Hooking KiFastSystemCall

 program KiFastSystemCall;

uses
  Windows, madCodeHook, SysUtils;

var
  realKiFastSystemCall: procedure;
  dwIndexPVM: DWORD;

function hookZwProtectVirtualMemory(hProcess: THandle; lpAddress: Pointer; dwSize, flNewProtect: DWORD; lpflOldProtect: Pointer): DWORD; stdcall;
var
  Stack1, Stack2: DWORD;
begin
  Result := 0;
  MessageBoxA(0, PChar(IntToHex(DWORD(lpAddress), 8)), 'ZwProtectVirtualMemory', 0);
  asm
    pop eax
    mov [Stack1], eax
    pop eax
    mov [Stack2], eax
    mov eax, [dwIndexPVM]
    call realKiFastSystemCall
    mov [Result], eax
    push [Stack2]
    push [Stack1]
  end;
end;

procedure hookKiFastSystemCall; assembler;
label
  CallPVM;
begin
  asm
    cmp eax, [dwIndexPVM]
    je @CallPVM
    jmp realKiFastSystemCall
    @CallPVM:
    pop eax
    jmp hookZwProtectVirtualMemory
  end;
end;

begin
  MessageBoxA(0, 'You need to call me once before you install the hook, otherwise I don''t initialize properly.', 'MessageBoxA Bug Fix', 0);
  dwIndexPVM := PDWORD(DWORD(GetProcAddress(GetModuleHandle('ntdll.dll'), 'ZwProtectVirtualMemory'))+1)^;
  HookAPI('ntdll.dll', 'KiFastSystemCall', @hookKiFastSystemCall, @realKiFastSystemCall);
end.