When I hook WriteFile via Microsoft Detours, it works:

    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)Real_WriteFile, Hooked_WriteFile);
    DetourTransactionCommit();

However, when I look at the output in DebugView, two things are interesting:
Notepad calls WriteFile extremely frequently, because every time I type a symbol, it calls WriteFile, while I would expect it to call functions other than WriteFile to output symbols to the screen. Is this normal behavior? Because when I check the arguments of the WriteFile call, no data is written to disk.
But more importantly, with Detours I hooked WriteFile, but supposedly it also hooks NtWriteFile, which is a bit strange, because WriteFile is the function that calls NtWriteFile, not the other way around. When I run notepad.exe in API Monitor, it looks like notepad.exe calls NtWriteFile directly in some cases, but for some reason my Detours hook also seems to hook those calls, while I only hook WriteFile. Can anyone explain this behaviour? Like, why does Detours also seem to hook NtWriteFile, while I explicitly specified to hook WriteFile?
