Tags: windows-7, kernel, driver, wdk

ZwDebugActiveProcess Hooking


I am trying to create an antivirus software shield for Windows 7 32-bit. For that I need to hook ZwDebugActiveProcess. When I try to specify ZwDebugActiveProcess in my driver I get an "undeclared identifier" error while compiling in the WDK. I have used the same procedure to hook ZwOpenProcess, and it is successfully hooked. Is there any mistake in how I specify the name of that API? How do I solve this?


Solution

  • ZwDebugActiveProcess isn't an export from ntoskrnl - you can verify that using dumpbin. The Win32 DebugActiveProcess is a call over OpenProcess, with the debug flags set. A better approach would be to just keep on with ZwOpenProcess and check whether the flags are PROCESS_ALL_ACCESS - which are required for DebugActiveProcess() to work.
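The access-mask check the answer proposes, written out as an added example that is not code from the question or the answer. It is a stand-alone user-mode C model of the decision a ZwOpenProcess hook callback would make, so it compiles and runs without the WDK; the right-bit constants are copied from the Windows SDK (values as defined for the Windows 7-era SDK with `_WIN32_WINNT >= 0x0600`), while `decide_open_process`, `requests_full_access`, `describe_mask` and the `caller_trusted` / `target_protected` inputs are hypothetical names for this illustration. It goes slightly beyond the answer's literal check: a caller can also request `GENERIC_ALL` or `MAXIMUM_ALLOWED`, which the object manager maps to full access, so a filter that only tests for the `PROCESS_ALL_ACCESS` bits misses those requests.

```c
/* Added example (not from the question or answer): a user-mode model of the
 * DesiredAccess filter an antivirus driver's ZwOpenProcess hook would apply.
 * Constants below are Windows SDK values; the policy functions are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ACCESS_MASK;

#define STANDARD_RIGHTS_REQUIRED   0x000F0000u
#define SYNCHRONIZE                0x00100000u
/* PROCESS_ALL_ACCESS == 0x1FFFFF on SDKs targeting Vista and later */
#define PROCESS_ALL_ACCESS         (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFFu)
#define MAXIMUM_ALLOWED            0x02000000u
#define GENERIC_ALL                0x10000000u
#define PROCESS_VM_READ            0x0010u
#define PROCESS_QUERY_INFORMATION  0x0400u

/* Strict reading of the answer: every bit of PROCESS_ALL_ACCESS is requested. */
int requests_all_access(ACCESS_MASK desired) {
    return (desired & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS;
}

/* Robust variant: generic and maximum-allowed requests are translated to full
 * access by the object manager, so a filter must treat them the same way. */
int requests_full_access(ACCESS_MASK desired) {
    if (desired & (GENERIC_ALL | MAXIMUM_ALLOWED)) return 1;
    return requests_all_access(desired);
}

enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };

/* Hypothetical policy: a hook would pass the call through to the original
 * ZwOpenProcess unless an untrusted caller asks for full access to a process
 * the shield protects. Narrower opens (e.g. VM_READ for a task manager) pass. */
enum verdict decide_open_process(ACCESS_MASK desired, int caller_trusted, int target_protected) {
    if (!target_protected || caller_trusted) return VERDICT_ALLOW;
    return requests_full_access(desired) ? VERDICT_DENY : VERDICT_ALLOW;
}

/* Process-specific right bits (Windows SDK values) for readable log lines. */
static const struct { ACCESS_MASK bit; const char *name; } kRights[] = {
    { 0x0001u, "TERMINATE" },        { 0x0002u, "CREATE_THREAD" },
    { 0x0008u, "VM_OPERATION" },     { 0x0010u, "VM_READ" },
    { 0x0020u, "VM_WRITE" },         { 0x0040u, "DUP_HANDLE" },
    { 0x0080u, "CREATE_PROCESS" },   { 0x0200u, "SET_INFORMATION" },
    { 0x0400u, "QUERY_INFORMATION" },{ 0x0800u, "SUSPEND_RESUME" },
    { 0x1000u, "QUERY_LIMITED_INFORMATION" },
    { GENERIC_ALL, "GENERIC_ALL" },  { MAXIMUM_ALLOWED, "MAXIMUM_ALLOWED" },
};

/* Writes "NAME|NAME|..." for the known bits of m into buf.
 * Returns the number of names written. */
size_t describe_mask(ACCESS_MASK m, char *buf, size_t len) {
    size_t count = 0, used = 0;
    if (len == 0) return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof kRights / sizeof kRights[0]; i++) {
        if (!(m & kRights[i].bit)) continue;
        if (used >= len) break;
        int n = snprintf(buf + used, len - used, "%s%s", count ? "|" : "", kRights[i].name);
        if (n < 0) break;
        used += (size_t)n;
        count++;
    }
    return count;
}

int main(void) {
    /* Constructed sample requests against a protected target from an untrusted caller. */
    const ACCESS_MASK samples[] = {
        PROCESS_ALL_ACCESS,                          /* what a debugger attach needs */
        PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, /* benign read-only open */
        GENERIC_ALL,                                 /* full access via generic right */
        MAXIMUM_ALLOWED,                             /* full access via maximum-allowed */
    };
    char names[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        describe_mask(samples[i], names, sizeof names);
        enum verdict v = decide_open_process(samples[i], 0, 1);
        printf("DesiredAccess=0x%08X [%s] -> %s\n", samples[i], names,
               v == VERDICT_DENY ? "DENY" : "ALLOW");
    }
    return 0;
}
```

In a real hook the `desired` value is the `DesiredAccess` parameter passed to ZwOpenProcess, and the trust and protection inputs would come from the driver's own process bookkeeping; the point of the model is that the check belongs on the access mask the caller requests, not on an entry point that ntoskrnl does not export.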