I want to hook some Native API functions from ntdll.dll, more specifically NtCreateFile and NtWriteFile. However, according to MS Documentation, the NT functions are subject to change from one release of Windows to the next, and possibly even between service packs for each release. This includes function signatures and even deletion of the functions. So, with this in mind, is it reliable to hook these functions, as their signature may change? Does madCodeHook provide a workaround for this? If not, is there some other workaround?
That said, hooking the file system in user land comes with some limitations. The biggest problem is that memory-mapped files don't run through any APIs in user land. So if a process calls CreateFile + CreateFileMapping + MapViewOfFile, at that point you lose access to the file read & write operations, because they're done by simply accessing RAM. In user land you cannot hook those read & write accesses. In driver land you can, by writing a little file system filter driver.