
Problem with hooking ntdll.dll calls

I'm currently working on hooking ntdll.dll calls via DLL injection. At first, I create a thread in an existing process via CreateRemoteThread(), then I load my DLL via LoadLibrary and finally hook calls on PROCESS_ATTACH.

Injection works fine, but then I want to log all registry and file system queries. And the problem is that it doesn't work properly.

I decided to publish code via PasteBin, because piece is pretty big. Here is the link: http://pastebin.com/39r4Me6B

I'm trying to hook ZwOpenKey, then log the key content and then launch the "true" function by pointer. Function NOpenKey gets executed, but the process stops without any errors.

Does anyone see any issues?


If you use OllyDbg, ZwOpenKey starts with a 5-byte MOV EAX, 77.

You can overwrite these bytes like so: JMP _myZwOpenKey. Then from there you can do whatever with the values on the stack, restore all registers, then do a JMP 7C90D5B5, which is the address of ZwOpenKey + 5 bytes.

CPU Disasm
Address   Hex dump          Command                 Comments
7C90D5AF      90            NOP
7C90D5B0  /$  B8 77000000   MOV EAX,77              ; ntdll.ZwOpenKey(guessed rg1,Arg2,Arg3)
7C90D5B5  |.  BA 0003FE7F   MOV EDX,7FFE0300
7C90D5BA  |.  FF12          CALL DWORD PTR DS:[EDX]
7C90D5BC  \.  C2 0C00       RETN 0C

I usually do these in Assembly; that way I don't have to mess around a lot with type casting and all that. Hope this helps.

