From 0f188024103360e716c33512823f657d5e654b36 Mon Sep 17 00:00:00 2001
From: Souhardya Sardar <24700571+Souhardya@users.noreply.github.com>
Date: Thu, 30 Dec 2021 07:43:47 +0530
Subject: [PATCH] Add files via upload

---
 HookPorts/BeginDispatch.cpp        |   89 +++
 HookPorts/BeginDispatch.h          |    5 +
 HookPorts/CloneAPI_ADVAPI32.cpp    |   88 ++
 HookPorts/CloneAPI_ADVAPI32.h      |   36 +
 HookPorts/CloneAPI_FLTLIB.cpp      |   42 +
 HookPorts/CloneAPI_FLTLIB.h        |    9 +
 HookPorts/CloneAPI_KERNEL32.cpp    |  386 +++++++++
 HookPorts/CloneAPI_KERNEL32.h      |  169 ++++
 HookPorts/CloneAPI_SHELL32.cpp     |   22 +
 HookPorts/CloneAPI_SHELL32.h       |    3 +
 HookPorts/GetProcAddressEx.cpp     |  139 ++++
 HookPorts/GetProcAddressEx.h       |    5 +
 HookPorts/HookHelp.cpp             | 1128 ++++++++++++++++++++++++++
 HookPorts/HookHelp.h               |   41 +
 HookPorts/HookHelp_File.cpp        | 1198 ++++++++++++++++++++++++++++
 HookPorts/HookHelp_File.h          |   32 +
 HookPorts/HookHelp_Reg.cpp         |  204 +++++
 HookPorts/HookHelp_Reg.h           |   17 +
 HookPorts/HookPort.sln             |   24 +
 HookPorts/HookPort.suo             |  Bin 0 -> 12800 bytes
 HookPorts/HookPort.vcproj          |  835 +++++++++++++++++++
 HookPorts/HookPort.vcxproj         |  300 +++++++
 HookPorts/HookPort.vcxproj.filters |  695 ++++++++++++++++
 HookPorts/HookPort.vcxproj.user    |    4 +
 HookPorts/IATModifier.cpp          |  203 +++++
 HookPorts/IATModifier.h            |   46 ++
 HookPorts/IATProcess.cpp           |  235 ++++++
 HookPorts/IATProcess.h             |   86 ++
 HookPorts/Initalization.cpp        |  524 ++++++++++++
 HookPorts/Initalization.h          |   27 +
 HookPorts/InlineHook.cpp           |  246 ++++++
 HookPorts/InlineHook.h             |   58 ++
 HookPorts/LDasm.h                  |  676 ++++++++++++++++
 HookPorts/Main.cpp                 |  257 ++++++
 HookPorts/Main.h                   |   42 +
 HookPorts/NativeAPI_NTDLL.cpp      |   65 ++
 HookPorts/NativeAPI_NTDLL.h        |   29 +
 HookPorts/Privilege.cpp            |   73 ++
 HookPorts/Privilege.h              |    5 +
 HookPorts/RemoteInjection.cpp      |  400 ++++++++++
 HookPorts/RemoteInjection.h        |   30 +
 41 files changed, 8473 insertions(+)
 create mode 100644 HookPorts/BeginDispatch.cpp
 create mode 100644 HookPorts/BeginDispatch.h
 create mode 100644 HookPorts/CloneAPI_ADVAPI32.cpp
 create mode 100644 HookPorts/CloneAPI_ADVAPI32.h
 create mode 100644 HookPorts/CloneAPI_FLTLIB.cpp
 create mode 100644 HookPorts/CloneAPI_FLTLIB.h
 create mode 100644 HookPorts/CloneAPI_KERNEL32.cpp
 create mode 100644 HookPorts/CloneAPI_KERNEL32.h
 create mode 100644 HookPorts/CloneAPI_SHELL32.cpp
 create mode 100644 HookPorts/CloneAPI_SHELL32.h
 create mode 100644 HookPorts/GetProcAddressEx.cpp
 create mode 100644 HookPorts/GetProcAddressEx.h
 create mode 100644 HookPorts/HookHelp.cpp
 create mode 100644 HookPorts/HookHelp.h
 create mode 100644 HookPorts/HookHelp_File.cpp
 create mode 100644 HookPorts/HookHelp_File.h
 create mode 100644 HookPorts/HookHelp_Reg.cpp
 create mode 100644 HookPorts/HookHelp_Reg.h
 create mode 100644 HookPorts/HookPort.sln
 create mode 100644 HookPorts/HookPort.suo
 create mode 100644 HookPorts/HookPort.vcproj
 create mode 100644 HookPorts/HookPort.vcxproj
 create mode 100644 HookPorts/HookPort.vcxproj.filters
 create mode 100644 HookPorts/HookPort.vcxproj.user
 create mode 100644 HookPorts/IATModifier.cpp
 create mode 100644 HookPorts/IATModifier.h
 create mode 100644 HookPorts/IATProcess.cpp
 create mode 100644 HookPorts/IATProcess.h
 create mode 100644 HookPorts/Initalization.cpp
 create mode 100644 HookPorts/Initalization.h
 create mode 100644 HookPorts/InlineHook.cpp
 create mode 100644 HookPorts/InlineHook.h
 create mode 100644 HookPorts/LDasm.h
 create mode 100644 HookPorts/Main.cpp
 create mode 100644 HookPorts/Main.h
 create mode 100644 HookPorts/NativeAPI_NTDLL.cpp
 create mode 100644 HookPorts/NativeAPI_NTDLL.h
 create mode 100644 HookPorts/Privilege.cpp
 create mode 100644 HookPorts/Privilege.h
 create mode 100644 HookPorts/RemoteInjection.cpp
 create mode 100644 HookPorts/RemoteInjection.h

diff --git a/HookPorts/BeginDispatch.cpp b/HookPorts/BeginDispatch.cpp
new file mode 100644
index 0000000..ff7655f
--- /dev/null
+++ b/HookPorts/BeginDispatch.cpp
@@ -0,0 +1,89 @@
+#include <windows.h>
+#include <stdio.h>
+
+#include "./BeginDispatch.h"
+#include "../Config/Config.h"
+#include "../Common/DebugLog.h"
+#include "./HookHelp.h"
+
+#include "./Dispatch_NTDLL.h"
+#include "./Dispatch_KERNEL32.h"
+#include "./Dispatch_USER32.h"
+#include "./Dispatch_ADVAPI32.h"
+
+
+
+//
+//BeginDispatch Functions
+//
+int BeginDispatchBySandBoxName(IN const WCHAR * lpSandBoxName)
+{
+	//Return Value:
+	//-1 = error
+	//0 = warning
+	//1 = succeed
+
+	int iRet = 0;
+
+	//
+	//Patch DLL
+	//
+	Dispatch_NTDLL_Start();
+
+	Dispatch_KERNEL32_Start();
+
+	Dispatch_USER32_Start();
+
+	Dispatch_ADVAPI32_Start();
+
+	ScanCurrentProcModule();
+
+	return iRet;
+}
+
+int CheckTargetModule( IN const WCHAR * lpModuleName )
+{
+	//
+	//List of Module will be patch
+	//
+	//ntdll.dll kernel32.dll user32.dll gdi32.dll advapi32.dll shell32.dll
+	//ole32.dll ws2_32.dll crypt32.dll msi.dll sxs.dll secur32.dll hnetcfg.dll
+	//setupapi.dll wtsapi32.dll pstorec.dll
+
+//	if( wcsicmp(lpModuleName,L"kernel32.dll") == 0 )
+//	{
+//#ifdef Dbg
+//		DebugLog(DbgInfo,L"kernel32.dll Patched!");
+//#endif
+//	}
+//
+//	if( wcsicmp(lpModuleName,L"user32.dll") == 0 )
+//	{
+//#ifdef Dbg
+//		DebugLog(DbgInfo,L"user32.dll Patched!");
+//#endif
+//	}
+//
+//	if( wcsicmp(lpModuleName,L"gdi32.dll") == 0 )
+//	{
+//#ifdef Dbg
+//		DebugLog(DbgInfo,L"gdi32.dll Patched!");
+//#endif
+//	}
+//
+//	if( wcsicmp(lpModuleName,L"advapi32.dll") == 0 )
+//	{
+//#ifdef Dbg
+//		DebugLog(DbgInfo,L"advapi32.dll Patched!");
+//#endif
+//	}
+//
+//	if( wcsicmp(lpModuleName,L"shell32.dll") == 0 )
+//	{
+//#ifdef Dbg
+//		DebugLog(DbgInfo,L"shell32.dll Patched!");
+//#endif
+//	}
+
+	return 0;
+}
\ No newline at end of file
diff --git a/HookPorts/BeginDispatch.h b/HookPorts/BeginDispatch.h
new file mode 100644
index 0000000..b5d2fc5
--- /dev/null
+++ b/HookPorts/BeginDispatch.h
@@ -0,0 +1,5 @@
+#pragma once
+
+int BeginDispatchBySandBoxName(IN const WCHAR * lpSandBoxName);
+
+int CheckTargetModule( IN const WCHAR * lpModuleName );
\ No newline at end of file
diff --git a/HookPorts/CloneAPI_ADVAPI32.cpp b/HookPorts/CloneAPI_ADVAPI32.cpp
new file mode 100644
index 0000000..43e4d02
--- /dev/null
+++ b/HookPorts/CloneAPI_ADVAPI32.cpp
@@ -0,0 +1,88 @@
+#include <windows.h>
+
+#include "./CloneAPI_ADVAPI32.h"
+#include "./Main.h"
+
+
+
+//
+//CloneAPI_ADVAPI32 Functions
+//
+LONG
+WINAPI
+CAPI_RegCreateKeyW(
+    IN HKEY hKey,
+    IN LPCWSTR lpSubKey,
+    OUT PHKEY phkResult
+    )
+{
+	LONG ret = NULL;
+	typedef LONG (WINAPI *lpAddFun)(HKEY,LPCWSTR,PHKEY);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneADVAPI32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"RegCreateKeyW");
+	if( addFun != NULL )
+	{
+		ret = addFun(hKey,lpSubKey,phkResult);
+	}
+	return ret;
+}
+
+LONG
+WINAPI
+CAPI_RegCloseKey(
+    IN HKEY hKey
+    )
+{
+	LONG ret = NULL;
+	typedef LONG (WINAPI *lpAddFun)(HKEY);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneADVAPI32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"RegCloseKey");
+	if( addFun != NULL )
+	{
+		ret = addFun(hKey);
+	}
+	return ret;
+}
+
+LONG
+WINAPI
+CAPI_RegOpenKeyExW(
+    IN HKEY hKey,
+    IN LPCWSTR lpSubKey,
+    IN DWORD ulOptions,
+    IN REGSAM samDesired,
+    OUT PHKEY phkResult
+    )
+{
+	LONG ret = NULL;
+	typedef LONG (WINAPI *lpAddFun)(HKEY,LPCWSTR,DWORD,REGSAM,PHKEY);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneADVAPI32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"RegOpenKeyExW");
+	if( addFun != NULL )
+	{
+		ret = addFun(hKey,lpSubKey,ulOptions,samDesired,phkResult);
+	}
+	return ret;
+}
+
+LONG
+WINAPI
+CAPI_RegQueryValueExW(
+    IN HKEY hKey,
+    IN LPCWSTR lpValueName,
+    IN LPDWORD lpReserved,
+    OUT LPDWORD lpType,
+    IN OUT LPBYTE lpData,
+    IN OUT LPDWORD lpcbData
+    )
+{
+	LONG ret = NULL;
+	typedef LONG (WINAPI *lpAddFun)(HKEY,LPCWSTR,LPDWORD,LPDWORD,LPBYTE,LPDWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneADVAPI32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"RegQueryValueExW");
+	if( addFun != NULL )
+	{
+		ret = addFun(hKey,lpValueName,lpReserved,lpType,lpData,lpcbData);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/CloneAPI_ADVAPI32.h b/HookPorts/CloneAPI_ADVAPI32.h
new file mode 100644
index 0000000..a3cdde9
--- /dev/null
+++ b/HookPorts/CloneAPI_ADVAPI32.h
@@ -0,0 +1,36 @@
+#pragma once
+
+LONG
+WINAPI
+CAPI_RegCreateKeyW(
+    IN HKEY hKey,
+    IN LPCWSTR lpSubKey,
+    OUT PHKEY phkResult
+    );
+
+LONG
+WINAPI
+CAPI_RegCloseKey(
+    IN HKEY hKey
+    );
+
+LONG
+WINAPI
+CAPI_RegOpenKeyExW(
+    IN HKEY hKey,
+    IN LPCWSTR lpSubKey,
+    IN DWORD ulOptions,
+    IN REGSAM samDesired,
+    OUT PHKEY phkResult
+    );
+
+LONG
+WINAPI
+CAPI_RegQueryValueExW(
+    IN HKEY hKey,
+    IN LPCWSTR lpValueName,
+    IN LPDWORD lpReserved,
+    OUT LPDWORD lpType,
+    IN OUT LPBYTE lpData,
+    IN OUT LPDWORD lpcbData
+    );
\ No newline at end of file
diff --git a/HookPorts/CloneAPI_FLTLIB.cpp b/HookPorts/CloneAPI_FLTLIB.cpp
new file mode 100644
index 0000000..b7fdd96
--- /dev/null
+++ b/HookPorts/CloneAPI_FLTLIB.cpp
@@ -0,0 +1,42 @@
+#include <windows.h>
+
+#include "./CloneAPI_FLTLIB.h"
+#include "./Main.h"
+
+
+
+//
+//CloneAPI_FLTLIB Functions
+//
+HRESULT
+WINAPI
+CAPI_FilterGetDosName(
+	IN LPCWSTR  lpVolumeName,
+	IN OUT LPWSTR  lpDosName,
+	IN DWORD  dwDosNameBufferSize
+	)
+{
+	//
+	//Parameters:
+	//
+	//[lpVolumeName]
+	//The lpVolumeName input string can be any of the following. The trailing backslash (\) is optional. 
+	//
+	//A drive letter, such as "D:\"
+	//A path to a volume mount point, such as "c:\mnt\edrive\"
+	//A unique volume identifier (also called a volume GUID name), such as "\??\Volume{7603f260-142a-11d4-ac67-806d6172696f}\"
+	//A nonpersistent device name (also called a target name or an NT device name), such as "\Device\HarddiskVolume1\"
+	//
+	//[Return Value]
+	//FilterGetDosName returns S_OK if successful. Otherwise, it returns an error value.
+
+	HRESULT ret = NULL;
+	typedef HRESULT (WINAPI *lpAddFun)(LPCWSTR,LPWSTR,DWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneFLTLIB );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"FilterGetDosName");
+	if( addFun != NULL )
+	{
+		ret = addFun(lpVolumeName,lpDosName,dwDosNameBufferSize);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/CloneAPI_FLTLIB.h b/HookPorts/CloneAPI_FLTLIB.h
new file mode 100644
index 0000000..0fa28b9
--- /dev/null
+++ b/HookPorts/CloneAPI_FLTLIB.h
@@ -0,0 +1,9 @@
+#pragma once
+
+HRESULT
+WINAPI
+CAPI_FilterGetDosName(
+	IN LPCWSTR  lpVolumeName,
+	IN OUT LPWSTR  lpDosName,
+	IN DWORD  dwDosNameBufferSize
+	);
\ No newline at end of file
diff --git a/HookPorts/CloneAPI_KERNEL32.cpp b/HookPorts/CloneAPI_KERNEL32.cpp
new file mode 100644
index 0000000..61f8117
--- /dev/null
+++ b/HookPorts/CloneAPI_KERNEL32.cpp
@@ -0,0 +1,386 @@
+#include <windows.h>
+
+#include "./CloneAPI_KERNEL32.h"
+#include "./Main.h"
+
+
+
+//
+//CloneAPI_KERNEL32 Functions
+//
+HANDLE
+WINAPI
+CAPI_OpenProcess(
+    IN DWORD dwDesiredAccess,
+    IN BOOL bInheritHandle,
+    IN DWORD dwProcessId
+    )
+{
+	HANDLE ret = NULL;
+	typedef HANDLE (WINAPI *lpAddFun)(DWORD,BOOL,DWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"OpenProcess");
+	if( addFun != NULL )
+	{
+		ret = addFun(dwDesiredAccess,bInheritHandle,dwProcessId);
+	}
+	return ret;
+}
+
+LPVOID
+WINAPI
+CAPI_VirtualAllocEx(
+    IN HANDLE hProcess,
+    IN LPVOID lpAddress,
+    IN SIZE_T dwSize,
+    IN DWORD flAllocationType,
+    IN DWORD flProtect
+    )
+{
+	LPVOID ret = NULL;
+	typedef LPVOID (WINAPI *lpAddFun)(HANDLE,LPVOID,SIZE_T,DWORD,DWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"VirtualAllocEx");
+	if( addFun != NULL )
+	{
+		ret = addFun(hProcess,lpAddress,dwSize,flAllocationType,flProtect);
+	}
+	return ret;
+}
+
+BOOL
+WINAPI
+CAPI_WriteProcessMemory(
+    IN HANDLE hProcess,
+    IN LPVOID lpBaseAddress,
+    IN LPCVOID lpBuffer,
+    IN SIZE_T nSize,
+    OUT SIZE_T * lpNumberOfBytesWritten
+    )
+{
+	BOOL ret = NULL;
+	typedef BOOL (WINAPI *lpAddFun)(HANDLE,LPVOID,LPCVOID,SIZE_T,SIZE_T *);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"WriteProcessMemory");
+	if( addFun != NULL )
+	{
+		ret = addFun(hProcess,lpBaseAddress,lpBuffer,nSize,lpNumberOfBytesWritten);
+	}
+	return ret;
+}
+
+HANDLE
+WINAPI
+CAPI_CreateRemoteThread(
+    IN HANDLE hProcess,
+    IN LPSECURITY_ATTRIBUTES lpThreadAttributes,
+    IN SIZE_T dwStackSize,
+    IN LPTHREAD_START_ROUTINE lpStartAddress,
+    IN LPVOID lpParameter,
+    IN DWORD dwCreationFlags,
+    OUT LPDWORD lpThreadId
+    )
+{
+	HANDLE ret = NULL;
+	typedef HANDLE (WINAPI *lpAddFun)(HANDLE,LPSECURITY_ATTRIBUTES,SIZE_T,LPTHREAD_START_ROUTINE,LPVOID,DWORD,LPDWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"CreateRemoteThread");
+	if( addFun != NULL )
+	{
+		ret = addFun(hProcess,lpThreadAttributes,dwStackSize,lpStartAddress,lpParameter,dwCreationFlags,lpThreadId);
+	}
+	return ret;
+}
+
+DWORD
+WINAPI
+CAPI_WaitForSingleObject(
+    IN HANDLE hHandle,
+    IN DWORD dwMilliseconds
+    )
+{
+	DWORD ret = NULL;
+	typedef DWORD (WINAPI *lpAddFun)(HANDLE,DWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"WaitForSingleObject");
+	if( addFun != NULL )
+	{
+		ret = addFun(hHandle,dwMilliseconds);
+	}
+	return ret;
+}
+
+BOOL
+WINAPI
+CAPI_GetExitCodeThread(
+    IN HANDLE hThread,
+    OUT LPDWORD lpExitCode
+    )
+{
+	BOOL ret = NULL;
+	typedef BOOL (WINAPI *lpAddFun)(HANDLE,LPDWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"GetExitCodeThread");
+	if( addFun != NULL )
+	{
+		ret = addFun(hThread,lpExitCode);
+	}
+	return ret;
+}
+
+BOOL
+WINAPI
+CAPI_CloseHandle(
+    IN OUT HANDLE hObject
+    )
+{
+	BOOL ret = NULL;
+	typedef BOOL (WINAPI *lpAddFun)(HANDLE);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"CloseHandle");
+	if( addFun != NULL )
+	{
+		ret = addFun(hObject);
+	}
+	return ret;
+}
+
+BOOL
+WINAPI
+CAPI_VirtualFree(
+    IN LPVOID lpAddress,
+    IN SIZE_T dwSize,
+    IN DWORD dwFreeType
+    )
+{
+	BOOL ret = NULL;
+	typedef BOOL (WINAPI *lpAddFun)(LPVOID,SIZE_T,DWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"VirtualFree");
+	if( addFun != NULL )
+	{
+		ret = addFun(lpAddress,dwSize,dwFreeType);
+	}
+	return ret;
+}
+
+HANDLE
+WINAPI
+CAPI_OpenThread(
+    DWORD dwDesiredAccess,
+    BOOL bInheritHandle,
+    DWORD dwThreadId
+    )
+{
+	HANDLE ret = NULL;
+	typedef HANDLE (WINAPI *lpAddFun)(DWORD,BOOL,DWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"OpenThread");
+	if( addFun != NULL )
+	{
+		ret = addFun(dwDesiredAccess,bInheritHandle,dwThreadId);
+	}
+	return ret;
+}
+
+BOOL
+WINAPI
+CAPI_CreateProcessInternalW(
+	HANDLE hToken,
+	LPCWSTR lpApplicationName,
+	LPWSTR lpCommandLine,
+	LPSECURITY_ATTRIBUTES lpProcessAttributes,
+	LPSECURITY_ATTRIBUTES lpThreadAttributes,
+	BOOL bInheritHandles,
+	DWORD dwCreationFlags,
+	LPVOID lpEnvironment,
+	LPCWSTR lpCurrentDirectory,
+	LPSTARTUPINFOW lpStartupInfo,
+	LPPROCESS_INFORMATION lpProcessInformation,
+	PHANDLE hNewToken)
+{
+	BOOL ret = NULL;
+	typedef BOOL (WINAPI *lpAddFun)(HANDLE,LPCWSTR,LPWSTR,LPSECURITY_ATTRIBUTES,LPSECURITY_ATTRIBUTES,BOOL,DWORD,LPVOID,LPCWSTR,LPSTARTUPINFOW,LPPROCESS_INFORMATION,PHANDLE);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"CreateProcessInternalW");
+	if( addFun != NULL )
+	{
+		ret = addFun(hToken,lpApplicationName,lpCommandLine,lpProcessAttributes,lpThreadAttributes,bInheritHandles,dwCreationFlags,lpEnvironment,lpCurrentDirectory,lpStartupInfo,lpProcessInformation,hNewToken);
+	}
+	return ret;
+}
+
+DWORD
+WINAPI
+CAPI_QueryDosDeviceW(
+    IN LPCWSTR lpDeviceName,
+    OUT LPWSTR lpTargetPath,
+    IN DWORD ucchMax
+    )
+{
+	DWORD ret = NULL;
+	typedef DWORD (WINAPI *lpAddFun)(LPCWSTR,LPWSTR,DWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"QueryDosDeviceW");
+	if( addFun != NULL )
+	{
+		ret = addFun(lpDeviceName,lpTargetPath,ucchMax);
+	}
+	return ret;
+}
+
+DWORD
+WINAPI
+CAPI_GetLongPathNameW(
+    IN LPCWSTR lpszShortPath,
+    OUT LPWSTR  lpszLongPath,
+    IN DWORD    cchBuffer
+    )
+{
+	DWORD ret = NULL;
+	typedef DWORD (WINAPI *lpAddFun)(LPCWSTR,LPWSTR,DWORD);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"GetLongPathNameW");
+	if( addFun != NULL )
+	{
+		ret = addFun(lpszShortPath,lpszLongPath,cchBuffer);
+	}
+	return ret;
+}
+
+HANDLE
+WINAPI
+CAPI_FindFirstFileW(
+    IN LPCWSTR lpFileName,
+    OUT LPWIN32_FIND_DATAW lpFindFileData
+    )
+{
+	HANDLE ret = NULL;
+	typedef HANDLE (WINAPI *lpAddFun)(LPCWSTR,LPWIN32_FIND_DATAW);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"FindFirstFileW");
+	if( addFun != NULL )
+	{
+		ret = addFun(lpFileName,lpFindFileData);
+	}
+	return ret;
+}
+
+BOOL
+WINAPI
+CAPI_FindNextFileW(
+    IN HANDLE hFindFile,
+    OUT LPWIN32_FIND_DATAW lpFindFileData
+    )
+{
+	BOOL ret = NULL;
+	typedef BOOL (WINAPI *lpAddFun)(HANDLE,LPWIN32_FIND_DATAW);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"FindNextFileW");
+	if( addFun != NULL )
+	{
+		ret = addFun(hFindFile,lpFindFileData);
+	}
+	return ret;
+}
+
+BOOL
+WINAPI
+CAPI_FindClose(
+    IN OUT HANDLE hFindFile
+    )
+{
+	BOOL ret = NULL;
+	typedef BOOL (WINAPI *lpAddFun)(HANDLE);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"FindClose");
+	if( addFun != NULL )
+	{
+		ret = addFun(hFindFile);
+	}
+	return ret;
+}
+
+HANDLE
+WINAPI
+CAPI_CreateFileW(
+    IN LPCWSTR lpFileName,
+    IN DWORD dwDesiredAccess,
+    IN DWORD dwShareMode,
+    IN LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+    IN DWORD dwCreationDisposition,
+    IN DWORD dwFlagsAndAttributes,
+    IN HANDLE hTemplateFile
+    )
+{
+	HANDLE ret = NULL;
+	typedef HANDLE (WINAPI *lpAddFun)(LPCWSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"CreateFileW");
+	if( addFun != NULL )
+	{
+		ret = addFun(lpFileName,dwDesiredAccess,dwShareMode,lpSecurityAttributes,dwCreationDisposition,dwFlagsAndAttributes,hTemplateFile);
+	}
+	return ret;
+}
+
+BOOL
+WINAPI
+CAPI_ReadFile(
+    IN HANDLE hFile,
+    OUT LPVOID lpBuffer,
+    IN DWORD nNumberOfBytesToRead,
+    OUT LPDWORD lpNumberOfBytesRead,
+    IN LPOVERLAPPED lpOverlapped
+    )
+{
+	BOOL ret = NULL;
+	typedef BOOL (WINAPI *lpAddFun)(HANDLE,LPVOID,DWORD,LPDWORD,LPOVERLAPPED);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"ReadFile");
+	if( addFun != NULL )
+	{
+		ret = addFun(hFile,lpBuffer,nNumberOfBytesToRead,lpNumberOfBytesRead,lpOverlapped);
+	}
+	return ret;
+}
+
+BOOL
+WINAPI
+CAPI_WriteFile(
+    IN HANDLE hFile,
+    IN LPCVOID lpBuffer,
+    IN DWORD nNumberOfBytesToWrite,
+    OUT LPDWORD lpNumberOfBytesWritten,
+    IN LPOVERLAPPED lpOverlapped
+    )
+{
+	BOOL ret = NULL;
+	typedef BOOL (WINAPI *lpAddFun)(HANDLE,LPCVOID,DWORD,LPDWORD,LPOVERLAPPED);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"WriteFile");
+	if( addFun != NULL )
+	{
+		ret = addFun(hFile,lpBuffer,nNumberOfBytesToWrite,lpNumberOfBytesWritten,lpOverlapped);
+	}
+	return ret;
+}
+
+BOOL
+WINAPI
+CAPI_CopyFileW(
+    IN LPCWSTR lpExistingFileName,
+    IN LPCWSTR lpNewFileName,
+    IN BOOL bFailIfExists
+    )
+{
+	BOOL ret = NULL;
+	typedef BOOL (WINAPI *lpAddFun)(LPCWSTR,LPCWSTR,BOOL);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"CopyFileW");
+	if( addFun != NULL )
+	{
+		ret = addFun(lpExistingFileName,lpNewFileName,bFailIfExists);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/CloneAPI_KERNEL32.h b/HookPorts/CloneAPI_KERNEL32.h
new file mode 100644
index 0000000..c0f75c6
--- /dev/null
+++ b/HookPorts/CloneAPI_KERNEL32.h
@@ -0,0 +1,169 @@
+#pragma once
+
+HANDLE
+WINAPI
+CAPI_OpenProcess(
+    IN DWORD dwDesiredAccess,
+    IN BOOL bInheritHandle,
+    IN DWORD dwProcessId
+    );
+
+LPVOID
+WINAPI
+CAPI_VirtualAllocEx(
+    IN HANDLE hProcess,
+    IN LPVOID lpAddress,
+    IN SIZE_T dwSize,
+    IN DWORD flAllocationType,
+    IN DWORD flProtect
+    );
+
+BOOL
+WINAPI
+CAPI_WriteProcessMemory(
+    IN HANDLE hProcess,
+    IN LPVOID lpBaseAddress,
+    IN LPCVOID lpBuffer,
+    IN SIZE_T nSize,
+    OUT SIZE_T * lpNumberOfBytesWritten
+    );
+
+HANDLE
+WINAPI
+CAPI_CreateRemoteThread(
+    IN HANDLE hProcess,
+    IN LPSECURITY_ATTRIBUTES lpThreadAttributes,
+    IN SIZE_T dwStackSize,
+    IN LPTHREAD_START_ROUTINE lpStartAddress,
+    IN LPVOID lpParameter,
+    IN DWORD dwCreationFlags,
+    OUT LPDWORD lpThreadId
+    );
+
+DWORD
+WINAPI
+CAPI_WaitForSingleObject(
+    IN HANDLE hHandle,
+    IN DWORD dwMilliseconds
+    );
+
+BOOL
+WINAPI
+CAPI_GetExitCodeThread(
+    IN HANDLE hThread,
+    OUT LPDWORD lpExitCode
+    );
+
+BOOL
+WINAPI
+CAPI_CloseHandle(
+    IN OUT HANDLE hObject
+    );
+
+BOOL
+WINAPI
+CAPI_VirtualFree(
+    IN LPVOID lpAddress,
+    IN SIZE_T dwSize,
+    IN DWORD dwFreeType
+    );
+
+HANDLE
+WINAPI
+CAPI_OpenThread(
+    DWORD dwDesiredAccess,
+    BOOL bInheritHandle,
+    DWORD dwThreadId
+    );
+
+BOOL
+WINAPI
+CAPI_CreateProcessInternalW(
+	HANDLE hToken,
+	LPCWSTR lpApplicationName,
+	LPWSTR lpCommandLine,
+	LPSECURITY_ATTRIBUTES lpProcessAttributes,
+	LPSECURITY_ATTRIBUTES lpThreadAttributes,
+	BOOL bInheritHandles,
+	DWORD dwCreationFlags,
+	LPVOID lpEnvironment,
+	LPCWSTR lpCurrentDirectory,
+	LPSTARTUPINFOW lpStartupInfo,
+	LPPROCESS_INFORMATION lpProcessInformation,
+	PHANDLE hNewToken);
+
+DWORD
+WINAPI
+CAPI_QueryDosDeviceW(
+    IN LPCWSTR lpDeviceName,
+    OUT LPWSTR lpTargetPath,
+    IN DWORD ucchMax
+    );
+
+DWORD
+WINAPI
+CAPI_GetLongPathNameW(
+    IN LPCWSTR lpszShortPath,
+    OUT LPWSTR  lpszLongPath,
+    IN DWORD    cchBuffer
+    );
+
+HANDLE
+WINAPI
+CAPI_FindFirstFileW(
+    IN LPCWSTR lpFileName,
+    OUT LPWIN32_FIND_DATAW lpFindFileData
+    );
+
+BOOL
+WINAPI
+CAPI_FindNextFileW(
+    IN HANDLE hFindFile,
+    OUT LPWIN32_FIND_DATAW lpFindFileData
+    );
+
+BOOL
+WINAPI
+CAPI_FindClose(
+    IN OUT HANDLE hFindFile
+    );
+
+HANDLE
+WINAPI
+CAPI_CreateFileW(
+    IN LPCWSTR lpFileName,
+    IN DWORD dwDesiredAccess,
+    IN DWORD dwShareMode,
+    IN LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+    IN DWORD dwCreationDisposition,
+    IN DWORD dwFlagsAndAttributes,
+    IN HANDLE hTemplateFile
+    );
+
+BOOL
+WINAPI
+CAPI_ReadFile(
+    IN HANDLE hFile,
+    OUT LPVOID lpBuffer,
+    IN DWORD nNumberOfBytesToRead,
+    OUT LPDWORD lpNumberOfBytesRead,
+    IN LPOVERLAPPED lpOverlapped
+    );
+
+BOOL
+WINAPI
+CAPI_WriteFile(
+    IN HANDLE hFile,
+    IN LPCVOID lpBuffer,
+    IN DWORD nNumberOfBytesToWrite,
+    OUT LPDWORD lpNumberOfBytesWritten,
+    IN LPOVERLAPPED lpOverlapped
+    );
+
+BOOL
+WINAPI
+CAPI_CopyFileW(
+    IN LPCWSTR lpExistingFileName,
+    IN LPCWSTR lpNewFileName,
+    IN BOOL bFailIfExists
+    );
\ No newline at end of file
diff --git a/HookPorts/CloneAPI_SHELL32.cpp b/HookPorts/CloneAPI_SHELL32.cpp
new file mode 100644
index 0000000..d54aac3
--- /dev/null
+++ b/HookPorts/CloneAPI_SHELL32.cpp
@@ -0,0 +1,22 @@
+#include <windows.h>
+
+#include "./CloneAPI_SHELL32.h"
+#include "./Main.h"
+
+
+
+//
+//CloneAPI_SHELL32 Functions
+//
+int CAPI_SHCreateDirectoryExW(HWND hwnd, LPCWSTR pszPath, SECURITY_ATTRIBUTES *psa)
+{
+	int ret = NULL;
+	typedef int (WINAPI *lpAddFun)(HWND,LPCWSTR,SECURITY_ATTRIBUTES *);
+	HINSTANCE hDll = GetModuleHandleW( CONF_CloneAPI_CloneSHELL32 );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"SHCreateDirectoryExW");
+	if( addFun != NULL )
+	{
+		ret = addFun(hwnd,pszPath,psa);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/CloneAPI_SHELL32.h b/HookPorts/CloneAPI_SHELL32.h
new file mode 100644
index 0000000..fd23328
--- /dev/null
+++ b/HookPorts/CloneAPI_SHELL32.h
@@ -0,0 +1,3 @@
+#pragma once
+
+int CAPI_SHCreateDirectoryExW(HWND hwnd, LPCWSTR pszPath, SECURITY_ATTRIBUTES *psa);
\ No newline at end of file
diff --git a/HookPorts/GetProcAddressEx.cpp b/HookPorts/GetProcAddressEx.cpp
new file mode 100644
index 0000000..9f942d1
--- /dev/null
+++ b/HookPorts/GetProcAddressEx.cpp
@@ -0,0 +1,139 @@
+#include <windows.h>
+
+#include "./GetProcAddressEx.h"
+
+
+
+//
+//Define
+//
+DWORD __stdcall searchexport(IN DWORD modbase, IN DWORD szexportname);
+
+void* __stdcall getkernel32modhandle();
+
+
+
+//
+//Routines
+//
+DWORD GetProcAddressEx(IN HMODULE hModule, IN LPCSTR pProcName)
+{
+	return searchexport( (DWORD) hModule,(DWORD) pProcName );
+}
+
+HINSTANCE GetKERNEL32ModHandle(void)
+{
+	return (HINSTANCE)getkernel32modhandle();
+}
+
+__declspec(naked)
+DWORD __stdcall searchexport(IN DWORD modbase, IN DWORD szexportname)
+{
+	__asm
+	{
+		push ebp
+		mov ebp,esp
+		push ebx
+		push esi
+		push edi
+		mov al,0
+		mov ecx,256
+		mov edi,szexportname
+		cld
+		repnz scasb
+		mov edx,256
+		sub edx,ecx//edx:strlen
+		mov ebx,modbase//ebx: hold the modbase.
+		mov esi,[ebx+60]//PEheaderRVA
+		add esi,ebx
+		add esi,78h//datadirectory,no.1 is exporttable
+		mov eax,[esi]//exptable RVA
+		add eax,ebx
+		mov esi,eax//exptable
+		mov ecx,[esi+24]//ecx:num_of_names
+		mov eax,[esi+32]
+		add eax,ebx//eax:namestable
+
+looper:	cmp ecx,0
+		jz error
+		dec ecx
+		mov esi,[eax+4*ecx]
+		add esi,ebx
+		inc ecx
+		push ecx
+		mov ecx,edx
+		mov edi,szexportname
+		cld
+		repz cmpsb
+		pop ecx
+		jz found
+		dec ecx
+		jmp looper
+found:	dec ecx
+		mov esi,[ebx+60]//PEheaderRVA
+		add esi,ebx
+		add esi,78h//datadirectory,no.1 is exporttable
+		mov esi,[esi]//exptable RVA
+		add esi,ebx//exptable:esi
+		mov esi,[esi+36]
+		add esi,ebx//Index table
+		mov ax,[esi+2*ecx]//got x
+		mov esi,[ebx+60]//PEheaderRVA
+		add esi,ebx
+		add esi,78h//datadirectory,no.1 is exporttable
+		mov esi,[esi]//exptable RVA
+		add esi,ebx//exptable:esi
+		mov esi,[esi+28]
+		add esi,ebx//address table
+		xor edi,edi
+		movzx edi,ax
+		mov eax,[esi+edi*4]
+		add eax,ebx
+		jmp end
+error:
+		xor eax,eax
+		jmp end
+end:
+		pop edi
+		pop esi
+		pop ebx
+		pop ebp
+		ret 8
+	}
+}
+
+void* __stdcall getkernel32modhandle()
+{
+	//
+	//Get Module Handle of [kernel32.dll]
+	//
+	//(1) FS¼Ä´æÆ÷ -> TEB½á¹¹
+	//(2) TEB+0x30 -> PEB½á¹¹
+	//(3) PEB+0x0c -> PEB_LDR_DATA
+	//(4) PEB_LDR_DATA+0x1c -> Ntdll.dll
+	//(5) Ntdll.dll+0x08 -> Kernel32.dll
+	//
+	//For example:
+	//
+	//__asm
+	//{
+	//	push esi
+	//	mov eax, fs:0x30		//´ò¿ªFS¼Ä´æÆ÷
+	//	mov eax, [eax + 0x0c]	//µÃµ½PEB½á¹¹µØÖ·
+	//	mov esi, [eax + 0x1c]	//µÃµ½PEB_LDR_DATA½á¹¹µØÖ·
+	//	lodsd					//InInitializationOrderModuleList
+	//	mov eax, [eax + 0x08]	//µÃµ½BaseAddress£¬¼´kernel32.dll»ùÖ·
+	//	pop esi
+	//}
+
+	__asm
+	{
+		push esi
+		mov eax, fs:0x30		//´ò¿ªFS¼Ä´æÆ÷
+		mov eax, [eax + 0x0c]	//µÃµ½PEB½á¹¹µØÖ·
+		mov esi, [eax + 0x1c]	//µÃµ½PEB_LDR_DATA½á¹¹µØÖ·
+		lodsd					//InInitializationOrderModuleList
+		mov eax, [eax + 0x08]	//µÃµ½BaseAddress£¬¼´kernel32.dll»ùÖ·
+		pop esi
+	}
+}
\ No newline at end of file
diff --git a/HookPorts/GetProcAddressEx.h b/HookPorts/GetProcAddressEx.h
new file mode 100644
index 0000000..15abf0b
--- /dev/null
+++ b/HookPorts/GetProcAddressEx.h
@@ -0,0 +1,5 @@
+#pragma once
+
+DWORD GetProcAddressEx(IN HMODULE hModule, IN LPCSTR pProcName);
+
+HINSTANCE GetKERNEL32ModHandle(void);
\ No newline at end of file
diff --git a/HookPorts/HookHelp.cpp b/HookPorts/HookHelp.cpp
new file mode 100644
index 0000000..fa3d941
--- /dev/null
+++ b/HookPorts/HookHelp.cpp
@@ -0,0 +1,1128 @@
+#include <windows.h>
+#include <ntsecapi.h>
+#include <tlhelp32.h>
+#include <psapi.h>
+#include <shlobj.h>
+#pragma comment(lib,"psapi.lib")
+#include <shlwapi.h>
+#pragma comment(lib,"shlwapi.lib")
+
+#include "./HookHelp.h"
+#include "../Common/DebugLog.h"
+#include "./Main.h"
+#include "./BeginDispatch.h"
+#include "../Config/Config.h"
+#include "./Dispatch_NTDLL_NtQueryObject.h"
+#include "./NativeAPI_NTDLL.h"
+
+#include "./CloneAPI_KERNEL32.h"
+#include "./CloneAPI_FLTLIB.h"
+
+
+
+//
+//Global
+//
+
+//PatchedProcessTable
+DWORD g_dwPatchedProcessId[CONF_HookPort_MaxProcessCount];
+
+//Current module
+DWORD g_dwCurrentModule_ImageBase = 0;
+DWORD g_dwCurrentModule_ImageHigh = 0;
+
+//kernel32.dll
+DWORD g_dwCloneAPIModule_KERNEL32_ImageBase = 0;
+DWORD g_dwCloneAPIModule_KERNEL32_ImageHigh = 0;
+
+//fltlib.dll
+DWORD g_dwCloneAPIModule_FLTLIB_ImageBase = 0;
+DWORD g_dwCloneAPIModule_FLTLIB_ImageHigh = 0;
+
+//shell32.dll
+DWORD g_dwCloneAPIModule_SHELL32_ImageBase = 0;
+DWORD g_dwCloneAPIModule_SHELL32_ImageHigh = 0;
+
+//advapi32.dll
+DWORD g_dwCloneAPIModule_ADVAPI32_ImageBase = 0;
+DWORD g_dwCloneAPIModule_ADVAPI32_ImageHigh = 0;
+
+
+
+//
+//HookHelp Functions
+//
+int GetCurrentModuleInfo( IN HMODULE hModule )
+{
+	//Return Value:
+	//-1 = error
+	//0 = succeed
+	int iRet = -1;
+
+	//
+	//Calculate Base Address & Size of Image
+	//
+	if( hModule )
+	{
+		MODULEINFO ModInfo = {0};
+
+		if( GetModuleInformation(GetCurrentProcess(),hModule,&ModInfo,sizeof(ModInfo)) == TRUE )
+		{
+			//Base Address
+			g_dwCurrentModule_ImageBase = (DWORD)ModInfo.lpBaseOfDll;
+
+			//Size of image
+			g_dwCurrentModule_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage;
+
+			if( g_dwCurrentModule_ImageBase > 0 &&
+				g_dwCurrentModule_ImageHigh > 0
+				)
+			{
+				iRet = 0;
+
+#ifdef Dbg
+				WCHAR szDebugString[256] = {0};
+				wsprintf(szDebugString,L"CurrentModuleImageBase = [0x%08X] CurrentModuleImageHigh = [0x%08X]",g_dwCurrentModule_ImageBase,g_dwCurrentModule_ImageHigh);
+				DebugLog(DbgInfo,szDebugString);
+#endif
+			}
+		}
+	}
+
+	return iRet;
+}
+
+int GetCloenAPIModuleInfo(void)
+{
+	//Return Value:
+	//-1 = error
+	//0 = succeed
+	int iRet = 0;
+
+	//
+	//Calculate Base Address & Size of Image
+	//
+
+	//kernel32.dll
+	g_hCloneKERNEL32 = LoadLibrary( g_szCloneKERNEL32 );
+	if( g_hCloneKERNEL32 )
+	{
+		MODULEINFO ModInfo = {0};
+
+		if( GetModuleInformation(GetCurrentProcess(),g_hCloneKERNEL32,&ModInfo,sizeof(ModInfo)) == TRUE )
+		{
+			//Base Address
+			g_dwCloneAPIModule_KERNEL32_ImageBase = (DWORD)ModInfo.lpBaseOfDll;
+
+			//Size of image
+			g_dwCloneAPIModule_KERNEL32_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage;
+
+			if( g_dwCloneAPIModule_KERNEL32_ImageBase > 0 &&
+				g_dwCloneAPIModule_KERNEL32_ImageHigh > 0
+				)
+			{
+				iRet = 0;
+
+#ifdef Dbg
+				WCHAR szDebugString[256] = {0};
+				wsprintf(
+					szDebugString,
+					L"CloneAPIModuleImageBase = [0x%08X] CloneAPIModuleImageHigh = [0x%08X]",
+					g_dwCloneAPIModule_KERNEL32_ImageBase,
+					g_dwCloneAPIModule_KERNEL32_ImageHigh
+					);
+				DebugLog(DbgInfo,szDebugString);
+#endif
+			}
+		}
+	}
+
+	//fltlib.dll
+	g_hCloneFLTLIB = LoadLibrary( g_szCloneFLTLIB );
+	if( g_hCloneFLTLIB )
+	{
+		MODULEINFO ModInfo = {0};
+
+		if( GetModuleInformation(GetCurrentProcess(),g_hCloneFLTLIB,&ModInfo,sizeof(ModInfo)) == TRUE )
+		{
+			//Base Address
+			g_dwCloneAPIModule_FLTLIB_ImageBase = (DWORD)ModInfo.lpBaseOfDll;
+
+			//Size of image
+			g_dwCloneAPIModule_FLTLIB_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage;
+
+			if( g_dwCloneAPIModule_FLTLIB_ImageBase > 0 &&
+				g_dwCloneAPIModule_FLTLIB_ImageHigh > 0
+				)
+			{
+				iRet = 0;
+
+#ifdef Dbg
+				WCHAR szDebugString[256] = {0};
+				wsprintf(
+					szDebugString,
+					L"CloneAPIModuleImageBase = [0x%08X] CloneAPIModuleImageHigh = [0x%08X]",
+					g_dwCloneAPIModule_FLTLIB_ImageBase,
+					g_dwCloneAPIModule_FLTLIB_ImageHigh
+					);
+				DebugLog(DbgInfo,szDebugString);
+#endif
+			}
+		}
+	}
+
+	//shell32.dll
+	g_hCloneSHELL32 = LoadLibrary( g_szCloneSHELL32 );
+	if( g_hCloneSHELL32 )
+	{
+		MODULEINFO ModInfo = {0};
+
+		if( GetModuleInformation(GetCurrentProcess(),g_hCloneSHELL32,&ModInfo,sizeof(ModInfo)) == TRUE )
+		{
+			//Base Address
+			g_dwCloneAPIModule_SHELL32_ImageBase = (DWORD)ModInfo.lpBaseOfDll;
+
+			//Size of image
+			g_dwCloneAPIModule_SHELL32_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage;
+
+			if( g_dwCloneAPIModule_SHELL32_ImageBase > 0 &&
+				g_dwCloneAPIModule_SHELL32_ImageHigh > 0
+				)
+			{
+				iRet = 0;
+
+#ifdef Dbg
+				WCHAR szDebugString[256] = {0};
+				wsprintf(
+					szDebugString,
+					L"CloneAPIModuleImageBase = [0x%08X] CloneAPIModuleImageHigh = [0x%08X]",
+					g_dwCloneAPIModule_SHELL32_ImageBase,
+					g_dwCloneAPIModule_SHELL32_ImageHigh
+					);
+				DebugLog(DbgInfo,szDebugString);
+#endif
+			}
+		}
+	}
+
+	//advapi32.dll
+	g_hCloneADVAPI32 = LoadLibrary( g_szCloneADVAPI32 );
+	if( g_hCloneADVAPI32 )
+	{
+		MODULEINFO ModInfo = {0};
+
+		if( GetModuleInformation(GetCurrentProcess(),g_hCloneADVAPI32,&ModInfo,sizeof(ModInfo)) == TRUE )
+		{
+			//Base Address
+			g_dwCloneAPIModule_ADVAPI32_ImageBase = (DWORD)ModInfo.lpBaseOfDll;
+
+			//Size of image
+			g_dwCloneAPIModule_ADVAPI32_ImageHigh = (DWORD)ModInfo.lpBaseOfDll+ModInfo.SizeOfImage;
+
+			if( g_dwCloneAPIModule_ADVAPI32_ImageBase > 0 &&
+				g_dwCloneAPIModule_ADVAPI32_ImageHigh > 0
+				)
+			{
+				iRet = 0;
+
+#ifdef Dbg
+				WCHAR szDebugString[256] = {0};
+				wsprintf(
+					szDebugString,
+					L"CloneAPIModuleImageBase = [0x%08X] CloneAPIModuleImageHigh = [0x%08X]",
+					g_dwCloneAPIModule_ADVAPI32_ImageBase,
+					g_dwCloneAPIModule_ADVAPI32_ImageHigh
+					);
+				DebugLog(DbgInfo,szDebugString);
+#endif
+			}
+		}
+	}
+
+	return iRet;
+}
+
+BOOL IsBypassCaller( IN DWORD lpdwReturnAddress )
+{
+	//Return Value:
+	//TRUE = bypass
+	//FALSE = not bypass
+
+	//
+	//Check Return Address
+	//
+
+	//Current module
+	if( lpdwReturnAddress >= g_dwCurrentModule_ImageBase &&
+		lpdwReturnAddress <= g_dwCurrentModule_ImageHigh
+		)
+	{
+		return TRUE;
+	}
+
+	//kernel32.dll
+	if( lpdwReturnAddress >= g_dwCloneAPIModule_KERNEL32_ImageBase &&
+		lpdwReturnAddress <= g_dwCloneAPIModule_KERNEL32_ImageHigh
+		)
+	{
+		return TRUE;
+	}
+
+	//fltlib.dll
+	if( lpdwReturnAddress >= g_dwCloneAPIModule_FLTLIB_ImageBase &&
+		lpdwReturnAddress <= g_dwCloneAPIModule_FLTLIB_ImageHigh
+		)
+	{
+		return TRUE;
+	}
+
+	//shell32.dll
+	if( lpdwReturnAddress >= g_dwCloneAPIModule_SHELL32_ImageBase &&
+		lpdwReturnAddress <= g_dwCloneAPIModule_SHELL32_ImageHigh
+		)
+	{
+		return TRUE;
+	}
+
+	//advapi.dll
+	if( lpdwReturnAddress >= g_dwCloneAPIModule_ADVAPI32_ImageBase &&
+		lpdwReturnAddress <= g_dwCloneAPIModule_ADVAPI32_ImageHigh
+		)
+	{
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+BOOL IsProcessPatched( IN DWORD dwProcessId ,IN BOOL bQueryInCached )
+{
+	//Return Value:
+	//TRUE = Patched
+	//FALSE = not Patched
+	BOOL bRet = FALSE;
+
+	//
+	//Query in cached of [Patched Process Table]
+	//
+	if( bQueryInCached == TRUE )
+	{
+		for(int i=0;i<CONF_HookPort_MaxProcessCount;i++)
+		{
+			if( g_dwPatchedProcessId[i] == 0 )
+			{
+				break;
+			}
+			if( g_dwPatchedProcessId[i] == dwProcessId )
+			{
+				bRet = TRUE;
+				break;
+			}
+		}
+
+		return bRet;
+	}
+
+	//
+	//Query subkey [HKEY_USERS\SandBox_XXX\SYNC\PROC\(PID)]
+	//
+	HKEY hkSandBox = NULL;
+	WCHAR szSubKeyName[256] = {NULL};
+
+	wsprintf(
+		szSubKeyName,
+		L"%s_%s\\%s\\%s\\%d",
+		CONF_SoftwareReg_SandBox,
+		g_szSandBoxName,
+		CONF_SoftwareReg_SandBox_SYNC,
+		CONF_SoftwareReg_SandBox_SYNC_PROC,
+		dwProcessId
+		);
+
+	if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkSandBox) == ERROR_SUCCESS )
+	{
+		HANDLE hProc = NULL;
+		hProc = CAPI_OpenProcess( PROCESS_QUERY_INFORMATION,FALSE,dwProcessId);
+		if( !hProc )
+		{
+			bRet = FALSE;
+		}
+		else
+		{
+			bRet = TRUE;
+		}
+		CloseHandle(hProc);
+	}
+	RegCloseKey(hkSandBox);
+
+	return bRet;
+}
+
+BOOL InitPatchedProcessTable(void)
+{
+	for(int i=0;i<CONF_HookPort_MaxProcessCount;i++)
+	{
+		g_dwPatchedProcessId[i] = 0;
+	}
+
+	return TRUE;
+}
+
+BOOL AddProcessIdToProcTable( IN DWORD dwProcessId )
+{
+	for(int i=0;i<CONF_HookPort_MaxProcessCount;i++)
+	{
+		if( g_dwPatchedProcessId[i] == 0 || 
+			g_dwPatchedProcessId[i] == -1
+			)
+		{
+			g_dwPatchedProcessId[i] = dwProcessId;
+			break;
+		}
+	}
+
+	return TRUE;
+}
+
+BOOL DelProcessIdFromProcTable( IN DWORD dwProcessId )
+{
+	for(int i=0;i<CONF_HookPort_MaxProcessCount;i++)
+	{
+		if( g_dwPatchedProcessId[i] == 0 )
+		{
+			break;
+		}
+		if( g_dwPatchedProcessId[i] == dwProcessId )
+		{
+			g_dwPatchedProcessId[i] = -1;
+			break;
+		}
+	}
+
+	return TRUE;
+}
+
+int ScanCurrentProcModule(void)
+{
+	HANDLE hSnapshot= NULL;
+	MODULEENTRY32 moudle;
+
+	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,GetCurrentProcessId());
+	moudle.dwSize = sizeof(MODULEENTRY32);
+	Module32First(hSnapshot,&moudle);
+	do
+	{
+		//
+		//Ignore current module
+		//
+		if( moudle.hModule == g_hinstDLL )
+		{
+			continue;
+		}
+		//
+		//Check if is target module
+		//
+		CheckTargetModule(moudle.szModule);
+	}
+	while( Module32Next(hSnapshot,&moudle) );
+	CloseHandle(hSnapshot);
+
+	return 0;
+}
+
+int GetFileDeleteTraceCount( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName )
+{
+	//Return Value:
+	//-1 = error
+	//nonezero = succeed
+	int iRet = 1;
+
+	////
+	////Check if is Directory
+	////
+	//if( lstrlenW(lpszFileDosName) <= lstrlenW(L"C:\\C") )
+	//{
+	//	return iRet;
+	//}
+
+	////
+	////Get FileDosPath
+	////
+	//WCHAR szDeviceName[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1)
+	//WCHAR szVolumeName[MAX_NAME] = {NULL};//(C:)
+	//WCHAR szFileDosName[MAX_NAME] = {NULL};//(\\WINDOWS\\XXX)
+
+	//WCHAR szLinkFileDevPath[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+	//WCHAR szLinkFileDosPath[MAX_NAME] = {NULL};//(C:\\WINDOWS\\XXX)
+
+	//lstrcpyW(szLinkFileDevPath,lpszFileDevicePath);
+	//lstrcpyW(szFileDosName,lpszFileDosName);
+
+	//lstrcpynW(szDeviceName,szLinkFileDevPath,lstrlenW(szLinkFileDevPath) - lstrlenW(szFileDosName) + 1);
+
+	////
+	////Convert [DeviceName] to [DosName]
+	////
+	//CAPI_FilterGetDosName(szDeviceName,szVolumeName,MAX_NAME);
+
+	//wsprintfW(szLinkFileDosPath,L"%s%s",szVolumeName,szFileDosName);
+
+	////
+	////Check if is ShortPathName
+	////
+	//WCHAR szLinkFileDosLongPath[MAX_NAME] = {NULL};
+	//lstrcpyW(szLinkFileDosLongPath,szLinkFileDosPath);
+
+	//if( CAPI_GetLongPathNameW(szLinkFileDosPath,szLinkFileDosLongPath,MAX_NAME) )
+	//{
+	//	if( lstrlenW(szLinkFileDosPath) != lstrlenW(szLinkFileDosLongPath) )
+	//	{
+	//		//
+	//		//Convert ShortPath to LongPath
+	//		//
+	//		lstrcpyW(szLinkFileDosPath,szLinkFileDosLongPath);
+
+	//		lstrcpyW(szLinkFileDevPath,szDeviceName);
+	//		lstrcatW(szLinkFileDevPath,&szLinkFileDosLongPath[lstrlen(szVolumeName)]);
+	//	}
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+
+	////
+	////Query reg value [HKEY_USERS\SandBox_XXX\(DelTrace_File)]
+	////
+	//HKEY hkDeleteTrace = NULL;
+	//WCHAR szSubKeyName[256] = {NULL};
+
+	//wsprintf(
+	//	szSubKeyName,
+	//	L"%s_%s\\%s",
+	//	CONF_SoftwareReg_SandBox,
+	//	g_szSandBoxName,
+	//	CONF_SoftwareReg_SandBox_DelTrace_File
+	//	);
+
+	//if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkDeleteTrace) == ERROR_SUCCESS )
+	//{
+	//	WCHAR szRegValueName[MAX_NAME] = {0};
+	//	DWORD dwIndex = 0;
+	//	DWORD cchValue = MAX_NAME;
+	//	while( RegEnumValue(hkDeleteTrace,dwIndex,szRegValueName,&cchValue,NULL,NULL,NULL,NULL) == ERROR_SUCCESS )
+	//	{
+	//		cchValue = MAX_NAME;
+	//		dwIndex++;
+
+	//		//
+	//		//Get Directory
+	//		//
+	//		PathRemoveFileSpec(szRegValueName);
+	//		if( wcsicmp(szRegValueName,szLinkFileDevPath) == 0 )
+	//		{
+	//			iRet++;
+	//		}
+	//	}
+	//}
+	//RegCloseKey(hkDeleteTrace);
+
+	return iRet;
+}
+
+int QueryFileDeleteTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName ,IN WCHAR * lpszFileName, IN ULONG lpuNameLength )
+{
+	//Return Value:
+	//-1 = error
+	//0 = Exist
+	//1 = Deleted
+	int iRet = 0;
+
+	////
+	////Get FileDosPath
+	////
+	//WCHAR szDeviceName[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1)
+	//WCHAR szVolumeName[MAX_NAME] = {NULL};//(C:)
+	//WCHAR szFileDosName[MAX_NAME] = {NULL};//(\\WINDOWS\\XXX)
+
+	//WCHAR szLinkFileDevPath[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+	//WCHAR szLinkFileDosPath[MAX_NAME] = {NULL};//(C:\\WINDOWS\\XXX)
+
+	//lstrcpyW(szLinkFileDevPath,lpszFileDevicePath);
+	//lstrcpyW(szFileDosName,lpszFileDosName);
+
+	//lstrcpynW(szDeviceName,szLinkFileDevPath,lstrlenW(szLinkFileDevPath) - lstrlenW(szFileDosName) + 1);
+
+	////
+	////Convert [DeviceName] to [DosName]
+	////
+	//CAPI_FilterGetDosName(szDeviceName,szVolumeName,MAX_NAME);
+
+	//wsprintfW(szLinkFileDosPath,L"%s%s",szVolumeName,szFileDosName);
+
+	////
+	////Check if is ShortPathName
+	////
+	//WCHAR szLinkFileDosLongPath[MAX_NAME] = {NULL};
+	//lstrcpyW(szLinkFileDosLongPath,szLinkFileDosPath);
+
+	//if( CAPI_GetLongPathNameW(szLinkFileDosPath,szLinkFileDosLongPath,MAX_NAME) )
+	//{
+	//	if( lstrlenW(szLinkFileDosPath) != lstrlenW(szLinkFileDosLongPath) )
+	//	{
+	//		//
+	//		//Convert ShortPath to LongPath
+	//		//
+	//		lstrcpyW(szLinkFileDosPath,szLinkFileDosLongPath);
+
+	//		lstrcpyW(szLinkFileDevPath,szDeviceName);
+	//		lstrcatW(szLinkFileDevPath,&szLinkFileDosLongPath[lstrlen(szVolumeName)]);
+	//	}
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+
+	////
+	////Query reg value [HKEY_USERS\SandBox_XXX\(DelTrace_File)]
+	////
+	//HKEY hkDeleteTrace = NULL;
+	//WCHAR szSubKeyName[256] = {NULL};
+
+	//wsprintf(
+	//	szSubKeyName,
+	//	L"%s_%s\\%s",
+	//	CONF_SoftwareReg_SandBox,
+	//	g_szSandBoxName,
+	//	CONF_SoftwareReg_SandBox_DelTrace_File
+	//	);
+
+	//if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkDeleteTrace) == ERROR_SUCCESS )
+	//{
+	//	WCHAR szRealFileName[MAX_NAME] = {NULL};
+	//	WCHAR szLinkFileDevFullPath[MAX_NAME] = {NULL};
+	//	WCHAR szRegDosPath[MAX_NAME] = {NULL};
+	//	DWORD dwType = REG_SZ;
+	//	DWORD dwBufLen = MAX_NAME;
+
+	//	lstrcpyW(szRealFileName,lpszFileName);
+	//	lstrcpynW(szRealFileName,szRealFileName,(lpuNameLength/2)+1);
+
+	//	lstrcpyW(szLinkFileDevFullPath,szLinkFileDevPath);
+	//	lstrcatW(szLinkFileDevFullPath,L"\\");
+	//	lstrcatW(szLinkFileDevFullPath,szRealFileName);
+
+	//	if( RegQueryValueEx(
+	//					hkDeleteTrace,
+	//					szLinkFileDevFullPath,
+	//					NULL,
+	//					&dwType,
+	//					(LPBYTE)&szRegDosPath,
+	//					&dwBufLen
+	//					) == ERROR_SUCCESS )
+	//	{
+	//		iRet = 1;
+	//	}
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+	//RegCloseKey(hkDeleteTrace);
+
+	return iRet;
+}
+
+//int AddFileDeleteTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName )
+//{
+//	//Return Value:
+//	//-1 = error
+//	//0 = succeed
+//	int iRet = 0;
+//
+//	//
+//	//Link Table
+//	//
+//	//Link(FileDevicePath->FileDosPath):
+//	//ValueName
+//	//[\\Device\\HarddiskVolume1\\WINDOWS\\XXX](FileDevicePath)
+//	//Data
+//	//[C:\\WINDOWS\\XXX](FileDosPath)
+//
+//	//
+//	//Get FileDosPath
+//	//
+//	WCHAR szDeviceName[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1)
+//	WCHAR szVolumeName[MAX_NAME] = {NULL};//(C:)
+//	WCHAR szFileDosName[MAX_NAME] = {NULL};//(\\WINDOWS\\XXX)
+//
+//	WCHAR szLinkFileDevPath[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+//	WCHAR szLinkFileDosPath[MAX_NAME] = {NULL};//(C:\\WINDOWS\\XXX)
+//
+//	lstrcpyW(szLinkFileDevPath,lpszFileDevicePath);
+//	lstrcpyW(szFileDosName,lpszFileDosName);
+//
+//	lstrcpynW(szDeviceName,szLinkFileDevPath,lstrlenW(szLinkFileDevPath) - lstrlenW(szFileDosName) + 1);
+//
+//	//
+//	//Convert [DeviceName] to [DosName]
+//	//
+//	CAPI_FilterGetDosName(szDeviceName,szVolumeName,MAX_NAME);
+//
+//	wsprintfW(szLinkFileDosPath,L"%s%s",szVolumeName,szFileDosName);
+//
+//	//
+//	//Check if is ShortPathName
+//	//
+//	WCHAR szLinkFileDosLongPath[MAX_NAME] = {NULL};
+//	lstrcpyW(szLinkFileDosLongPath,szLinkFileDosPath);
+//
+//	if( CAPI_GetLongPathNameW(szLinkFileDosPath,szLinkFileDosLongPath,MAX_NAME) )
+//	{
+//		if( lstrlenW(szLinkFileDosPath) != lstrlenW(szLinkFileDosLongPath) )
+//		{
+//			//
+//			//Convert ShortPath to LongPath
+//			//
+//			lstrcpyW(szLinkFileDosPath,szLinkFileDosLongPath);
+//
+//			lstrcpyW(szLinkFileDevPath,szDeviceName);
+//			lstrcatW(szLinkFileDevPath,&szLinkFileDosLongPath[lstrlen(szVolumeName)]);
+//		}
+//	}
+//	else
+//	{
+//		iRet = -1;
+//	}
+//
+//	//
+//	//Set reg value [HKEY_USERS\SandBox_XXX\(DelTrace_File)]
+//	//
+//	HKEY hkDeleteTrace = NULL;
+//	WCHAR szSubKeyName[256] = {NULL};
+//
+//	wsprintf(
+//		szSubKeyName,
+//		L"%s_%s\\%s",
+//		CONF_SoftwareReg_SandBox,
+//		g_szSandBoxName,
+//		CONF_SoftwareReg_SandBox_DelTrace_File
+//		);
+//
+//	if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkDeleteTrace) == ERROR_SUCCESS )
+//	{
+//		RegSetValueEx(
+//			hkDeleteTrace,
+//			szLinkFileDevPath,
+//			NULL,
+//			REG_SZ,
+//			(const BYTE *)szLinkFileDosPath,
+//			(DWORD)(lstrlenW(szLinkFileDosPath)*sizeof(WCHAR))
+//			);
+//	}
+//	else
+//	{
+//		iRet = -1;
+//	}
+//	RegCloseKey(hkDeleteTrace);
+//
+//	return iRet;
+//}
+
+int DelFileDeleteTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName )
+{
+	//Return Value:
+	//-1 = error
+	//0 = succeed
+	int iRet = 0;
+
+	////
+	////Link Table
+	////
+	////Link(FileDevicePath->FileDosPath):
+	////ValueName
+	////[\\Device\\HarddiskVolume1\\WINDOWS\\XXX](FileDevicePath)
+	////Data
+	////[C:\\WINDOWS\\XXX](FileDosPath)
+
+	////
+	////Get FileDosPath
+	////
+	//WCHAR szDeviceName[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1)
+	//WCHAR szVolumeName[MAX_NAME] = {NULL};//(C:)
+	//WCHAR szFileDosName[MAX_NAME] = {NULL};//(\\WINDOWS\\XXX)
+
+	//WCHAR szLinkFileDevPath[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+	//WCHAR szLinkFileDosPath[MAX_NAME] = {NULL};//(C:\\WINDOWS\\XXX)
+
+	//lstrcpyW(szLinkFileDevPath,lpszFileDevicePath);
+	//lstrcpyW(szFileDosName,lpszFileDosName);
+
+	//lstrcpynW(szDeviceName,szLinkFileDevPath,lstrlenW(szLinkFileDevPath) - lstrlenW(szFileDosName) + 1);
+
+	////
+	////Convert [DeviceName] to [DosName]
+	////
+	//CAPI_FilterGetDosName(szDeviceName,szVolumeName,MAX_NAME);
+
+	//wsprintfW(szLinkFileDosPath,L"%s%s",szVolumeName,szFileDosName);
+
+	////
+	////Check if is ShortPathName
+	////
+	//WCHAR szLinkFileDosLongPath[MAX_NAME] = {NULL};
+	//lstrcpyW(szLinkFileDosLongPath,szLinkFileDosPath);
+
+	//if( CAPI_GetLongPathNameW(szLinkFileDosPath,szLinkFileDosLongPath,MAX_NAME) )
+	//{
+	//	if( lstrlenW(szLinkFileDosPath) != lstrlenW(szLinkFileDosLongPath) )
+	//	{
+	//		//
+	//		//Convert ShortPath to LongPath
+	//		//
+	//		lstrcpyW(szLinkFileDosPath,szLinkFileDosLongPath);
+
+	//		lstrcpyW(szLinkFileDevPath,szDeviceName);
+	//		lstrcatW(szLinkFileDevPath,&szLinkFileDosLongPath[lstrlen(szVolumeName)]);
+	//	}
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+
+	////
+	////Delete reg value [HKEY_USERS\SandBox_XXX\(DelTrace_File)]
+	////
+	//HKEY hkDeleteTrace = NULL;
+	//WCHAR szSubKeyName[256] = {NULL};
+
+	//wsprintf(
+	//	szSubKeyName,
+	//	L"%s_%s\\%s",
+	//	CONF_SoftwareReg_SandBox,
+	//	g_szSandBoxName,
+	//	CONF_SoftwareReg_SandBox_DelTrace_File
+	//	);
+
+	//if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkDeleteTrace) == ERROR_SUCCESS )
+	//{
+	//	RegDeleteValue(hkDeleteTrace,szLinkFileDevPath);
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+	//RegCloseKey(hkDeleteTrace);
+
+	return iRet;
+}
+
+int TestFileDeleteTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName )
+{
+	//Return Value:
+	//-1 = error
+	//0 = Exist
+	//1 = Deleted
+	int iRet = 0;
+
+	////
+	////Get FileDosPath
+	////
+	//WCHAR szDeviceName[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1)
+	//WCHAR szVolumeName[MAX_NAME] = {NULL};//(C:)
+	//WCHAR szFileDosName[MAX_NAME] = {NULL};//(\\WINDOWS\\XXX)
+
+	//WCHAR szLinkFileDevPath[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+	//WCHAR szLinkFileDosPath[MAX_NAME] = {NULL};//(C:\\WINDOWS\\XXX)
+
+	//lstrcpyW(szLinkFileDevPath,lpszFileDevicePath);
+	//lstrcpyW(szFileDosName,lpszFileDosName);
+
+	//lstrcpynW(szDeviceName,szLinkFileDevPath,lstrlenW(szLinkFileDevPath) - lstrlenW(szFileDosName) + 1);
+
+	////
+	////Convert [DeviceName] to [DosName]
+	////
+	//CAPI_FilterGetDosName(szDeviceName,szVolumeName,MAX_NAME);
+
+	//wsprintfW(szLinkFileDosPath,L"%s%s",szVolumeName,szFileDosName);
+
+	////
+	////Check if is ShortPathName
+	////
+	//WCHAR szLinkFileDosLongPath[MAX_NAME] = {NULL};
+	//lstrcpyW(szLinkFileDosLongPath,szLinkFileDosPath);
+
+	//if( CAPI_GetLongPathNameW(szLinkFileDosPath,szLinkFileDosLongPath,MAX_NAME) )
+	//{
+	//	if( lstrlenW(szLinkFileDosPath) != lstrlenW(szLinkFileDosLongPath) )
+	//	{
+	//		//
+	//		//Convert ShortPath to LongPath
+	//		//
+	//		lstrcpyW(szLinkFileDosPath,szLinkFileDosLongPath);
+
+	//		lstrcpyW(szLinkFileDevPath,szDeviceName);
+	//		lstrcatW(szLinkFileDevPath,&szLinkFileDosLongPath[lstrlen(szVolumeName)]);
+	//	}
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+
+	////
+	////Query reg value [HKEY_USERS\SandBox_XXX\(DelTrace_File)]
+	////
+	//HKEY hkDeleteTrace = NULL;
+	//WCHAR szSubKeyName[256] = {NULL};
+
+	//wsprintf(
+	//	szSubKeyName,
+	//	L"%s_%s\\%s",
+	//	CONF_SoftwareReg_SandBox,
+	//	g_szSandBoxName,
+	//	CONF_SoftwareReg_SandBox_DelTrace_File
+	//	);
+
+	//if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkDeleteTrace) == ERROR_SUCCESS )
+	//{
+	//	WCHAR szRegDosPath[MAX_NAME] = {NULL};
+	//	DWORD dwType = REG_SZ;
+	//	DWORD dwBufLen = MAX_NAME;
+
+	//	if( RegQueryValueEx(
+	//					hkDeleteTrace,
+	//					szLinkFileDevPath,
+	//					NULL,
+	//					&dwType,
+	//					(LPBYTE)&szRegDosPath,
+	//					&dwBufLen
+	//					) == ERROR_SUCCESS )
+	//	{
+	//		iRet = 1;
+	//	}
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+	//RegCloseKey(hkDeleteTrace);
+
+	return iRet;
+}
+
+int AddFileDispatchTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName ,OUT WCHAR * lpszNewFileNtPath )
+{
+	int iRet = 0;
+
+	////
+	////Get FileDosPath
+	////
+	//WCHAR szDeviceName[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1)
+	//WCHAR szVolumeName[MAX_NAME] = {NULL};//(C:)
+	//WCHAR szFileDosName[MAX_NAME] = {NULL};//(\\WINDOWS\\XXX)
+
+	//WCHAR szLinkFileDevPath[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+	//WCHAR szLinkFileDosPath[MAX_NAME] = {NULL};//(C:\\WINDOWS\\XXX)
+
+	//lstrcpyW(szLinkFileDevPath,lpszFileDevicePath);
+	//lstrcpyW(szFileDosName,lpszFileDosName);
+
+	//lstrcpynW(szDeviceName,szLinkFileDevPath,lstrlenW(szLinkFileDevPath) - lstrlenW(szFileDosName) + 1);
+
+	////
+	////Convert [DeviceName] to [DosName]
+	////
+	//CAPI_FilterGetDosName(szDeviceName,szVolumeName,MAX_NAME);
+
+	//wsprintfW(szLinkFileDosPath,L"%s%s",szVolumeName,szFileDosName);
+
+	////
+	////Check if is ShortPathName
+	////
+	//WCHAR szLinkFileDosLongPath[MAX_NAME] = {NULL};
+	//lstrcpyW(szLinkFileDosLongPath,szLinkFileDosPath);
+
+	//if( CAPI_GetLongPathNameW(szLinkFileDosPath,szLinkFileDosLongPath,MAX_NAME) )
+	//{
+	//	if( lstrlenW(szLinkFileDosPath) != lstrlenW(szLinkFileDosLongPath) )
+	//	{
+	//		//
+	//		//Convert ShortPath to LongPath
+	//		//
+	//		lstrcpyW(szLinkFileDosPath,szLinkFileDosLongPath);
+
+	//		lstrcpyW(szLinkFileDevPath,szDeviceName);
+	//		lstrcatW(szLinkFileDevPath,&szLinkFileDosLongPath[lstrlen(szVolumeName)]);
+	//	}
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+
+	////
+	////Get NewFileNtPath
+	////
+	//WCHAR szNewFileNtPath[MAX_NAME] = {NULL};//(X:\\SandBox\\DefaultBox\\Device\\HarddiskVolume1\\XXX)
+
+	//wsprintf(szNewFileNtPath,L"%s%s",g_szRestorePath,szLinkFileDevPath);
+
+	////
+	////Init UNICODE_STRING
+	////
+	//WCHAR szNtFileName[MAX_NAME] = {NULL};//(\\??\\X:\\SandBox\\DefaultBox\\Device\\HarddiskVolume1\\XXX)
+	//UNICODE_STRING usNtFileName;
+
+	//RtlDosPathNameToNtPathName_U(szNewFileNtPath,&usNtFileName,NULL,NULL);
+
+	//lstrcpyW(lpszNewFileNtPath,usNtFileName.Buffer);
+
+	//lstrcpyW(szNtFileName,usNtFileName.Buffer);
+
+	////
+	////Free UNICODE_STRING
+	////
+	//RtlFreeUnicodeString(&usNtFileName);
+
+	////
+	////Set reg value [HKEY_USERS\SandBox_XXX\(DspTrace_File)]
+	////
+	//HKEY hkDispatchTrace = NULL;
+	//WCHAR szSubKeyName[256] = {NULL};
+
+	//wsprintf(
+	//	szSubKeyName,
+	//	L"%s_%s\\%s",
+	//	CONF_SoftwareReg_SandBox,
+	//	g_szSandBoxName,
+	//	CONF_SoftwareReg_SandBox_DspTrace_File
+	//	);
+
+	//if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkDispatchTrace) == ERROR_SUCCESS )
+	//{
+	//	RegSetValueEx(
+	//		hkDispatchTrace,
+	//		szLinkFileDevPath,
+	//		NULL,
+	//		REG_SZ,
+	//		(const BYTE *)szNtFileName,
+	//		(DWORD)(lstrlenW(szNtFileName)*sizeof(WCHAR))
+	//		);
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+	//RegCloseKey(hkDispatchTrace);
+
+	////
+	////SHCreateDirectoryEx(NULL,lpDir,NULL);
+	////
+	//PathRemoveFileSpec(szNewFileNtPath);
+
+	//SHCreateDirectoryEx(NULL,szNewFileNtPath,NULL);
+
+	return iRet;
+}
+
+int QueryFileDispatchTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName ,OUT WCHAR * lpszNewFileNtPath )
+{
+	//Return Value:
+	//-1 = error
+	//0 = Not existed
+	//1 = Existed
+	int iRet = 0;
+
+	////
+	////Get FileDosPath
+	////
+	//WCHAR szDeviceName[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1)
+	//WCHAR szVolumeName[MAX_NAME] = {NULL};//(C:)
+	//WCHAR szFileDosName[MAX_NAME] = {NULL};//(\\WINDOWS\\XXX)
+
+	//WCHAR szLinkFileDevPath[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+	//WCHAR szLinkFileDosPath[MAX_NAME] = {NULL};//(C:\\WINDOWS\\XXX)
+
+	//lstrcpyW(szLinkFileDevPath,lpszFileDevicePath);
+	//lstrcpyW(szFileDosName,lpszFileDosName);
+
+	//lstrcpynW(szDeviceName,szLinkFileDevPath,lstrlenW(szLinkFileDevPath) - lstrlenW(szFileDosName) + 1);
+
+	////
+	////Convert [DeviceName] to [DosName]
+	////
+	//CAPI_FilterGetDosName(szDeviceName,szVolumeName,MAX_NAME);
+
+	//wsprintfW(szLinkFileDosPath,L"%s%s",szVolumeName,szFileDosName);
+
+	////
+	////Check if is ShortPathName
+	////
+	//WCHAR szLinkFileDosLongPath[MAX_NAME] = {NULL};
+	//lstrcpyW(szLinkFileDosLongPath,szLinkFileDosPath);
+
+	//if( CAPI_GetLongPathNameW(szLinkFileDosPath,szLinkFileDosLongPath,MAX_NAME) )
+	//{
+	//	if( lstrlenW(szLinkFileDosPath) != lstrlenW(szLinkFileDosLongPath) )
+	//	{
+	//		//
+	//		//Convert ShortPath to LongPath
+	//		//
+	//		lstrcpyW(szLinkFileDosPath,szLinkFileDosLongPath);
+
+	//		lstrcpyW(szLinkFileDevPath,szDeviceName);
+	//		lstrcatW(szLinkFileDevPath,&szLinkFileDosLongPath[lstrlen(szVolumeName)]);
+	//	}
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+
+	////
+	////Query reg value [HKEY_USERS\SandBox_XXX\(DspTrace_File)]
+	////
+	//HKEY hkDispatchTrace = NULL;
+	//WCHAR szSubKeyName[256] = {NULL};
+
+	//wsprintf(
+	//	szSubKeyName,
+	//	L"%s_%s\\%s",
+	//	CONF_SoftwareReg_SandBox,
+	//	g_szSandBoxName,
+	//	CONF_SoftwareReg_SandBox_DspTrace_File
+	//	);
+
+	//if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkDispatchTrace) == ERROR_SUCCESS )
+	//{
+	//	WCHAR szRegNewNtPath[MAX_NAME] = {NULL};
+
+	//	DWORD dwType = REG_SZ;
+	//	DWORD dwBufLen = MAX_NAME;
+
+	//	if( RegQueryValueEx(
+	//					hkDispatchTrace,
+	//					szLinkFileDevPath,
+	//					NULL,
+	//					&dwType,
+	//					(LPBYTE)&szRegNewNtPath,
+	//					&dwBufLen
+	//					) == ERROR_SUCCESS )
+	//	{
+	//		iRet = 1;
+
+	//		lstrcpyW(lpszNewFileNtPath,szRegNewNtPath);
+	//	}
+	//}
+	//else
+	//{
+	//	iRet = -1;
+	//}
+	//RegCloseKey(hkDispatchTrace);
+
+	return iRet;
+}
\ No newline at end of file
diff --git a/HookPorts/HookHelp.h b/HookPorts/HookHelp.h
new file mode 100644
index 0000000..95cc500
--- /dev/null
+++ b/HookPorts/HookHelp.h
@@ -0,0 +1,41 @@
+#pragma once
+
+int GetCurrentModuleInfo( IN HMODULE hModule );
+
+int GetCloenAPIModuleInfo(void);
+
+BOOL IsBypassCaller( IN DWORD lpdwReturnAddress );
+
+BOOL IsProcessPatched( IN DWORD dwProcessId ,IN BOOL bQueryInCached );
+
+BOOL InitPatchedProcessTable(void);
+
+BOOL AddProcessIdToProcTable( IN DWORD dwProcessId );
+
+BOOL DelProcessIdFromProcTable( IN DWORD dwProcessId );
+
+int ScanCurrentProcModule(void);
+
+
+
+//
+//File Delete
+//
+int GetFileDeleteTraceCount( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName );
+
+int QueryFileDeleteTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName ,IN WCHAR * lpszFileName, IN ULONG lpuNameLength );
+
+//int AddFileDeleteTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName );
+
+int DelFileDeleteTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName );
+
+int TestFileDeleteTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName );
+
+
+
+//
+//File Dispatch
+//
+int AddFileDispatchTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName ,OUT WCHAR * lpszNewFileNtPath );
+
+int QueryFileDispatchTrace( IN WCHAR * lpszFileDevicePath, IN WCHAR * lpszFileDosName ,OUT WCHAR * lpszNewFileNtPath );
\ No newline at end of file
diff --git a/HookPorts/HookHelp_File.cpp b/HookPorts/HookHelp_File.cpp
new file mode 100644
index 0000000..3b65764
--- /dev/null
+++ b/HookPorts/HookHelp_File.cpp
@@ -0,0 +1,1198 @@
+#include <windows.h>
+#include <ntsecapi.h>
+#include <stdio.h>
+#include <shlobj.h>
+#include <shlwapi.h>
+#pragma comment(lib,"shlwapi.lib")
+
+#include "./HookHelp_File.h"
+#include "./Main.h"
+#include "../Config/Config.h"
+#include "../Common/DebugLog.h"
+
+#include "./CloneAPI_KERNEL32.h"
+#include "./CloneAPI_FLTLIB.h"
+#include "./CloneAPI_SHELL32.h"
+
+#include "./NativeAPI_NTDLL.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtQueryInformationFile.h"
+#include "./Dispatch_NTDLL_NtSetInformationFile.h"
+#include "./Dispatch_NTDLL_NtQueryObject.h"
+#include "./Dispatch_NTDLL_NtCreateFile.h"
+#include "./Dispatch_NTDLL_NtQueryAttributesFile.h"
+#include "./Dispatch_NTDLL_NtClose.h"
+#include "./Dispatch_NTDLL_NtDeleteFile.h"
+
+
+
+//
+//Global
+//
+
+
+
+//
+//HookHelp Functions
+//
+int GetLongNtPathName(
+	IN HANDLE hFileHandle,				//Handle to the file whose path is being requested
+	IN HANDLE hRootDirectory,			//Handle to the directory whose path is being requested
+	IN WCHAR * lpszFileName,			//Pointer to the file name
+	IN WCHAR * lpszRestoreNtPath,		//Pointer to the restore path
+	OUT WCHAR * lpszLongNtPath,			//Pointer to the buffer to receive the nt path
+	OUT WCHAR * lpszDispatchNtPath		//Pointer to the buffer to receive the dispatch path
+)
+{
+	//Return Value:
+	//-1 = error
+	//0 = succeed
+	int iRet = 0;
+
+	WCHAR szDeviceName[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1)
+	WCHAR szVolumeName[MAX_NAME] = {NULL};//(C:)
+	WCHAR szFileDosName[MAX_NAME] = {NULL};//(\\WINDOWS\\XXX)
+
+	WCHAR szLinkFileDevPath[MAX_NAME] = {NULL};//(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+	WCHAR szLinkFileDosPath[MAX_NAME] = {NULL};//(C:\\WINDOWS\\XXX)
+
+	////(\\??\\C:\\WINDOWS\\XXX)
+	WCHAR szLongNtPath[MAX_NAME] = {NULL};
+	////(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+	WCHAR szDispatchNtPath[MAX_NAME] = {NULL};
+
+	WCHAR szRestoreNtPath[MAX_NAME] = {NULL};
+
+	wsprintfW(szRestoreNtPath,L"%s\\%s\\",lpszRestoreNtPath,CONF_SandBox_Drive_Name);
+
+	//
+	//Check if the [hFileHandle] is NULL
+	//
+	if( hFileHandle != NULL )
+	{
+		//
+		//Get file dos name(\\WINDOWS\\XXX)
+		//
+		if( QueryFileNameByNtQueryInformationFile(hFileHandle,szFileDosName) == -1 )
+		{
+			return -1;
+		}
+
+		//
+		//Get file device name(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+		//
+		if( QueryNameInfoByNtQueryObject(hFileHandle,szLinkFileDevPath) == -1 )
+		{
+			return -1;
+		}
+
+		lstrcpynW(szDeviceName,szLinkFileDevPath,lstrlenW(szLinkFileDevPath) - lstrlenW(szFileDosName) + 1);
+
+		//
+		//Convert [DeviceName] to [DosName]
+		//
+		CAPI_FilterGetDosName(szDeviceName,szVolumeName,MAX_NAME);
+
+		wsprintfW(szLinkFileDosPath,L"%s%s",szVolumeName,szFileDosName);
+
+		if( wcsnicmp(&szLinkFileDosPath[lstrlenW(L"C")],L":\\",lstrlenW(L":\\")) != 0 )
+		{
+			return -1;
+		}
+
+		//
+		//Convert [DosPathName] to [NtPathName]
+		//
+		UNICODE_STRING usNtFileName;
+		RtlDosPathNameToNtPathName_U(szLinkFileDosPath,&usNtFileName,NULL,NULL);
+
+		lstrcpyW(lpszLongNtPath,usNtFileName.Buffer);
+		lstrcpyW(szLongNtPath,usNtFileName.Buffer);
+
+		//
+		//Free UNICODE_STRING
+		//
+		RtlFreeUnicodeString(&usNtFileName);
+
+		//
+		//Make lpszDispatchNtPath
+		//
+		WCHAR szRestorePath[MAX_NAME] = {NULL};
+
+		lstrcpynW(szRestorePath,szVolumeName,lstrlenW(szVolumeName));
+		lstrcatW(szRestorePath,&szLinkFileDosPath[lstrlenW(szVolumeName)]);
+
+		lstrcatW(szRestoreNtPath,szRestorePath);
+
+		lstrcpyW(lpszDispatchNtPath,szRestoreNtPath);
+		lstrcpyW(szDispatchNtPath,szRestoreNtPath);
+	}
+
+	//
+	//Check if the [hRootDirectory] is NULL
+	//
+	if( hRootDirectory != NULL )
+	{
+		//
+		//Get file dos name(\\WINDOWS\\XXX)
+		//
+		if( QueryFileNameByNtQueryInformationFile(hRootDirectory,szFileDosName) == -1 )
+		{
+			return -1;
+		}
+
+		//
+		//Get file device name(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+		//
+		if( QueryNameInfoByNtQueryObject(hRootDirectory,szLinkFileDevPath) == -1 )
+		{
+			return -1;
+		}
+
+		lstrcpynW(szDeviceName,szLinkFileDevPath,lstrlenW(szLinkFileDevPath) - lstrlenW(szFileDosName) + 1);
+
+		//
+		//Convert [DeviceName] to [DosName]
+		//
+		CAPI_FilterGetDosName(szDeviceName,szVolumeName,MAX_NAME);
+
+		wsprintfW(szLinkFileDosPath,L"%s%s\\%s",szVolumeName,szFileDosName,lpszFileName);
+
+		if( wcsnicmp(&szLinkFileDosPath[lstrlenW(L"C")],L":\\",lstrlenW(L":\\")) != 0 )
+		{
+			return -1;
+		}
+
+		//
+		//Convert [DosPathName] to [NtPathName]
+		//
+		UNICODE_STRING usNtFileName;
+		RtlDosPathNameToNtPathName_U(szLinkFileDosPath,&usNtFileName,NULL,NULL);
+
+		lstrcpyW(lpszLongNtPath,usNtFileName.Buffer);
+		lstrcpyW(szLongNtPath,usNtFileName.Buffer);
+
+		//
+		//Free UNICODE_STRING
+		//
+		RtlFreeUnicodeString(&usNtFileName);
+
+		//
+		//Make lpszDispatchNtPath
+		//
+		WCHAR szRestorePath[MAX_NAME] = {NULL};
+
+		lstrcpynW(szRestorePath,szVolumeName,lstrlenW(szVolumeName));
+		lstrcatW(szRestorePath,&szLinkFileDosPath[lstrlenW(szVolumeName)]);
+
+		lstrcatW(szRestoreNtPath,szRestorePath);
+
+		lstrcpyW(lpszDispatchNtPath,szRestoreNtPath);
+		lstrcpyW(szDispatchNtPath,szRestoreNtPath);
+	}
+
+	//
+	//Check if the [hFileHandle]&[hRootDirectory] is NULL
+	//
+	if( hFileHandle == NULL &&
+		hRootDirectory == NULL
+		)
+	{
+		//
+		//Check if is NtPathName
+		//
+		lstrcpyW(szLinkFileDevPath,lpszFileName);
+
+		if( wcsnicmp(szLinkFileDevPath,L"\\??\\",lstrlenW(L"\\??\\")) != 0 )
+		{
+			return -1;
+		}
+		if( wcsnicmp(&szLinkFileDevPath[lstrlenW(L"\\??\\C")],L":\\",lstrlenW(L":\\")) != 0 )
+		{
+			return -1;
+		}
+
+		lstrcpyW(szLinkFileDosPath,&szLinkFileDevPath[lstrlenW(L"\\??\\")]);
+
+		//
+		//Convert [DosPathName] to [NtPathName]
+		//
+		UNICODE_STRING usNtFileName;
+		RtlDosPathNameToNtPathName_U(szLinkFileDosPath,&usNtFileName,NULL,NULL);
+
+		lstrcpyW(lpszLongNtPath,usNtFileName.Buffer);
+		lstrcpyW(szLongNtPath,usNtFileName.Buffer);
+
+		//
+		//Free UNICODE_STRING
+		//
+		RtlFreeUnicodeString(&usNtFileName);
+
+		//
+		//Make lpszDispatchNtPath
+		//
+		WCHAR szRestorePath[MAX_NAME] = {NULL};
+
+		lstrcpynW(szRestorePath,szLinkFileDosPath,lstrlenW(L"C:"));
+		lstrcatW(szRestorePath,&szLinkFileDosPath[lstrlenW(L"C:")]);
+
+		lstrcatW(szRestoreNtPath,szRestorePath);
+
+		lstrcpyW(lpszDispatchNtPath,szRestoreNtPath);
+		lstrcpyW(szDispatchNtPath,szRestoreNtPath);
+	}
+
+	//
+	//Check if is FileNtPath
+	//
+	if( wcsnicmp(&szLongNtPath[lstrlenW(L"\\??\\C")],L":\\",lstrlenW(L":\\")) != 0 )
+	{
+		return -1;
+	}
+
+	//
+	//Check if is ShortPath
+	//
+	if( wcsstr(szLinkFileDosPath,L"~") )
+	{
+		WCHAR szLinkFileDosLongPath[MAX_NAME] = {NULL};
+		lstrcpyW(szLinkFileDosLongPath,szLinkFileDosPath);
+
+		//
+		//Convert [DosPathName] to [NtPathName]
+		//
+		UNICODE_STRING usNtFileName;
+		RtlDosPathNameToNtPathName_U(szLinkFileDosPath,&usNtFileName,NULL,NULL);
+
+		NTSTATUS nStatus;
+		HANDLE hFile = NULL;
+		IO_STATUS_BLOCK IoSB;
+		FILE_BASIC_INFORMATION stFileBasicInfo = {NULL};
+		OBJECT_ATTRIBUTES oaObjAttrib;
+
+		InitializeObjectAttributes(
+			&oaObjAttrib,
+			&usNtFileName,
+			OBJ_CASE_INSENSITIVE,
+			NULL,
+			NULL);
+
+		nStatus = NtCreateFile(
+			&hFile,
+			FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE,
+			&oaObjAttrib,
+			&IoSB,
+			NULL,
+			FILE_ATTRIBUTE_NORMAL,
+			FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+			FILE_OPEN_IF,
+			FILE_SYNCHRONOUS_IO_NONALERT,
+			NULL,
+			NULL
+			);
+		if( nStatus != STATUS_SUCCESS )
+		{
+			nStatus = NtCreateFile(
+				&hFile,
+				FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE,
+				&oaObjAttrib,
+				&IoSB,
+				NULL,
+				FILE_ATTRIBUTE_NORMAL,
+				FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+				FILE_OPEN,
+				FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
+				NULL,
+				NULL
+				);
+		}
+
+		if( nStatus == STATUS_SUCCESS )
+		{
+			iRet = 0;
+
+			//
+			//Get file dos name(\\WINDOWS\\XXX)
+			//
+			QueryFileNameByNtQueryInformationFile(hFile,szFileDosName);
+
+			//
+			//Get file device name(\\Device\\HarddiskVolume1\\WINDOWS\\XXX)
+			//
+			QueryNameInfoByNtQueryObject(hFileHandle,szLinkFileDevPath);
+
+			lstrcpynW(szDeviceName,szLinkFileDevPath,lstrlenW(szLinkFileDevPath) - lstrlenW(szFileDosName) + 1);
+
+			//
+			//Convert [DeviceName] to [DosName]
+			//
+			CAPI_FilterGetDosName(szDeviceName,szVolumeName,MAX_NAME);
+
+			wsprintfW(szLinkFileDosPath,L"%s%s",szVolumeName,szFileDosName);
+
+			//
+			//Convert [ShortPathName] to [LongPathName]
+			//
+			if( CAPI_GetLongPathNameW(szLinkFileDosPath,szLinkFileDosLongPath,MAX_NAME) )
+			{
+				if( lstrlenW(szLinkFileDosPath) < lstrlenW(szLinkFileDosLongPath) )
+				{
+					//
+					//Convert ShortPath to LongPath
+					//
+					lstrcpyW(szLinkFileDosPath,szLinkFileDosLongPath);
+				}
+			}
+
+			//
+			//Convert [DosPathName] to [NtPathName]
+			//
+			UNICODE_STRING usNewNtFileName;
+			RtlDosPathNameToNtPathName_U(szLinkFileDosPath,&usNewNtFileName,NULL,NULL);
+
+			lstrcpyW(lpszLongNtPath,usNewNtFileName.Buffer);
+
+			//
+			//Free UNICODE_STRING
+			//
+			RtlFreeUnicodeString(&usNewNtFileName);
+
+			//
+			//Make lpszDispatchNtPath
+			//
+			WCHAR szRestorePath[MAX_NAME] = {NULL};
+
+			wsprintfW(szRestoreNtPath,L"%s\\%s\\",lpszRestoreNtPath,CONF_SandBox_Drive_Name);
+
+			lstrcpynW(szRestorePath,szLinkFileDosPath,lstrlenW(L"C:"));
+			lstrcatW(szRestorePath,&szLinkFileDosPath[lstrlenW(L"C:")]);
+
+			lstrcatW(szRestoreNtPath,szRestorePath);
+
+			lstrcpyW(lpszDispatchNtPath,szRestoreNtPath);
+		}
+		else
+		{
+			iRet = -1;
+		}
+
+		NtClose(hFile);
+
+		if( IoSB.Information == FILE_CREATED )
+		{
+			NtDeleteFile(&oaObjAttrib);
+		}
+
+		//
+		//Free UNICODE_STRING
+		//
+		RtlFreeUnicodeString(&usNtFileName);
+	}
+
+	return iRet;
+}
+
+ULONG QueryFileAttributes( IN WCHAR * lpszLongNtPath )
+{
+	//Return Value:
+	//-1 = error
+	//0 = Not existed
+	//n = Attributes Values
+	ULONG uRet = -1;
+
+	if( lpszLongNtPath == NULL )
+	{
+		return uRet;
+	}
+
+	WCHAR szLongNtPath[MAX_NAME] = {NULL};
+	lstrcpyW(szLongNtPath,lpszLongNtPath);
+
+	//
+	//Init UNICODE_STRING
+	//
+	UNICODE_STRING usNtFileName;
+	RtlInitUnicodeString(&usNtFileName,szLongNtPath);
+
+	NTSTATUS nStatusQuery;
+	OBJECT_ATTRIBUTES oaObjAttrib;
+	FILE_BASIC_INFORMATION fbiFileAttributes;
+
+	InitializeObjectAttributes(
+		&oaObjAttrib,
+		&usNtFileName,
+		OBJ_CASE_INSENSITIVE,
+		NULL,
+		NULL);
+
+	nStatusQuery = NtQueryAttributesFile(&oaObjAttrib,&fbiFileAttributes);
+
+	if( nStatusQuery == STATUS_OBJECT_NAME_NOT_FOUND )//FILE_DOES_NOT_EXIST
+	{
+		uRet = 0;
+	}
+	else
+	if( nStatusQuery == STATUS_SUCCESS )//FILE_EXISTS
+	{
+		uRet = fbiFileAttributes.FileAttributes;
+	}
+
+	//
+	//Free UNICODE_STRING
+	//
+	//RtlFreeUnicodeString(&usNtFileName);
+
+	return uRet;
+}
+
+int SetFileDeletedMark( IN WCHAR * lpszLongNtPath, IN WCHAR * lpszRestoreNtPath ,IN ULONG lpuFileAttributes )
+{
+	//Return Value:
+	//-1 = error
+	//0 = succeed
+	int iRet = -1;
+
+	if( lpszLongNtPath == NULL ||
+		lpszRestoreNtPath == NULL
+		)
+	{
+		return iRet;
+	}
+
+	WCHAR szRestoreNtPath[MAX_NAME] = {NULL};//(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+	WCHAR szRestorePath[MAX_NAME] = {NULL};//(C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+
+	lstrcpyW(szRestoreNtPath,lpszRestoreNtPath);
+	lstrcpyW(szRestorePath,&szRestoreNtPath[lstrlenW(L"\\??\\")]);
+
+	PathRemoveFileSpec(szRestorePath);
+
+	//
+	//Init Directory
+	//
+	CAPI_SHCreateDirectoryExW(NULL,szRestorePath,NULL);
+
+	//
+	//Check if the file is a directory
+	//
+	ULONG uCreateOptions = FILE_SYNCHRONOUS_IO_NONALERT;
+	if( lpuFileAttributes == FILE_ATTRIBUTE_DIRECTORY )
+	{
+		uCreateOptions = FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT;
+	}
+
+	//
+	//Init UNICODE_STRING
+	//
+	UNICODE_STRING usNtFileName;
+	RtlInitUnicodeString(&usNtFileName,szRestoreNtPath);
+
+	NTSTATUS nStatus;
+	HANDLE hFile = NULL;
+	IO_STATUS_BLOCK IoSB;
+	FILE_BASIC_INFORMATION stFileBasicInfo = {NULL};
+	OBJECT_ATTRIBUTES oaObjAttrib;
+
+	InitializeObjectAttributes(
+		&oaObjAttrib,
+		&usNtFileName,
+		OBJ_CASE_INSENSITIVE,
+		NULL,
+		NULL);
+
+	nStatus = NtCreateFile(
+		&hFile,
+		FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE,
+		&oaObjAttrib,
+		&IoSB,
+		NULL,
+		FILE_ATTRIBUTE_NORMAL,
+		FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+		FILE_OPEN_IF,
+		uCreateOptions,
+		NULL,
+		NULL
+		);
+
+	if( nStatus == STATUS_SUCCESS )
+	{
+		nStatus = NtQueryInformationFile(
+			hFile,
+			&IoSB,
+			&stFileBasicInfo,
+			sizeof(FILE_BASIC_INFORMATION),
+			FileBasicInformation);
+
+		if( nStatus == STATUS_SUCCESS )
+		{
+			stFileBasicInfo.CreationTime.QuadPart = CONF_SoftwareReg_SandBox_DeletedFileMark;
+
+			nStatus = NtSetInformationFile(
+				hFile,
+				&IoSB,
+				&stFileBasicInfo,
+				sizeof(FILE_BASIC_INFORMATION),
+				FileBasicInformation
+				);
+
+			if( nStatus == STATUS_SUCCESS )
+			{
+				iRet = 0;
+			}
+		}
+	}
+	NtClose(hFile);
+
+	//
+	//Free UNICODE_STRING
+	//
+	//RtlFreeUnicodeString(&usNtFileName);
+
+	return iRet;
+}
+
+int NtPathExist( IN WCHAR * lpszLongNtPath )
+{
+	//Return Value:
+	//-1 = error
+	//0 = Not existed
+	//1 = Existed
+	int iRet = -1;
+
+	if( lpszLongNtPath == NULL )
+	{
+		return iRet;
+	}
+
+	WCHAR szLongNtPath[MAX_NAME] = {NULL};
+	lstrcpyW(szLongNtPath,lpszLongNtPath);
+
+	//
+	//Init UNICODE_STRING
+	//
+	UNICODE_STRING usNtFileName;
+	RtlInitUnicodeString(&usNtFileName,szLongNtPath);
+
+	HANDLE hFile = NULL;
+	NTSTATUS nStatusQuery;
+	NTSTATUS nCreateFile;
+	OBJECT_ATTRIBUTES oaObjAttrib;
+	IO_STATUS_BLOCK IoSB;
+	FILE_BASIC_INFORMATION fbiFileAttributes;
+
+	InitializeObjectAttributes(
+		&oaObjAttrib,
+		&usNtFileName,
+		OBJ_CASE_INSENSITIVE,
+		NULL,
+		NULL);
+
+	nStatusQuery = NtQueryAttributesFile(&oaObjAttrib,&fbiFileAttributes);
+
+	if( nStatusQuery != STATUS_SUCCESS )//FILE_DOES_NOT_EXIST
+	{
+		return iRet;
+	}
+
+	nCreateFile = NtCreateFile(
+				&hFile,
+				FILE_LIST_DIRECTORY | SYNCHRONIZE,
+				&oaObjAttrib,
+				&IoSB,
+				NULL,
+				FILE_ATTRIBUTE_NORMAL,
+				FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+				FILE_OPEN,
+				FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
+				NULL,
+				NULL
+				);
+
+	if( nCreateFile == STATUS_OBJECT_NAME_NOT_FOUND )//FILE_DOES_NOT_EXIST
+	{
+		iRet = 0;
+	}
+	else
+	if( nCreateFile == STATUS_SUCCESS )//FILE_EXISTS
+	{
+		iRet = 1;
+	}
+	NtClose(hFile);
+
+	//
+	//Free UNICODE_STRING
+	//
+	//RtlFreeUnicodeString(&usNtFileName);
+
+	return iRet;
+}
+
+int GetDirectoryMarkAsDeletedFileCount( IN WCHAR * lpszLongNtPath )
+{
+	int iRet = 0;
+
+	if( lpszLongNtPath == NULL )
+	{
+		return iRet;
+	}
+
+	WCHAR szNtPath[MAX_NAME] = {NULL};//(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+	WCHAR szPath[MAX_NAME] = {NULL};//(C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+
+	lstrcpyW(szNtPath,lpszLongNtPath);
+	lstrcpyW(szPath,&szNtPath[lstrlenW(L"\\??\\")]);
+
+	WCHAR szSearchName[MAX_PATH]={0};
+	wsprintf(szSearchName,L"%s\\*",szPath);
+
+	WIN32_FIND_DATAW wFindData;
+	HANDLE hFindFile = CAPI_FindFirstFileW(szSearchName,&wFindData);
+
+	if( hFindFile != INVALID_HANDLE_VALUE )
+	{
+		if( wcsicmp(wFindData.cFileName,L".") != 0 &&
+			wcsicmp(wFindData.cFileName,L"..") != 0
+			)
+		{
+			WCHAR szFilePath[MAX_NAME] = {NULL};
+			wsprintf(szFilePath,L"%s\\%s",szPath,wFindData.cFileName);
+
+			//
+			//Init UNICODE_STRING
+			//
+			UNICODE_STRING usNtFileName;
+			RtlDosPathNameToNtPathName_U(szFilePath,&usNtFileName,NULL,NULL);
+
+			NTSTATUS nStatus;
+			NTSTATUS nStatusQuery;
+			HANDLE hFile = NULL;
+			IO_STATUS_BLOCK IoSB;
+			FILE_BASIC_INFORMATION stFileBasicInfo = {NULL};
+			OBJECT_ATTRIBUTES oaObjAttrib;
+			FILE_BASIC_INFORMATION fbiFileAttributes;
+
+			InitializeObjectAttributes(
+				&oaObjAttrib,
+				&usNtFileName,
+				OBJ_CASE_INSENSITIVE,
+				NULL,
+				NULL);
+
+			nStatusQuery = NtQueryAttributesFile(&oaObjAttrib,&fbiFileAttributes);
+
+			if( nStatusQuery == STATUS_SUCCESS )//FILE_EXISTS
+			{
+				nStatus = NtCreateFile(
+					&hFile,
+					FILE_GENERIC_READ | SYNCHRONIZE,
+					&oaObjAttrib,
+					&IoSB,
+					NULL,
+					FILE_ATTRIBUTE_NORMAL,
+					FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+					FILE_OPEN,
+					FILE_SYNCHRONOUS_IO_NONALERT,
+					NULL,
+					NULL
+					);
+				if( nStatus != STATUS_SUCCESS )
+				{
+					nStatus = NtCreateFile(
+						&hFile,
+						FILE_GENERIC_READ | SYNCHRONIZE,
+						&oaObjAttrib,
+						&IoSB,
+						NULL,
+						FILE_ATTRIBUTE_NORMAL,
+						FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+						FILE_OPEN,
+						FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
+						NULL,
+						NULL
+						);
+				}
+
+				if( nStatus == STATUS_SUCCESS )
+				{
+					nStatus = NtQueryInformationFile(
+						hFile,
+						&IoSB,
+						&stFileBasicInfo,
+						sizeof(FILE_BASIC_INFORMATION),
+						FileBasicInformation);
+
+					if( nStatus == STATUS_SUCCESS )
+					{
+						if( stFileBasicInfo.CreationTime.QuadPart == CONF_SoftwareReg_SandBox_DeletedFileMark )
+						{
+							iRet++;
+						}
+					}
+				}
+				NtClose(hFile);
+
+				//
+				//Free UNICODE_STRING
+				//
+				//RtlFreeUnicodeString(&usNtFileName);
+			}//FILE_EXISTS
+		}
+
+		while( CAPI_FindNextFileW(hFindFile, &wFindData) != NULL )
+		{
+			if( wcsicmp(wFindData.cFileName,L".") != 0 &&
+				wcsicmp(wFindData.cFileName,L"..") != 0
+				)
+			{
+				WCHAR szFilePath[MAX_NAME] = {NULL};
+				wsprintf(szFilePath,L"%s\\%s",szPath,wFindData.cFileName);
+
+				//
+				//Init UNICODE_STRING
+				//
+				UNICODE_STRING usNtFileName;
+				RtlDosPathNameToNtPathName_U(szFilePath,&usNtFileName,NULL,NULL);
+
+				NTSTATUS nStatus;
+				NTSTATUS nStatusQuery;
+				HANDLE hFile = NULL;
+				IO_STATUS_BLOCK IoSB;
+				FILE_BASIC_INFORMATION stFileBasicInfo = {NULL};
+				OBJECT_ATTRIBUTES oaObjAttrib;
+				FILE_BASIC_INFORMATION fbiFileAttributes;
+
+				InitializeObjectAttributes(
+					&oaObjAttrib,
+					&usNtFileName,
+					OBJ_CASE_INSENSITIVE,
+					NULL,
+					NULL);
+
+				nStatusQuery = NtQueryAttributesFile(&oaObjAttrib,&fbiFileAttributes);
+
+				if( nStatusQuery == STATUS_SUCCESS )//FILE_EXISTS
+				{
+					nStatus = NtCreateFile(
+						&hFile,
+						FILE_GENERIC_READ | SYNCHRONIZE,
+						&oaObjAttrib,
+						&IoSB,
+						NULL,
+						FILE_ATTRIBUTE_NORMAL,
+						FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+						FILE_OPEN,
+						FILE_SYNCHRONOUS_IO_NONALERT,
+						NULL,
+						NULL
+						);
+					if( nStatus != STATUS_SUCCESS )
+					{
+						nStatus = NtCreateFile(
+							&hFile,
+							FILE_GENERIC_READ | SYNCHRONIZE,
+							&oaObjAttrib,
+							&IoSB,
+							NULL,
+							FILE_ATTRIBUTE_NORMAL,
+							FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+							FILE_OPEN,
+							FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
+							NULL,
+							NULL
+							);
+					}
+
+					if( nStatus == STATUS_SUCCESS )
+					{
+						nStatus = NtQueryInformationFile(
+							hFile,
+							&IoSB,
+							&stFileBasicInfo,
+							sizeof(FILE_BASIC_INFORMATION),
+							FileBasicInformation);
+
+						if( nStatus == STATUS_SUCCESS )
+						{
+							if( stFileBasicInfo.CreationTime.QuadPart == CONF_SoftwareReg_SandBox_DeletedFileMark )
+							{
+								iRet++;
+							}
+						}
+					}
+					NtClose(hFile);
+
+					//
+					//Free UNICODE_STRING
+					//
+					//RtlFreeUnicodeString(&usNtFileName);
+				}//FILE_EXISTS
+			}
+		}
+		CAPI_FindClose(hFindFile);
+	}
+
+	return iRet;
+}
+
+int GetFileDeletedMark( IN WCHAR * lpszRestoreNtPath, IN WCHAR * lpszFileName, IN ULONG lpuFileNameLength )
+{
+	//Return Value:
+	//0 = Not existed
+	//1 = Existed
+	int iRet = 0;
+
+	if( lpszRestoreNtPath == NULL ||
+		lpszFileName == NULL
+		)
+	{
+		return iRet;
+	}
+
+	WCHAR szRestoreNtPath[MAX_NAME] = {NULL};
+	WCHAR szFileName[MAX_PATH] = {NULL};
+
+	lstrcpyW(szFileName,lpszFileName);
+	lstrcpynW(szFileName,szFileName,(lpuFileNameLength/2)+1);
+
+	wsprintfW(szRestoreNtPath,L"%s\\%s",lpszRestoreNtPath,szFileName);
+
+	//
+	//Init UNICODE_STRING
+	//
+	UNICODE_STRING usNtFileName;
+	RtlInitUnicodeString(&usNtFileName,szRestoreNtPath);
+
+	NTSTATUS nStatus;
+	NTSTATUS nStatusQuery;
+	HANDLE hFile = NULL;
+	IO_STATUS_BLOCK IoSB;
+	FILE_BASIC_INFORMATION stFileBasicInfo = {NULL};
+	OBJECT_ATTRIBUTES oaObjAttrib;
+	FILE_BASIC_INFORMATION fbiFileAttributes;
+
+	InitializeObjectAttributes(
+		&oaObjAttrib,
+		&usNtFileName,
+		OBJ_CASE_INSENSITIVE,
+		NULL,
+		NULL);
+
+	nStatusQuery = NtQueryAttributesFile(&oaObjAttrib,&fbiFileAttributes);
+
+	if( nStatusQuery != STATUS_SUCCESS )//FILE_DOES_NOT_EXIST
+	{
+		return iRet;;
+	}
+
+	nStatus = NtCreateFile(
+		&hFile,
+		FILE_GENERIC_READ | SYNCHRONIZE,
+		&oaObjAttrib,
+		&IoSB,
+		NULL,
+		FILE_ATTRIBUTE_NORMAL,
+		FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+		FILE_OPEN,
+		FILE_SYNCHRONOUS_IO_NONALERT,
+		NULL,
+		NULL
+		);
+	if( nStatus != STATUS_SUCCESS )
+	{
+		nStatus = NtCreateFile(
+			&hFile,
+			FILE_GENERIC_READ | SYNCHRONIZE,
+			&oaObjAttrib,
+			&IoSB,
+			NULL,
+			FILE_ATTRIBUTE_NORMAL,
+			FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+			FILE_OPEN,
+			FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
+			NULL,
+			NULL
+			);
+	}
+
+	if( nStatus == STATUS_SUCCESS )
+	{
+		nStatus = NtQueryInformationFile(
+			hFile,
+			&IoSB,
+			&stFileBasicInfo,
+			sizeof(FILE_BASIC_INFORMATION),
+			FileBasicInformation);
+
+		if( nStatus == STATUS_SUCCESS )
+		{
+			if( stFileBasicInfo.CreationTime.QuadPart == CONF_SoftwareReg_SandBox_DeletedFileMark )
+			{
+				iRet = 1;
+			}
+		}
+	}
+	NtClose(hFile);
+
+	//
+	//Free UNICODE_STRING
+	//
+	//RtlFreeUnicodeString(&usNtFileName);
+
+	return iRet;
+}
+
+int InitDirectoryForFileDispatch( IN WCHAR * lpszRestoreNtPath )
+{
+	//Return Value:
+	//-1 = Error
+	//0 = Succeed
+	int iRet = -1;
+
+	if( lpszRestoreNtPath == NULL )
+	{
+		return iRet;
+	}
+
+	WCHAR szRestoreNtPath[MAX_NAME] = {NULL};//(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+	WCHAR szRestorePath[MAX_NAME] = {NULL};//(C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+
+	lstrcpyW(szRestoreNtPath,lpszRestoreNtPath);
+	lstrcpyW(szRestorePath,&szRestoreNtPath[lstrlenW(L"\\??\\")]);
+
+	PathRemoveFileSpec(szRestorePath);
+
+	//
+	//Init Directory
+	//
+	iRet = CAPI_SHCreateDirectoryExW(NULL,szRestorePath,NULL);
+
+	return iRet;
+}
+
+int QueryDispatchedFile( IN WCHAR * lpszRestoreNtPath )
+{
+	//Return Value:
+	//-1 = Error or MarkAsDeleted
+	//0 = Not Dispatched
+	//1 = Dispatched
+	int iRet = 0;
+
+	if( lpszRestoreNtPath == NULL )
+	{
+		return iRet;
+	}
+
+	WCHAR szRestoreNtPath[MAX_NAME] = {NULL};
+	lstrcpyW(szRestoreNtPath,lpszRestoreNtPath);
+
+	//
+	//Init UNICODE_STRING
+	//
+	UNICODE_STRING usNtFileName;
+	RtlInitUnicodeString(&usNtFileName,szRestoreNtPath);
+
+	NTSTATUS nStatus;
+	NTSTATUS nStatusQuery;
+	HANDLE hFile = NULL;
+	IO_STATUS_BLOCK IoSB;
+	FILE_BASIC_INFORMATION stFileBasicInfo = {NULL};
+	OBJECT_ATTRIBUTES oaObjAttrib;
+	FILE_BASIC_INFORMATION fbiFileAttributes;
+
+	InitializeObjectAttributes(
+		&oaObjAttrib,
+		&usNtFileName,
+		OBJ_CASE_INSENSITIVE,
+		NULL,
+		NULL);
+
+	nStatusQuery = NtQueryAttributesFile(&oaObjAttrib,&fbiFileAttributes);
+
+	if( nStatusQuery != STATUS_SUCCESS )//FILE_DOES_NOT_EXIST
+	{
+		return iRet;
+	}
+
+	nStatus = NtCreateFile(
+		&hFile,
+		FILE_GENERIC_READ | SYNCHRONIZE,
+		&oaObjAttrib,
+		&IoSB,
+		NULL,
+		FILE_ATTRIBUTE_NORMAL,
+		FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+		FILE_OPEN,
+		FILE_SYNCHRONOUS_IO_NONALERT,
+		NULL,
+		NULL
+		);
+	if( nStatus != STATUS_SUCCESS )
+	{
+		nStatus = NtCreateFile(
+			&hFile,
+			FILE_GENERIC_READ | SYNCHRONIZE,
+			&oaObjAttrib,
+			&IoSB,
+			NULL,
+			FILE_ATTRIBUTE_NORMAL,
+			FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+			FILE_OPEN,
+			FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
+			NULL,
+			NULL
+			);
+	}
+
+	if( nStatus == STATUS_SUCCESS )
+	{
+		nStatus = NtQueryInformationFile(
+			hFile,
+			&IoSB,
+			&stFileBasicInfo,
+			sizeof(FILE_BASIC_INFORMATION),
+			FileBasicInformation);
+
+		if( nStatus == STATUS_SUCCESS )
+		{
+			if( stFileBasicInfo.CreationTime.QuadPart == CONF_SoftwareReg_SandBox_DeletedFileMark )
+			{
+				iRet = -1;
+			}
+			else
+			{
+				iRet = 1;
+			}
+		}
+		else
+		{
+			iRet = 0;
+		}
+	}
+	NtClose(hFile);
+
+	//
+	//Free UNICODE_STRING
+	//
+	//RtlFreeUnicodeString(&usNtFileName);
+
+	return iRet;
+}
+
+BOOL CloneFileToDispatchPath( IN WCHAR * lpszLongNtPath, IN WCHAR * lpszRestoreNtPath, IN ULONG lpuFileAttributes )
+{
+	BOOL bRet = FALSE;
+
+	if( lpszLongNtPath == NULL ||
+		lpszRestoreNtPath == NULL
+		)
+	{
+		return bRet;
+	}
+
+	WCHAR szLongNtPath[MAX_NAME] = {NULL};//(\\??\\C:\\WINDOWS\\XXX)
+	WCHAR szLongPath[MAX_NAME] = {NULL};//(C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+
+	WCHAR szRestoreNtPath[MAX_NAME] = {NULL};//(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+	WCHAR szRestorePath[MAX_NAME] = {NULL};//(C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX)
+
+	lstrcpyW(szLongNtPath,lpszLongNtPath);
+	lstrcpyW(szLongPath,&szLongNtPath[lstrlenW(L"\\??\\")]);
+
+	lstrcpyW(szRestoreNtPath,lpszRestoreNtPath);
+	lstrcpyW(szRestorePath,&szRestoreNtPath[lstrlenW(L"\\??\\")]);
+
+	//
+	//Copy file
+	//
+	//bRet = ReadWriteCopyFile(szLongPath,szRestorePath);
+
+	if( lpuFileAttributes == FILE_ATTRIBUTE_DIRECTORY )
+	{
+		bRet = CopyDirectory(szLongPath,szRestorePath);
+	}
+	else
+	{
+		bRet = CAPI_CopyFileW(szLongPath,szRestorePath,TRUE);
+	}
+
+	return bRet;
+}
+
+BOOL ReadWriteCopyFile( IN LPCWSTR lpExistingFileName, IN LPCWSTR lpNewFileName )
+{
+	if( lpExistingFileName == NULL ||
+		lpNewFileName == NULL
+		)
+	{
+		return FALSE;
+	}
+
+	HANDLE hExist = INVALID_HANDLE_VALUE;
+	HANDLE hNew = INVALID_HANDLE_VALUE;
+
+	hExist = CAPI_CreateFileW( lpExistingFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+
+	if ( hExist == INVALID_HANDLE_VALUE )
+	{
+		CAPI_CloseHandle( hExist );
+		return FALSE;
+	}
+
+	hNew = CAPI_CreateFileW( lpNewFileName, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+
+	if ( hNew == INVALID_HANDLE_VALUE )
+	{
+		CAPI_CloseHandle( hExist );
+		CAPI_CloseHandle( hNew );
+		return FALSE;
+	}
+
+	BYTE buffer[0x1000];
+	DWORD dwRead = 0;
+	DWORD dwWrite = 0;
+
+	while ( CAPI_ReadFile( hExist, buffer, 0x1000, &dwRead, NULL) )
+	{
+		if ( !CAPI_WriteFile( hNew, buffer, dwRead, &dwWrite, NULL) )
+		{
+			CloseHandle( hNew );
+			CloseHandle( hExist);
+			return FALSE;
+		}
+
+		if ( dwRead < 0x1000 )
+		{
+			break;
+		}
+	}
+
+	CAPI_CloseHandle( hNew );
+	CAPI_CloseHandle( hExist);
+
+	return TRUE;
+}
+
+int CopyDirectory( IN LPCWSTR lpExistingPathName, IN LPCWSTR lpNewPathName )
+{
+	if( lpExistingPathName == NULL ||
+		lpNewPathName == NULL
+		)
+	{
+		return -1;
+	}
+
+	SHFILEOPSTRUCT fo = 
+	{
+		NULL,
+		FO_COPY,
+		lpExistingPathName,
+		lpNewPathName,
+		FOF_SILENT | FOF_NOERRORUI | FOF_NOCONFIRMATION,
+		FALSE,
+		NULL,
+		NULL
+	};
+
+	return SHFileOperation(&fo);
+}
\ No newline at end of file
diff --git a/HookPorts/HookHelp_File.h b/HookPorts/HookHelp_File.h
new file mode 100644
index 0000000..17fe0d6
--- /dev/null
+++ b/HookPorts/HookHelp_File.h
@@ -0,0 +1,32 @@
+#pragma once
+
+
+
+int GetLongNtPathName(
+	IN HANDLE hFileHandle,				//Handle to the file whose path is being requested
+	IN HANDLE hRootDirectory,			//Handle to the directory whose path is being requested
+	IN WCHAR * lpszFileName,			//Pointer to the file name
+	IN WCHAR * lpszRestoreNtPath,		//Pointer to the restore path
+	OUT WCHAR * lpszLongNtPath,			//Pointer to the buffer to receive the nt path
+	OUT WCHAR * lpszDispatchNtPath		//Pointer to the buffer to receive the dispatch path
+);
+
+ULONG QueryFileAttributes( IN WCHAR * lpszLongNtPath );
+
+int SetFileDeletedMark( IN WCHAR * lpszLongNtPath, IN WCHAR * lpszRestoreNtPath ,IN ULONG lpuFileAttributes );
+
+int NtPathExist( IN WCHAR * lpszLongNtPath );
+
+int GetDirectoryMarkAsDeletedFileCount( IN WCHAR * lpszLongNtPath );
+
+int GetFileDeletedMark( IN WCHAR * lpszRestoreNtPath, IN WCHAR * lpszFileName, IN ULONG lpuFileNameLength );
+
+int InitDirectoryForFileDispatch( IN WCHAR * lpszRestoreNtPath );
+
+int QueryDispatchedFile( IN WCHAR * lpszRestoreNtPath );
+
+BOOL CloneFileToDispatchPath( IN WCHAR * lpszLongNtPath, IN WCHAR * lpszRestoreNtPath, IN ULONG lpuFileAttributes );
+
+BOOL ReadWriteCopyFile( IN LPCWSTR lpExistingFileName, IN LPCWSTR lpNewFileName );
+
+int CopyDirectory( IN LPCWSTR lpExistingPathName, IN LPCWSTR lpNewPathName );
\ No newline at end of file
diff --git a/HookPorts/HookHelp_Reg.cpp b/HookPorts/HookHelp_Reg.cpp
new file mode 100644
index 0000000..bb55e5d
--- /dev/null
+++ b/HookPorts/HookHelp_Reg.cpp
@@ -0,0 +1,204 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./HookHelp_Reg.h"
+#include "./Main.h"
+#include "../Config/Config.h"
+#include "../Common/DebugLog.h"
+#include "./NativeAPI_NTDLL.h"
+#include "./Dispatch_NTDLL_NtQueryObject.h"
+#include "./Dispatch_NTDLL_NtOpenKey.h"
+#include "./Dispatch_NTDLL_NtCreateFile.h"
+#include "./Dispatch_NTDLL_NtClose.h"
+
+#include "./CloneAPI_ADVAPI32.h"
+
+
+
+//
+//Global
+//
+
+
+
+//
+//HookHelp Functions
+//
+int GetRegistryPathName(
+	IN HANDLE hKeyHandle,
+	IN HANDLE hRootDirectory,
+	IN WCHAR * lpszObjectName,
+	IN WCHAR * lpszRestoreRegUserPath,
+	OUT WCHAR * lpszRegKrnlPath,
+	OUT WCHAR * lpszDispatchRegKrnlPath,
+	OUT WCHAR * lpszDispatchRegUserPath
+)
+{
+	//Return Value:
+	//-1 = error
+	//0 = succeed
+	int iRet = 0;
+
+	WCHAR szKeyName[MAX_NAME] = {NULL};//(\\REGISTRY\\MACHINE\\XXX)
+	WCHAR szSubKeyName[MAX_NAME] = {NULL};//(MACHINE\\XXX)
+
+	WCHAR szDispatchRegKrnlPath[MAX_NAME] = {NULL};//(\\REGISTRY\\USERS\\SandBox_DefaultBox\\MACHINE\\XXX)
+	WCHAR szDispatchRegUserPath[MAX_NAME] = {NULL};//(SandBox_DefaultBox\\MACHINE\\XXX)
+
+	__try
+	{
+		if( hKeyHandle != NULL )
+		{
+			if( QueryNameInfoByNtQueryObject(hKeyHandle,szKeyName) == -1 )
+			{
+				return -1;
+			}
+
+			//
+			//Check if is registry path
+			//
+			if( wcsnicmp(szKeyName,L"\\REGISTRY\\",lstrlenW(L"\\REGISTRY\\")) != 0 )
+			{
+				return -1;
+			}
+
+			lstrcpyW(lpszRegKrnlPath,szKeyName);
+
+			lstrcpyW(szSubKeyName,&szKeyName[lstrlenW(L"\\REGISTRY\\")]);
+
+			wsprintfW(
+				szDispatchRegKrnlPath,
+				L"\\REGISTRY\\%s\\%s\\%s",
+				CONF_SoftwareReg_SandBox_HKEY_USERS,
+				lpszRestoreRegUserPath,
+				szSubKeyName
+				);
+
+			lstrcpyW(lpszDispatchRegKrnlPath,szDispatchRegKrnlPath);
+
+			lstrcpyW(szDispatchRegUserPath,&szDispatchRegKrnlPath[lstrlenW(L"\\REGISTRY\\USER\\")]);
+
+			lstrcpyW(lpszDispatchRegUserPath,szDispatchRegUserPath);
+
+			return iRet;
+		}
+
+		if( hRootDirectory != NULL )
+		{
+			if( QueryNameInfoByNtQueryObject(hRootDirectory,szKeyName) == -1 )
+			{
+				return -1;
+			}
+
+			//
+			//Check if is registry path
+			//
+			if( wcsnicmp(szKeyName,L"\\REGISTRY\\",lstrlenW(L"\\REGISTRY\\")) != 0 )
+			{
+				return -1;
+			}
+
+			lstrcatW(szKeyName,L"\\");
+			lstrcatW(szKeyName,lpszObjectName);
+
+			lstrcpyW(lpszRegKrnlPath,szKeyName);
+
+			lstrcpyW(szSubKeyName,&szKeyName[lstrlenW(L"\\REGISTRY\\")]);
+
+			wsprintfW(
+				szDispatchRegKrnlPath,
+				L"\\REGISTRY\\%s\\%s\\%s",
+				CONF_SoftwareReg_SandBox_HKEY_USERS,
+				lpszRestoreRegUserPath,
+				szSubKeyName
+				);
+
+			lstrcpyW(lpszDispatchRegKrnlPath,szDispatchRegKrnlPath);
+
+			lstrcpyW(szDispatchRegUserPath,&szDispatchRegKrnlPath[lstrlenW(L"\\REGISTRY\\USER\\")]);
+
+			lstrcpyW(lpszDispatchRegUserPath,szDispatchRegUserPath);
+
+			return iRet;
+		}
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+		iRet = -1;
+	}
+
+	return -1;
+}
+
+int InitSubkeyForRegDispatch( IN WCHAR * lpszDispatchRegUserPath )
+{
+	//Return Value:
+	//-1 = Error
+	//0 = Succeed
+	int iRet = -1;
+
+	if( lpszDispatchRegUserPath == NULL )
+	{
+		return iRet;
+	}
+
+	//
+	//Init Subkey
+	//
+	HKEY hkKey;
+
+	CAPI_RegCreateKeyW(HKEY_USERS,lpszDispatchRegUserPath,&hkKey);
+
+	CAPI_RegCloseKey(hkKey);
+
+	return iRet;
+}
+
+int QueryDispatchedRegValue( IN WCHAR * lpszDispatchRegUserPath, IN WCHAR * lpszValueName )
+{
+	//Return Value:
+	//-1 = Error or MarkAsDeleted
+	//0 = Not Dispatched
+	//1 = Dispatched
+	int iRet = 0;
+
+	if( lpszDispatchRegUserPath == NULL ||
+		lpszValueName == NULL
+		)
+	{
+		return -1;
+	}
+
+	HKEY hkKey;
+	DWORD dwBufLen = 1;
+	LPBYTE lpData = (LPBYTE)LocalAlloc(LPTR, dwBufLen);
+
+	if( CAPI_RegOpenKeyExW(HKEY_USERS,lpszDispatchRegUserPath,NULL,KEY_READ,&hkKey) == ERROR_SUCCESS )
+	{
+		LONG lRet = -1;
+		lRet = CAPI_RegQueryValueExW(hkKey,lpszValueName,NULL,NULL,lpData,&dwBufLen);
+		if( lRet == ERROR_SUCCESS ||
+			lRet == ERROR_MORE_DATA
+			)
+		{
+			iRet = 1;
+		}
+		else
+		{
+//#ifdef Dbg
+//			WCHAR szDebugString[2048] = {0};
+//			wsprintf(
+//				szDebugString,
+//				L"RegQueryValueExW error code lRet = [%d]",
+//				lRet
+//				);
+//			DebugLog(DbgInfo,szDebugString);
+//#endif
+		}
+	}
+	CAPI_RegCloseKey(hkKey);
+
+	LocalFree(lpData);
+
+	return iRet;
+}
\ No newline at end of file
diff --git a/HookPorts/HookHelp_Reg.h b/HookPorts/HookHelp_Reg.h
new file mode 100644
index 0000000..aa8550f
--- /dev/null
+++ b/HookPorts/HookHelp_Reg.h
@@ -0,0 +1,17 @@
+#pragma once
+
+
+
+int GetRegistryPathName(
+	IN HANDLE hKeyHandle,
+	IN HANDLE hRootDirectory,
+	IN WCHAR * lpszObjectName,
+	IN WCHAR * lpszRestoreRegUserPath,
+	OUT WCHAR * lpszRegKrnlPath,
+	OUT WCHAR * lpszDispatchRegKrnlPath,
+	OUT WCHAR * lpszDispatchRegUserPath
+);
+
+int InitSubkeyForRegDispatch( IN WCHAR * lpszDispatchRegUserPath );
+
+int QueryDispatchedRegValue( IN WCHAR * lpszDispatchRegUserPath, IN WCHAR * lpszValueName );
\ No newline at end of file
diff --git a/HookPorts/HookPort.sln b/HookPorts/HookPort.sln
new file mode 100644
index 0000000..11bcf03
--- /dev/null
+++ b/HookPorts/HookPort.sln
@@ -0,0 +1,24 @@
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28307.902
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookPort", "HookPort.vcxproj", "{CB438D5D-3F4C-4D94-B01E-86A9BC2054B2}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x86 = Debug|x86
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{CB438D5D-3F4C-4D94-B01E-86A9BC2054B2}.Debug|x86.ActiveCfg = Debug|Win32
+		{CB438D5D-3F4C-4D94-B01E-86A9BC2054B2}.Debug|x86.Build.0 = Debug|Win32
+		{CB438D5D-3F4C-4D94-B01E-86A9BC2054B2}.Release|x86.ActiveCfg = Release|Win32
+		{CB438D5D-3F4C-4D94-B01E-86A9BC2054B2}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {6DA2830B-CA3F-4EEF-BEC8-888B4CEA35AD}
+	EndGlobalSection
+EndGlobal
diff --git a/HookPorts/HookPort.suo b/HookPorts/HookPort.suo
new file mode 100644
index 0000000000000000000000000000000000000000..e1d067b523135ec9cdae571948e2197335eaa71a
GIT binary patch
literal 12800
zcmeI2eQcFi9mh{E1<Q+6kQc4nypFeuZCCn&Wp$fvDXgP~K?|MBO-O-TRw(UFdpkx3
z$)by7OGf65ZvL?uk|it{2PO-dVRng8qb7#M_>a-3OV*b}llg}tx|i$cd!Fa?zVzP9
zy`^^y#%aFyInO!gIluG#&hPE~p1yTy$=^=@r0i{zQtmZ#%!jf0W?n*j5p}_q&lnS+
zB77K&#k@visNO0!5C=YBt;KBKN-!5_zdr>^z<jU}EC7qZV(@8D3bf~lfLQ{T`uC}?
ztueRC$D0GY%piYJ6Ev-6fa{Ps#%|_bRv<O*4X12FrpK!z3wHkEw?%X4e`1+8=s_qB
znnR`y>b=xj&10FKPTRi11d2XOkLJ`m(hf?~DA`r%GCgM495(Hyk89NI<~PimT>G#$
zEaUHL=xZ+NOs@3BC+U|;8<eyI{bnD(kC{$O{ZUr4pW4++5c<+v+2LI2YwR!msimWW
z_$ND{xm=sp=<2cqvH{Y6*#X%Ay|?Sv9=Q5W>ar)F1D^+XfLd@Hr~?}JMXo{cC2%KL
z1y+MKU@h1H%E6bxdhiuc0V+WixC>MR%~j)HRj;SM5quTg3pRnfK_mDYxCh(^H1_LU
zn?N&Y0h>W9*aEhK`#~Fc0Bi&8paX0NJHUfL^9VO;>HJgZx%2-hZGNiZj}@2ix^j+J
z%B%ddMP6d&MKZN$^3~C?mrstLI`huO3!195W$4&&w5LC~D;yadidr3<H~ziz<IlXR
z?gbBZv<Jsux-kCIle%3xcJ8N>=UyB?{q2c2zCStoov|OhqUI$NXD*IC{YtPqye~L$
z_W5^y_Fc6uNWPsnaq&r?=;H3afdhj_hZ6=D-`~}tO*f@uPo157?X~e2-y9n~J8{Z#
zY2MiDuTP$_E6|V`7TJPpDSBS=*oKsckVsk6gZ%cGBmDJYRS(kMP3sU=ZkT!}eFNqI
zQZIYcX7<q1f$V$FMy&mb;su)RTt|I-m}!mcu|JZ1*#%uQjZ18ozPS6%(A#H5Smi-W
zxtrBRv3-wlXZPI=%y5<cE2U4gRWb}qYF3QnyC2>=nZDjS%o+}x2>cQMqFL8b?!SMr
zzlJ128E)h&9`^fE>C6Ag@<*WC#|j3rQkSjt_%AKY_5C$gwp}HJm6QKD%>GM8qO{~w
zu2p^=E%~1(Kua1q4q}n}@Q{*-5V9)YC^;Vny{tHh49k0uuy6g`b<#G1go}Scyv25`
zdKa}CJVrI1D8%^vc!-dlM{hjLeEYc?bLt~sgXFy*UG23ia4T{5g<esr{E5@D4xR9B
z#BwDJM=}>De^&W&)IXgk-YD|s%uN3nJW)*4pP4v4qAyvNPUkBBI<sWb{|=<=2vijZ
zcl*2;G_r!}ONFn0i}Rqb^HP^To%B5l%^|oh>5WUei;Tm_MHIb|Ezrnhi*&b7KOg?<
z-DR&-(rHC{iS%0Yvko4OtNkh-O)b~bmO9tf?o<6{KK5oVoGe0?zXeVM$+pVxepI*g
z-O(TaMSXweUXYBcB=$)bJJ7U#_O{Pjt{!AT_ABCh<U@?O$DVH##ny56IMUEet=2T)
zzv@9H^)0ltP^;s96Tg*=sV0tYrPe@9+(c_LBV+~Z>2IcXg0X|h*9bE2NmioF%Oec4
zs%)O9+Lu3_4|3JN2FCtf2MtO#`tB^Y8O?}-bfpUV;<@6;T<I@oY}B7jcCMfIckk%w
zSubyWkXFS}uE&2M<%0fOy7}ne3g&oD4v(?}8+Ql^P|TJ|$Gws1fA5$9{W7L<@kbT5
z{%DHa?Xb~@le$=}(Vq6?Rj13QXPq>*#Gc#ol})i>@%GL?kG{L8<LNaoyczi6@+;QX
zPApsV`*W*SZM`t|_K9`-j?|$?jQmYm|NHY-?RYkJ^2(*3zua0>v@>YfznMnA>7t+1
zc&N%eiiSkkALS{$3}~F<Lzg^_uOZH8w$h^5wV5>?U_YZ+caJxU`F5dWiei*;2&2pQ
z(Uwg&8|~>dUyf#*u_|Q^$9*4Hi!GSh`ainW^-kljC!rDykC(H%mUv{6JC|hC;?FhO
zY(rsJB|oV=OPp%rYQ3CGyieJssI_Q17fR1skVwhnu#KU^*n<455cw~g|CJxh)&3@)
z|6G)#I4Hte6nQBc@~n;Go$N*VH_=s0lPmo%F!q$SCx(3AfTh}lzJ`HYk7w61MSbx#
z-8qB!EAjnPtxbI9+-gf_Kz|)m_xk~s?}qrUQ)2#A<<TrL|DLK{_G=5x6<eEQ{=-#I
z%`yL-8uh=a+Iv&A_or$f__c*5=GQ8Cek=SQuzRhzH_`7-mr_rT_b{p%N!^dX)CoO2
zl{?kC%Yky(vb&0vJs<Avr^{;e@r?HLHjr$M^V6D7Cf8uvv@$^CDc_OFI_rT(8x=R%
zb4(xJG|Ue5Vt+i(m})bd*u@QazDj#qZ{oLw$hDgIR(~zfI{`fxwJ?c}Q`6Pxz1*J9
zH(xfBh=KK?UC$1j3}4=^x-n(`T?o6a%td4>a`5`sX6z4<&FJE(cAJgX=n_-+jrh#V
z{5#F;GF#r9WeGiTn(jM?`~J~M^y1}#bSlW6`_jC!|FXNTc(k(r-cGm6KV=`8Td$+7
zYi>`>?x-7?{#<){MV(Yun)2dr1_)?lu{D9IPyOe&RRn(BUJ;PTEcW;9fuh+AYmQIT
z-{heCI7%|J^maORO;x$Q2`Z(!k}X~mSmB3D$W+-wK*Sv9?{So?+BZ}6jNWJu+qE34
zH&Lsjrw$WVX%E~R8L8uWEu++5!=Db}O}2JIr-gWl>t%9#=I42KLrpDNfrPzVn|<%L
z+|+xg!>a;|0`HsMvjm>6%g*zMZ)%=<0h{}TKSVMqo;E4`J~;Wmz4#AG1;t|J+4dq}
zs&CT0D3FEnElmB!w6?96?g8NPwTZdSQ9Q=4{BxG{#q}jyKsvO8^?bEoY0~duIsT_S
z!T$tIjoU+gIrK{U_$I}UrcZ)iZ~wEK<8CVl5-*fivT4@+jL&7?>%@8Pz5}?uQNDUL
z-HOrH0~ObYSDTh#&XfPMm$<&(dlnDFy_muI9VPRXDAi}0!fK?qIkWK*;Cl0No0Wcj
zrfs)6us10J^EetNK~y+?X0|=4v2VcaakhuGHaOjo-qf-q`oE)8TS)wu?E}oUeZcv6
z@0}t8MFSE4SQ#$l9&U#B`gff){Ld>UXA0|)@{i{2llr%s(6kdx2$@!TQz@?|(u{3p
zFEMI+{EJHRSC@RVCh5)=tVVLZy!fp&anWvk>h1)e%D>Ge$~7mP8%Zvw^ETC{6wY>}
l{!3N5z0Y{&l-)=z&Zdy)dBi`79w?OFB<3z|)jxS0_&+<=j<5g#

literal 0
HcmV?d00001

diff --git a/HookPorts/HookPort.vcproj b/HookPorts/HookPort.vcproj
new file mode 100644
index 0000000..5f587ae
--- /dev/null
+++ b/HookPorts/HookPort.vcproj
@@ -0,0 +1,835 @@
+<?xml version="1.0" encoding="gb2312"?>
+<VisualStudioProject
+	ProjectType="Visual C++"
+	Version="7.10"
+	Name="HookPort"
+	ProjectGUID="{CB438D5D-3F4C-4D94-B01E-86A9BC2054B2}"
+	Keyword="Win32Proj">
+	<Platforms>
+		<Platform
+			Name="Win32"/>
+	</Platforms>
+	<Configurations>
+		<Configuration
+			Name="Debug|Win32"
+			OutputDirectory="Debug"
+			IntermediateDirectory="Debug"
+			ConfigurationType="2"
+			CharacterSet="1">
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;HOOKPORT_EXPORTS"
+				MinimalRebuild="TRUE"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="0"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				Detect64BitPortabilityProblems="TRUE"
+				DebugInformationFormat="4"/>
+			<Tool
+				Name="VCCustomBuildTool"/>
+			<Tool
+				Name="VCLinkerTool"
+				OutputFile="$(OutDir)/HookPort.dll"
+				LinkIncremental="2"
+				GenerateDebugInformation="TRUE"
+				ProgramDatabaseFile="$(OutDir)/HookPort.pdb"
+				SubSystem="2"
+				ImportLibrary="$(OutDir)/HookPort.lib"
+				TargetMachine="1"/>
+			<Tool
+				Name="VCMIDLTool"/>
+			<Tool
+				Name="VCPostBuildEventTool"/>
+			<Tool
+				Name="VCPreBuildEventTool"/>
+			<Tool
+				Name="VCPreLinkEventTool"/>
+			<Tool
+				Name="VCResourceCompilerTool"/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"/>
+			<Tool
+				Name="VCWebDeploymentTool"/>
+			<Tool
+				Name="VCManagedWrapperGeneratorTool"/>
+			<Tool
+				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
+		</Configuration>
+		<Configuration
+			Name="Release|Win32"
+			OutputDirectory="Release"
+			IntermediateDirectory="Release"
+			ConfigurationType="2"
+			CharacterSet="1">
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;HOOKPORT_EXPORTS"
+				RuntimeLibrary="0"
+				BufferSecurityCheck="TRUE"
+				UsePrecompiledHeader="0"
+				WarningLevel="3"
+				Detect64BitPortabilityProblems="TRUE"
+				DebugInformationFormat="3"/>
+			<Tool
+				Name="VCCustomBuildTool"/>
+			<Tool
+				Name="VCLinkerTool"
+				OutputFile="../Release/HookPort.dll"
+				LinkIncremental="1"
+				GenerateDebugInformation="TRUE"
+				SubSystem="2"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				ImportLibrary="$(OutDir)/HookPort.lib"
+				TargetMachine="1"/>
+			<Tool
+				Name="VCMIDLTool"/>
+			<Tool
+				Name="VCPostBuildEventTool"/>
+			<Tool
+				Name="VCPreBuildEventTool"/>
+			<Tool
+				Name="VCPreLinkEventTool"/>
+			<Tool
+				Name="VCResourceCompilerTool"/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"/>
+			<Tool
+				Name="VCWebDeploymentTool"/>
+			<Tool
+				Name="VCManagedWrapperGeneratorTool"/>
+			<Tool
+				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
+		</Configuration>
+	</Configurations>
+	<References>
+	</References>
+	<Files>
+		<Filter
+			Name="Ô´Îļþ"
+			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
+			<File
+				RelativePath=".\Main.cpp">
+			</File>
+			<Filter
+				Name="Debug"
+				Filter="">
+				<File
+					RelativePath="..\Common\DebugLog.cpp">
+				</File>
+			</Filter>
+			<Filter
+				Name="Init"
+				Filter="">
+				<File
+					RelativePath=".\Initalization.cpp">
+				</File>
+				<File
+					RelativePath=".\Privilege.cpp">
+				</File>
+			</Filter>
+			<Filter
+				Name="Begin"
+				Filter="">
+				<File
+					RelativePath=".\BeginDispatch.cpp">
+				</File>
+			</Filter>
+			<Filter
+				Name="Hook"
+				Filter="">
+				<File
+					RelativePath=".\GetProcAddressEx.cpp">
+				</File>
+				<File
+					RelativePath=".\HookHelp.cpp">
+				</File>
+				<File
+					RelativePath=".\HookHelp_File.cpp">
+				</File>
+				<File
+					RelativePath=".\HookHelp_Reg.cpp">
+				</File>
+				<File
+					RelativePath=".\InlineHook.cpp">
+				</File>
+			</Filter>
+			<Filter
+				Name="Dispatch"
+				Filter="">
+				<Filter
+					Name="NTDLL"
+					Filter="">
+					<File
+						RelativePath=".\Dispatch_NTDLL.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_LdrLoadDll.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_LdrUnloadDll.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtAdjustPrivilegesToken.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtAllocateVirtualMemory.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtClose.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtConnectPort.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateEvent.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateMutant.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreatePort.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateProcess.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateProcessEx.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateSection.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateSemaphore.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateThread.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtDeleteFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtDeleteKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtDeleteValueKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtEnumerateKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtEnumerateValueKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtFsControlFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtGetContextThread.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtLoadDriver.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtNotifyChangeKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtNotifyChangeMultipleKeys.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenEvent.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenMutant.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenProcess.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenSection.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenSemaphore.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenThread.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtProtectVirtualMemory.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryAttributesFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryDirectoryFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryFullAttributesFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryInformationFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryInformationProcess.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryInformationThread.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryMultipleValueKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryObject.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQuerySystemInformation.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryValueKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtReadFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtRenameKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtResumeThread.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSaveKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSecureConnectPort.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSetInformationFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSetInformationToken.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSetSecurityObject.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSetSystemInformation.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSetValueKey.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSystemDebugControl.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtWriteFile.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtWriteVirtualMemory.cpp">
+					</File>
+				</Filter>
+				<Filter
+					Name="KERNEL32"
+					Filter="">
+					<File
+						RelativePath=".\Dispatch_KERNEL32.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_KERNEL32_CreateProcessInternal.cpp">
+					</File>
+				</Filter>
+				<Filter
+					Name="ADVAPI32"
+					Filter="">
+					<File
+						RelativePath=".\Dispatch_ADVAPI32.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_ChangeServiceConfig.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_ChangeServiceConfig2.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_ControlService.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_CreateService.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_DeleteService.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_LockServiceDatabase.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_SetServiceStatus.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_StartService.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_UnlockServiceDatabase.cpp">
+					</File>
+				</Filter>
+				<Filter
+					Name="USER32"
+					Filter="">
+					<File
+						RelativePath=".\Dispatch_USER32.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_CreateWindowEx.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_ExitWindowsEx.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_GetWindowThreadProcessId.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_PostMessage.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_SendMessage.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_SetWindowLong.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_SetWindowsHookEx.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_SetWindowText.cpp">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_UnhookWindowsHookEx.cpp">
+					</File>
+				</Filter>
+			</Filter>
+			<Filter
+				Name="Inject"
+				Filter="">
+				<File
+					RelativePath=".\IATModifier.cpp">
+				</File>
+				<File
+					RelativePath=".\IATProcess.cpp">
+				</File>
+				<File
+					RelativePath=".\RemoteInjection.cpp">
+				</File>
+			</Filter>
+			<Filter
+				Name="CloneAPI"
+				Filter="">
+				<File
+					RelativePath=".\CloneAPI_ADVAPI32.cpp">
+				</File>
+				<File
+					RelativePath=".\CloneAPI_FLTLIB.cpp">
+				</File>
+				<File
+					RelativePath=".\CloneAPI_KERNEL32.cpp">
+				</File>
+				<File
+					RelativePath=".\CloneAPI_SHELL32.cpp">
+				</File>
+			</Filter>
+			<Filter
+				Name="NativeAPI"
+				Filter="">
+				<File
+					RelativePath=".\NativeAPI_NTDLL.cpp">
+				</File>
+			</Filter>
+		</Filter>
+		<Filter
+			Name="Í·Îļþ"
+			Filter="h;hpp;hxx;hm;inl;inc;xsd"
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
+			<File
+				RelativePath="..\Config\Config.h">
+			</File>
+			<File
+				RelativePath="..\Common\DllModule.h">
+			</File>
+			<File
+				RelativePath=".\Main.h">
+			</File>
+			<Filter
+				Name="Debug"
+				Filter="">
+				<File
+					RelativePath="..\Common\DebugLog.h">
+				</File>
+			</Filter>
+			<Filter
+				Name="Init"
+				Filter="">
+				<File
+					RelativePath=".\Initalization.h">
+				</File>
+				<File
+					RelativePath=".\Privilege.h">
+				</File>
+			</Filter>
+			<Filter
+				Name="Begin"
+				Filter="">
+				<File
+					RelativePath=".\BeginDispatch.h">
+				</File>
+			</Filter>
+			<Filter
+				Name="Hook"
+				Filter="">
+				<File
+					RelativePath=".\GetProcAddressEx.h">
+				</File>
+				<File
+					RelativePath=".\HookHelp.h">
+				</File>
+				<File
+					RelativePath=".\HookHelp_File.h">
+				</File>
+				<File
+					RelativePath=".\HookHelp_Reg.h">
+				</File>
+				<File
+					RelativePath=".\InlineHook.h">
+				</File>
+			</Filter>
+			<Filter
+				Name="Dispatch"
+				Filter="">
+				<Filter
+					Name="NTDLL"
+					Filter="">
+					<File
+						RelativePath=".\Dispatch_NTDLL.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_LdrLoadDll.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_LdrUnloadDll.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtAdjustPrivilegesToken.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtAllocateVirtualMemory.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtClose.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtConnectPort.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateEvent.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateMutant.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreatePort.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateProcess.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateProcessEx.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateSection.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateSemaphore.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtCreateThread.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtDeleteFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtDeleteKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtDeleteValueKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtEnumerateKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtEnumerateValueKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtFsControlFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtGetContextThread.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtLoadDriver.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtNotifyChangeKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtNotifyChangeMultipleKeys.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenEvent.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenMutant.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenProcess.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenSection.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenSemaphore.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtOpenThread.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtProtectVirtualMemory.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryAttributesFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryDirectoryFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryFullAttributesFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryInformationFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryInformationProcess.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryInformationThread.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryMultipleValueKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryObject.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQuerySystemInformation.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtQueryValueKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtReadFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtRenameKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtResumeThread.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSaveKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSecureConnectPort.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSetInformationFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSetInformationToken.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSetSecurityObject.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSetSystemInformation.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSetValueKey.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtSystemDebugControl.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtWriteFile.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_NTDLL_NtWriteVirtualMemory.h">
+					</File>
+				</Filter>
+				<Filter
+					Name="KERNEL32"
+					Filter="">
+					<File
+						RelativePath=".\Dispatch_KERNEL32.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_KERNEL32_CreateProcessInternal.h">
+					</File>
+				</Filter>
+				<Filter
+					Name="USER32"
+					Filter="">
+					<File
+						RelativePath=".\Dispatch_USER32.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_CreateWindowEx.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_ExitWindowsEx.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_GetWindowThreadProcessId.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_PostMessage.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_SendMessage.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_SetWindowLong.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_SetWindowsHookEx.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_SetWindowText.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_USER32_UnhookWindowsHookEx.h">
+					</File>
+				</Filter>
+				<Filter
+					Name="ADVAPI32"
+					Filter="">
+					<File
+						RelativePath=".\Dispatch_ADVAPI32.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_ChangeServiceConfig.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_ChangeServiceConfig2.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_ControlService.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_CreateService.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_DeleteService.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_LockServiceDatabase.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_SetServiceStatus.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_StartService.h">
+					</File>
+					<File
+						RelativePath=".\Dispatch_ADVAPI32_UnlockServiceDatabase.h">
+					</File>
+				</Filter>
+			</Filter>
+			<Filter
+				Name="Inject"
+				Filter="">
+				<File
+					RelativePath=".\IATModifier.h">
+				</File>
+				<File
+					RelativePath=".\IATProcess.h">
+				</File>
+				<File
+					RelativePath=".\RemoteInjection.h">
+				</File>
+			</Filter>
+			<Filter
+				Name="CloneAPI"
+				Filter="">
+				<File
+					RelativePath=".\CloneAPI_ADVAPI32.h">
+				</File>
+				<File
+					RelativePath=".\CloneAPI_FLTLIB.h">
+				</File>
+				<File
+					RelativePath=".\CloneAPI_KERNEL32.h">
+				</File>
+				<File
+					RelativePath=".\CloneAPI_SHELL32.h">
+				</File>
+			</Filter>
+			<Filter
+				Name="NativeAPI"
+				Filter="">
+				<File
+					RelativePath=".\NativeAPI_NTDLL.h">
+				</File>
+			</Filter>
+		</Filter>
+		<Filter
+			Name="×ÊÔ´Îļþ"
+			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx"
+			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}">
+		</Filter>
+	</Files>
+	<Globals>
+	</Globals>
+</VisualStudioProject>
diff --git a/HookPorts/HookPort.vcxproj b/HookPorts/HookPort.vcxproj
new file mode 100644
index 0000000..b8eb73c
--- /dev/null
+++ b/HookPorts/HookPort.vcxproj
@@ -0,0 +1,300 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{CB438D5D-3F4C-4D94-B01E-86A9BC2054B2}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v141</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v141</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>15.0.28307.799</_ProjectFileVersion>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <OutDir>Debug\</OutDir>
+    <IntDir>Debug\</IntDir>
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <OutDir>Release\</OutDir>
+    <IntDir>Release\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;HOOKPORT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <OutputFile>$(OutDir)HookPort.dll</OutputFile>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)HookPort.pdb</ProgramDatabaseFile>
+      <SubSystem>Windows</SubSystem>
+      <ImportLibrary>$(OutDir)HookPort.lib</ImportLibrary>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;HOOKPORT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <BufferSecurityCheck>true</BufferSecurityCheck>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <OutputFile>../Release/HookPort.dll</OutputFile>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <ImportLibrary>$(OutDir)HookPort.lib</ImportLibrary>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\Common\DebugLog.cpp" />
+    <ClCompile Include="BeginDispatch.cpp" />
+    <ClCompile Include="CloneAPI_ADVAPI32.cpp" />
+    <ClCompile Include="CloneAPI_FLTLIB.cpp" />
+    <ClCompile Include="CloneAPI_KERNEL32.cpp" />
+    <ClCompile Include="CloneAPI_SHELL32.cpp" />
+    <ClCompile Include="Dispatch_ADVAPI32.cpp" />
+    <ClCompile Include="Dispatch_ADVAPI32_ChangeServiceConfig.cpp" />
+    <ClCompile Include="Dispatch_ADVAPI32_ChangeServiceConfig2.cpp" />
+    <ClCompile Include="Dispatch_ADVAPI32_ControlService.cpp" />
+    <ClCompile Include="Dispatch_ADVAPI32_CreateService.cpp" />
+    <ClCompile Include="Dispatch_ADVAPI32_DeleteService.cpp" />
+    <ClCompile Include="Dispatch_ADVAPI32_LockServiceDatabase.cpp" />
+    <ClCompile Include="Dispatch_ADVAPI32_SetServiceStatus.cpp" />
+    <ClCompile Include="Dispatch_ADVAPI32_StartService.cpp" />
+    <ClCompile Include="Dispatch_ADVAPI32_UnlockServiceDatabase.cpp" />
+    <ClCompile Include="Dispatch_KERNEL32.cpp" />
+    <ClCompile Include="Dispatch_KERNEL32_CreateProcessInternal.cpp" />
+    <ClCompile Include="Dispatch_NTDLL.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_LdrLoadDll.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_LdrUnloadDll.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtAdjustPrivilegesToken.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtAllocateVirtualMemory.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtClose.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtConnectPort.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtCreateEvent.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtCreateFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtCreateKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtCreateMutant.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtCreatePort.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtCreateProcess.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtCreateProcessEx.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtCreateSection.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtCreateSemaphore.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtCreateThread.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtDeleteFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtDeleteKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtDeleteValueKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtEnumerateKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtEnumerateValueKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtFsControlFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtGetContextThread.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtLoadDriver.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtNotifyChangeKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtNotifyChangeMultipleKeys.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtOpenEvent.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtOpenFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtOpenKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtOpenMutant.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtOpenProcess.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtOpenSection.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtOpenSemaphore.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtOpenThread.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtProtectVirtualMemory.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQueryAttributesFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQueryDirectoryFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQueryFullAttributesFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQueryInformationFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQueryInformationProcess.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQueryInformationThread.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQueryKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQueryMultipleValueKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQueryObject.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQuerySystemInformation.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtQueryValueKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtReadFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtRenameKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtResumeThread.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtSaveKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtSecureConnectPort.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtSetInformationFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtSetInformationToken.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtSetSecurityObject.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtSetSystemInformation.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtSetValueKey.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtSystemDebugControl.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtWriteFile.cpp" />
+    <ClCompile Include="Dispatch_NTDLL_NtWriteVirtualMemory.cpp" />
+    <ClCompile Include="Dispatch_USER32.cpp" />
+    <ClCompile Include="Dispatch_USER32_CreateWindowEx.cpp" />
+    <ClCompile Include="Dispatch_USER32_ExitWindowsEx.cpp" />
+    <ClCompile Include="Dispatch_USER32_GetWindowThreadProcessId.cpp" />
+    <ClCompile Include="Dispatch_USER32_PostMessage.cpp" />
+    <ClCompile Include="Dispatch_USER32_SendMessage.cpp" />
+    <ClCompile Include="Dispatch_USER32_SetWindowLong.cpp" />
+    <ClCompile Include="Dispatch_USER32_SetWindowsHookEx.cpp" />
+    <ClCompile Include="Dispatch_USER32_SetWindowText.cpp" />
+    <ClCompile Include="Dispatch_USER32_UnhookWindowsHookEx.cpp" />
+    <ClCompile Include="GetProcAddressEx.cpp" />
+    <ClCompile Include="HookHelp.cpp" />
+    <ClCompile Include="HookHelp_File.cpp" />
+    <ClCompile Include="HookHelp_Reg.cpp" />
+    <ClCompile Include="IATModifier.cpp" />
+    <ClCompile Include="IATProcess.cpp" />
+    <ClCompile Include="Initalization.cpp" />
+    <ClCompile Include="InlineHook.cpp" />
+    <ClCompile Include="Main.cpp" />
+    <ClCompile Include="NativeAPI_NTDLL.cpp" />
+    <ClCompile Include="Privilege.cpp" />
+    <ClCompile Include="RemoteInjection.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\Common\DebugLog.h" />
+    <ClInclude Include="..\Common\DllModule.h" />
+    <ClInclude Include="..\Config\Config.h" />
+    <ClInclude Include="BeginDispatch.h" />
+    <ClInclude Include="CloneAPI_ADVAPI32.h" />
+    <ClInclude Include="CloneAPI_FLTLIB.h" />
+    <ClInclude Include="CloneAPI_KERNEL32.h" />
+    <ClInclude Include="CloneAPI_SHELL32.h" />
+    <ClInclude Include="Dispatch_ADVAPI32.h" />
+    <ClInclude Include="Dispatch_ADVAPI32_ChangeServiceConfig.h" />
+    <ClInclude Include="Dispatch_ADVAPI32_ChangeServiceConfig2.h" />
+    <ClInclude Include="Dispatch_ADVAPI32_ControlService.h" />
+    <ClInclude Include="Dispatch_ADVAPI32_CreateService.h" />
+    <ClInclude Include="Dispatch_ADVAPI32_DeleteService.h" />
+    <ClInclude Include="Dispatch_ADVAPI32_LockServiceDatabase.h" />
+    <ClInclude Include="Dispatch_ADVAPI32_SetServiceStatus.h" />
+    <ClInclude Include="Dispatch_ADVAPI32_StartService.h" />
+    <ClInclude Include="Dispatch_ADVAPI32_UnlockServiceDatabase.h" />
+    <ClInclude Include="Dispatch_KERNEL32.h" />
+    <ClInclude Include="Dispatch_KERNEL32_CreateProcessInternal.h" />
+    <ClInclude Include="Dispatch_NTDLL.h" />
+    <ClInclude Include="Dispatch_NTDLL_LdrLoadDll.h" />
+    <ClInclude Include="Dispatch_NTDLL_LdrUnloadDll.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtAdjustPrivilegesToken.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtAllocateVirtualMemory.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtClose.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtConnectPort.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtCreateEvent.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtCreateFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtCreateKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtCreateMutant.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtCreatePort.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtCreateProcess.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtCreateProcessEx.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtCreateSection.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtCreateSemaphore.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtCreateThread.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtDeleteFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtDeleteKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtDeleteValueKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtEnumerateKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtEnumerateValueKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtFsControlFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtGetContextThread.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtLoadDriver.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtNotifyChangeKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtNotifyChangeMultipleKeys.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtOpenEvent.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtOpenFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtOpenKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtOpenMutant.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtOpenProcess.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtOpenSection.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtOpenSemaphore.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtOpenThread.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtProtectVirtualMemory.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQueryAttributesFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQueryDirectoryFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQueryFullAttributesFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQueryInformationFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQueryInformationProcess.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQueryInformationThread.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQueryKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQueryMultipleValueKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQueryObject.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQuerySystemInformation.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtQueryValueKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtReadFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtRenameKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtResumeThread.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtSaveKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtSecureConnectPort.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtSetInformationFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtSetInformationToken.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtSetSecurityObject.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtSetSystemInformation.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtSetValueKey.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtSystemDebugControl.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtWriteFile.h" />
+    <ClInclude Include="Dispatch_NTDLL_NtWriteVirtualMemory.h" />
+    <ClInclude Include="Dispatch_USER32.h" />
+    <ClInclude Include="Dispatch_USER32_CreateWindowEx.h" />
+    <ClInclude Include="Dispatch_USER32_ExitWindowsEx.h" />
+    <ClInclude Include="Dispatch_USER32_GetWindowThreadProcessId.h" />
+    <ClInclude Include="Dispatch_USER32_PostMessage.h" />
+    <ClInclude Include="Dispatch_USER32_SendMessage.h" />
+    <ClInclude Include="Dispatch_USER32_SetWindowLong.h" />
+    <ClInclude Include="Dispatch_USER32_SetWindowsHookEx.h" />
+    <ClInclude Include="Dispatch_USER32_SetWindowText.h" />
+    <ClInclude Include="Dispatch_USER32_UnhookWindowsHookEx.h" />
+    <ClInclude Include="GetProcAddressEx.h" />
+    <ClInclude Include="HookHelp.h" />
+    <ClInclude Include="HookHelp_File.h" />
+    <ClInclude Include="HookHelp_Reg.h" />
+    <ClInclude Include="IATModifier.h" />
+    <ClInclude Include="IATProcess.h" />
+    <ClInclude Include="Initalization.h" />
+    <ClInclude Include="InlineHook.h" />
+    <ClInclude Include="Main.h" />
+    <ClInclude Include="NativeAPI_NTDLL.h" />
+    <ClInclude Include="Privilege.h" />
+    <ClInclude Include="RemoteInjection.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/HookPorts/HookPort.vcxproj.filters b/HookPorts/HookPort.vcxproj.filters
new file mode 100644
index 0000000..6f636d0
--- /dev/null
+++ b/HookPorts/HookPort.vcxproj.filters
@@ -0,0 +1,695 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Source Files\Debug">
+      <UniqueIdentifier>{551d6c3a-7efe-4d2e-b69a-28474e231ba0}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\Init">
+      <UniqueIdentifier>{b60a067b-5223-4ee9-a23b-3036526cc0c2}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\Begin">
+      <UniqueIdentifier>{64864ed6-0d3b-4f17-9958-df07ccd931b3}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\Hook">
+      <UniqueIdentifier>{e665302e-a2c3-4beb-ace5-f298e4f390b0}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\Dispatch">
+      <UniqueIdentifier>{21d3101f-8d06-4ec0-a0b8-655c97c4d025}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\Dispatch\NTDLL">
+      <UniqueIdentifier>{5ed006b5-bed5-4598-81ec-a7b310c23a3a}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\Dispatch\KERNEL32">
+      <UniqueIdentifier>{181436a9-c52c-4805-8b51-3a4293beef91}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\Dispatch\ADVAPI32">
+      <UniqueIdentifier>{3398afe7-a82a-4f28-94b9-d6fc1470176e}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\Dispatch\USER32">
+      <UniqueIdentifier>{9a23d5d1-a895-4b99-a85d-c5ae8efc1d1c}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\Inject">
+      <UniqueIdentifier>{18fbefe8-2ba4-45f7-a1b9-b0843e655f14}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\CloneAPI">
+      <UniqueIdentifier>{d99f5a4a-56f1-4367-ad2c-4d972917664b}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\NativeAPI">
+      <UniqueIdentifier>{c05d4dc5-6e18-468d-a9a5-eb59e40a10ee}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Header Files\Debug">
+      <UniqueIdentifier>{3d8d9994-977a-4dd5-a8bc-4a655793b5ed}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\Init">
+      <UniqueIdentifier>{847ca160-7c57-440a-b131-e64a161c3689}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\Begin">
+      <UniqueIdentifier>{70e627dd-8d7e-41c2-af20-6b44bba54017}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\Hook">
+      <UniqueIdentifier>{f8d74cd0-48df-4b42-8443-845fc2b2cd23}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\Dispatch">
+      <UniqueIdentifier>{198ca6e7-1887-45b2-9330-2e9e93b46080}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\Dispatch\NTDLL">
+      <UniqueIdentifier>{aedf0afc-1107-43df-8108-7235fc8b7383}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\Dispatch\KERNEL32">
+      <UniqueIdentifier>{9a97ece6-714d-4826-8d87-1aed3d98ef44}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\Dispatch\USER32">
+      <UniqueIdentifier>{b53cbb20-2513-4613-85c9-a4c2e7e69d04}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\Dispatch\ADVAPI32">
+      <UniqueIdentifier>{0927d2a7-a774-4152-ac41-75416584b3f1}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\Inject">
+      <UniqueIdentifier>{81af091a-deeb-4cfb-b8b6-40239c2d7dd4}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\CloneAPI">
+      <UniqueIdentifier>{849fe92b-41a9-4bf2-99bf-76464296fc23}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\NativeAPI">
+      <UniqueIdentifier>{12917cd9-2cac-46c8-9d4b-c392985c2570}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="Main.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\Common\DebugLog.cpp">
+      <Filter>Source Files\Debug</Filter>
+    </ClCompile>
+    <ClCompile Include="Initalization.cpp">
+      <Filter>Source Files\Init</Filter>
+    </ClCompile>
+    <ClCompile Include="Privilege.cpp">
+      <Filter>Source Files\Init</Filter>
+    </ClCompile>
+    <ClCompile Include="BeginDispatch.cpp">
+      <Filter>Source Files\Begin</Filter>
+    </ClCompile>
+    <ClCompile Include="GetProcAddressEx.cpp">
+      <Filter>Source Files\Hook</Filter>
+    </ClCompile>
+    <ClCompile Include="HookHelp.cpp">
+      <Filter>Source Files\Hook</Filter>
+    </ClCompile>
+    <ClCompile Include="HookHelp_File.cpp">
+      <Filter>Source Files\Hook</Filter>
+    </ClCompile>
+    <ClCompile Include="HookHelp_Reg.cpp">
+      <Filter>Source Files\Hook</Filter>
+    </ClCompile>
+    <ClCompile Include="InlineHook.cpp">
+      <Filter>Source Files\Hook</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_LdrLoadDll.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_LdrUnloadDll.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtAdjustPrivilegesToken.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtAllocateVirtualMemory.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtClose.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtConnectPort.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtCreateEvent.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtCreateFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtCreateKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtCreateMutant.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtCreatePort.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtCreateProcess.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtCreateProcessEx.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtCreateSection.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtCreateSemaphore.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtCreateThread.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtDeleteFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtDeleteKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtDeleteValueKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtEnumerateKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtEnumerateValueKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtFsControlFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtGetContextThread.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtLoadDriver.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtNotifyChangeKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtNotifyChangeMultipleKeys.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtOpenEvent.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtOpenFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtOpenKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtOpenMutant.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtOpenProcess.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtOpenSection.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtOpenSemaphore.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtOpenThread.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtProtectVirtualMemory.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQueryAttributesFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQueryDirectoryFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQueryFullAttributesFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQueryInformationFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQueryInformationProcess.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQueryInformationThread.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQueryKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQueryMultipleValueKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQueryObject.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQuerySystemInformation.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtQueryValueKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtReadFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtRenameKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtResumeThread.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtSaveKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtSecureConnectPort.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtSetInformationFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtSetInformationToken.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtSetSecurityObject.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtSetSystemInformation.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtSetValueKey.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtSystemDebugControl.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtWriteFile.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_NTDLL_NtWriteVirtualMemory.cpp">
+      <Filter>Source Files\Dispatch\NTDLL</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_KERNEL32.cpp">
+      <Filter>Source Files\Dispatch\KERNEL32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_KERNEL32_CreateProcessInternal.cpp">
+      <Filter>Source Files\Dispatch\KERNEL32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_ADVAPI32.cpp">
+      <Filter>Source Files\Dispatch\ADVAPI32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_ADVAPI32_ChangeServiceConfig.cpp">
+      <Filter>Source Files\Dispatch\ADVAPI32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_ADVAPI32_ChangeServiceConfig2.cpp">
+      <Filter>Source Files\Dispatch\ADVAPI32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_ADVAPI32_ControlService.cpp">
+      <Filter>Source Files\Dispatch\ADVAPI32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_ADVAPI32_CreateService.cpp">
+      <Filter>Source Files\Dispatch\ADVAPI32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_ADVAPI32_DeleteService.cpp">
+      <Filter>Source Files\Dispatch\ADVAPI32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_ADVAPI32_LockServiceDatabase.cpp">
+      <Filter>Source Files\Dispatch\ADVAPI32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_ADVAPI32_SetServiceStatus.cpp">
+      <Filter>Source Files\Dispatch\ADVAPI32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_ADVAPI32_StartService.cpp">
+      <Filter>Source Files\Dispatch\ADVAPI32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_ADVAPI32_UnlockServiceDatabase.cpp">
+      <Filter>Source Files\Dispatch\ADVAPI32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_USER32.cpp">
+      <Filter>Source Files\Dispatch\USER32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_USER32_CreateWindowEx.cpp">
+      <Filter>Source Files\Dispatch\USER32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_USER32_ExitWindowsEx.cpp">
+      <Filter>Source Files\Dispatch\USER32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_USER32_GetWindowThreadProcessId.cpp">
+      <Filter>Source Files\Dispatch\USER32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_USER32_PostMessage.cpp">
+      <Filter>Source Files\Dispatch\USER32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_USER32_SendMessage.cpp">
+      <Filter>Source Files\Dispatch\USER32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_USER32_SetWindowLong.cpp">
+      <Filter>Source Files\Dispatch\USER32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_USER32_SetWindowsHookEx.cpp">
+      <Filter>Source Files\Dispatch\USER32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_USER32_SetWindowText.cpp">
+      <Filter>Source Files\Dispatch\USER32</Filter>
+    </ClCompile>
+    <ClCompile Include="Dispatch_USER32_UnhookWindowsHookEx.cpp">
+      <Filter>Source Files\Dispatch\USER32</Filter>
+    </ClCompile>
+    <ClCompile Include="IATModifier.cpp">
+      <Filter>Source Files\Inject</Filter>
+    </ClCompile>
+    <ClCompile Include="IATProcess.cpp">
+      <Filter>Source Files\Inject</Filter>
+    </ClCompile>
+    <ClCompile Include="RemoteInjection.cpp">
+      <Filter>Source Files\Inject</Filter>
+    </ClCompile>
+    <ClCompile Include="CloneAPI_ADVAPI32.cpp">
+      <Filter>Source Files\CloneAPI</Filter>
+    </ClCompile>
+    <ClCompile Include="CloneAPI_FLTLIB.cpp">
+      <Filter>Source Files\CloneAPI</Filter>
+    </ClCompile>
+    <ClCompile Include="CloneAPI_KERNEL32.cpp">
+      <Filter>Source Files\CloneAPI</Filter>
+    </ClCompile>
+    <ClCompile Include="CloneAPI_SHELL32.cpp">
+      <Filter>Source Files\CloneAPI</Filter>
+    </ClCompile>
+    <ClCompile Include="NativeAPI_NTDLL.cpp">
+      <Filter>Source Files\NativeAPI</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\Config\Config.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\Common\DllModule.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Main.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\Common\DebugLog.h">
+      <Filter>Header Files\Debug</Filter>
+    </ClInclude>
+    <ClInclude Include="Initalization.h">
+      <Filter>Header Files\Init</Filter>
+    </ClInclude>
+    <ClInclude Include="Privilege.h">
+      <Filter>Header Files\Init</Filter>
+    </ClInclude>
+    <ClInclude Include="BeginDispatch.h">
+      <Filter>Header Files\Begin</Filter>
+    </ClInclude>
+    <ClInclude Include="GetProcAddressEx.h">
+      <Filter>Header Files\Hook</Filter>
+    </ClInclude>
+    <ClInclude Include="HookHelp.h">
+      <Filter>Header Files\Hook</Filter>
+    </ClInclude>
+    <ClInclude Include="HookHelp_File.h">
+      <Filter>Header Files\Hook</Filter>
+    </ClInclude>
+    <ClInclude Include="HookHelp_Reg.h">
+      <Filter>Header Files\Hook</Filter>
+    </ClInclude>
+    <ClInclude Include="InlineHook.h">
+      <Filter>Header Files\Hook</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_LdrLoadDll.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_LdrUnloadDll.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtAdjustPrivilegesToken.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtAllocateVirtualMemory.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtClose.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtConnectPort.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtCreateEvent.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtCreateFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtCreateKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtCreateMutant.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtCreatePort.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtCreateProcess.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtCreateProcessEx.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtCreateSection.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtCreateSemaphore.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtCreateThread.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtDeleteFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtDeleteKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtDeleteValueKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtEnumerateKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtEnumerateValueKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtFsControlFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtGetContextThread.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtLoadDriver.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtNotifyChangeKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtNotifyChangeMultipleKeys.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtOpenEvent.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtOpenFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtOpenKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtOpenMutant.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtOpenProcess.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtOpenSection.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtOpenSemaphore.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtOpenThread.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtProtectVirtualMemory.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQueryAttributesFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQueryDirectoryFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQueryFullAttributesFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQueryInformationFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQueryInformationProcess.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQueryInformationThread.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQueryKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQueryMultipleValueKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQueryObject.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQuerySystemInformation.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtQueryValueKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtReadFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtRenameKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtResumeThread.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtSaveKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtSecureConnectPort.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtSetInformationFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtSetInformationToken.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtSetSecurityObject.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtSetSystemInformation.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtSetValueKey.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtSystemDebugControl.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtWriteFile.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_NTDLL_NtWriteVirtualMemory.h">
+      <Filter>Header Files\Dispatch\NTDLL</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_KERNEL32.h">
+      <Filter>Header Files\Dispatch\KERNEL32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_KERNEL32_CreateProcessInternal.h">
+      <Filter>Header Files\Dispatch\KERNEL32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_USER32.h">
+      <Filter>Header Files\Dispatch\USER32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_USER32_CreateWindowEx.h">
+      <Filter>Header Files\Dispatch\USER32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_USER32_ExitWindowsEx.h">
+      <Filter>Header Files\Dispatch\USER32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_USER32_GetWindowThreadProcessId.h">
+      <Filter>Header Files\Dispatch\USER32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_USER32_PostMessage.h">
+      <Filter>Header Files\Dispatch\USER32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_USER32_SendMessage.h">
+      <Filter>Header Files\Dispatch\USER32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_USER32_SetWindowLong.h">
+      <Filter>Header Files\Dispatch\USER32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_USER32_SetWindowsHookEx.h">
+      <Filter>Header Files\Dispatch\USER32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_USER32_SetWindowText.h">
+      <Filter>Header Files\Dispatch\USER32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_USER32_UnhookWindowsHookEx.h">
+      <Filter>Header Files\Dispatch\USER32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_ADVAPI32.h">
+      <Filter>Header Files\Dispatch\ADVAPI32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_ADVAPI32_ChangeServiceConfig.h">
+      <Filter>Header Files\Dispatch\ADVAPI32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_ADVAPI32_ChangeServiceConfig2.h">
+      <Filter>Header Files\Dispatch\ADVAPI32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_ADVAPI32_ControlService.h">
+      <Filter>Header Files\Dispatch\ADVAPI32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_ADVAPI32_CreateService.h">
+      <Filter>Header Files\Dispatch\ADVAPI32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_ADVAPI32_DeleteService.h">
+      <Filter>Header Files\Dispatch\ADVAPI32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_ADVAPI32_LockServiceDatabase.h">
+      <Filter>Header Files\Dispatch\ADVAPI32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_ADVAPI32_SetServiceStatus.h">
+      <Filter>Header Files\Dispatch\ADVAPI32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_ADVAPI32_StartService.h">
+      <Filter>Header Files\Dispatch\ADVAPI32</Filter>
+    </ClInclude>
+    <ClInclude Include="Dispatch_ADVAPI32_UnlockServiceDatabase.h">
+      <Filter>Header Files\Dispatch\ADVAPI32</Filter>
+    </ClInclude>
+    <ClInclude Include="IATModifier.h">
+      <Filter>Header Files\Inject</Filter>
+    </ClInclude>
+    <ClInclude Include="IATProcess.h">
+      <Filter>Header Files\Inject</Filter>
+    </ClInclude>
+    <ClInclude Include="RemoteInjection.h">
+      <Filter>Header Files\Inject</Filter>
+    </ClInclude>
+    <ClInclude Include="CloneAPI_ADVAPI32.h">
+      <Filter>Header Files\CloneAPI</Filter>
+    </ClInclude>
+    <ClInclude Include="CloneAPI_FLTLIB.h">
+      <Filter>Header Files\CloneAPI</Filter>
+    </ClInclude>
+    <ClInclude Include="CloneAPI_KERNEL32.h">
+      <Filter>Header Files\CloneAPI</Filter>
+    </ClInclude>
+    <ClInclude Include="CloneAPI_SHELL32.h">
+      <Filter>Header Files\CloneAPI</Filter>
+    </ClInclude>
+    <ClInclude Include="NativeAPI_NTDLL.h">
+      <Filter>Header Files\NativeAPI</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/HookPorts/HookPort.vcxproj.user b/HookPorts/HookPort.vcxproj.user
new file mode 100644
index 0000000..6e2aec7
--- /dev/null
+++ b/HookPorts/HookPort.vcxproj.user
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup />
+</Project>
\ No newline at end of file
diff --git a/HookPorts/IATModifier.cpp b/HookPorts/IATModifier.cpp
new file mode 100644
index 0000000..20d4a13
--- /dev/null
+++ b/HookPorts/IATModifier.cpp
@@ -0,0 +1,203 @@
+#include "IATModifier.h"
+#include <string>
+#include <Windows.h>
+
+using namespace std;
+
+IATModifier::IATModifier(const Process& process)
+	: process_(process), importDescrTblAddr_(NULL), importDescrTblSize_(0)
+{
+}
+
+IATModifier::~IATModifier()
+{
+}
+
+// check if supplied IBA is a valid executable header, so we can locate the import descriptor
+void IATModifier::setImageBase(uintptr_t address)
+{
+	IMAGE_DOS_HEADER dosHeader;
+	process_.readMemory((void*)address, &dosHeader, sizeof(IMAGE_DOS_HEADER));
+	if (dosHeader.e_magic != IMAGE_DOS_SIGNATURE)
+		throw std::runtime_error("Error while setting image base address: no DOS signature found");
+
+	IMAGE_NT_HEADERS ntHeaders;
+	ntHeadersAddr_ = address + dosHeader.e_lfanew;
+	process_.readMemory((void*)ntHeadersAddr_, &ntHeaders, sizeof(IMAGE_NT_HEADERS));
+	if (ntHeaders.Signature != IMAGE_NT_SIGNATURE)
+		throw std::runtime_error("Error while setting image base address: no NT signature found");
+	if (ntHeaders.FileHeader.Characteristics & IMAGE_FILE_DLL)
+		throw std::runtime_error("Error while setting image base address: not the image base of an executable");
+	if (ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress == 0)
+		throw std::runtime_error("Error while setting image base address: no import directory existing");
+	importDescrTblSize_ = ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
+	importDescrTblAddr_ = (PIMAGE_IMPORT_DESCRIPTOR)(ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (DWORD)address);	
+}
+
+void IATModifier::writeIAT(const std::string& dll)
+{
+	vector<string> dlls;
+	dlls.push_back(dll);
+	writeIAT(dlls);
+}
+
+// write one or more new import descriptors by allocating a new import descriptor table
+void IATModifier::writeIAT(const vector<string>& dlls)
+{
+	if (dlls.empty()) throw IATModifierException("DLL path list must not be empty");
+	if (importDescrTblAddr_ == NULL) throw IATModifierException("Import descriptor must not be NULL");
+	
+	// allocate memory for the new descriptor
+	IMAGE_NT_HEADERS ntHeaders;
+	process_.readMemory((void*)ntHeadersAddr_, &ntHeaders, sizeof(IMAGE_NT_HEADERS));
+	
+	// the size of all newly added data, i.e. size without original data in IID
+	// we need n additional IMAGE_IMPORT_DESCRIPTOR
+	DWORD customDataSize = (DWORD)dlls.size() * sizeof(IMAGE_IMPORT_DESCRIPTOR);
+	
+	// make sure the string sizes are padded to 32 bit boundary
+	for (size_t i=0; i<dlls.size(); ++i) customDataSize += padToDword(dlls[i].size() + 1);
+
+	// IMAGE_THUNK_DATA, 2 entries each (OriginalFirstThunk+FirstThunk)
+	customDataSize += 4 * sizeof(DWORD) * dlls.size();
+	DWORD origIIDTblSize = ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
+	DWORD newDescrTblSize = customDataSize + origIIDTblSize;
+	char* newDescrTbl = new char[newDescrTblSize];
+	
+	// allocate and build new import descriptor
+	DWORD iba = ntHeaders.OptionalHeader.ImageBase;
+	void* newDescrTblAddress = allocateMemAboveBase((void*)iba, newDescrTblSize);
+
+	// RVA pointing directly behind the old table
+	DWORD newTblRVA = (DWORD)newDescrTblAddress - iba + origIIDTblSize + dlls.size() * sizeof(IMAGE_IMPORT_DESCRIPTOR);
+	DWORD currentRVA = newTblRVA;
+	
+	// step 1: prepend new IID entries for our dlls and fill with the correct RVAs
+	PIMAGE_IMPORT_DESCRIPTOR currentIDD = (PIMAGE_IMPORT_DESCRIPTOR)newDescrTbl;
+	for (size_t i=0; i<dlls.size(); ++i, ++currentIDD)
+	{
+		// layout: [<orig_first_thunk><IAT><name>]...[...]
+		currentIDD->OriginalFirstThunk = currentIDD->FirstThunk = currentRVA;
+		currentIDD->TimeDateStamp = currentIDD->ForwarderChain = 0;
+		currentRVA += 4 * sizeof(DWORD);
+		currentIDD->Name = currentRVA;
+		currentRVA += padToDword(dlls[i].size() + 1);
+	}
+
+	// step 2: add old IID entries
+	// we need to save the original import descriptor; read process memory directly into our new IID table
+	for (PIMAGE_IMPORT_DESCRIPTOR descrAddr=importDescrTblAddr_;; ++descrAddr, ++currentIDD)
+	{
+		process_.readMemory(descrAddr, currentIDD, sizeof(IMAGE_IMPORT_DESCRIPTOR));
+		if (currentIDD->FirstThunk == 0 && currentIDD->OriginalFirstThunk == 0) break;
+	}
+
+	// step 3: build blocks made of IMAGE_THUNK_DATA, IAT and dll name string
+	// let curBlock point after IIDs
+	PDWORD curBlock = (PDWORD)(newDescrTbl + origIIDTblSize + dlls.size() * sizeof(IMAGE_IMPORT_DESCRIPTOR));
+	for (size_t i=0; i<dlls.size(); ++i)
+	{
+		// force the dll to export at least one entry with ordinal 1
+		// OriginalFirstThunk
+		*curBlock++ = IMAGE_ORDINAL_FLAG | 1;
+		*curBlock++ = 0;
+		// FirstThunk
+		*curBlock++ = IMAGE_ORDINAL_FLAG | 1;
+		*curBlock++ = 0;
+		memcpy((char*)curBlock, dlls[i].c_str(), dlls[i].size() + 1);
+		curBlock += padToDword(dlls[i].size() + 1) >> 2;
+	}
+	
+	// if IAT is zero, set it to VA of section which holds import directory (needed for delphi programs?!)
+	if (ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress == 0)
+	{
+		uintptr_t sectionHdrAddr = ntHeadersAddr_ + FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + ntHeaders.FileHeader.SizeOfOptionalHeader;
+		IMAGE_SECTION_HEADER ish;
+		for (int i=0; i<ntHeaders.FileHeader.NumberOfSections; ++i, sectionHdrAddr += sizeof(IMAGE_SECTION_HEADER))
+		{
+			process_.readMemory((LPVOID)sectionHdrAddr, &ish, sizeof(ish));
+			if (ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress >= ish.VirtualAddress &&
+				ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress < ish.VirtualAddress + ish.SizeOfRawData)
+			{
+				ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = ish.VirtualAddress;
+				ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = ish.SizeOfRawData;
+			}
+		}
+	}
+
+	// finally write new descriptor, fix RVAs and update IMAGE_NT_HEADERS
+	process_.writeMemory(newDescrTblAddress, newDescrTbl, newDescrTblSize);
+	DWORD newIIDRVA = (DWORD)newDescrTblAddress - iba;
+	ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = newIIDRVA;
+	ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = newDescrTblSize;
+
+	// only clear BOUND directory if we need to
+	if(ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != -1
+		&& ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != 0)
+	{
+		ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
+		ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
+	}
+	
+	// handle injection in .NET process
+	if (ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != 0)
+	{
+		uintptr_t comDescriptorAddr = ntHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + iba;
+		IMAGE_COR20_HEADER cor20Header;
+		process_.readMemory((LPVOID)comDescriptorAddr, &cor20Header, sizeof(IMAGE_COR20_HEADER));
+		if (cor20Header.Flags | COMIMAGE_FLAGS_ILONLY)
+		{
+			// pure IL executables trigger more restrictive PE header checks
+			// so just remove the corresponding flag
+			cor20Header.Flags = cor20Header.Flags & ~COMIMAGE_FLAGS_ILONLY;
+			DWORD oldProtect = process_.protectMemory((LPVOID)comDescriptorAddr, sizeof(IMAGE_COR20_HEADER), PAGE_EXECUTE_READWRITE);
+			process_.writeMemory((LPVOID)comDescriptorAddr, &cor20Header, sizeof(IMAGE_COR20_HEADER));
+			process_.protectMemory((LPVOID)comDescriptorAddr, sizeof(IMAGE_COR20_HEADER), oldProtect);
+		}
+	}
+
+	// finally write new NT headers and reset page protection afterwards
+	DWORD oldProtect = process_.protectMemory((void*)ntHeadersAddr_, sizeof(IMAGE_NT_HEADERS), PAGE_EXECUTE_READWRITE);
+	process_.writeMemory((void*)ntHeadersAddr_, &ntHeaders, sizeof(IMAGE_NT_HEADERS));
+	process_.protectMemory((void*)ntHeadersAddr_, sizeof(IMAGE_NT_HEADERS), oldProtect);
+	delete[] newDescrTbl;
+}
+
+void* IATModifier::allocateMemAboveBase(void* baseAddress, size_t size)
+{
+	try
+	{
+		MEMORY_BASIC_INFORMATION mbi;
+		for (char* currentAddress = (char*)baseAddress;; currentAddress = (char*)mbi.BaseAddress + mbi.RegionSize)
+		{
+			mbi = process_.queryMemory(currentAddress);
+			if (mbi.State != MEM_FREE) continue;
+			// walk memory region in allocation granularity steps
+			char* bruteForce = (char*)pad((unsigned int)currentAddress, 0xFFFF);
+			while (bruteForce < (char*)mbi.BaseAddress + mbi.RegionSize)
+			{
+				try
+				{
+					process_.allocMem(size, bruteForce, MEM_RESERVE | MEM_COMMIT);
+					return bruteForce;
+				}
+				catch (MemoryAllocationException)
+				{
+				}
+				bruteForce += 0x10000;
+			}
+		}
+	}
+	catch (const MemoryQueryException&)
+	{
+		return NULL;
+	}
+}
+
+IMAGE_NT_HEADERS IATModifier::readNTHeaders() const
+{
+	if (ntHeadersAddr_ == 0) throw std::runtime_error("Image base address has not been set - unable to retrieve IMAGE_NT_HEADERS");
+	IMAGE_NT_HEADERS ntHeaders;
+	process_.readMemory((void*)ntHeadersAddr_, &ntHeaders, sizeof(IMAGE_NT_HEADERS));
+	return ntHeaders;
+}
\ No newline at end of file
diff --git a/HookPorts/IATModifier.h b/HookPorts/IATModifier.h
new file mode 100644
index 0000000..4f4b2d4
--- /dev/null
+++ b/HookPorts/IATModifier.h
@@ -0,0 +1,46 @@
+#pragma once
+
+#include <iostream>
+#include <vector>
+#include "IATProcess.h"
+
+class IATModifier
+{
+public:
+
+	IATModifier(const Process& process);
+	~IATModifier();
+	std::vector<IMAGE_IMPORT_DESCRIPTOR> readImportTable();
+	void setImageBase(uintptr_t address);
+	void writeIAT(const std::vector<std::string>& dlls);
+	void writeIAT(const std::string& dll);
+	IMAGE_NT_HEADERS readNTHeaders() const;
+
+private:
+
+	DWORD pad(DWORD val, DWORD amount) { return (val+amount) & ~amount; };
+	DWORD padToDword(DWORD val) { return pad(val, 3); };
+	void* allocateMemAboveBase(void* baseAddress, size_t size);
+	Process process_;
+	PIMAGE_IMPORT_DESCRIPTOR importDescrTblAddr_;
+	uintptr_t ntHeadersAddr_;
+	unsigned int importDescrTblSize_;
+};
+
+// general exception for this class
+class IATModifierException : public std::runtime_error
+{
+public:
+	IATModifierException::IATModifierException(const std::string& msg) : std::runtime_error(msg) {};
+};
+
+// exception while writing image import descriptors
+class WriteIIDException : public std::runtime_error
+{
+public:
+	WriteIIDException::WriteIIDException(const std::string& msg, const MemoryAccessException& e) : std::runtime_error(msg), innerException_(e) {};
+	MemoryAccessException innerException() const { return innerException_; };
+
+private:
+	MemoryAccessException innerException_;
+};
\ No newline at end of file
diff --git a/HookPorts/IATProcess.cpp b/HookPorts/IATProcess.cpp
new file mode 100644
index 0000000..82b6751
--- /dev/null
+++ b/HookPorts/IATProcess.cpp
@@ -0,0 +1,235 @@
+#include "IATProcess.h"
+#include <iostream>
+#include <sstream>
+
+using namespace std;
+
+Process::Process(DWORD processID) :
+	hThread_(INVALID_HANDLE_VALUE),
+	hProcess_(INVALID_HANDLE_VALUE),
+	processID_(processID)
+{
+	hProcess_ = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, processID);
+	if (hProcess_ == NULL)
+	{
+		DWORD lastErr = GetLastError();
+		stringstream ss;
+		ss << "Failed to get appropriate process access rights for process id: " << processID
+		   << ", system error code: " << lastErr;
+		throw ProcessHandleException(ss.str());
+	}
+}
+
+Process::Process(const Process& instance)
+{
+	this->hProcess_ = this->hThread_ = INVALID_HANDLE_VALUE;
+	if (!duplicateHandle(instance.hProcess_, &this->hProcess_)
+		|| !duplicateHandle(instance.hThread_, &this->hThread_)) throw ProcessHandleException("Failed to duplicate handle!");
+	this->processID_ = instance.processID_;
+}
+
+Process& Process::operator=(const Process& instance)
+{
+	if (!duplicateHandle(instance.hProcess_, &this->hProcess_)
+		|| !duplicateHandle(instance.hThread_, &this->hThread_)) throw ProcessHandleException("Failed to duplicate handle!");
+	this->processID_ = instance.processID_;
+	return *this;
+}
+
+Process::~Process()
+{
+	if (hProcess_ != INVALID_HANDLE_VALUE) CloseHandle(hProcess_);
+	if (hThread_ != INVALID_HANDLE_VALUE) CloseHandle(hThread_);
+}
+
+bool Process::duplicateHandle(HANDLE hSrc, HANDLE* hDest)
+{
+	if (hSrc == INVALID_HANDLE_VALUE) return true;
+	return (DuplicateHandle(GetCurrentProcess(), 
+						   hSrc, 
+						   GetCurrentProcess(), 
+						   hDest,
+						   0,
+						   FALSE,
+						   DUPLICATE_SAME_ACCESS) == TRUE ? true : false);
+}
+
+void Process::writeMemory(LPVOID address, LPCVOID data, DWORD size) const
+{
+	SIZE_T written = 0;
+	WriteProcessMemory(hProcess_, address, data, size, &written);
+	if (written != size) throw MemoryAccessException("Write memory failed!");
+}
+
+void Process::readMemory(LPVOID address, LPVOID buffer, DWORD size) const
+{
+	SIZE_T read = 0;
+	ReadProcessMemory(hProcess_, address, buffer, size, &read);
+	if (read != size) throw MemoryAccessException("Read memory failed!");
+}
+
+MEMORY_BASIC_INFORMATION Process::queryMemory(LPVOID address) const
+{
+	MEMORY_BASIC_INFORMATION mbi;
+	SIZE_T retVal = VirtualQueryEx(hProcess_, address, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
+	if (retVal == 0) throw MemoryQueryException("Unable to query memory");
+	return mbi;
+}
+
+DWORD Process::protectMemory(LPVOID address, SIZE_T size, DWORD protect) const
+{
+	DWORD oldProtect;
+	BOOL retVal = VirtualProtectEx(hProcess_, address, size, protect, &oldProtect);
+	if (retVal == FALSE) throw MemoryProtectException("Unable to set memory protection", address);
+	return oldProtect;
+}
+
+bool Process::startThread(LPVOID address, LPVOID param)
+{
+	hThread_ = CreateRemoteThread(hProcess_, NULL, 0, (LPTHREAD_START_ROUTINE)address, param, 0, NULL);
+	if (hThread_ != INVALID_HANDLE_VALUE) SetThreadPriority(hThread_, THREAD_PRIORITY_TIME_CRITICAL);
+	return (hThread_ != NULL);
+}
+
+// wait for remote thread to exit and close its handle
+void Process::waitForThread()
+{
+	if (hThread_ == NULL) throw std::runtime_error("Invalid thread handle");
+	WaitForSingleObject(hThread_, INFINITE);
+	CloseHandle(hThread_);
+	hThread_ = NULL;
+}
+
+LPVOID Process::allocMem(DWORD size) const
+{
+	return allocMem(size, MEM_RESERVE | MEM_COMMIT);	
+}
+
+LPVOID Process::allocMem(DWORD size, DWORD allocationType) const
+{
+	return allocMem(size, NULL, allocationType);
+}
+
+LPVOID Process::allocMem(DWORD size, LPVOID desiredAddress, DWORD allocationType) const
+{
+	LPVOID addr = VirtualAllocEx(hProcess_, desiredAddress, size, allocationType, PAGE_EXECUTE_READWRITE);
+	if (addr == NULL) throw MemoryAllocationException("Failed to allocate memory");
+	return addr;
+}
+
+bool Process::freeMem(LPVOID address) const
+{
+	return (VirtualFreeEx(hProcess_, address, 0, MEM_RELEASE) != 0);
+}
+
+// note: does not work in process start event
+std::vector<MODULEENTRY32> Process::getModules() const
+{
+	std::vector<MODULEENTRY32> result;
+	HANDLE hModulesSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processID_);
+	if (hModulesSnap == INVALID_HANDLE_VALUE)
+	{
+		DWORD err = GetLastError();
+		ostringstream oss;
+		oss << "Unable to create modules snapshot, last error: " << err << std::endl;
+		throw std::runtime_error(oss.str());
+	}
+
+	MODULEENTRY32 me32;
+	me32.dwSize = sizeof(MODULEENTRY32);
+	if(!Module32First(hModulesSnap, &me32))
+	{
+		DWORD err = GetLastError();
+		ostringstream oss;
+		oss << "Unable to enumerate modules from snapshot, last error: " << err << std::endl;
+		CloseHandle(hModulesSnap);
+		throw std::runtime_error(oss.str());
+	}
+
+	bool found = false;
+	do
+	{
+		result.push_back(me32);
+	} while(!found && Module32Next(hModulesSnap, &me32));
+
+	CloseHandle(hModulesSnap);
+	return result;
+}
+
+void Process::throwSysError(const char* msg, DWORD lastError) const
+{
+	std::ostringstream oss;
+	oss << msg << ", system error was: " << lastError;
+	throw std::runtime_error(oss.str());
+}
+
+// also works if process is suspended and not fully initialized yet
+uintptr_t Process::getImageBase(HANDLE hThread) const
+{
+	CONTEXT context;
+	context.ContextFlags = CONTEXT_SEGMENTS;
+	if (!GetThreadContext(hThread, &context))
+	{
+		throwSysError("Error while retrieving thread context to determine IBA",  GetLastError());
+	}
+
+	// translate FS selector to virtual address
+	LDT_ENTRY ldtEntry;
+	if (!GetThreadSelectorEntry(hThread, context.SegFs, &ldtEntry))
+	{
+		throwSysError("Error while translating FS selector to virtual address",  GetLastError());
+	}
+
+	uintptr_t fsVA = (ldtEntry.HighWord.Bytes.BaseHi) << 24
+		| (ldtEntry.HighWord.Bytes.BaseMid) << 16 | (ldtEntry.BaseLow);
+
+	uintptr_t iba = 0;
+	SIZE_T read;
+	// finally read image based address from PEB:[8]
+	if (!(ReadProcessMemory(hProcess_, (LPCVOID)(fsVA+0x30), &iba, sizeof(uintptr_t), &read)
+		&& ReadProcessMemory(hProcess_, (LPCVOID)(iba+8), &iba, sizeof(uintptr_t), &read)))
+	{
+		throwSysError("Error while reading process memory to retrieve image base address", GetLastError());
+	}
+	return iba;
+}
+
+// retrieve image base address for current process
+// ONLY works if process has bee initialized, otherwise thread enumeration will fail
+// use overloaded function instead
+uintptr_t Process::getImageBase() const
+{
+	// first get handle to one of the threads in the process
+	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, processID_);
+	if (hSnapshot == INVALID_HANDLE_VALUE) throw std::runtime_error("Unable to create thread snapshot");
+
+	DWORD lastError = 0;
+	THREADENTRY32 threadEntry;
+	threadEntry.dwSize = sizeof(THREADENTRY32);
+	if (!Thread32First(hSnapshot, &threadEntry))
+	{
+		lastError = GetLastError();
+		CloseHandle(hSnapshot);
+		throwSysError("Unable to get first thread from snapshot", lastError);
+	}
+
+	CloseHandle(hSnapshot);
+	HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, threadEntry.th32ThreadID);
+	if (!hThread)
+	{
+		lastError = GetLastError();
+		throwSysError("Error while retrieving thread handle", lastError);
+	}
+
+	try
+	{
+		uintptr_t iba = getImageBase(hThread);
+		CloseHandle(hThread);
+		return iba;
+	}
+	catch (const std::exception&)
+	{
+		CloseHandle(hThread);
+		throw;
+	}
+}
\ No newline at end of file
diff --git a/HookPorts/IATProcess.h b/HookPorts/IATProcess.h
new file mode 100644
index 0000000..db55c04
--- /dev/null
+++ b/HookPorts/IATProcess.h
@@ -0,0 +1,86 @@
+#pragma once
+
+#include <iostream>
+#include <vector>
+#include <Windows.h>
+#include <TlHelp32.h>
+
+class Process
+{
+public:
+
+	//Process(HANDLE hProcess);
+	Process(DWORD processID);
+	Process::Process(const Process& instance);
+	Process& Process::operator=(const Process& instance);
+	~Process();
+	
+	LPVOID allocMem(DWORD size) const;
+	LPVOID allocMem(DWORD size, DWORD allocationType) const;
+	LPVOID allocMem(DWORD size, LPVOID desiredAddress, DWORD allocationType) const;
+	bool freeMem(LPVOID address) const;
+	void writeMemory(LPVOID address, LPCVOID data, DWORD size) const;
+	void readMemory(LPVOID address, LPVOID buffer, DWORD size) const;
+	MEMORY_BASIC_INFORMATION queryMemory(LPVOID address) const;
+	DWORD protectMemory(LPVOID address, SIZE_T size, DWORD protect) const;
+	bool startThread(LPVOID address, LPVOID param);
+	void waitForThread();
+	std::vector<MODULEENTRY32> Process::getModules() const;
+	
+	uintptr_t getImageBase(HANDLE hThread) const;
+	uintptr_t getImageBase() const;
+
+private:
+
+	bool duplicateHandle(HANDLE hSrc, HANDLE* hDest);
+	void throwSysError(const char* msg, DWORD lastError) const;
+
+	HANDLE hProcess_;
+	HANDLE hThread_;
+	DWORD processID_;
+};
+
+// handle error
+class ProcessHandleException : public std::runtime_error
+{
+public:
+	ProcessHandleException::ProcessHandleException(const std::string& msg) : std::runtime_error(msg) {};
+};
+
+// anything with memory
+class ProcessMemoryException : public std::runtime_error
+{
+public:
+	ProcessMemoryException::ProcessMemoryException(const std::string& msg, LPVOID address) : std::runtime_error(msg), address_(address) {};
+	LPVOID getAddress() { return address_; };
+private:
+	LPVOID address_;
+};
+
+// access memory
+class MemoryAccessException : public std::runtime_error
+{
+public:
+	MemoryAccessException::MemoryAccessException(const std::string& msg) : std::runtime_error(msg) {};	
+};
+
+// allocate
+class MemoryAllocationException : public std::runtime_error
+{
+public:
+	MemoryAllocationException::MemoryAllocationException(const std::string& msg) : std::runtime_error(msg) {};	
+};
+
+// query memory
+class MemoryQueryException : public std::runtime_error
+{
+public:
+	MemoryQueryException::MemoryQueryException(const std::string& msg) : std::runtime_error(msg) {};	
+};
+
+// protect memory
+class MemoryProtectException : public ProcessMemoryException
+{
+public:
+	MemoryProtectException::MemoryProtectException(const std::string& msg, LPVOID address) : ProcessMemoryException(msg, address) {};	
+};
\ No newline at end of file
diff --git a/HookPorts/Initalization.cpp b/HookPorts/Initalization.cpp
new file mode 100644
index 0000000..d7657e1
--- /dev/null
+++ b/HookPorts/Initalization.cpp
@@ -0,0 +1,524 @@
+#include <windows.h>
+#include <ntsecapi.h>
+#include <stdio.h>
+#include <shlwapi.h>
+#pragma comment(lib,"shlwapi.lib")
+#include <tlhelp32.h>
+
+#include "./Initalization.h"
+#include "../Config/Config.h"
+#include "../Common/DebugLog.h"
+#include "./Privilege.h"
+#include "./HookHelp.h"
+#include "./Main.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+#include "./Dispatch_NTDLL_NtQueryObject.h"
+#include "./NativeAPI_NTDLL.h"
+#include "./Dispatch_NTDLL_NtCreateFile.h"
+#include "./Dispatch_NTDLL_NtClose.h"
+
+#include "./CloneAPI_KERNEL32.h"
+
+
+
+//
+//Initalization Functions
+//
+int GetSandBoxNameFromRegistry( OUT WCHAR * lpSandBoxName )
+{
+	//Return Value:
+	//-1 = error
+	//0 = warning
+	//1 = succeed
+
+	//
+	//List SandBox in Registry
+	//
+	WCHAR szSandBoxName[CONF_SandBoxNameLength+1] = {NULL};
+
+	HKEY hkSandBoxMain = NULL;
+	WCHAR szRegSandBoxPath[256] = {NULL};
+	int nId = 0;
+
+	lstrcpy(szRegSandBoxPath,L"SOFTWARE\\");
+	lstrcat(szRegSandBoxPath,CONF_SoftwareRegName);
+	lstrcat(szRegSandBoxPath,L"\\");
+	lstrcat(szRegSandBoxPath,CONF_SoftwareReg_SandBox);
+
+	if( RegOpenKeyEx(HKEY_LOCAL_MACHINE,szRegSandBoxPath,NULL,KEY_ALL_ACCESS,&hkSandBoxMain) == ERROR_SUCCESS )
+	{
+		while( RegEnumKey(hkSandBoxMain,nId,szSandBoxName,CONF_SandBoxNameLength+1) == ERROR_SUCCESS )
+		{
+			nId++;
+			if( QuerySandBoxState(szSandBoxName) == 1 )
+			{
+				if( IsProcessInSandBox(GetCurrentProcessId(),szSandBoxName) == TRUE )
+				{
+					RegCloseKey(hkSandBoxMain);
+					lstrcpy(lpSandBoxName,szSandBoxName);
+
+					return 1;
+				}
+			}
+		}
+		RegCloseKey(hkSandBoxMain);
+	}
+	else
+	{
+		return -1;
+	}
+
+	return -1;
+}
+
+int QuerySandBoxState(IN const WCHAR * lpSandBoxName)
+{
+	//Return Value:
+	//0 = OFF
+	//1 = ON
+	int iRet = 0;
+
+	HKEY hkSandBox = NULL;
+	WCHAR szSubKeyName[256] = {NULL};
+	lstrcpy(szSubKeyName,CONF_SoftwareReg_SandBox);
+	lstrcat(szSubKeyName,L"_");
+	lstrcat(szSubKeyName,lpSandBoxName);
+	lstrcat(szSubKeyName,L"\\");
+	lstrcat(szSubKeyName,CONF_SoftwareReg_SandBox_SYNC);
+
+	if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkSandBox) == ERROR_SUCCESS )
+	{
+		iRet = 1;
+	}
+	RegCloseKey(hkSandBox);
+
+	return iRet;
+}
+
+BOOL IsProcessInSandBox( IN DWORD dwProcessId ,IN WCHAR * lpSandBoxName )
+{
+	//Return Value:
+	//TRUE = Inside SandBox
+	//FALSE = Outside SandBox
+	BOOL bRet = FALSE;
+
+	//
+	//Query subkey [HKEY_USERS\SandBox_XXX\SYNC\PROC\(PID)]
+	//
+	HKEY hkSandBox = NULL;
+	WCHAR szSubKeyName[256] = {NULL};
+
+	wsprintf(
+		szSubKeyName,
+		L"%s_%s\\%s\\%s\\%d",
+		CONF_SoftwareReg_SandBox,
+		lpSandBoxName,
+		CONF_SoftwareReg_SandBox_SYNC,
+		CONF_SoftwareReg_SandBox_SYNC_PROC,
+		dwProcessId
+		);
+
+	if( RegOpenKeyEx(HKEY_USERS,szSubKeyName,NULL,KEY_ALL_ACCESS,&hkSandBox) == ERROR_SUCCESS )
+	{
+		bRet = TRUE;
+	}
+	RegCloseKey(hkSandBox);
+
+	return bRet;
+}
+
+int HookPortInitalization(IN HMODULE hModule, IN const WCHAR * lpSandBoxName)
+{
+	//Return Value:
+	//-1 = error
+	//0 = warning
+	//1 = succeed
+
+	int iRet = 1;
+
+	//
+	//Check if is patched
+	//
+	HINSTANCE hDll = NULL;
+	hDll = GetModuleHandleW( CONF_CloneAPI_CloneKERNEL32 );
+	if( hDll )
+	{
+		return 0;
+	}
+
+	//
+	//Save [lpSandBoxName] to [g_szSandBoxName]
+	//
+	lstrcpy(g_szSandBoxName,lpSandBoxName);
+	WideCharToMultiByte(CP_ACP,WC_COMPOSITECHECK,g_szSandBoxName,-1,g_strSandBoxName,sizeof(g_strSandBoxName),NULL,NULL);
+
+	//
+	//Get Current Module info
+	//
+	if( GetCurrentModuleInfo(hModule) == -1 )
+	{
+		iRet = -1;
+	}
+
+	//
+	//Log Process Information to RegistrySYNC
+	//
+	//[HKEY_USERS\SandBox_XXX\SYNC\PROC\(PID)]
+	LogProcessInfoToRegistrySYNC(lpSandBoxName,GetCurrentProcessId());
+
+	//
+	//Get CloneAPI file path
+	//
+	GetCloneAPIPath();
+
+	//
+	//Get CloenAPI Module info
+	//
+	GetCloenAPIModuleInfo();
+
+	//
+	//Init [Patched Process Table]
+	//
+	InitPatchedProcessTable();
+
+	//
+	//Get RestoreFilePath
+	//
+	GetRestoreFilePath(lpSandBoxName);
+
+	//
+	//Get RestoreRegPath
+	//
+	GetRestoreRegPath(lpSandBoxName);
+
+	//
+	//Self check
+	//
+	if( SelfCheck() == -1 )
+	{
+		iRet = -1;
+	}
+
+	return iRet;
+}
+
+int ResumeCurrentProcess(void)
+{
+	HANDLE hSnapshot = NULL;
+	THREADENTRY32 ThreadSnapshot;
+	HANDLE hThread = NULL;
+
+	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,GetCurrentProcessId());
+	ThreadSnapshot.dwSize=sizeof(THREADENTRY32);
+
+	Thread32First(hSnapshot,&ThreadSnapshot);
+	do
+	{
+		if( ThreadSnapshot.th32ThreadID != GetCurrentThreadId() &&
+			ThreadSnapshot.th32OwnerProcessID == GetCurrentProcessId()
+			)
+		{
+			hThread=CAPI_OpenThread(THREAD_SUSPEND_RESUME,0,ThreadSnapshot.th32ThreadID);
+
+			PULONG SuspendCount = 0;
+			NtResumeThread(hThread,SuspendCount);
+
+			CloseHandle(hThread);
+		}
+	}
+	while(Thread32Next(hSnapshot,&ThreadSnapshot));
+	CloseHandle(hSnapshot);
+
+	return 0;
+}
+
+int ConvertToGUIThread(void)
+{
+	WNDCLASSEX wc;
+	MSG msg;
+	const WCHAR	ClassName[] = L"[SandBox]";
+	ZeroMemory(&wc, sizeof(WNDCLASSEX));
+	wc.cbSize = sizeof(WNDCLASSEX);
+	wc.hInstance = g_hinstDLL;
+	wc.lpfnWndProc = WindowProc;
+	wc.lpszClassName = &ClassName[0];
+	RegisterClassEx(&wc);
+
+	msg.hwnd = CreateWindowEx(
+		WS_EX_TOOLWINDOW,
+		&ClassName[0],
+		L"HookPort GUI Thread",
+		0,
+		0,
+		0,
+		1,
+		1,
+		HWND_DESKTOP,
+		NULL,
+		g_hinstDLL,
+		0
+		);
+
+	ShowWindow(msg.hwnd,SW_HIDE);
+	UpdateWindow(msg.hwnd);
+
+	return 0;
+}
+
+LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
+{
+	switch (uMsg)
+	{
+	case WM_SIZE:
+		{
+			// Resize the browser object to fit the window
+			//ResizeBrowser(hwnd, LOWORD(lParam), HIWORD(lParam));
+			return(0);
+		}
+		
+	case WM_CREATE:
+		{
+			// Embed the browser object into our host window. We need do this only
+			// once. Note that the browser object will start calling some of our
+			// IOleInPlaceFrame and IOleClientSite functions as soon as we start
+			// calling browser object functions in EmbedBrowserObject().
+			//if (EmbedBrowserObject(hwnd)) return(-1);
+			
+			// Another window created with an embedded browser object
+			//++WindowCount;
+			
+			// Success
+			return(0);
+		}
+		
+	case WM_DESTROY:
+		{
+			// Detach the browser object from this window, and free resources.
+			//UnEmbedBrowserObject(hwnd);
+			
+			// One less window
+			//--WindowCount;
+			
+			// If all the windows are now closed, quit this app
+			//if(WindowCount==0)PostQuitMessage(0);
+			
+			return(TRUE);
+		}
+		
+		
+	}
+	
+	return(DefWindowProc(hwnd, uMsg, wParam, lParam));
+}
+
+int LogProcessInfoToRegistrySYNC(IN const WCHAR * lpSandBoxName, IN DWORD dwProcessId)
+{
+	//
+	//Create subkey [HKEY_USERS\SandBox_XXX\SYNC\PROC\(PID)]
+	//
+	HKEY hkSandBox = NULL;
+	WCHAR szSubKeyName[256] = {NULL};
+
+	wsprintf(
+		szSubKeyName,
+		L"%s_%s\\%s\\%s\\%d",
+		CONF_SoftwareReg_SandBox,
+		lpSandBoxName,
+		CONF_SoftwareReg_SandBox_SYNC,
+		CONF_SoftwareReg_SandBox_SYNC_PROC,
+		dwProcessId
+		);
+
+	if( RegCreateKey(HKEY_USERS,szSubKeyName,&hkSandBox) == ERROR_SUCCESS )
+	{
+		AddProcessIdToProcTable(dwProcessId);
+	}
+	RegCloseKey(hkSandBox);
+
+	return 0;
+}
+
+int SelfCheck(void)
+{
+	//Return Value:
+	//-1 = error
+	//0 = warning
+	//1 = succeed
+
+	return 0;
+}
+
+int GetRestoreFilePath(IN const WCHAR * lpSandBoxName)
+{
+	//
+	//Get RestorePath
+	//
+	WCHAR szRestorePath[MAX_PATH] = {NULL};
+
+	DWORD dwType = REG_SZ;
+	DWORD dwBufLen = MAX_PATH;
+
+	HKEY hkSandBoxCfg = NULL;
+	WCHAR szRegConfigPath[256] = {NULL};
+
+	lstrcpy(szRegConfigPath,L"SOFTWARE\\");
+	lstrcat(szRegConfigPath,CONF_SoftwareRegName);
+	lstrcat(szRegConfigPath,L"\\");
+	lstrcat(szRegConfigPath,CONF_SoftwareReg_Config);
+
+	RegOpenKeyEx(HKEY_LOCAL_MACHINE,szRegConfigPath,NULL,KEY_ALL_ACCESS,&hkSandBoxCfg);
+
+	dwType = REG_EXPAND_SZ;
+	dwBufLen = MAX_PATH;
+
+	RegQueryValueEx(
+					hkSandBoxCfg,
+					CONF_SoftwareReg_Config_RestorePath,
+					NULL,
+					&dwType,
+					(LPBYTE)&szRestorePath,
+					&dwBufLen
+					);
+
+	RegCloseKey(hkSandBoxCfg);
+
+	lstrcatW(szRestorePath,L"\\");
+	lstrcatW(szRestorePath,lpSandBoxName);
+
+	lstrcpyW(g_szRestorePath,szRestorePath);
+
+#ifdef Dbg
+	DebugLog(DbgInfo,L"g_szRestorePath=");
+	OutputDebugString(g_szRestorePath);
+#endif
+
+	//
+	//Get RestoreNtPath
+	//
+	WCHAR szRestoreNtPath[MAX_PATH] = {NULL};
+
+	lstrcpyW(szRestoreNtPath,szRestorePath);
+
+	UNICODE_STRING usNtFileName;
+	RtlDosPathNameToNtPathName_U(szRestoreNtPath,&usNtFileName,NULL,NULL);
+
+	lstrcpyW(g_szRestoreNtPath,usNtFileName.Buffer);
+
+#ifdef Dbg
+	DebugLog(DbgInfo,L"g_szRestoreNtPath=");
+	OutputDebugString(g_szRestoreNtPath);
+#endif
+
+	//
+	//Get RestoreDevicePath
+	//
+	WCHAR szFileDevicePath[MAX_NAME] = {NULL};
+
+	HANDLE hFile = NULL;
+	OBJECT_ATTRIBUTES oaObjAttrib;
+	IO_STATUS_BLOCK IoSB;
+	NTSTATUS nCreateFile;
+
+	InitializeObjectAttributes(
+		&oaObjAttrib,
+		&usNtFileName,
+		OBJ_CASE_INSENSITIVE,
+		NULL,
+		NULL);
+
+	nCreateFile = NtCreateFile(
+				&hFile,
+				FILE_LIST_DIRECTORY | SYNCHRONIZE,
+				&oaObjAttrib,
+				&IoSB,
+				NULL,
+				FILE_ATTRIBUTE_NORMAL,
+				FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+				FILE_OPEN,
+				FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE,
+				NULL,
+				NULL
+				);
+
+	if( nCreateFile == STATUS_SUCCESS )
+	{
+		QueryNameInfoByNtQueryObject(hFile,szFileDevicePath);
+		lstrcpyW(g_szRestoreDevPath,szFileDevicePath);
+	}
+	NtClose(hFile);
+
+#ifdef Dbg
+	DebugLog(DbgInfo,L"g_szRestoreDevPath=");
+	OutputDebugString(g_szRestoreDevPath);
+#endif
+
+	return 0;
+}
+
+int GetRestoreRegPath(IN const WCHAR * lpSandBoxName)
+{
+	//
+	//Get RestoreRegPath
+	//
+	WCHAR szSubKeyName[256] = {NULL};
+	wsprintfW(szSubKeyName,L"%s_%s",CONF_SoftwareReg_SandBox,lpSandBoxName);
+
+	lstrcpyW(g_szRestoreRegPath,szSubKeyName);
+
+	lstrcpyW(g_szRestoreFullRegKrnlPath,L"\\REGISTRY\\USER\\");
+	lstrcatW(g_szRestoreFullRegKrnlPath,szSubKeyName);
+
+	return 0;
+}
+
+int GetCloneAPIPath(void)
+{
+	//Return Value:
+	//-1 = error
+	//0 = succeed
+	int iRet = 0;
+
+	//
+	//Get [CloneAPI] directory
+	//
+	WCHAR szCloneAPIDirectory[MAX_PATH] = {NULL};
+	GetModuleFileName(g_hinstDLL,szCloneAPIDirectory,MAX_PATH);
+	PathRemoveFileSpec(szCloneAPIDirectory);
+	lstrcat(szCloneAPIDirectory,L"\\");
+	lstrcat(szCloneAPIDirectory,CONF_CloneAPI_DirectoryName);
+
+	//kernel32.dll
+	wsprintf(g_szCloneKERNEL32,L"%s\\%s",szCloneAPIDirectory,CONF_CloneAPI_CloneKERNEL32);
+
+#ifdef Dbg
+	WCHAR szDebugString[512] = {0};
+	wsprintf(szDebugString,L"g_szCloneKERNEL32=[%s]",g_szCloneKERNEL32);
+	DebugLog(DbgInfo,szDebugString);
+#endif
+
+	//fltlib.dll
+	wsprintf(g_szCloneFLTLIB,L"%s\\%s",szCloneAPIDirectory,CONF_CloneAPI_CloneFLTLIB);
+
+#ifdef Dbg
+	wsprintf(szDebugString,L"g_szCloneFLTLIB=[%s]",g_szCloneFLTLIB);
+	DebugLog(DbgInfo,szDebugString);
+#endif
+
+	//shell32.dll
+	wsprintf(g_szCloneSHELL32,L"%s\\%s",szCloneAPIDirectory,CONF_CloneAPI_CloneSHELL32);
+
+#ifdef Dbg
+	wsprintf(szDebugString,L"g_szCloneSHELL32=[%s]",g_szCloneSHELL32);
+	DebugLog(DbgInfo,szDebugString);
+#endif
+
+	//advapi32.dll
+	wsprintf(g_szCloneADVAPI32,L"%s\\%s",szCloneAPIDirectory,CONF_CloneAPI_CloneADVAPI32);
+
+#ifdef Dbg
+	wsprintf(szDebugString,L"g_szCloneADVAPI32=[%s]",g_szCloneADVAPI32);
+	DebugLog(DbgInfo,szDebugString);
+#endif
+
+	return iRet;
+}
\ No newline at end of file
diff --git a/HookPorts/Initalization.h b/HookPorts/Initalization.h
new file mode 100644
index 0000000..0771699
--- /dev/null
+++ b/HookPorts/Initalization.h
@@ -0,0 +1,27 @@
+#pragma once
+
+
+
+int GetSandBoxNameFromRegistry( OUT WCHAR * lpSandBoxName );
+
+int QuerySandBoxState(IN const WCHAR * lpSandBoxName);
+
+BOOL IsProcessInSandBox( IN DWORD dwProcessId ,IN WCHAR * lpSandBoxName );
+
+int HookPortInitalization(IN HMODULE hModule, IN const WCHAR * lpSandBoxName);
+
+int ResumeCurrentProcess(void);
+
+int ConvertToGUIThread(void);
+
+LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);
+
+int LogProcessInfoToRegistrySYNC(IN const WCHAR * lpSandBoxName, IN DWORD dwProcessId);
+
+int GetRestoreFilePath(IN const WCHAR * lpSandBoxName);
+
+int GetRestoreRegPath(IN const WCHAR * lpSandBoxName);
+
+int SelfCheck(void);
+
+int GetCloneAPIPath(void);
\ No newline at end of file
diff --git a/HookPorts/InlineHook.cpp b/HookPorts/InlineHook.cpp
new file mode 100644
index 0000000..1b31b0d
--- /dev/null
+++ b/HookPorts/InlineHook.cpp
@@ -0,0 +1,246 @@
+#ifdef WIN32
+#define RING3
+#endif
+
+#ifdef RING3
+#include <windows.h>
+#else
+#include <windef.h>
+#endif
+
+#include "./InlineHook.h"
+#include "./LDasm.h"
+
+#ifdef RING3
+#define __malloc(_s)	VirtualAlloc(NULL, _s, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
+#define __free(_p)		VirtualFree(_p, 0, MEM_RELEASE)
+#define JMP_SIZE		5
+#else
+#define __malloc(_s)	ExAllocatePool(NonPagedPool, _s)
+#define __free(_p)		ExFreePool(_p)
+#define JMP_SIZE		7
+#endif
+
+#ifdef RING3
+
+BOOL
+WriteReadOnlyMemory(
+	LPBYTE	lpDest,
+	LPBYTE	lpSource,
+	ULONG	Length
+	)
+{
+	BOOL bRet;
+	DWORD dwOldProtect;
+	bRet = FALSE;
+
+	if (!VirtualProtect(lpDest, Length, PAGE_EXECUTE_READWRITE, &dwOldProtect))
+	{
+		return bRet;
+	}
+
+	memcpy(lpDest, lpSource, Length);
+
+	bRet = VirtualProtect(lpDest, Length, dwOldProtect, &dwOldProtect);
+
+	return	bRet;
+}
+
+#else
+
+NTSTATUS
+WriteReadOnlyMemory(
+	LPBYTE	lpDest,
+	LPBYTE	lpSource,
+	ULONG	Length
+	)
+{
+	NTSTATUS status;
+	KSPIN_LOCK spinLock;
+	KIRQL oldIrql;
+	PMDL pMdlMemory;
+	LPBYTE lpWritableAddress;
+
+	status = STATUS_UNSUCCESSFUL;
+
+	pMdlMemory = IoAllocateMdl(lpDest, Length, FALSE, FALSE, NULL);
+
+	if (NULL == pMdlMemory)
+		return status;
+
+	MmBuildMdlForNonPagedPool(pMdlMemory);
+    MmProbeAndLockPages(pMdlMemory, KernelMode, IoWriteAccess);
+	lpWritableAddress = MmMapLockedPages(pMdlMemory, KernelMode);
+    if (NULL != lpWritableAddress)
+	{
+		oldIrql	= 0;
+		KeInitializeSpinLock(&spinLock);
+		KeAcquireSpinLock(&spinLock, &oldIrql);
+
+		memcpy(lpWritableAddress, lpSource, Length);
+
+		KeReleaseSpinLock(&spinLock, oldIrql);
+		MmUnmapLockedPages(lpWritableAddress, pMdlMemory);
+
+		status = STATUS_SUCCESS;
+	}
+
+	MmUnlockPages(pMdlMemory);
+    IoFreeMdl(pMdlMemory);
+
+	return status;
+}
+
+#endif
+
+BOOL 
+GetPatchSize(
+	IN	void *Proc,			/* ÐèÒªHookµÄº¯ÊýµØÖ· */
+	IN	DWORD dwNeedSize,	/* Hookº¯ÊýÍ·²¿Õ¼ÓõÄ×Ö½Ú´óС */
+	OUT LPDWORD lpPatchSize	/* ·µ»Ø¸ù¾Ýº¯ÊýÍ··ÖÎöÐèÒªÐÞ²¹µÄ´óС */
+	)
+{
+	DWORD Length;
+	PUCHAR pOpcode;
+	DWORD PatchSize = 0;
+
+	if (!Proc || !lpPatchSize)
+	{
+		return FALSE;
+	}
+
+	do
+	{
+		Length = SizeOfCode(Proc, &pOpcode);
+		if ((Length == 1) && (*pOpcode == 0xC3))
+			break;
+		if ((Length == 3) && (*pOpcode == 0xC2))
+			break;
+		Proc = (PVOID)((DWORD)Proc + Length);
+
+		PatchSize += Length;
+		if (PatchSize >= dwNeedSize)
+		{
+			break;
+		}
+
+	}while(Length);
+
+	*lpPatchSize = PatchSize;
+
+	return TRUE;
+}
+
+BOOL
+InlineHook(
+	IN	void *OrgProc,		/* ÐèÒªHookµÄº¯ÊýµØÖ· */
+	IN	void *NewProc,		/* ´úÌæ±»Hookº¯ÊýµÄµØÖ· */
+	OUT	void **RealProc		/* ·µ»Øԭʼº¯ÊýµÄÈë¿ÚµØÖ· */
+	)
+{
+	DWORD dwPatchSize;    // µÃµ½ÐèÒªpatchµÄ×Ö½Ú´óС
+	//DWORD dwOldProtect;
+	LPVOID lpHookFunc;    // ·ÖÅäµÄHookº¯ÊýµÄÄÚ´æ
+	DWORD dwBytesNeed;    // ·ÖÅäµÄHookº¯ÊýµÄ´óС
+	LPBYTE lpPatchBuffer; // jmp Ö¸ÁîµÄÁÙʱ»º³åÇø
+
+	if (!OrgProc || !NewProc || !RealProc)
+	{
+		return FALSE;
+	}
+	// µÃµ½ÐèÒªpatchµÄ×Ö½Ú´óС
+	if (!GetPatchSize(OrgProc, JMP_SIZE, &dwPatchSize))
+	{
+		return FALSE;
+	}
+
+	/*
+	0x00000800					0x00000800		sizeof(DWORD)	// dwPatchSize
+	JMP	/ FAR 0xAABBCCDD		E9 DDCCBBAA		JMP_SIZE
+	...							...				dwPatchSize		// Backup instruction
+	JMP	/ FAR 0xAABBCCDD		E9 DDCCBBAA		JMP_SIZE
+	*/
+
+	dwBytesNeed = sizeof(DWORD) + JMP_SIZE + dwPatchSize + JMP_SIZE;
+
+	lpHookFunc = __malloc(dwBytesNeed);
+
+	//±¸·ÝdwPatchSizeµ½lpHookFunc
+	*(DWORD *)lpHookFunc = dwPatchSize;
+
+	//Ìø¹ý¿ªÍ·µÄ4¸ö×Ö½Ú
+	lpHookFunc = (LPVOID)((DWORD)lpHookFunc + sizeof(DWORD));
+
+	//¿ªÊ¼backupº¯Êý¿ªÍ·µÄ×Ö
+	memcpy((BYTE *)lpHookFunc + JMP_SIZE, OrgProc, dwPatchSize);
+
+	lpPatchBuffer = (LPBYTE)__malloc(dwPatchSize);
+
+	//NOPÌî³ä
+	memset(lpPatchBuffer, 0x90, dwPatchSize);
+
+#ifdef RING3
+	//jmpµ½Hook
+	*(BYTE *)lpHookFunc = 0xE9;
+	*(DWORD*)((DWORD)lpHookFunc + 1) = (DWORD)NewProc - (DWORD)lpHookFunc - JMP_SIZE;
+
+	//Ìø»Øԭʼ
+	*(BYTE *)((DWORD)lpHookFunc + 5 + dwPatchSize) = 0xE9;
+	*(DWORD*)((DWORD)lpHookFunc + 5 + dwPatchSize + 1) = ((DWORD)OrgProc + dwPatchSize) - ((DWORD)lpHookFunc + JMP_SIZE + dwPatchSize) - JMP_SIZE;
+
+
+	//jmp 
+	*(BYTE *)lpPatchBuffer = 0xE9;
+	//×¢Òâ¼ÆË㳤¶ÈµÄʱºòµÃÓÃOrgProc
+	*(DWORD*)(lpPatchBuffer + 1) = (DWORD)lpHookFunc - (DWORD)OrgProc - JMP_SIZE;
+
+#else
+
+	//jmpµ½Hook
+	*(BYTE *)lpHookFunc = 0xEA;
+	*(DWORD*)((DWORD)lpHookFunc + 1) = (DWORD)NewProc;
+	*(WORD*)((DWORD)lpHookFunc + 5) = 0x08;
+
+	//Ìø»Øԭʼ
+	*(BYTE *)((DWORD)lpHookFunc + JMP_SIZE + dwPatchSize) = 0xEA;
+	*(DWORD*)((DWORD)lpHookFunc + JMP_SIZE + dwPatchSize + 1) = ((DWORD)OrgProc + dwPatchSize);
+	*(WORD*)((DWORD)lpHookFunc + JMP_SIZE + dwPatchSize + 5) = 0x08;
+
+	//jmp far
+	*(BYTE *)lpPatchBuffer = 0xEA;
+	
+	//Ìøµ½lpHookFuncº¯Êý
+	*(DWORD*)(lpPatchBuffer + 1) = (DWORD)lpHookFunc;
+	*(WORD*)(lpPatchBuffer + 5) = 0x08;
+#endif
+
+	WriteReadOnlyMemory((LPBYTE)OrgProc, lpPatchBuffer, dwPatchSize);
+
+	__free(lpPatchBuffer);
+
+	*RealProc = (void *)((DWORD)lpHookFunc + JMP_SIZE);
+
+	return TRUE;
+}
+
+void UnInlineHook(
+	void *OrgProc,  /* ÐèÒª»Ö¸´HookµÄº¯ÊýµØÖ· */
+	void *RealProc  /* ԭʼº¯ÊýµÄÈë¿ÚµØÖ· */
+	)
+{
+	DWORD dwPatchSize;
+	//DWORD dwOldProtect;
+	LPBYTE lpBuffer;
+
+	//ÕÒµ½·ÖÅäµÄ¿Õ¼ä
+	lpBuffer = (LPBYTE)((DWORD)RealProc - (sizeof(DWORD) + JMP_SIZE));
+	//µÃµ½dwPatchSize
+	dwPatchSize = *(DWORD *)lpBuffer;
+
+	WriteReadOnlyMemory((LPBYTE)OrgProc, (LPBYTE)RealProc, dwPatchSize);
+
+	//ÊÍ·Å·ÖÅäµÄÌøתº¯ÊýµÄ¿Õ¼ä
+	__free(lpBuffer);
+
+	return;
+}
\ No newline at end of file
diff --git a/HookPorts/InlineHook.h b/HookPorts/InlineHook.h
new file mode 100644
index 0000000..c8bdd04
--- /dev/null
+++ b/HookPorts/InlineHook.h
@@ -0,0 +1,58 @@
+#pragma once
+
+
+
+//
+//NOTICE
+//
+//Example
+//typedef int (WINAPI * __pfnMessageBoxA)
+//(
+//    IN HWND hWnd,
+//    IN LPCSTR lpText,
+//    IN LPCSTR lpCaption,
+//    IN UINT uType);
+//int
+//WINAPI
+//OnMessageBoxA(
+//    IN HWND hWnd,
+//    IN LPCSTR lpText,
+//    IN LPCSTR lpCaption,
+//    IN UINT uType);
+//__pfnMessageBoxA pfnMessageBoxA = NULL;
+//
+//HINSTANCE hUSER32 = NULL;
+//hUSER32 = LoadLibrary(L"user32.dll");
+//InlineHook((__pfnMessageBoxA)GetProcAddress(hUSER32,"MessageBoxA"), OnMessageBoxA, (void **)&pfnMessageBoxA);
+//UnInlineHook((__pfnMessageBoxA)GetProcAddress(hUSER32,"MessageBoxA"), pfnMessageBoxA);
+
+
+
+//
+//Define
+//
+BOOL
+WriteReadOnlyMemory(
+	LPBYTE	lpDest,
+	LPBYTE	lpSource,
+	ULONG	Length
+	);
+
+BOOL 
+GetPatchSize(
+	IN	void *Proc,
+	IN	DWORD dwNeedSize,
+	OUT LPDWORD lpPatchSize
+	);
+
+BOOL
+InlineHook(
+	IN	void *OrgProc,		/* ÐèÒªHookµÄº¯ÊýµØÖ· */
+	IN	void *NewProc,		/* ´úÌæ±»Hookº¯ÊýµÄµØÖ· */
+	OUT	void **RealProc		/* ·µ»Øԭʼº¯ÊýµÄÈë¿ÚµØÖ· */
+	);
+
+void UnInlineHook(
+	void *OrgProc,  /* ÐèÒª»Ö¸´HookµÄº¯ÊýµØÖ· */
+	void *RealProc  /* ԭʼº¯ÊýµÄÈë¿ÚµØÖ· */
+	);
\ No newline at end of file
diff --git a/HookPorts/LDasm.h b/HookPorts/LDasm.h
new file mode 100644
index 0000000..2bfe86e
--- /dev/null
+++ b/HookPorts/LDasm.h
@@ -0,0 +1,676 @@
+/*
+  ___________________________________________________
+  Opcode Length Disassembler.
+  Coded By Ms-Rem ( Ms-Rem@yandex.ru ) ICQ 286370715
+  ---------------------------------------------------
+  12.08.2005 - fixed many bugs...
+  09.08.2005 - fixed bug with 0F BA opcode.
+  07.08.2005 - added SSE, SSE2, SSE3 and 3Dnow instruction support.
+  06.08.2005 - fixed bug with F6 and F7 opcodes.
+  29.07.2005 - fixed bug with OP_WORD opcodes.
+*/
+
+#ifndef _LDASM_
+#define _LDASM_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+unsigned long __fastcall SizeOfCode(void *Code, unsigned char **pOpcode);
+
+unsigned long __fastcall SizeOfProc(void *Proc);
+
+char __fastcall IsRelativeCmd(unsigned char *pOpcode);
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#define OP_NONE           0x00
+#define OP_MODRM          0x01
+#define OP_DATA_I8        0x02
+#define OP_DATA_I16       0x04
+#define OP_DATA_I32       0x08
+#define OP_DATA_PRE66_67  0x10
+#define OP_WORD           0x20
+#define OP_REL32          0x40
+
+#define UCHAR unsigned char
+#define ULONG unsigned long
+#define PVOID void*
+#define PUCHAR unsigned char*
+#define BOOLEAN char
+#define FALSE 0
+#define TRUE  1
+ 
+UCHAR OpcodeFlags[256] = 
+{
+	OP_MODRM,                      // 00
+    OP_MODRM,                      // 01
+    OP_MODRM,                      // 02
+    OP_MODRM,                      // 03
+    OP_DATA_I8,                    // 04
+    OP_DATA_PRE66_67,              // 05
+    OP_NONE,                       // 06
+    OP_NONE,                       // 07
+    OP_MODRM,                      // 08
+    OP_MODRM,                      // 09
+    OP_MODRM,                      // 0A
+    OP_MODRM,                      // 0B
+    OP_DATA_I8,                    // 0C
+    OP_DATA_PRE66_67,              // 0D
+    OP_NONE,                       // 0E
+    OP_NONE,                       // 0F
+    OP_MODRM,                      // 10
+    OP_MODRM,                      // 11
+    OP_MODRM,                      // 12
+    OP_MODRM,                      // 13
+    OP_DATA_I8,                    // 14
+    OP_DATA_PRE66_67,              // 15
+    OP_NONE,                       // 16
+    OP_NONE,                       // 17
+    OP_MODRM,                      // 18
+    OP_MODRM,                      // 19
+    OP_MODRM,                      // 1A
+    OP_MODRM,                      // 1B
+    OP_DATA_I8,                    // 1C
+    OP_DATA_PRE66_67,              // 1D
+    OP_NONE,                       // 1E
+    OP_NONE,                       // 1F
+    OP_MODRM,                      // 20
+    OP_MODRM,                      // 21
+    OP_MODRM,                      // 22
+    OP_MODRM,                      // 23
+    OP_DATA_I8,                    // 24
+    OP_DATA_PRE66_67,              // 25
+    OP_NONE,                       // 26
+    OP_NONE,                       // 27
+    OP_MODRM,                      // 28
+    OP_MODRM,                      // 29
+    OP_MODRM,                      // 2A
+    OP_MODRM,                      // 2B
+    OP_DATA_I8,                    // 2C
+    OP_DATA_PRE66_67,              // 2D
+    OP_NONE,                       // 2E
+    OP_NONE,                       // 2F
+    OP_MODRM,                      // 30
+    OP_MODRM,                      // 31
+    OP_MODRM,                      // 32
+    OP_MODRM,                      // 33
+    OP_DATA_I8,                    // 34
+    OP_DATA_PRE66_67,              // 35
+    OP_NONE,                       // 36
+    OP_NONE,                       // 37
+    OP_MODRM,                      // 38
+    OP_MODRM,                      // 39
+    OP_MODRM,                      // 3A
+    OP_MODRM,                      // 3B
+    OP_DATA_I8,                    // 3C
+    OP_DATA_PRE66_67,              // 3D
+    OP_NONE,                       // 3E
+    OP_NONE,                       // 3F
+    OP_NONE,                       // 40
+    OP_NONE,                       // 41
+    OP_NONE,                       // 42
+    OP_NONE,                       // 43
+    OP_NONE,                       // 44
+    OP_NONE,                       // 45
+    OP_NONE,                       // 46
+    OP_NONE,                       // 47
+    OP_NONE,                       // 48
+    OP_NONE,                       // 49
+    OP_NONE,                       // 4A
+    OP_NONE,                       // 4B
+    OP_NONE,                       // 4C
+    OP_NONE,                       // 4D
+    OP_NONE,                       // 4E
+    OP_NONE,                       // 4F
+    OP_NONE,                       // 50
+    OP_NONE,                       // 51
+    OP_NONE,                       // 52
+    OP_NONE,                       // 53
+    OP_NONE,                       // 54
+    OP_NONE,                       // 55
+    OP_NONE,                       // 56
+    OP_NONE,                       // 57
+    OP_NONE,                       // 58
+    OP_NONE,                       // 59
+    OP_NONE,                       // 5A
+    OP_NONE,                       // 5B
+    OP_NONE,                       // 5C
+    OP_NONE,                       // 5D
+    OP_NONE,                       // 5E
+    OP_NONE,                       // 5F
+    OP_NONE,                       // 60
+    OP_NONE,                       // 61
+    OP_MODRM,                      // 62
+    OP_MODRM,                      // 63
+    OP_NONE,                       // 64
+    OP_NONE,                       // 65
+    OP_NONE,                       // 66
+    OP_NONE,                       // 67
+    OP_DATA_PRE66_67,              // 68
+    OP_MODRM | OP_DATA_PRE66_67,   // 69
+    OP_DATA_I8,                    // 6A
+    OP_MODRM | OP_DATA_I8,         // 6B
+    OP_NONE,                       // 6C
+    OP_NONE,                       // 6D
+    OP_NONE,                       // 6E
+    OP_NONE,                       // 6F
+    OP_DATA_I8,                    // 70
+    OP_DATA_I8,                    // 71
+    OP_DATA_I8,                    // 72
+    OP_DATA_I8,                    // 73
+    OP_DATA_I8,                    // 74
+    OP_DATA_I8,                    // 75
+    OP_DATA_I8,                    // 76
+    OP_DATA_I8,                    // 77
+    OP_DATA_I8,                    // 78
+    OP_DATA_I8,                    // 79
+    OP_DATA_I8,                    // 7A
+    OP_DATA_I8,                    // 7B
+    OP_DATA_I8,                    // 7C
+    OP_DATA_I8,                    // 7D
+    OP_DATA_I8,                    // 7E
+    OP_DATA_I8,                    // 7F
+    OP_MODRM | OP_DATA_I8,         // 80
+    OP_MODRM | OP_DATA_PRE66_67,   // 81
+    OP_MODRM | OP_DATA_I8,         // 82
+    OP_MODRM | OP_DATA_I8,         // 83
+    OP_MODRM,                      // 84
+    OP_MODRM,                      // 85
+    OP_MODRM,                      // 86
+    OP_MODRM,                      // 87
+    OP_MODRM,                      // 88
+    OP_MODRM,                      // 89
+    OP_MODRM,                      // 8A
+    OP_MODRM,                      // 8B
+    OP_MODRM,                      // 8C
+    OP_MODRM,                      // 8D
+    OP_MODRM,                      // 8E
+    OP_MODRM,                      // 8F
+    OP_NONE,                       // 90
+    OP_NONE,                       // 91
+    OP_NONE,                       // 92
+    OP_NONE,                       // 93
+    OP_NONE,                       // 94
+    OP_NONE,                       // 95
+    OP_NONE,                       // 96
+    OP_NONE,                       // 97
+    OP_NONE,                       // 98
+    OP_NONE,                       // 99
+    OP_DATA_I16 | OP_DATA_PRE66_67,// 9A
+    OP_NONE,                       // 9B
+    OP_NONE,                       // 9C
+    OP_NONE,                       // 9D
+    OP_NONE,                       // 9E
+    OP_NONE,                       // 9F
+    OP_DATA_PRE66_67,              // A0
+    OP_DATA_PRE66_67,              // A1
+    OP_DATA_PRE66_67,              // A2
+    OP_DATA_PRE66_67,              // A3
+    OP_NONE,                       // A4
+    OP_NONE,                       // A5
+    OP_NONE,                       // A6
+    OP_NONE,                       // A7
+    OP_DATA_I8,                    // A8
+    OP_DATA_PRE66_67,              // A9
+    OP_NONE,                       // AA
+    OP_NONE,                       // AB
+    OP_NONE,                       // AC
+    OP_NONE,                       // AD
+    OP_NONE,                       // AE
+    OP_NONE,                       // AF
+    OP_DATA_I8,                    // B0
+    OP_DATA_I8,                    // B1
+    OP_DATA_I8,                    // B2
+    OP_DATA_I8,                    // B3
+    OP_DATA_I8,                    // B4
+    OP_DATA_I8,                    // B5
+    OP_DATA_I8,                    // B6
+    OP_DATA_I8,                    // B7
+    OP_DATA_PRE66_67,              // B8
+    OP_DATA_PRE66_67,              // B9
+    OP_DATA_PRE66_67,              // BA
+    OP_DATA_PRE66_67,              // BB
+    OP_DATA_PRE66_67,              // BC
+    OP_DATA_PRE66_67,              // BD
+    OP_DATA_PRE66_67,              // BE
+    OP_DATA_PRE66_67,              // BF
+    OP_MODRM | OP_DATA_I8,         // C0
+    OP_MODRM | OP_DATA_I8,         // C1
+    OP_DATA_I16,                   // C2
+    OP_NONE,                       // C3
+    OP_MODRM,                      // C4
+    OP_MODRM,                      // C5
+    OP_MODRM   | OP_DATA_I8,       // C6
+    OP_MODRM   | OP_DATA_PRE66_67, // C7
+    OP_DATA_I8 | OP_DATA_I16,      // C8
+    OP_NONE,                       // C9
+    OP_DATA_I16,                   // CA
+    OP_NONE,                       // CB
+    OP_NONE,                       // CC
+    OP_DATA_I8,                    // CD
+    OP_NONE,                       // CE
+    OP_NONE,                       // CF
+    OP_MODRM,                      // D0
+    OP_MODRM,                      // D1
+    OP_MODRM,                      // D2
+    OP_MODRM,                      // D3
+    OP_DATA_I8,                    // D4
+    OP_DATA_I8,                    // D5
+    OP_NONE,                       // D6
+    OP_NONE,                       // D7
+    OP_WORD,                       // D8
+    OP_WORD,                       // D9
+    OP_WORD,                       // DA
+    OP_WORD,                       // DB
+    OP_WORD,                       // DC
+    OP_WORD,                       // DD
+    OP_WORD,                       // DE
+    OP_WORD,                       // DF
+    OP_DATA_I8,                    // E0
+    OP_DATA_I8,                    // E1
+    OP_DATA_I8,                    // E2
+    OP_DATA_I8,                    // E3
+    OP_DATA_I8,                    // E4
+    OP_DATA_I8,                    // E5
+    OP_DATA_I8,                    // E6
+    OP_DATA_I8,                    // E7
+    OP_DATA_PRE66_67 | OP_REL32,   // E8
+    OP_DATA_PRE66_67 | OP_REL32,   // E9
+    OP_DATA_I16 | OP_DATA_PRE66_67,// EA
+    OP_DATA_I8,                    // EB
+    OP_NONE,                       // EC
+    OP_NONE,                       // ED
+    OP_NONE,                       // EE
+    OP_NONE,                       // EF
+    OP_NONE,                       // F0
+    OP_NONE,                       // F1
+    OP_NONE,                       // F2
+    OP_NONE,                       // F3
+    OP_NONE,                       // F4
+    OP_NONE,                       // F5
+    OP_MODRM,                      // F6
+    OP_MODRM,                      // F7
+    OP_NONE,                       // F8
+    OP_NONE,                       // F9
+    OP_NONE,                       // FA
+    OP_NONE,                       // FB
+    OP_NONE,                       // FC
+    OP_NONE,                       // FD
+    OP_MODRM,                      // FE
+    OP_MODRM | OP_REL32            // FF
+};
+
+
+UCHAR OpcodeFlagsExt[256] =
+{
+    OP_MODRM,                      // 00
+    OP_MODRM,                      // 01
+    OP_MODRM,                      // 02
+    OP_MODRM,                      // 03
+    OP_NONE,                       // 04
+    OP_NONE,                       // 05
+    OP_NONE,                       // 06
+    OP_NONE,                       // 07
+    OP_NONE,                       // 08
+    OP_NONE,                       // 09
+    OP_NONE,                       // 0A
+    OP_NONE,                       // 0B
+    OP_NONE,                       // 0C
+    OP_MODRM,                      // 0D
+    OP_NONE,                       // 0E
+    OP_MODRM | OP_DATA_I8,         // 0F
+    OP_MODRM,                      // 10
+    OP_MODRM,                      // 11
+    OP_MODRM,                      // 12
+    OP_MODRM,                      // 13
+    OP_MODRM,                      // 14
+    OP_MODRM,                      // 15
+    OP_MODRM,                      // 16
+    OP_MODRM,                      // 17
+    OP_MODRM,                      // 18
+    OP_NONE,                       // 19
+    OP_NONE,                       // 1A
+    OP_NONE,                       // 1B
+    OP_NONE,                       // 1C
+    OP_NONE,                       // 1D
+    OP_NONE,                       // 1E
+    OP_NONE,                       // 1F
+    OP_MODRM,                      // 20
+    OP_MODRM,                      // 21
+    OP_MODRM,                      // 22
+    OP_MODRM,                      // 23
+    OP_MODRM,                      // 24
+    OP_NONE,                       // 25
+    OP_MODRM,                      // 26
+    OP_NONE,                       // 27
+    OP_MODRM,                      // 28
+    OP_MODRM,                      // 29
+    OP_MODRM,                      // 2A
+    OP_MODRM,                      // 2B
+    OP_MODRM,                      // 2C
+    OP_MODRM,                      // 2D
+    OP_MODRM,                      // 2E
+    OP_MODRM,                      // 2F
+    OP_NONE,                       // 30
+    OP_NONE,                       // 31
+    OP_NONE,                       // 32
+    OP_NONE,                       // 33
+    OP_NONE,                       // 34
+    OP_NONE,                       // 35
+    OP_NONE,                       // 36
+    OP_NONE,                       // 37
+    OP_NONE,                       // 38
+    OP_NONE,                       // 39
+    OP_NONE,                       // 3A
+    OP_NONE,                       // 3B
+    OP_NONE,                       // 3C
+    OP_NONE,                       // 3D
+    OP_NONE,                       // 3E
+    OP_NONE,                       // 3F
+    OP_MODRM,                      // 40
+    OP_MODRM,                      // 41
+    OP_MODRM,                      // 42
+    OP_MODRM,                      // 43
+    OP_MODRM,                      // 44
+    OP_MODRM,                      // 45
+    OP_MODRM,                      // 46
+    OP_MODRM,                      // 47
+    OP_MODRM,                      // 48
+    OP_MODRM,                      // 49
+    OP_MODRM,                      // 4A
+    OP_MODRM,                      // 4B
+    OP_MODRM,                      // 4C
+    OP_MODRM,                      // 4D
+    OP_MODRM,                      // 4E
+    OP_MODRM,                      // 4F
+    OP_MODRM,                      // 50
+    OP_MODRM,                      // 51
+    OP_MODRM,                      // 52
+    OP_MODRM,                      // 53
+    OP_MODRM,                      // 54
+    OP_MODRM,                      // 55
+    OP_MODRM,                      // 56
+    OP_MODRM,                      // 57
+    OP_MODRM,                      // 58
+    OP_MODRM,                      // 59
+    OP_MODRM,                      // 5A
+    OP_MODRM,                      // 5B
+    OP_MODRM,                      // 5C
+    OP_MODRM,                      // 5D
+    OP_MODRM,                      // 5E
+    OP_MODRM,                      // 5F
+    OP_MODRM,                      // 60
+    OP_MODRM,                      // 61
+    OP_MODRM,                      // 62
+    OP_MODRM,                      // 63
+    OP_MODRM,                      // 64
+    OP_MODRM,                      // 65
+    OP_MODRM,                      // 66
+    OP_MODRM,                      // 67
+    OP_MODRM,                      // 68
+    OP_MODRM,                      // 69
+    OP_MODRM,                      // 6A
+    OP_MODRM,                      // 6B
+    OP_MODRM,                      // 6C
+    OP_MODRM,                      // 6D
+    OP_MODRM,                      // 6E
+    OP_MODRM,                      // 6F
+    OP_MODRM | OP_DATA_I8,         // 70
+    OP_MODRM | OP_DATA_I8,         // 71
+    OP_MODRM | OP_DATA_I8,         // 72
+    OP_MODRM | OP_DATA_I8,         // 73
+    OP_MODRM,                      // 74
+    OP_MODRM,                      // 75
+    OP_MODRM,                      // 76
+    OP_NONE,                       // 77
+    OP_NONE,                       // 78
+    OP_NONE,                       // 79
+    OP_NONE,                       // 7A
+    OP_NONE,                       // 7B
+    OP_MODRM,                      // 7C
+    OP_MODRM,                      // 7D
+    OP_MODRM,                      // 7E
+    OP_MODRM,                      // 7F
+    OP_DATA_PRE66_67 | OP_REL32,   // 80
+    OP_DATA_PRE66_67 | OP_REL32,   // 81
+    OP_DATA_PRE66_67 | OP_REL32,   // 82
+    OP_DATA_PRE66_67 | OP_REL32,   // 83
+    OP_DATA_PRE66_67 | OP_REL32,   // 84
+    OP_DATA_PRE66_67 | OP_REL32,   // 85
+    OP_DATA_PRE66_67 | OP_REL32,   // 86
+    OP_DATA_PRE66_67 | OP_REL32,   // 87
+    OP_DATA_PRE66_67 | OP_REL32,   // 88
+    OP_DATA_PRE66_67 | OP_REL32,   // 89
+    OP_DATA_PRE66_67 | OP_REL32,   // 8A
+    OP_DATA_PRE66_67 | OP_REL32,   // 8B
+    OP_DATA_PRE66_67 | OP_REL32,   // 8C
+    OP_DATA_PRE66_67 | OP_REL32,   // 8D
+    OP_DATA_PRE66_67 | OP_REL32,   // 8E
+    OP_DATA_PRE66_67 | OP_REL32,   // 8F
+    OP_MODRM,                      // 90
+    OP_MODRM,                      // 91
+    OP_MODRM,                      // 92
+    OP_MODRM,                      // 93
+    OP_MODRM,                      // 94
+    OP_MODRM,                      // 95
+    OP_MODRM,                      // 96
+    OP_MODRM,                      // 97
+    OP_MODRM,                      // 98
+    OP_MODRM,                      // 99
+    OP_MODRM,                      // 9A
+    OP_MODRM,                      // 9B
+    OP_MODRM,                      // 9C
+    OP_MODRM,                      // 9D
+    OP_MODRM,                      // 9E
+    OP_MODRM,                      // 9F
+    OP_NONE,                       // A0
+    OP_NONE,                       // A1
+    OP_NONE,                       // A2
+    OP_MODRM,                      // A3
+    OP_MODRM | OP_DATA_I8,         // A4
+    OP_MODRM,                      // A5
+    OP_NONE,                       // A6
+    OP_NONE,                       // A7
+    OP_NONE,                       // A8
+    OP_NONE,                       // A9
+    OP_NONE,                       // AA
+    OP_MODRM,                      // AB
+    OP_MODRM | OP_DATA_I8,         // AC
+    OP_MODRM,                      // AD
+    OP_MODRM,                      // AE
+    OP_MODRM,                      // AF
+    OP_MODRM,                      // B0
+    OP_MODRM,                      // B1
+    OP_MODRM,                      // B2
+    OP_MODRM,                      // B3
+    OP_MODRM,                      // B4
+    OP_MODRM,                      // B5
+    OP_MODRM,                      // B6
+    OP_MODRM,                      // B7
+    OP_NONE,                       // B8
+    OP_NONE,                       // B9
+    OP_MODRM | OP_DATA_I8,         // BA
+    OP_MODRM,                      // BB
+    OP_MODRM,                      // BC
+    OP_MODRM,                      // BD
+    OP_MODRM,                      // BE
+    OP_MODRM,                      // BF
+    OP_MODRM,                      // C0
+    OP_MODRM,                      // C1
+    OP_MODRM | OP_DATA_I8,         // C2
+    OP_MODRM,                      // C3
+    OP_MODRM | OP_DATA_I8,         // C4
+    OP_MODRM | OP_DATA_I8,         // C5
+    OP_MODRM | OP_DATA_I8,         // C6 
+    OP_MODRM,                      // C7
+    OP_NONE,                       // C8
+    OP_NONE,                       // C9
+    OP_NONE,                       // CA
+    OP_NONE,                       // CB
+    OP_NONE,                       // CC
+    OP_NONE,                       // CD
+    OP_NONE,                       // CE
+    OP_NONE,                       // CF
+    OP_MODRM,                      // D0
+    OP_MODRM,                      // D1
+    OP_MODRM,                      // D2
+    OP_MODRM,                      // D3
+    OP_MODRM,                      // D4
+    OP_MODRM,                      // D5
+    OP_MODRM,                      // D6
+    OP_MODRM,                      // D7
+    OP_MODRM,                      // D8
+    OP_MODRM,                      // D9
+    OP_MODRM,                      // DA
+    OP_MODRM,                      // DB
+    OP_MODRM,                      // DC
+    OP_MODRM,                      // DD
+    OP_MODRM,                      // DE
+    OP_MODRM,                      // DF
+    OP_MODRM,                      // E0
+    OP_MODRM,                      // E1
+    OP_MODRM,                      // E2
+    OP_MODRM,                      // E3
+    OP_MODRM,                      // E4
+    OP_MODRM,                      // E5
+    OP_MODRM,                      // E6
+    OP_MODRM,                      // E7
+    OP_MODRM,                      // E8
+    OP_MODRM,                      // E9
+    OP_MODRM,                      // EA
+    OP_MODRM,                      // EB
+    OP_MODRM,                      // EC
+    OP_MODRM,                      // ED
+    OP_MODRM,                      // EE
+    OP_MODRM,                      // EF
+    OP_MODRM,                      // F0
+    OP_MODRM,                      // F1
+    OP_MODRM,                      // F2
+    OP_MODRM,                      // F3
+    OP_MODRM,                      // F4
+    OP_MODRM,                      // F5
+    OP_MODRM,                      // F6
+    OP_MODRM,                      // F7 
+    OP_MODRM,                      // F8
+    OP_MODRM,                      // F9
+    OP_MODRM,                      // FA
+    OP_MODRM,                      // FB
+    OP_MODRM,                      // FC
+    OP_MODRM,                      // FD
+    OP_MODRM,                      // FE
+    OP_NONE                        // FF
+};
+
+
+unsigned long __fastcall SizeOfCode(void *Code, unsigned char **pOpcode)
+{
+	PUCHAR cPtr;
+	UCHAR Flags;
+	BOOLEAN PFX66, PFX67;
+	BOOLEAN SibPresent;
+	UCHAR iMod, iRM, iReg;
+	UCHAR OffsetSize, Add;
+	UCHAR Opcode;
+
+	OffsetSize = 0;
+	PFX66 = FALSE;
+	PFX67 = FALSE;
+	cPtr = (PUCHAR)Code;
+
+	while ( (*cPtr == 0x2E) || (*cPtr == 0x3E) || (*cPtr == 0x36) ||
+		    (*cPtr == 0x26) || (*cPtr == 0x64) || (*cPtr == 0x65) || 
+			(*cPtr == 0xF0) || (*cPtr == 0xF2) || (*cPtr == 0xF3) ||
+			(*cPtr == 0x66) || (*cPtr == 0x67) ) 
+	{
+		if (*cPtr == 0x66) PFX66 = TRUE;
+		if (*cPtr == 0x67) PFX67 = TRUE;
+		cPtr++;
+		if (cPtr > (PUCHAR)Code + 16) return 0; 
+	}
+	Opcode = *cPtr;
+	if (pOpcode) *pOpcode = cPtr; 
+
+	if (*cPtr == 0x0F)
+	{
+		cPtr++;
+		Flags = OpcodeFlagsExt[*cPtr];
+	} else 
+	{
+		Flags = OpcodeFlags[Opcode];
+
+		if (Opcode >= 0xA0 && Opcode <= 0xA3) PFX66 = PFX67;
+	}
+	cPtr++;
+	if (Flags & OP_WORD) cPtr++;	
+
+	if (Flags & OP_MODRM)
+	{
+		iMod = *cPtr >> 6;
+		iReg = (*cPtr & 0x38) >> 3;  
+		iRM  = *cPtr &  7;
+		cPtr++;
+
+		if ((Opcode == 0xF6) && !iReg) Flags |= OP_DATA_I8;    
+		if ((Opcode == 0xF7) && !iReg) Flags |= OP_DATA_PRE66_67; 
+
+
+		SibPresent = !PFX67 & (iRM == 4);
+		switch (iMod)
+		{
+			case 0: 
+			  if ( PFX67 && (iRM == 6)) OffsetSize = 2;
+			  if (!PFX67 && (iRM == 5)) OffsetSize = 4; 
+			 break;
+			case 1: OffsetSize = 1;
+			 break; 
+			case 2: if (PFX67) OffsetSize = 2; else OffsetSize = 4;
+			 break;
+			case 3: SibPresent = FALSE;
+		}
+		if (SibPresent)
+		{
+			if (((*cPtr & 7) == 5) && ( (!iMod) || (iMod == 2) )) OffsetSize = 4;
+			cPtr++;
+		}
+		cPtr = (PUCHAR)(ULONG)cPtr + OffsetSize;
+	}
+
+	if (Flags & OP_DATA_I8)  cPtr++;
+	if (Flags & OP_DATA_I16) cPtr += 2;
+	if (Flags & OP_DATA_I32) cPtr += 4;
+	if (PFX66) Add = 2; else Add = 4;
+	if (Flags & OP_DATA_PRE66_67) cPtr += Add;
+	return (ULONG)cPtr - (ULONG)Code;
+}
+
+unsigned long __fastcall SizeOfProc(void *Proc)
+{
+	ULONG  Length;
+	PUCHAR pOpcode;
+	ULONG  Result = 0;
+
+	do
+	{
+		Length = SizeOfCode(Proc, &pOpcode);
+		Result += Length;
+		if ((Length == 1) && (*pOpcode == 0xC3)) break;
+		if ((Length == 3) && (*pOpcode == 0xC2)) break;
+		Proc = (PVOID)((ULONG)Proc + Length);
+	} while (Length);
+	return Result;
+}
+
+char __fastcall IsRelativeCmd(unsigned char *pOpcode)
+{
+	UCHAR Flags;
+	if (*pOpcode == 0x0F) Flags = OpcodeFlagsExt[*(PUCHAR)((ULONG)pOpcode + 1)]; 
+	    else Flags = OpcodeFlags[*pOpcode];
+	return (Flags & OP_REL32);
+}
+
+#endif
\ No newline at end of file
diff --git a/HookPorts/Main.cpp b/HookPorts/Main.cpp
new file mode 100644
index 0000000..0614629
--- /dev/null
+++ b/HookPorts/Main.cpp
@@ -0,0 +1,257 @@
+#include <windows.h>
+#include <time.h>
+#include <string.h>
+#include <stdlib.h>
+#include <tlhelp32.h>
+
+
+#include "./Main.h"
+#include "../Config/Config.h"
+#include "../Common/DllModule.h"
+#include "../Common/DebugLog.h"
+#include "./Initalization.h"
+#include "./BeginDispatch.h"
+#include "./RemoteInjection.h"
+
+
+
+//
+//Define
+//
+//class CHookPortControlInit : public CHookPortControlInterface
+//{
+//public:
+//
+//	virtual BOOL InitHookPort(LPCWSTR lpSandBoxName);
+//};
+
+
+
+//
+//Global
+//
+HINSTANCE g_hinstDLL = NULL;
+
+//CHookPortControlInit g_hDllModule;
+
+WCHAR g_szSandBoxName[CONF_SandBoxNameLength+1] = {NULL};//Unicode
+char g_strSandBoxName[CONF_SandBoxNameLength+1] = {NULL};//ANSI
+
+WCHAR g_szRestorePath[MAX_PATH] = {NULL};
+WCHAR g_szRestoreNtPath[MAX_PATH] = {NULL};
+WCHAR g_szRestoreDevPath[MAX_PATH] = {NULL};
+
+WCHAR g_szRestoreRegPath[MAX_PATH] = {NULL};
+WCHAR g_szRestoreFullRegKrnlPath[MAX_PATH] = {NULL};
+
+//kernel32
+HINSTANCE g_hCloneKERNEL32 = NULL;
+WCHAR g_szCloneKERNEL32[MAX_PATH] = {NULL};
+
+//fltlib
+HINSTANCE g_hCloneFLTLIB = NULL;
+WCHAR g_szCloneFLTLIB[MAX_PATH] = {NULL};
+
+//shell32
+HINSTANCE g_hCloneSHELL32 = NULL;
+WCHAR g_szCloneSHELL32[MAX_PATH] = {NULL};
+
+//advapi32
+HINSTANCE g_hCloneADVAPI32 = NULL;
+WCHAR g_szCloneADVAPI32[MAX_PATH] = {NULL};
+
+
+
+//
+//DllMain
+//
+BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved )
+{
+	g_hinstDLL = hinstDLL;
+
+	//
+	//Sets a random starting point
+	//
+	srand( (int) time(0) );
+
+    switch( fdwReason )
+    {
+		case DLL_PROCESS_ATTACH:
+			{
+				//
+				//Initialize once for each new process
+				//Return FALSE to fail DLL load
+				//
+
+				if( HookPort_Start_DllMain() == FALSE )
+				{
+					ExitProcess(0);
+				}
+			}break;
+		case DLL_THREAD_ATTACH:
+			{
+				//
+				//Do thread-specific initialization
+				//
+			}break;
+		case DLL_THREAD_DETACH:
+			{
+				//
+				//Do thread-specific cleanup
+				//
+			}break;
+		case DLL_PROCESS_DETACH:
+			{
+				//
+				//Perform any necessary cleanup
+				//
+			}break;
+    }
+
+	//
+	//Successful DLL_PROCESS_ATTACH
+	//
+	return TRUE;
+}
+
+
+
+//
+//Dll Export [GetHookPortControlInit]
+//
+//extern "C" __declspec(dllexport) BOOL GetHookPortControlInit(CHookPortControlInterface** lpParameter)   
+//{
+//	*lpParameter = (CHookPortControlInterface*)&g_hDllModule;
+//
+//	return TRUE;
+//}
+//
+//BOOL CHookPortControlInit::InitHookPort(LPCWSTR lpSandBoxName)
+//{
+//	//
+//	//Initalization
+//	//
+//	int iInitState = -1;
+//	iInitState = HookPortInitalization(g_hinstDLL,lpSandBoxName);
+//
+//	if( iInitState == -1 ||
+//		iInitState == 0
+//		)
+//	{
+//#ifdef Dbg
+//		DebugLog(DbgInfo,L"ERROR");
+//#endif
+//
+//		return FALSE;
+//	}
+//
+//	//
+//	//Begin Dispatch
+//	//
+//	if( BeginDispatchBySandBoxName(lpSandBoxName) == -1 )
+//	{
+//#ifdef Dbg
+//		DebugLog(DbgInfo,L"ERROR");
+//#endif
+//
+//		return FALSE;
+//	}
+//
+//	return TRUE;
+//}
+
+//
+//Dll Export [HookPort_Start]
+//
+extern "C" __declspec(dllexport) BOOL HookPort_Start(LPVOID lpParameter)
+{
+	//
+	//Initalization
+	//
+	LPOBJECTCONFIG OBJCfg = (LPOBJECTCONFIG)lpParameter;
+	int iInitState = -1;
+	iInitState = HookPortInitalization(g_hinstDLL,OBJCfg->szSandBoxName);
+
+	if( iInitState == -1 ||
+		iInitState == 0
+		)
+	{
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+
+		return FALSE;
+	}
+
+	//
+	//Begin Dispatch
+	//
+	if( BeginDispatchBySandBoxName(g_szSandBoxName) == -1 )
+	{
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+
+		return FALSE;
+	}
+
+	//
+	//Resume Current Process
+	//
+	ResumeCurrentProcess();
+
+	//
+	//Convert thread to a GUI thread
+	//
+	ConvertToGUIThread();
+
+	return TRUE;
+}
+
+BOOL HookPort_Start_DllMain(void)
+{
+	//
+	//Get SandBox Name
+	//
+	WCHAR szSandBoxName[CONF_SandBoxNameLength+1] = {NULL};
+
+	if( GetSandBoxNameFromRegistry(szSandBoxName) == -1 )
+	{
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+
+		return FALSE;
+	}
+
+	//
+	//Initalization
+	//
+	int iInitState = -1;
+	iInitState = HookPortInitalization(g_hinstDLL,szSandBoxName);
+
+	if( iInitState == -1 ||
+		iInitState == 0
+		)
+	{
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+
+		return FALSE;
+	}
+
+	//
+	//Begin Dispatch
+	//
+	if( BeginDispatchBySandBoxName(g_szSandBoxName) == -1 )
+	{
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+
+		return FALSE;
+	}
+
+	return TRUE;
+}
\ No newline at end of file
diff --git a/HookPorts/Main.h b/HookPorts/Main.h
new file mode 100644
index 0000000..e2e9bac
--- /dev/null
+++ b/HookPorts/Main.h
@@ -0,0 +1,42 @@
+#pragma once
+
+#include "../Config/Config.h"
+
+
+
+//
+//Define
+//
+DWORD WINAPI ThreadStartHook(LPVOID lpParameter);
+
+extern HINSTANCE g_hinstDLL;
+
+extern WCHAR g_szSandBoxName[CONF_SandBoxNameLength+1];//Unicode
+extern char g_strSandBoxName[CONF_SandBoxNameLength+1];//ANSI
+
+extern WCHAR g_szRestorePath[MAX_PATH];
+extern WCHAR g_szRestoreNtPath[MAX_PATH];
+extern WCHAR g_szRestoreDevPath[MAX_PATH];
+
+extern WCHAR g_szRestoreRegPath[MAX_PATH];
+extern WCHAR g_szRestoreFullRegKrnlPath[MAX_PATH];
+
+//kernel32
+extern HINSTANCE g_hCloneKERNEL32;
+extern WCHAR g_szCloneKERNEL32[MAX_PATH];
+
+//fltlib
+extern HINSTANCE g_hCloneFLTLIB;
+extern WCHAR g_szCloneFLTLIB[MAX_PATH];
+
+//shell32
+extern HINSTANCE g_hCloneSHELL32;
+extern WCHAR g_szCloneSHELL32[MAX_PATH];
+
+//advapi32
+extern HINSTANCE g_hCloneADVAPI32;
+extern WCHAR g_szCloneADVAPI32[MAX_PATH];
+
+
+
+BOOL HookPort_Start_DllMain(void);
\ No newline at end of file
diff --git a/HookPorts/NativeAPI_NTDLL.cpp b/HookPorts/NativeAPI_NTDLL.cpp
new file mode 100644
index 0000000..577d1f4
--- /dev/null
+++ b/HookPorts/NativeAPI_NTDLL.cpp
@@ -0,0 +1,65 @@
+#include <windows.h>
+#include <ntsecapi.h>
+
+#include "./NativeAPI_NTDLL.h"
+#include "./Main.h"
+
+
+
+//
+//NativeAPI_NTDLL Functions
+//
+NTSTATUS
+NTAPI
+RtlInitUnicodeString(
+	PUNICODE_STRING DestinationString,
+	PCWSTR SourceString
+	)
+{
+	NTSTATUS ret = NULL;
+	typedef NTSTATUS (WINAPI *lpAddFun)(PUNICODE_STRING,PCWSTR);
+	HINSTANCE hDll = GetModuleHandleW( L"ntdll.dll" );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"RtlInitUnicodeString");
+	if( addFun != NULL )
+	{
+		ret = addFun(DestinationString,SourceString);
+	}
+	return ret;
+}
+
+NTSTATUS
+NTAPI
+RtlFreeUnicodeString(
+	IN PUNICODE_STRING UnicodeString
+	)
+{
+	NTSTATUS ret = NULL;
+	typedef NTSTATUS (WINAPI *lpAddFun)(PUNICODE_STRING);
+	HINSTANCE hDll = GetModuleHandleW( L"ntdll.dll" );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"RtlFreeUnicodeString");
+	if( addFun != NULL )
+	{
+		ret = addFun(UnicodeString);
+	}
+	return ret;
+}
+
+NTSTATUS
+NTAPI
+RtlDosPathNameToNtPathName_U(
+	IN PCWSTR DosPathName,
+	OUT PUNICODE_STRING NtPathName,
+	OUT PCWSTR *NtFileNamePart,
+	OUT CURDIR *DirectoryInfo
+	)
+{
+	NTSTATUS ret = NULL;
+	typedef NTSTATUS (WINAPI *lpAddFun)(PCWSTR,PUNICODE_STRING,PCWSTR *,CURDIR *);
+	HINSTANCE hDll = GetModuleHandleW( L"ntdll.dll" );
+	lpAddFun addFun = (lpAddFun)GetProcAddress(hDll,"RtlDosPathNameToNtPathName_U");
+	if( addFun != NULL )
+	{
+		ret = addFun(DosPathName,NtPathName,NtFileNamePart,DirectoryInfo);
+	}
+	return ret;
+}
\ No newline at end of file
diff --git a/HookPorts/NativeAPI_NTDLL.h b/HookPorts/NativeAPI_NTDLL.h
new file mode 100644
index 0000000..2cb96cb
--- /dev/null
+++ b/HookPorts/NativeAPI_NTDLL.h
@@ -0,0 +1,29 @@
+#pragma once
+
+NTSTATUS
+NTAPI
+RtlInitUnicodeString(
+	PUNICODE_STRING DestinationString,
+	PCWSTR SourceString
+	);
+
+NTSTATUS
+NTAPI
+RtlFreeUnicodeString(
+	IN PUNICODE_STRING UnicodeString
+	);
+
+typedef struct _CURDIR
+{
+	UNICODE_STRING DosPath;
+	HANDLE Handle;
+} CURDIR;
+
+NTSTATUS
+NTAPI
+RtlDosPathNameToNtPathName_U(
+	IN PCWSTR DosPathName,
+	OUT PUNICODE_STRING NtPathName,
+	OUT PCWSTR *NtFileNamePart,
+	OUT CURDIR *DirectoryInfo
+	);
\ No newline at end of file
diff --git a/HookPorts/Privilege.cpp b/HookPorts/Privilege.cpp
new file mode 100644
index 0000000..b48f6b3
--- /dev/null
+++ b/HookPorts/Privilege.cpp
@@ -0,0 +1,73 @@
+#include <windows.h>
+#include <stdio.h>
+
+#include "./Privilege.h"
+
+
+
+//
+//Privilege Functions
+//
+
+BOOL EnableSpecificPrivilege(IN BOOL bEnable,IN WCHAR * Name)
+{
+	BOOL bResult = FALSE;
+	HANDLE hToken = NULL;
+	TOKEN_PRIVILEGES TokenPrivileges;
+
+	if( OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,&hToken) == 0 )
+	{
+		return FALSE;
+	}
+
+	TokenPrivileges.PrivilegeCount = 1;
+	TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
+	bResult = LookupPrivilegeValue(NULL,Name,&TokenPrivileges.Privileges[0].Luid);
+
+	if( !bResult )
+	{
+		CloseHandle(hToken);
+		return FALSE;
+	}
+
+	bResult = AdjustTokenPrivileges(hToken,FALSE,&TokenPrivileges,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
+
+	if(GetLastError() != ERROR_SUCCESS || !bResult)
+	{
+		CloseHandle(hToken);
+		return FALSE;
+	}
+
+	CloseHandle(hToken);
+	return TRUE;
+}
+
+BOOL SetAllPrivileges(IN BOOL bEnable)
+{
+	EnableSpecificPrivilege(bEnable,SE_ASSIGNPRIMARYTOKEN_NAME);
+	EnableSpecificPrivilege(bEnable,SE_AUDIT_NAME);
+	EnableSpecificPrivilege(bEnable,SE_BACKUP_NAME);
+	EnableSpecificPrivilege(bEnable,SE_CHANGE_NOTIFY_NAME);
+	EnableSpecificPrivilege(bEnable,SE_CREATE_PAGEFILE_NAME);
+	EnableSpecificPrivilege(bEnable,SE_CREATE_PERMANENT_NAME);
+	EnableSpecificPrivilege(bEnable,SE_CREATE_TOKEN_NAME);
+	EnableSpecificPrivilege(bEnable,SE_DEBUG_NAME);
+	EnableSpecificPrivilege(bEnable,SE_INC_BASE_PRIORITY_NAME);
+	EnableSpecificPrivilege(bEnable,SE_INCREASE_QUOTA_NAME);
+	EnableSpecificPrivilege(bEnable,SE_LOAD_DRIVER_NAME);
+	EnableSpecificPrivilege(bEnable,SE_LOCK_MEMORY_NAME);
+	EnableSpecificPrivilege(bEnable,SE_PROF_SINGLE_PROCESS_NAME);
+	EnableSpecificPrivilege(bEnable,SE_REMOTE_SHUTDOWN_NAME);
+	EnableSpecificPrivilege(bEnable,SE_RESTORE_NAME);
+	EnableSpecificPrivilege(bEnable,SE_SECURITY_NAME);
+	EnableSpecificPrivilege(bEnable,SE_SHUTDOWN_NAME);
+	EnableSpecificPrivilege(bEnable,SE_SYSTEM_ENVIRONMENT_NAME);
+	EnableSpecificPrivilege(bEnable,SE_SYSTEM_PROFILE_NAME);
+	EnableSpecificPrivilege(bEnable,SE_SYSTEMTIME_NAME);
+	EnableSpecificPrivilege(bEnable,SE_TAKE_OWNERSHIP_NAME);
+	EnableSpecificPrivilege(bEnable,SE_TCB_NAME);
+	EnableSpecificPrivilege(bEnable,SE_UNSOLICITED_INPUT_NAME);
+	EnableSpecificPrivilege(bEnable,SE_MACHINE_ACCOUNT_NAME);
+
+	return TRUE;
+}
\ No newline at end of file
diff --git a/HookPorts/Privilege.h b/HookPorts/Privilege.h
new file mode 100644
index 0000000..c3a218d
--- /dev/null
+++ b/HookPorts/Privilege.h
@@ -0,0 +1,5 @@
+#pragma once
+
+BOOL EnableSpecificPrivilege(IN BOOL bEnable,IN WCHAR * Name);
+
+BOOL SetAllPrivileges(IN BOOL bEnable);
\ No newline at end of file
diff --git a/HookPorts/RemoteInjection.cpp b/HookPorts/RemoteInjection.cpp
new file mode 100644
index 0000000..dcc7126
--- /dev/null
+++ b/HookPorts/RemoteInjection.cpp
@@ -0,0 +1,400 @@
+#include <windows.h>
+#include <ntsecapi.h>
+#include <tlhelp32.h>
+
+#include "./RemoteInjection.h"
+#include "../Common/DebugLog.h"
+#include "./Main.h"
+#include "./GetProcAddressEx.h"
+
+#include "./CloneAPI_KERNEL32.h"
+
+#include "./Dispatch_NTDLL_NtAllocateVirtualMemory.h"
+#include "./Dispatch_NTDLL_NtWriteVirtualMemory.h"
+#include "./Dispatch_NTDLL_NtProtectVirtualMemory.h"
+#include "./Dispatch_NTDLL_NtGetContextThread.h"
+#include "./Dispatch_NTDLL_NtCreateThread.h"
+#include "./Dispatch_NTDLL_NtResumeThread.h"
+
+
+
+//
+//Define
+//
+DWORD Inject
+(
+	IN DWORD PID,
+	IN void* pfnRemoteFunc,
+	IN DWORD dwFuncSize,
+	IN void* pRemoteParam,
+	IN DWORD dwParamSize,
+	IN DWORD dwMilliseconds,
+	IN BOOL bFreeRemoteThread
+);
+
+typedef struct tagThreadParam
+{
+	DWORD dwRVA_pfnDestDllExport;
+	DWORD dwRVA_pfnRtlInitUnicodeString;
+	DWORD dwRVA_pfnLdrLoadDll;
+	WCHAR szDllFileName[MAX_PATH];
+    char szFunctionName[MAX_PATH];
+	OBJECTCONFIG lp;
+}ThreadParam, *PThreadParam;
+
+DWORD WINAPI RemoteLoadLibrary(IN LPVOID lpParameter);
+
+
+
+//
+//RemoteInjection Functions
+//
+int InjectProcess(IN HMODULE hModule, IN DWORD dwProcessId, IN LPOBJECTCONFIG lp, IN LPCSTR szFnName)
+{
+	//Return Value:
+	//-1 = error
+	//0 = warning
+	//1 = succeed
+
+	int ret = -1;
+	ThreadParam tp;
+	DWORD dwFuncSize = 1024*2;
+	HINSTANCE hNTDLL = NULL;
+
+	hNTDLL = GetModuleHandleW(L"ntdll.dll");
+
+	//
+	//Set [Relative Virtual Addresses] of [Dest!DllExport]
+	//
+	tp.dwRVA_pfnDestDllExport = (DWORD) ((DWORD)GetProcAddress(g_hinstDLL,szFnName) - (DWORD)g_hinstDLL);
+
+	//
+	//Set [Relative Virtual Addresses] of [ntdll!RtlInitUnicodeString]
+	//
+	tp.dwRVA_pfnRtlInitUnicodeString = (DWORD) ((DWORD)GetProcAddress(hNTDLL,"RtlInitUnicodeString") - (DWORD)hNTDLL);
+
+	//
+	//Set [Relative Virtual Addresses] of [ntdll!LdrLoadDll]
+	//
+	tp.dwRVA_pfnLdrLoadDll = (DWORD) ((DWORD)GetProcAddress(hNTDLL,"LdrLoadDll") - (DWORD)hNTDLL);
+
+	//
+	//Set Dll Export
+	//
+	strcpy(tp.szFunctionName, szFnName);
+
+	//
+	//Set Dll Path
+	//
+	GetModuleFileName(hModule, tp.szDllFileName, MAX_PATH);
+
+	//
+	//Set Dll Parameter
+	//
+	memcpy(&tp.lp, lp, sizeof(OBJECTCONFIG));
+
+	ret = Inject( dwProcessId, RemoteLoadLibrary, dwFuncSize, &tp, sizeof(tp), 10*1000, FALSE);
+
+	return ret;
+}
+
+DWORD WINAPI RemoteLoadLibrary(IN LPVOID lpParameter)
+{
+	DWORD dwRet = DEF_ThreadError_Unknown;
+
+	PThreadParam tp = (PThreadParam)lpParameter;
+	HANDLE hDll = NULL;
+
+	//
+	//Get [Module Base Address] of [ntdll.dll]
+	//
+	HINSTANCE hNTDLL = NULL;
+	hNTDLL = (HINSTANCE)shellcode_getntdllmodbase();
+	if( !hNTDLL )
+	{
+		return DEF_ThreadError_GetKERNEL32Mod;
+	}
+
+	//
+	//Get [Proc Address] of [ntdll!RtlInitUnicodeString]
+	//
+	typedef VOID (NTAPI * __pfnRtlInitUnicodeString)
+	(
+		PUNICODE_STRING DestinationString,
+		PCWSTR SourceString
+		);
+
+	__pfnRtlInitUnicodeString pfnRtlInitUnicodeString = NULL;
+	pfnRtlInitUnicodeString = (__pfnRtlInitUnicodeString) (DWORD) ( (DWORD)hNTDLL + tp->dwRVA_pfnRtlInitUnicodeString );
+
+	//
+	//Get [Proc Address] of [ntdll!LdrLoadDll]
+	//
+	typedef NTSTATUS (NTAPI * __pfnLdrLoadDll)
+	(
+		IN PWCHAR               PathToFile OPTIONAL,
+		IN ULONG                Flags OPTIONAL,
+		IN PUNICODE_STRING      ModuleFileName,
+		OUT PHANDLE             ModuleHandle );
+
+	__pfnLdrLoadDll pfnLdrLoadDll = NULL;
+	pfnLdrLoadDll = (__pfnLdrLoadDll) (DWORD) ( (DWORD)hNTDLL + tp->dwRVA_pfnLdrLoadDll );
+
+
+	//
+	//Init the UNICODE_STRING
+	//
+	UNICODE_STRING usDllFileName;
+	pfnRtlInitUnicodeString(&usDllFileName,tp->szDllFileName);
+
+	//
+	//Call [ntdll!LdrLoadDll] to load [DestDll]
+	//
+	NTSTATUS nStatus;
+	nStatus = pfnLdrLoadDll(NULL,NULL,&usDllFileName,&hDll);
+	if( !hDll || nStatus != ((NTSTATUS)0x00000000L) )
+	{
+		return DEF_ThreadError_CallLoadLibraryA;
+	}
+
+	//
+	//Get [Proc Address] of [DestDll!Export]
+	//
+	typedef BOOL (*PObjectStart)(LPVOID lp);
+	PObjectStart pfnObjectStart = NULL;
+	pfnObjectStart = (PObjectStart) (DWORD) ( (DWORD)hDll + tp->dwRVA_pfnDestDllExport );
+
+	//
+	//Call [DestDllExport]
+	//
+	dwRet = pfnObjectStart(&tp->lp);
+
+	return dwRet;
+}
+
+DWORD Inject
+(
+	IN DWORD PID,
+	IN void* pfnRemoteFunc,
+	IN DWORD dwFuncSize,
+	IN void* pRemoteParam,
+	IN DWORD dwParamSize,
+	IN DWORD dwMilliseconds,
+	IN BOOL bFreeRemoteThread
+)
+{
+    if( PID < 1 || dwFuncSize < 1 || pfnRemoteFunc == NULL )
+	{
+		return -1;
+	}
+
+    HANDLE hProc = NULL;
+    void* pfnRmtFunc = NULL;
+    void* pRmtParam = NULL;
+    HANDLE hRemoteThread = NULL;
+    DWORD dwThreadId = NULL;
+    DWORD dwExitCode = NULL;
+    BOOL bFlag;
+
+    hProc = OpenProcess( PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,PID);		
+    if( !hProc )
+    {
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+		goto InjectCleanUp;
+    }
+
+    pfnRmtFunc = VirtualAllocEx( hProc, NULL, dwFuncSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+    if( !pfnRmtFunc )
+    {
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+		goto InjectCleanUp;
+    }
+
+    pRmtParam = VirtualAllocEx( hProc, NULL, dwParamSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+    if( !pRmtParam )
+    {
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+		goto InjectCleanUp;
+    }
+
+    bFlag = WriteProcessMemory( hProc, pfnRmtFunc, (PVOID)pfnRemoteFunc, dwFuncSize, 0);
+    if( bFlag == FALSE )
+    {
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+		goto InjectCleanUp;
+    }
+
+    bFlag = WriteProcessMemory( hProc, pRmtParam, (PVOID)pRemoteParam, dwParamSize, 0);
+    if( bFlag == FALSE )
+    {
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+		goto InjectCleanUp;
+    }
+
+    hRemoteThread = CreateRemoteThread(
+		hProc,
+		NULL,
+		NULL,
+		(LPTHREAD_START_ROUTINE)pfnRmtFunc,
+		(LPVOID)pRmtParam,
+		CREATE_SUSPENDED,
+		&dwThreadId);
+
+    if( !hRemoteThread )
+    {
+#ifdef Dbg
+		DebugLog(DbgInfo,L"ERROR");
+#endif
+		goto InjectCleanUp;
+    }
+	else
+	{
+		PULONG SuspendCount = 0;
+		NtResumeThread(hRemoteThread,SuspendCount);
+
+//#ifdef Dbg
+//		WCHAR szDebugString[256] = {0};
+//		wsprintf(szDebugString,L"CreateRemoteThread SuspendCount=[%d]",SuspendCount);
+//		DebugLog(DbgInfo,szDebugString);
+//#endif
+	}
+
+    WaitForSingleObject( hRemoteThread, dwMilliseconds ); 
+    GetExitCodeThread( hRemoteThread, &dwExitCode );
+
+#ifdef Dbg
+	WCHAR szThreadExitCode[256] = {0};
+	wsprintf(szThreadExitCode,L"szThreadExitCode =[%d]",dwExitCode);
+	DebugLog(DbgInfo,szThreadExitCode);
+#endif
+
+    CloseHandle( hProc );
+    if( dwMilliseconds != 0 &&
+		bFreeRemoteThread == TRUE
+		)
+    {
+		VirtualFree( pfnRmtFunc, 0, MEM_RELEASE);
+    }
+    CloseHandle( hRemoteThread );
+
+    return dwExitCode;
+
+InjectCleanUp:
+    if( hProc )
+		CloseHandle( hProc );
+    if( pfnRmtFunc )
+		VirtualFree( pfnRmtFunc, 0, MEM_RELEASE);
+    if( hRemoteThread )
+		CloseHandle( hRemoteThread );
+
+    return 0;
+}
+
+void * __stdcall shellcode_getkernel32modbase()
+{
+	//
+	//Get [Module Base Address] of [kernel32.dll]
+	//
+	//(1) FS¼Ä´æÆ÷ -> TEB½á¹¹
+	//(2) TEB+0x30 -> PEB½á¹¹
+	//(3) PEB+0x0c -> PEB_LDR_DATA
+	//(4) PEB_LDR_DATA+0x1c -> Ntdll.dll
+	//(5) Ntdll.dll+0x08 -> Kernel32.dll
+	//
+	//typedef struct _PEB_LDR_DATA {
+	//	ULONG Length; // +0x00
+	//	BOOLEAN Initialized; // +0x04
+	//	PVOID SsHandle; // +0x08
+	//	LIST_ENTRY InLoadOrderModuleList; // +0x0c
+	//	LIST_ENTRY InMemoryOrderModuleList; // +0x14
+	//	LIST_ENTRY InInitializationOrderModuleList;// +0x1c
+	//} PEB_LDR_DATA,*PPEB_LDR_DATA; // +0x24
+	//
+	//typedef struct _LDR_MODULE {
+	//	LIST_ENTRY          InLoadOrderModuleList;   +0x00
+	//	LIST_ENTRY          InMemoryOrderModuleList; +0x08 
+	//	LIST_ENTRY          InInitializationOrderModuleList; +0x10
+	//	void*               BaseAddress; +0x18
+	//	void*               EntryPoint;   +0x1c
+	//	ULONG               SizeOfImage;
+	//	UNICODE_STRING      FullDllName;
+	//	UNICODE_STRING      BaseDllName;
+	//	ULONG               Flags;
+	//	SHORT               LoadCount;
+	//	SHORT               TlsIndex;
+	//	HANDLE              SectionHandle;
+	//	ULONG               CheckSum;
+	//	ULONG               TimeDateStamp;
+	//} LDR_MODULE, *PLDR_MODULE;
+	//
+	//typedef struct _LIST_ENTRY {
+	//	struct _LIST_ENTRY *Flink;
+	//	struct _LIST_ENTRY *Blink;
+	//} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
+
+	//
+	//Example 1:
+	//
+	//__asm
+	//{
+	//	push esi
+	//	mov eax, fs:0x30		//´ò¿ªFS¼Ä´æÆ÷
+	//	mov eax, [eax + 0x0c]	//µÃµ½PEB½á¹¹µØÖ·
+	//	mov esi, [eax + 0x1c]	//µÃµ½PEB_LDR_DATA½á¹¹µØÖ·
+	//	lodsd					//InInitializationOrderModuleList
+	//	mov eax, [eax + 0x08]	//µÃµ½BaseAddress£¬¼´kernel32.dll»ùÖ·
+	//	pop esi
+	//}
+	//
+
+	//
+	//Example 2:
+	//
+	//__asm
+	//{
+	//	push esi
+	//	mov eax,fs:[30h]
+	//	mov eax,[eax+0Ch]
+	//	mov eax,[eax+0Ch]
+	//	mov eax,[eax]		//ntdll.dll
+	//	mov eax,[eax]		//kernel32.dll
+	//	mov eax,[eax+18h]
+	//	pop esi
+	//}
+
+	__asm
+	{
+		push esi
+		mov eax, fs:0x30		//´ò¿ªFS¼Ä´æÆ÷
+		mov eax, [eax + 0x0c]	//µÃµ½PEB½á¹¹µØÖ·
+		mov esi, [eax + 0x1c]	//µÃµ½PEB_LDR_DATA½á¹¹µØÖ·
+		lodsd					//InInitializationOrderModuleList
+		mov eax, [eax + 0x08]	//µÃµ½BaseAddress£¬¼´kernel32.dll»ùÖ·
+		pop esi
+	}
+}
+
+void * __stdcall shellcode_getntdllmodbase()
+{
+	__asm
+	{
+		push esi
+		mov eax,fs:[30h]
+		mov eax,[eax+0Ch]
+		mov eax,[eax+0Ch]
+		mov eax,[eax]		//ntdll.dll
+		//mov eax,[eax]		//kernel32.dll
+		mov eax,[eax+18h]
+		pop esi
+	}
+}
\ No newline at end of file
diff --git a/HookPorts/RemoteInjection.h b/HookPorts/RemoteInjection.h
new file mode 100644
index 0000000..b2efafa
--- /dev/null
+++ b/HookPorts/RemoteInjection.h
@@ -0,0 +1,30 @@
+#pragma once
+
+#include "../Config/Config.h"
+
+//
+//Definition
+//
+
+//
+//RemoteThread Error Codes
+//
+#define DEF_ThreadError_Unknown				-1
+#define DEF_ThreadError_GetKERNEL32Mod		10
+#define DEF_ThreadError_CallLoadLibraryA	11
+
+
+
+//
+//struct
+//
+typedef struct tagObjectConfig
+{
+	WCHAR szSandBoxName[CONF_SandBoxNameLength+1];
+}OBJECTCONFIG, *LPOBJECTCONFIG;
+
+int InjectProcess(IN HMODULE hModule, IN DWORD dwProcessId, IN LPOBJECTCONFIG lp, IN LPCSTR szFnName);
+
+void * __stdcall shellcode_getkernel32modbase();
+
+void * __stdcall shellcode_getntdllmodbase();
\ No newline at end of file