// Call site: redirects ntdll's LdrLoadDll export in the process behind m_hProc
// (see BlockAPI below, which passes 5 as the number of displaced bytes).
BlockAPI(m_hProc, "NTDLL.DLL", "LdrLoadDll")
////////////////////////BlockAPI////////////////////////
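// Resolves one export of libName and hands its address to HookFunc, which
// redirects it to _Hook and keeps a runnable copy of its first 5 bytes in
// _BackupedOriginal.
//
// hProcess: handle supplied by the caller. It is not used here and HookFunc
//           patches m_hProc instead, so the two are expected to be the same.
// libName:  module exporting the API; loaded with LoadLibrary in THIS process.
// apiName:  export looked up with GetProcAddress.
// Returns true when HookFunc reported success, false when the module or the
// export could not be resolved or HookFunc failed.
//
// NOTE(review): the address comes from the calling process' mapping of the
// module and is only valid inside hProcess if the module sits at the same
// base there. The pointer-to-unsigned casts make this 32-bit-only code.
bool BlockAPI(HANDLE hProcess, const char* libName, const char* apiName)
{
    HINSTANCE hLib = LoadLibrary(libName);
    if(!hLib)
        return false;

    VOID *pAddr = (VOID*)GetProcAddress(hLib, apiName);
    bool hooked = false;
    if(pAddr)
    {
        hooked = this->HookFunc((unsigned)pAddr, (unsigned)&_BackupedOriginal, (unsigned)&_Hook, 5);
    }

    // Previously the library reference was released only on the success
    // path; a failed lookup or a failed HookFunc leaked it. Release it on
    // every path once LoadLibrary succeeded.
    FreeLibrary(hLib);
    return hooked;
}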
////////////////////////HookFunc////////////////////////
// Patches the first bts bytes of sourceFunc (in the process behind m_hProc)
// with a jmp to instead_call, after copying those bytes to new_address and
// appending a jmp back to sourceFunc + bts there. All access goes through
// ReadProcessMemory/WriteProcessMemory; the copy is done one byte at a time.
//
// sourceFunc:   address of the function to redirect.
// new_address:  where the displaced bytes and the return jmp are written
//               (BlockAPI passes _BackupedOriginal).
// instead_call: address the patched entry jumps to (BlockAPI passes _Hook).
// bts:          number of bytes displaced. The jmp written at sourceFunc is
//               always 5 bytes (opcode + 4-byte displacement), so bts < 5
//               would overwrite bytes that were never displaced; the
//               trampoline must hold bts + 5 bytes and _BackupedOriginal
//               provides 10, so bts > 5 would overrun it. Only 5 is used here.
// Returns true unconditionally: none of the Read/WriteProcessMemory results
// nor rw is examined, so a failed or partial write is not reported and the
// target may be left half-patched.
//
// NOTE(review): the process is m_hProc, not a parameter; new_address and
// instead_call are addresses inside the calling process (taken with & in
// BlockAPI) and are only meaningful in m_hProc if that is the same process.
// Copying a fixed byte count assumes the first bts bytes are whole,
// position-independent instructions — confirm against the target's entry.
// Patching is not atomic: a thread executing sourceFunc while the bytes
// change can observe a mix of old and new code. temp_address[2] is unused.
bool HookFunc(unsigned sourceFunc, unsigned new_address, unsigned instead_call, unsigned bts)
{
    /*
    plan:
      read bts bytes from the original entry ("offi");
      write them in order into the backup trampoline;
      replace them in the original with NOP;
      write a jmp opcode at the original entry;
      write the displacement to instead_call after it (jmp + 4-byte displacement);
      write a jmp opcode after the copied bytes in the backup;
      write the displacement back to original + bts after it;
    */
    BYTE byte;
    DWORD rw = 0;                   // receives the byte count from each call; never read
    HANDLE hProc = m_hProc;         // target process is taken from the member, not a parameter
    unsigned temp_address[5];       // [2] is never used
    temp_address[0] = sourceFunc;   // original entry; restored after the loop advances sourceFunc
    temp_address[1] = new_address;  // trampoline start; needed for the return-jmp displacement
    for(int i = 0; i < bts; i++)    // signed/unsigned comparison; bts is small in practice
    {
        ReadProcessMemory(hProc, (LPCVOID) sourceFunc, &byte, sizeof(byte), &rw);    // one original byte
        WriteProcessMemory(hProc, (LPVOID) new_address++, &byte, sizeof(byte), &rw); // copy it into the trampoline
        byte = 0x90; // NOP
        WriteProcessMemory(hProc, (LPVOID) sourceFunc++, &byte, sizeof(byte), &rw);  // clear the displaced byte
    }
    sourceFunc = temp_address[0]; // back to the original entry
    byte = 0xE9; // opcode of the near relative jmp
    WriteProcessMemory(hProc, (LPVOID) sourceFunc, &byte, sizeof(byte), &rw); // jmp opcode at the original entry
    temp_address[3] = offset(sourceFunc, instead_call); // offset() is defined elsewhere; presumably the rel32 displacement — verify its reference point
    WriteProcessMemory(hProc, (LPVOID) ++sourceFunc, &temp_address[3], sizeof(temp_address[3]), &rw); // 4-byte displacement after the opcode
    WriteProcessMemory(hProc, (LPVOID) new_address++, &byte, sizeof(byte), &rw); // jmp opcode right after the copied bytes
    temp_address[4] = offset(temp_address[1] + bts/*after the copied bytes*/, temp_address[0] + bts/*first untouched byte of the original*/); // displacement back into the original
    WriteProcessMemory(hProc, (LPVOID) new_address, &temp_address[4], sizeof(temp_address[4]), &rw); // 4-byte displacement after the opcode
    return true;
}
//DWORD __stdcall LdrLoadDll(PWSTR* szcwPath, PDWORD* pdwLdrErr, PUNICODE_STRING pUniModuleName, PHINSTANCE pResultInstance)
////////////////////////_BackupedOriginal////////////////////////
// Trampoline that HookFunc fills in at runtime. BlockAPI passes its address
// as new_address, so the first 5 NOPs receive the bytes displaced from the
// hooked entry and the next 5 receive a jmp (0xE9 + 4-byte displacement)
// to the first untouched byte of the original. As compiled it is 10 NOPs
// and no return statement; the intent is that control never reaches the
// end once it has been patched.
//
// The parameter list mirrors the hooked export so _Hook can forward its
// arguments unchanged. The commented-out prototype above declares the last
// parameter as PHINSTANCE while this definition takes HINSTANCE — confirm
// which one matches the real signature.
//
// NOTE(review): this only works if the NOPs are the very first bytes of the
// function and it is emitted once, out of line, with no prologue — check the
// disassembly under the build's optimisation settings.
DWORD __stdcall _BackupedOriginal(PWSTR* szcwPath, PDWORD* pdwLdrErr, PUNICODE_STRING pUniModuleName, HINSTANCE pResultInstance)
{
    // bytes 0-4: overwritten with the displaced original bytes
    __asm NOP; // original byte 1
    __asm NOP; // original byte 2
    __asm NOP; // original byte 3
    __asm NOP; // original byte 4
    __asm NOP; // original byte 5
    // bytes 5-9: overwritten with the jmp back into the original
    __asm NOP; // jmp opcode (0xE9)
    __asm NOP; // displacement byte 0
    __asm NOP; // displacement byte 1
    __asm NOP; // displacement byte 2
    __asm NOP; // displacement byte 3
}
////////////////////////_Hook////////////////////////
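// Replacement that the patched LdrLoadDll entry jumps to (see HookFunc).
// Receives the original arguments unchanged and either forwards the call to
// the preserved entry in _BackupedOriginal or refuses the load.
//
// pUniModuleName: name of the module being loaded; only its Buffer is
//                 consulted, through checkDLL (defined elsewhere).
// Returns whatever the original returns for permitted modules, 1 otherwise
// (the author's "let other dlls return" value).
//
// NOTE(review): the value returned here is reported to the caller as the
// status of LdrLoadDll. 1 does not have the error bit set, so a caller that
// tests for failure may treat the refused load as successful while
// pResultInstance was never written — confirm this is the intended status.
DWORD __stdcall _Hook(PWSTR* szcwPath, PDWORD* pdwLdrErr, PUNICODE_STRING pUniModuleName, HINSTANCE pResultInstance)
{
    //if(g_zProtect->m_hProc == pResultInstance) // pResultInstance(unused..!?) => pUniModuleName check sys32 or / <= should work | get dll name + GetModuleHandle() check

    // The original dereferenced pUniModuleName unconditionally, so a null
    // name or buffer faulted inside the hook. There is nothing to check in
    // that case; let the real function handle such arguments.
    if(!pUniModuleName || !pUniModuleName->Buffer)
        return _BackupedOriginal(szcwPath, pdwLdrErr, pUniModuleName, pResultInstance);

    if(checkDLL(pUniModuleName->Buffer))
    {
        // permitted module: run the preserved original entry and return its result
        return _BackupedOriginal(szcwPath, pdwLdrErr, pUniModuleName, pResultInstance);
    }
    return 1; // anything else is refused
}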