		FileMask,
+		RestartScan
+		);
+
+	//
+	//Check if is succeed or [STATUS_NO_MORE_FILES]
+	//
+	if( nRet < 0 ||
+		nRet == STATUS_NO_MORE_FILES
+		)
+	{
+		return nRet;
+	}
+
+	//
+	//Check if only a single entry
+	//
+	if( ReturnSingleEntry == TRUE )
+	{
+		return nRet;
+	}
+
+//#ifdef Dbg
+//	WCHAR szDebugLine[512] = {0};
+//	wsprintf(
+//		szDebugLine,
+//		L"NtQueryDirFile nRet=[0x%08X] Length=[%d] FileInformationClass=[%d] IoStatusBlock->Information=[%d] ReturnSingleEntry=[%d] RestartScan=[%d]",
+//		nRet,
+//		Length,
+//		FileInformationClass,
+//		IoStatusBlock->Information,
+//		ReturnSingleEntry,
+//		RestartScan
+//		);
+//	DebugLog(DbgInfo,szDebugLine);
+//#endif
+
+	//
+	//Check if is a file request
+	//
+	ULONG NameOffset;
+	ULONG NameSizeOffset;
+
+	WCHAR *FileNamePtr;
+	PULONG FileNameLength;
+
+	PBYTE Curr,Prev;
+	PULONG DeltaCurr, DeltaPrev;
+
+	Curr = (PBYTE)FileInformation;
+
+	switch( FileInformationClass )
+	{
+		case FileDirectoryInformation:
+			{
+				NameOffset = ((ULONG)&(((PFILE_DIRECTORY_INFORMATION)Curr)->FileName)) - ((ULONG)Curr);
+				NameSizeOffset = ((ULONG)&(((PFILE_DIRECTORY_INFORMATION)Curr)->FileNameLength)) - ((ULONG)Curr);
+			}break;
+
+		case FileFullDirectoryInformation:
+			{
+				NameOffset = ((ULONG)&(((PFILE_FULL_DIR_INFORMATION)Curr)->FileName)) - ((ULONG)Curr);
+				NameSizeOffset = ((ULONG)&(((PFILE_FULL_DIR_INFORMATION)Curr)->FileNameLength))	- ((ULONG)Curr);
+			}break;
+
+		case FileBothDirectoryInformation:
+			{
+				NameOffset = ((ULONG)&(((PFILE_BOTH_DIR_INFORMATION)Curr)->FileName)) - ((ULONG)Curr);
+				NameSizeOffset = ((ULONG)&(((PFILE_BOTH_DIR_INFORMATION)Curr)->FileNameLength))	- ((ULONG)Curr);
+			}break;
+
+		case FileNamesInformation:
+			{
+				NameOffset = ((ULONG)&(((PFILE_NAMES_INFORMATION)Curr)->FileName)) - ((ULONG)Curr);
+				NameSizeOffset = ((ULONG)&(((PFILE_NAMES_INFORMATION)Curr)->FileNameLength)) - ((ULONG)Curr);
+			}break;
+
+		case FileIdBothDirectoryInformation:
+			{
+				NameOffset = ((ULONG)&(((PFILE_ID_BOTH_DIR_INFORMATION)Curr)->FileName)) - ((ULONG)Curr);
+				NameSizeOffset = ((ULONG)&(((PFILE_ID_BOTH_DIR_INFORMATION)Curr)->FileNameLength)) - ((ULONG)Curr);
+			}break;
+
+		case FileIdFullDirectoryInformation:
+			{
+				NameOffset = ((ULONG)&(((PFILE_ID_FULL_DIR_INFORMATION)Curr)->FileName)) - ((ULONG)Curr);
+				NameSizeOffset = ((ULONG)&(((PFILE_ID_FULL_DIR_INFORMATION)Curr)->FileNameLength)) - ((ULONG)Curr);
+			}break;
+
+		default:
+			{
+				return nRet;
+			}
+	}
+
+	//
+	//Get Directory Path
+	//
+	//(\\??\\C:\\WINDOWS\\XXX)
+	WCHAR szLongNtPath[MAX_NAME] = {NULL};
+	//(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+	WCHAR szDispatchNtPath[MAX_NAME] = {NULL};
+
+	GetLongNtPathName(FileHandle,NULL,NULL,g_szRestoreNtPath,szLongNtPath,szDispatchNtPath);
+
+	int iFileToHide = 0;
+
+	int iDispatchPathExist = -1;
+	iDispatchPathExist = NtPathExist(szDispatchNtPath);
+	if( iDispatchPathExist == 0 )//FILE_DOES_NOT_EXIST
+	{
+#ifdef Dbg
+		DebugLog(DbgInfo,L"Dispatch path does not exist!");
+#endif
+
+		return nRet;
+	}
+	else
+	if( iDispatchPathExist == 1 )//FILE_EXISTS
+	{
+		iFileToHide = GetDirectoryMarkAsDeletedFileCount(szDispatchNtPath);
+
+//#ifdef Dbg
+//		WCHAR szDebugLine[MAX_NAME] = {0};
+//		swprintf(
+//			szDebugLine,
+//			L"\r\niDeletedFileCount = [%d]",
+//			iFileToHide
+//			);
+//		OutputDebugString(szDebugLine);
+//#endif
+	}
+
+	//
+	//Fake the data
+	//
+	int i;
+	for(i=0; i<iFileToHide; i++)
+	{
+		Curr = (PBYTE)FileInformation;
+		Prev = NULL;
+
+		while( Curr )
+		{
+			//Get the NextEntryOffsets
+			DeltaCurr = (PULONG)Curr;
+			DeltaPrev = (PULONG)Prev;
+
+			FileNamePtr = (WCHAR*)((PBYTE)Curr + NameOffset);
+			FileNameLength = (PULONG)((PBYTE)Curr + NameSizeOffset);
+
+//#ifdef Dbg
+//			WCHAR szDebugLine[MAX_NAME] = {0};
+//			swprintf(
+//				szDebugLine,
+//				L"\r\nFileNamePtr = [%s]",
+//				FileNamePtr
+//				);
+//			OutputDebugString(szDebugLine);
+//#endif
+
+			if( FileNamePtr != NULL &&
+				GetFileDeletedMark(szDispatchNtPath,FileNamePtr,*FileNameLength) == 1
+				)
+			{
+#ifdef Dbg
+				WCHAR szDebugString[MAX_NAME] = {0};
+				wsprintf(
+					szDebugString,
+					L"HideFileName = [%s]",
+					FileNamePtr
+					);
+				DebugLog(DbgInfo,szDebugString);
+#endif
+
+				//File to hide
+				if( Prev )
+				{
+					if( *DeltaCurr )
+					{
+						//NextEntryOffset of the Previous entry "points" to the next
+						*DeltaPrev += *DeltaCurr;
+					}
+					else
+					{
+						//Is last file
+						*DeltaPrev = 0;
+					}
+				}//Prev
+				else
+				{
+					//Is first of the list
+					if( *DeltaCurr )
+					{
+						//There's a next entry
+						//*(PBYTE)FileInformation += *DeltaCurr;
+						FileInformation = (PBYTE)((PBYTE)FileInformation + *DeltaCurr);
+					}
+					else
+					{
+						//No file
+						FileInformation = NULL;
+					}
+				}
+			}
+			else
+			{
+				//Ff Curr is not to hide, Prev becomes Curr
+				Prev = Curr;
+			}
+
+			if( *DeltaCurr )
+			{
+				Curr += *DeltaCurr;
+			}
+			else
+			{
+				Curr = NULL;
+			}
+		}//while
+	}//for
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtQueryDirectoryFile(
+	IN HANDLE               FileHandle,
+	IN HANDLE               Event OPTIONAL,
+	IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
+	IN PVOID                ApcContext OPTIONAL,
+	OUT PIO_STATUS_BLOCK    IoStatusBlock,
+	OUT PVOID               FileInformation,
+	IN ULONG                Length,
+	IN FILE_INFORMATION_CLASS FileInformationClass,
+	IN BOOLEAN              ReturnSingleEntry,
+	IN PUNICODE_STRING      FileMask OPTIONAL,
+	IN BOOLEAN              RestartScan)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtQueryDirectoryFile addFun = (__pfnNtQueryDirectoryFile)GetProcAddress(hDll,"NtQueryDirectoryFile");
+	if(addFun)
+	{
+		ret = addFun(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,FileInformation,Length,FileInformationClass,ReturnSingleEntry,FileMask,RestartScan);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryDirectoryFile.h b/HookPorts/Dispatch_NTDLL_NtQueryDirectoryFile.h
new file mode 100644
index 0000000..07d00c6
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryDirectoryFile.h
@@ -0,0 +1,149 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtReadFile.h"
+
+//
+// NtQueryDirectoryFile return types:
+//
+//      FILE_DIRECTORY_INFORMATION
+//      FILE_FULL_DIR_INFORMATION
+//      FILE_ID_FULL_DIR_INFORMATION
+//      FILE_BOTH_DIR_INFORMATION
+//      FILE_ID_BOTH_DIR_INFORMATION
+//      FILE_NAMES_INFORMATION
+//      FILE_OBJECTID_INFORMATION
+//
+
+typedef struct _FILE_DIRECTORY_INFORMATION {
+    ULONG NextEntryOffset;
+    ULONG FileIndex;
+    LARGE_INTEGER CreationTime;
+    LARGE_INTEGER LastAccessTime;
+    LARGE_INTEGER LastWriteTime;
+    LARGE_INTEGER ChangeTime;
+    LARGE_INTEGER EndOfFile;
+    LARGE_INTEGER AllocationSize;
+    ULONG FileAttributes;
+    ULONG FileNameLength;
+    WCHAR FileName[1];
+} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
+
+typedef struct _FILE_FULL_DIR_INFORMATION {
+    ULONG NextEntryOffset;
+    ULONG FileIndex;
+    LARGE_INTEGER CreationTime;
+    LARGE_INTEGER LastAccessTime;
+    LARGE_INTEGER LastWriteTime;
+    LARGE_INTEGER ChangeTime;
+    LARGE_INTEGER EndOfFile;
+    LARGE_INTEGER AllocationSize;
+    ULONG FileAttributes;
+    ULONG FileNameLength;
+    ULONG EaSize;
+    WCHAR FileName[1];
+} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
+
+typedef struct _FILE_ID_FULL_DIR_INFORMATION {
+    ULONG NextEntryOffset;
+    ULONG FileIndex;
+    LARGE_INTEGER CreationTime;
+    LARGE_INTEGER LastAccessTime;
+    LARGE_INTEGER LastWriteTime;
+    LARGE_INTEGER ChangeTime;
+    LARGE_INTEGER EndOfFile;
+    LARGE_INTEGER AllocationSize;
+    ULONG FileAttributes;
+    ULONG FileNameLength;
+    ULONG EaSize;
+    LARGE_INTEGER FileId;
+    WCHAR FileName[1];
+} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;
+
+typedef struct _FILE_BOTH_DIR_INFORMATION {
+    ULONG NextEntryOffset;
+    ULONG FileIndex;
+    LARGE_INTEGER CreationTime;
+    LARGE_INTEGER LastAccessTime;
+    LARGE_INTEGER LastWriteTime;
+    LARGE_INTEGER ChangeTime;
+    LARGE_INTEGER EndOfFile;
+    LARGE_INTEGER AllocationSize;
+    ULONG FileAttributes;
+    ULONG FileNameLength;
+    ULONG EaSize;
+    CCHAR ShortNameLength;
+    WCHAR ShortName[12];
+    WCHAR FileName[1];
+} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
+
+typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
+    ULONG NextEntryOffset;
+    ULONG FileIndex;
+    LARGE_INTEGER CreationTime;
+    LARGE_INTEGER LastAccessTime;
+    LARGE_INTEGER LastWriteTime;
+    LARGE_INTEGER ChangeTime;
+    LARGE_INTEGER EndOfFile;
+    LARGE_INTEGER AllocationSize;
+    ULONG FileAttributes;
+    ULONG FileNameLength;
+    ULONG EaSize;
+    CCHAR ShortNameLength;
+    WCHAR ShortName[12];
+    LARGE_INTEGER FileId;
+    WCHAR FileName[1];
+} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
+
+typedef struct _FILE_NAMES_INFORMATION {
+    ULONG NextEntryOffset;
+    ULONG FileIndex;
+    ULONG FileNameLength;
+    WCHAR FileName[1];
+} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
+
+typedef NTSTATUS (NTAPI * __pfnNtQueryDirectoryFile)
+(
+	IN HANDLE               FileHandle,
+	IN HANDLE               Event OPTIONAL,
+	IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
+	IN PVOID                ApcContext OPTIONAL,
+	OUT PIO_STATUS_BLOCK    IoStatusBlock,
+	OUT PVOID               FileInformation,
+	IN ULONG                Length,
+	IN FILE_INFORMATION_CLASS FileInformationClass,
+	IN BOOLEAN              ReturnSingleEntry,
+	IN PUNICODE_STRING      FileMask OPTIONAL,
+	IN BOOLEAN              RestartScan);
+
+extern __pfnNtQueryDirectoryFile pfnNtQueryDirectoryFile;
+
+NTSTATUS
+NTAPI
+OnNtQueryDirectoryFile(
+	IN HANDLE               FileHandle,
+	IN HANDLE               Event OPTIONAL,
+	IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
+	IN PVOID                ApcContext OPTIONAL,
+	OUT PIO_STATUS_BLOCK    IoStatusBlock,
+	OUT PVOID               FileInformation,
+	IN ULONG                Length,
+	IN FILE_INFORMATION_CLASS FileInformationClass,
+	IN BOOLEAN              ReturnSingleEntry,
+	IN PUNICODE_STRING      FileMask OPTIONAL,
+	IN BOOLEAN              RestartScan);
+
+NTSTATUS
+NTAPI
+NtQueryDirectoryFile(
+	IN HANDLE               FileHandle,
+	IN HANDLE               Event OPTIONAL,
+	IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
+	IN PVOID                ApcContext OPTIONAL,
+	OUT PIO_STATUS_BLOCK    IoStatusBlock,
+	OUT PVOID               FileInformation,
+	IN ULONG                Length,
+	IN FILE_INFORMATION_CLASS FileInformationClass,
+	IN BOOLEAN              ReturnSingleEntry,
+	IN PUNICODE_STRING      FileMask OPTIONAL,
+	IN BOOLEAN              RestartScan);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryFullAttributesFile.cpp b/HookPorts/Dispatch_NTDLL_NtQueryFullAttributesFile.cpp
new file mode 100644
index 0000000..dfca65c
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryFullAttributesFile.cpp
@@ -0,0 +1,136 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtQueryFullAttributesFile.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./HookHelp_File.h"
+#include "./GetProcAddressEx.h"
+#include "./Main.h"
+
+
+
+//
+//Global
+//
+__pfnNtQueryFullAttributesFile pfnNtQueryFullAttributesFile = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtQueryFullAttributesFile Functions
+//
+NTSTATUS
+NTAPI
+OnNtQueryFullAttributesFile(
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	OUT PFILE_NETWORK_OPEN_INFORMATION  FileInformation)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtQueryFullAttributesFile(
+			ObjectAttributes,
+			FileInformation
+			);
+
+		return nRet;
+	}
+
+	//(\\??\\C:\\WINDOWS\\XXX)
+	WCHAR szLongNtPath[MAX_NAME] = {NULL};
+	//(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+	WCHAR szDispatchNtPath[MAX_NAME] = {NULL};
+
+	WCHAR szBuffer[MAX_NAME] = {NULL};
+	lstrcpyW(szBuffer,ObjectAttributes->ObjectName->Buffer);
+
+	if( GetLongNtPathName(NULL,ObjectAttributes->RootDirectory,szBuffer,g_szRestoreNtPath,szLongNtPath,szDispatchNtPath) != 0 )
+	{
+		nRet = pfnNtQueryFullAttributesFile(
+			ObjectAttributes,
+			FileInformation
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if request in SandBox
+	//
+	if( wcsnicmp(szLongNtPath,g_szRestoreNtPath,lstrlenW(g_szRestoreNtPath)) == 0 )
+	{
+		nRet = pfnNtQueryFullAttributesFile(
+			ObjectAttributes,
+			FileInformation
+			);
+
+		return nRet;
+	}
+
+	//
+	//Check if file dispatched
+	//
+	HANDLE hFile = NULL;
+	OBJECT_ATTRIBUTES oaObjAttrib = *(POBJECT_ATTRIBUTES)ObjectAttributes;
+
+	int iFileDispatch = -1;
+	iFileDispatch = QueryDispatchedFile(szDispatchNtPath);
+	if( iFileDispatch == -1 )
+	{
+		nRet = STATUS_UNSUCCESSFUL;
+		return nRet;
+	}
+	else
+	if( iFileDispatch == 1 )
+	{
+		//
+		//Dispatch
+		//
+		if( oaObjAttrib.RootDirectory != NULL )
+		{
+			oaObjAttrib.RootDirectory = NULL;
+		}
+		oaObjAttrib.ObjectName->Length = (USHORT) lstrlenW(szDispatchNtPath)*2;
+		oaObjAttrib.ObjectName->MaximumLength =  (USHORT) lstrlenW(szDispatchNtPath)*2;
+		oaObjAttrib.ObjectName->Buffer = szDispatchNtPath;
+
+		nRet = pfnNtQueryFullAttributesFile(
+			&oaObjAttrib,
+			FileInformation
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtQueryFullAttributesFile(
+		ObjectAttributes,
+		FileInformation
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtQueryFullAttributesFile(
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	OUT PFILE_NETWORK_OPEN_INFORMATION  FileInformation)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtQueryFullAttributesFile addFun = (__pfnNtQueryFullAttributesFile)GetProcAddress(hDll,"NtQueryFullAttributesFile");
+	if(addFun)
+	{
+		ret = addFun(ObjectAttributes,FileInformation);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryFullAttributesFile.h b/HookPorts/Dispatch_NTDLL_NtQueryFullAttributesFile.h
new file mode 100644
index 0000000..bb1703a
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryFullAttributesFile.h
@@ -0,0 +1,32 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef struct _FILE_NETWORK_OPEN_INFORMATION {
+    LARGE_INTEGER CreationTime;
+    LARGE_INTEGER LastAccessTime;
+    LARGE_INTEGER LastWriteTime;
+    LARGE_INTEGER ChangeTime;
+    LARGE_INTEGER AllocationSize;
+    LARGE_INTEGER EndOfFile;
+    ULONG FileAttributes;
+} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
+
+typedef NTSTATUS (NTAPI * __pfnNtQueryFullAttributesFile)
+(
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	OUT PFILE_NETWORK_OPEN_INFORMATION  FileInformation);
+
+extern __pfnNtQueryFullAttributesFile pfnNtQueryFullAttributesFile;
+
+NTSTATUS
+NTAPI
+OnNtQueryFullAttributesFile(
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	OUT PFILE_NETWORK_OPEN_INFORMATION  FileInformation);
+
+NTSTATUS
+NTAPI
+NtQueryFullAttributesFile(
+	IN POBJECT_ATTRIBUTES  ObjectAttributes,
+	OUT PFILE_NETWORK_OPEN_INFORMATION  FileInformation);
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryInformationFile.cpp b/HookPorts/Dispatch_NTDLL_NtQueryInformationFile.cpp
new file mode 100644
index 0000000..a84ae66
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryInformationFile.cpp
@@ -0,0 +1,116 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./HookHelp_File.h"
+#include "../Config/Config.h"
+#include "./Main.h"
+#include "./GetProcAddressEx.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+
+
+//
+//Global
+//
+__pfnNtQueryInformationFile pfnNtQueryInformationFile = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtQueryInformationFile Functions
+//
+NTSTATUS
+NTAPI
+OnNtQueryInformationFile(
+    IN HANDLE FileHandle,
+    OUT PIO_STATUS_BLOCK IoStatusBlock,
+    OUT PVOID FileInformation,
+    IN ULONG Length,
+    IN FILE_INFORMATION_CLASS FileInformationClass)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtQueryInformationFile(
+			FileHandle,
+			IoStatusBlock,
+			FileInformation,
+			Length,
+			FileInformationClass
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtQueryInformationFile(
+		FileHandle,
+		IoStatusBlock,
+		FileInformation,
+		Length,
+		FileInformationClass
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtQueryInformationFile(
+    IN HANDLE FileHandle,
+    OUT PIO_STATUS_BLOCK IoStatusBlock,
+    OUT PVOID FileInformation,
+    IN ULONG Length,
+    IN FILE_INFORMATION_CLASS FileInformationClass)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtQueryInformationFile addFun = (__pfnNtQueryInformationFile)GetProcAddress(hDll,"NtQueryInformationFile");
+	if(addFun)
+	{
+		ret = addFun(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass);
+	}
+	return ret;
+}
+
+int QueryFileNameByNtQueryInformationFile( IN HANDLE FileHandle, OUT WCHAR * lpszFileName )
+{
+	//Return Value:
+	//-1 = error
+	//0 = succeed
+	int iRet = -1;
+
+	//
+	//Query info by call NtQueryInformationFile
+	//
+	NTSTATUS nStatus;
+    IO_STATUS_BLOCK IoStatus = {NULL};
+	WCHAR szFileNameInfo[MAX_NAME] = {NULL};
+	PFILE_NAME_INFORMATION szFileName = (PFILE_NAME_INFORMATION)szFileNameInfo;
+
+    nStatus = NtQueryInformationFile(
+		FileHandle,
+		&IoStatus,
+		szFileName,
+		sizeof(szFileNameInfo),
+		FileNameInformation
+		);
+    if(nStatus == STATUS_SUCCESS)
+	{
+		lstrcpyW(lpszFileName,szFileName->FileName);
+
+		iRet = 0;
+	}
+
+	return iRet;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryInformationFile.h b/HookPorts/Dispatch_NTDLL_NtQueryInformationFile.h
new file mode 100644
index 0000000..29d6674
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryInformationFile.h
@@ -0,0 +1,163 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+//
+// Define the base asynchronous I/O argument types
+//
+
+typedef struct _IO_STATUS_BLOCK {
+    union
+	{
+        NTSTATUS Status;
+        PVOID Pointer;
+    };
+
+    ULONG_PTR Information;
+} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+
+//
+// Define the file information class values
+//
+// WARNING:  The order of the following values are assumed by the I/O system.
+//           Any changes made here should be reflected there as well.
+//
+
+typedef enum _FILE_INFORMATION_CLASS {
+    FileDirectoryInformation		= 1,
+    FileFullDirectoryInformation,   // 2
+    FileBothDirectoryInformation,   // 3
+    FileBasicInformation,           // 4  wdm
+    FileStandardInformation,        // 5  wdm
+    FileInternalInformation,        // 6
+    FileEaInformation,              // 7
+    FileAccessInformation,          // 8
+    FileNameInformation,            // 9
+    FileRenameInformation,          // 10
+    FileLinkInformation,            // 11
+    FileNamesInformation,           // 12
+    FileDispositionInformation,     // 13
+    FilePositionInformation,        // 14 wdm
+    FileFullEaInformation,          // 15
+    FileModeInformation,            // 16
+    FileAlignmentInformation,       // 17
+    FileAllInformation,             // 18
+    FileAllocationInformation,      // 19
+    FileEndOfFileInformation,       // 20 wdm
+    FileAlternateNameInformation,   // 21
+    FileStreamInformation,          // 22
+    FilePipeInformation,            // 23
+    FilePipeLocalInformation,       // 24
+    FilePipeRemoteInformation,      // 25
+    FileMailslotQueryInformation,   // 26
+    FileMailslotSetInformation,     // 27
+    FileCompressionInformation,     // 28
+    FileObjectIdInformation,        // 29
+    FileCompletionInformation,      // 30
+    FileMoveClusterInformation,     // 31
+    FileQuotaInformation,           // 32
+    FileReparsePointInformation,    // 33
+    FileNetworkOpenInformation,     // 34
+    FileAttributeTagInformation,    // 35
+    FileTrackingInformation,        // 36
+    FileIdBothDirectoryInformation, // 37
+    FileIdFullDirectoryInformation, // 38
+    FileMaximumInformation
+} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
+
+typedef struct _FILE_NAME_INFORMATION {
+    ULONG FileNameLength;
+    WCHAR FileName[1];
+} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
+
+typedef struct _OBJECT_NAME_INFORMATION {
+    UNICODE_STRING Name;
+} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
+
+//
+// NtQuery(Set)InformationFile return types:
+//
+//      FILE_BASIC_INFORMATION
+//      FILE_STANDARD_INFORMATION
+//      FILE_INTERNAL_INFORMATION
+//      FILE_EA_INFORMATION
+//      FILE_ACCESS_INFORMATION
+//      FILE_POSITION_INFORMATION
+//      FILE_MODE_INFORMATION
+//      FILE_ALIGNMENT_INFORMATION
+//      FILE_NAME_INFORMATION
+//      FILE_ALL_INFORMATION
+//
+//      FILE_NETWORK_OPEN_INFORMATION
+//
+//      FILE_ALLOCATION_INFORMATION
+//      FILE_COMPRESSION_INFORMATION
+//      FILE_DISPOSITION_INFORMATION
+//      FILE_END_OF_FILE_INFORMATION
+//      FILE_LINK_INFORMATION
+//      FILE_MOVE_CLUSTER_INFORMATION
+//      FILE_RENAME_INFORMATION
+//      FILE_STREAM_INFORMATION
+//      FILE_COMPLETION_INFORMATION
+//
+//      FILE_PIPE_INFORMATION
+//      FILE_PIPE_LOCAL_INFORMATION
+//      FILE_PIPE_REMOTE_INFORMATION
+//
+//      FILE_MAILSLOT_QUERY_INFORMATION
+//      FILE_MAILSLOT_SET_INFORMATION
+//      FILE_REPARSE_POINT_INFORMATION
+//
+
+typedef struct _FILE_BASIC_INFORMATION {
+    LARGE_INTEGER CreationTime;//Specifies the time that the file was created.
+    LARGE_INTEGER LastAccessTime;//Specifies the time that the file was last accessed.
+    LARGE_INTEGER LastWriteTime;//Specifies the time that the file was last written to.
+    LARGE_INTEGER ChangeTime;//Specifies the last time the file was changed.
+    ULONG FileAttributes;//Specifies one or more FILE_ATTRIBUTE_XXX flags. For descriptions of these flags, see the documentation for the GetFileAttributes function in the Microsoft Windows SDK.
+} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
+
+typedef struct _FILE_STANDARD_INFORMATION {
+    LARGE_INTEGER AllocationSize;//The file allocation size in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
+    LARGE_INTEGER EndOfFile;//The end of file location as a byte offset. 
+    ULONG NumberOfLinks;//The number of hard links to the file.
+    BOOLEAN DeletePending;//The delete pending status. TRUE indicates that a file deletion has been requested.
+    BOOLEAN Directory;//The file directory status. TRUE indicates the file object represents a directory.
+} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;
+
+typedef struct _FILE_RENAME_INFORMATION {
+    BOOLEAN ReplaceIfExists;
+    HANDLE RootDirectory;
+    ULONG FileNameLength;
+    WCHAR FileName[1];
+} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
+
+typedef NTSTATUS (NTAPI * __pfnNtQueryInformationFile)
+(
+    IN HANDLE FileHandle,
+    OUT PIO_STATUS_BLOCK IoStatusBlock,
+    OUT PVOID FileInformation,
+    IN ULONG Length,
+    IN FILE_INFORMATION_CLASS FileInformationClass);
+
+extern __pfnNtQueryInformationFile pfnNtQueryInformationFile;
+
+NTSTATUS
+NTAPI
+OnNtQueryInformationFile(
+    IN HANDLE FileHandle,
+    OUT PIO_STATUS_BLOCK IoStatusBlock,
+    OUT PVOID FileInformation,
+    IN ULONG Length,
+    IN FILE_INFORMATION_CLASS FileInformationClass);
+
+NTSTATUS
+NTAPI
+NtQueryInformationFile(
+    IN HANDLE FileHandle,
+    OUT PIO_STATUS_BLOCK IoStatusBlock,
+    OUT PVOID FileInformation,
+    IN ULONG Length,
+    IN FILE_INFORMATION_CLASS FileInformationClass);
+
+int QueryFileNameByNtQueryInformationFile( IN HANDLE FileHandle, OUT WCHAR * lpszFileName );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryInformationProcess.cpp b/HookPorts/Dispatch_NTDLL_NtQueryInformationProcess.cpp
new file mode 100644
index 0000000..097bb9b
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryInformationProcess.cpp
@@ -0,0 +1,80 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtQueryInformationProcess.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtQueryInformationProcess pfnNtQueryInformationProcess = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtQueryInformationProcess Functions
+//
+NTSTATUS
+NTAPI
+OnNtQueryInformationProcess(
+	IN HANDLE               ProcessHandle,
+	IN PROCESS_INFORMATION_CLASS ProcessInformationClass,
+	OUT PVOID               ProcessInformation,
+	IN ULONG                ProcessInformationLength,
+	OUT PULONG              ReturnLength )
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtQueryInformationProcess(
+			ProcessHandle,
+			ProcessInformationClass,
+			ProcessInformation,
+			ProcessInformationLength,
+			ReturnLength
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtQueryInformationProcess(
+		ProcessHandle,
+		ProcessInformationClass,
+		ProcessInformation,
+		ProcessInformationLength,
+		ReturnLength
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtQueryInformationProcess(
+	IN HANDLE               ProcessHandle,
+	IN PROCESS_INFORMATION_CLASS ProcessInformationClass,
+	OUT PVOID               ProcessInformation,
+	IN ULONG                ProcessInformationLength,
+	OUT PULONG              ReturnLength )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtQueryInformationProcess addFun = (__pfnNtQueryInformationProcess)GetProcAddress(hDll,"NtQueryInformationProcess");
+	if(addFun)
+	{
+		ret = addFun(ProcessHandle,ProcessInformationClass,ProcessInformation,ProcessInformationLength,ReturnLength);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryInformationProcess.h b/HookPorts/Dispatch_NTDLL_NtQueryInformationProcess.h
new file mode 100644
index 0000000..a385fb8
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryInformationProcess.h
@@ -0,0 +1,75 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+typedef struct _PEB *PPEB;
+
+//
+// Basic Process Information
+//  NtQueryInformationProcess using ProcessBasicInfo
+//
+
+typedef struct _PROCESS_BASIC_INFORMATION {
+    NTSTATUS ExitStatus;
+    PPEB PebBaseAddress;
+    ULONG_PTR AffinityMask;
+    KPRIORITY BasePriority;
+    ULONG_PTR UniqueProcessId;
+    ULONG_PTR InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION;
+typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
+
+typedef enum _PROCESS_INFORMATION_CLASS {
+	ProcessBasicInformation,
+	ProcessQuotaLimits,
+	ProcessIoCounters,
+	ProcessVmCounters,
+	ProcessTimes,
+	ProcessBasePriority,
+	ProcessRaisePriority,
+	ProcessDebugPort,
+	ProcessExceptionPort,
+	ProcessAccessToken,
+	ProcessLdtInformation,
+	ProcessLdtSize,
+	ProcessDefaultHardErrorMode,
+	ProcessIoPortHandlers,
+	ProcessPooledUsageAndLimits,
+	ProcessWorkingSetWatch,
+	ProcessUserModeIOPL,
+	ProcessEnableAlignmentFaultFixup,
+	ProcessPriorityClass,
+	ProcessWx86Information,
+	ProcessHandleCount,
+	ProcessAffinityMask,
+	ProcessPriorityBoost,
+	MaxProcessInfoClass
+} PROCESS_INFORMATION_CLASS, *PPROCESS_INFORMATION_CLASS;
+
+typedef NTSTATUS (NTAPI * __pfnNtQueryInformationProcess)
+(
+	IN HANDLE               ProcessHandle,
+	IN PROCESS_INFORMATION_CLASS ProcessInformationClass,
+	OUT PVOID               ProcessInformation,
+	IN ULONG                ProcessInformationLength,
+	OUT PULONG              ReturnLength );
+
+extern __pfnNtQueryInformationProcess pfnNtQueryInformationProcess;
+
+NTSTATUS
+NTAPI
+OnNtQueryInformationProcess(
+	IN HANDLE               ProcessHandle,
+	IN PROCESS_INFORMATION_CLASS ProcessInformationClass,
+	OUT PVOID               ProcessInformation,
+	IN ULONG                ProcessInformationLength,
+	OUT PULONG              ReturnLength );
+
+NTSTATUS
+NTAPI
+NtQueryInformationProcess(
+	IN HANDLE               ProcessHandle,
+	IN PROCESS_INFORMATION_CLASS ProcessInformationClass,
+	OUT PVOID               ProcessInformation,
+	IN ULONG                ProcessInformationLength,
+	OUT PULONG              ReturnLength );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryInformationThread.cpp b/HookPorts/Dispatch_NTDLL_NtQueryInformationThread.cpp
new file mode 100644
index 0000000..9d59668
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryInformationThread.cpp
@@ -0,0 +1,84 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtQueryInformationThread.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtQueryInformationThread pfnNtQueryInformationThread = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtQueryInformationThread Functions
+//
+NTSTATUS
+NTAPI
+OnNtQueryInformationThread(
+	IN HANDLE               ThreadHandle,
+	IN THREAD_INFORMATION_CLASS ThreadInformationClass,
+	OUT PVOID               ThreadInformation,
+	IN ULONG                ThreadInformationLength,
+	OUT PULONG              ReturnLength OPTIONAL )
+{
+	NTSTATUS nRet;
+
+	//DWORD dwRetAddr = 0;
+	//__asm
+	//{
+	//	mov eax, [ebp+4];
+	//	sub eax, 5;
+	//	mov dwRetAddr, eax;
+	//}
+	//if( IsBypassCaller(dwRetAddr) )
+	//{
+	//	nRet = pfnNtQueryInformationThread(
+	//		ThreadHandle,
+	//		ThreadInformationClass,
+	//		ThreadInformation,
+	//		ThreadInformationLength,
+	//		ReturnLength
+	//		);
+
+	//	return nRet;
+	//}
+
+	nRet = pfnNtQueryInformationThread(
+		ThreadHandle,
+		ThreadInformationClass,
+		ThreadInformation,
+		ThreadInformationLength,
+		ReturnLength
+		);
+
+//#ifdef Dbg
+//	DebugLog(DbgInfo,L"Called");
+//#endif
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtQueryInformationThread(
+	IN HANDLE               ThreadHandle,
+	IN THREAD_INFORMATION_CLASS ThreadInformationClass,
+	OUT PVOID               ThreadInformation,
+	IN ULONG                ThreadInformationLength,
+	OUT PULONG              ReturnLength OPTIONAL )
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtQueryInformationThread addFun = (__pfnNtQueryInformationThread)GetProcAddressEx(hDll,"NtQueryInformationThread");
+	if(addFun)
+	{
+		ret = addFun(ThreadHandle,ThreadInformationClass,ThreadInformation,ThreadInformationLength,ReturnLength);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryInformationThread.h b/HookPorts/Dispatch_NTDLL_NtQueryInformationThread.h
new file mode 100644
index 0000000..febaa4a
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryInformationThread.h
@@ -0,0 +1,51 @@
+#pragma once
+
+typedef enum _THREAD_INFORMATION_CLASS {
+	ThreadBasicInformation,
+	ThreadTimes,
+	ThreadPriority,
+	ThreadBasePriority,
+	ThreadAffinityMask,
+	ThreadImpersonationToken,
+	ThreadDescriptorTableEntry,
+	ThreadEnableAlignmentFaultFixup,
+	ThreadEventPair,
+	ThreadQuerySetWin32StartAddress,
+	ThreadZeroTlsCell,
+	ThreadPerformanceCount,
+	ThreadAmILastThread,
+	ThreadIdealProcessor,
+	ThreadPriorityBoost,
+	ThreadSetTlsArrayAddress,
+	ThreadIsIoPending,
+	ThreadHideFromDebugger
+} THREAD_INFORMATION_CLASS, *PTHREAD_INFORMATION_CLASS;
+
+
+typedef NTSTATUS (NTAPI * __pfnNtQueryInformationThread)
+(
+	IN HANDLE               ThreadHandle,
+	IN THREAD_INFORMATION_CLASS ThreadInformationClass,
+	OUT PVOID               ThreadInformation,
+	IN ULONG                ThreadInformationLength,
+	OUT PULONG              ReturnLength OPTIONAL );
+
+extern __pfnNtQueryInformationThread pfnNtQueryInformationThread;
+
+NTSTATUS
+NTAPI
+OnNtQueryInformationThread(
+	IN HANDLE               ThreadHandle,
+	IN THREAD_INFORMATION_CLASS ThreadInformationClass,
+	OUT PVOID               ThreadInformation,
+	IN ULONG                ThreadInformationLength,
+	OUT PULONG              ReturnLength OPTIONAL );
+
+NTSTATUS
+NTAPI
+NtQueryInformationThread(
+	IN HANDLE               ThreadHandle,
+	IN THREAD_INFORMATION_CLASS ThreadInformationClass,
+	OUT PVOID               ThreadInformation,
+	IN ULONG                ThreadInformationLength,
+	OUT PULONG              ReturnLength OPTIONAL );
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryKey.cpp b/HookPorts/Dispatch_NTDLL_NtQueryKey.cpp
new file mode 100644
index 0000000..3ea251d
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryKey.cpp
@@ -0,0 +1,84 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./Dispatch_NTDLL_NtQueryKey.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Initalization.h"
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Global
+//
+__pfnNtQueryKey pfnNtQueryKey = NULL;
+
+
+
+//
+//Dispatch_NTDLL_NtQueryKey Functions
+//
+NTSTATUS
+NTAPI
+OnNtQueryKey(
+	IN HANDLE  KeyHandle,
+	IN KEY_INFORMATION_CLASS  KeyInformationClass,
+	OUT PVOID  KeyInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+	)
+{
+	NTSTATUS nRet;
+
+	DWORD dwRetAddr = 0;
+	__asm
+	{
+		mov eax, [ebp+4];
+		sub eax, 5;
+		mov dwRetAddr, eax;
+	}
+	if( IsBypassCaller(dwRetAddr) )
+	{
+		nRet = pfnNtQueryKey(
+			KeyHandle,
+			KeyInformationClass,
+			KeyInformation,
+			Length,
+			ResultLength
+			);
+
+		return nRet;
+	}
+
+	nRet = pfnNtQueryKey(
+		KeyHandle,
+		KeyInformationClass,
+		KeyInformation,
+		Length,
+		ResultLength
+		);
+
+	return nRet;
+}
+
+NTSTATUS
+NTAPI
+NtQueryKey(
+	IN HANDLE  KeyHandle,
+	IN KEY_INFORMATION_CLASS  KeyInformationClass,
+	OUT PVOID  KeyInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+	)
+{
+	NTSTATUS ret;
+	HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll");
+	__pfnNtQueryKey addFun = (__pfnNtQueryKey)GetProcAddress(hDll,"NtQueryKey");
+	if(addFun)
+	{
+		ret = addFun(KeyHandle,KeyInformationClass,KeyInformation,Length,ResultLength);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/Dispatch_NTDLL_NtQueryKey.h b/HookPorts/Dispatch_NTDLL_NtQueryKey.h
new file mode 100644
index 0000000..1a3d57e
--- /dev/null
+++ b/HookPorts/Dispatch_NTDLL_NtQueryKey.h
@@ -0,0 +1,35 @@
+#pragma once
+
+#include "./Dispatch_NTDLL_NtEnumerateKey.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+
+typedef NTSTATUS (NTAPI * __pfnNtQueryKey)
+(
+	IN HANDLE  KeyHandle,
+	IN KEY_INFORMATION_CLASS  KeyInformationClass,
+	OUT PVOID  KeyInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+	);
+
+extern __pfnNtQueryKey pfnNtQueryKey;
+
+NTSTATUS
+NTAPI
+OnNtQueryKey(
+	IN HANDLE  KeyHandle,
+	IN KEY_INFORMATION_CLASS  KeyInformationClass,
+	OUT PVOID  KeyInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+	);
+
+NTSTATUS
+NTAPI
+NtQueryKey(
+	IN HANDLE  KeyHandle,
+	IN KEY_INFORMATION_CLASS  KeyInformationClass,
+	OUT PVOID  KeyInformation,
+	IN ULONG  Length,
+	OUT PULONG  ResultLength
+	);
\ No newline at end of file