
A plugin is installed when it lies in the same folder as ke_core.dll

ke_plug.dll exports 2 functions

plug_setup - returns 0 if you need the spy report, 1 if you do not need the report

plugin - plugin core

You add the function to be hooked to the database and write its handler in asm as a plugin
(the number of functions is not limited)

;Example with GetDriveTypeA

ke_spy.txt
[kernel32.dll]
    GetDriveType, 1
    ...............
    ............



ke_plug.asm
......................
.........................
; plug_setup - exported setup routine of the plug-in.
; Out: eax = report switch. This example returns REPORT_OFF; per the
;      description at the top of this file, 0 means the spy report is
;      wanted and 1 means no report is needed.
; NOTE(review): REPORT_OFF is defined outside this excerpt, presumably as 1 - confirm.
plug_setup	proc
	mov		eax, REPORT_OFF		;result in eax: no spy report for this plug-in
	ret
plug_setup endp

; plugin - plug-in core: the handler that decides what happens for each
; hooked function.
; In:  all registers hold the values they had on entry to the hooked function.
;      The top of the stack holds six dwords, popped below in this order:
;      return address of this handler, address of the hooked function,
;      function parameters, pointer to the function name, return address
;      into the main program, index of the function in the database.
; Out: returns through the saved ret_address; eax is whatever the selected
;      branch leaves in it.
; NOTE(review): the pop targets are memory variables declared outside this
; excerpt, presumably module-level data. If so, the handler is not reentrant:
; a second thread (or a nested hooked call) entering before the final ret
; would overwrite the saved addresses - confirm before using it on a
; multi-threaded program.
plugin	proc
	pop		ret_address		;return address of this handler (used by the final push/ret)
	pop		func_adr		;hooked function begin address
	pop		func_par		;function parameters (one dword; exact meaning not shown here)
	pop		func_nam		;pointer to function name
	pop		func_return_address	;return address to main program
	pop		func_idx		;index of function in base
	pushfd					;save flags: the .if comparisons below change them
	pushad					;save all general registers: eax is used as scratch below
	mov		eax, func_adr		;eax = address of the hooked function, tested by the .if chain

	;Your code here
	.if eax == getDriveTypeA_addr    ; the hooked function is GetDriveTypeA - handle it here
		push	func_idx
		call	clear_from_db		;defined elsewhere; presumably removes this entry from the hook database - confirm
		push	offset sz_func_GetDriveTypeCleared
		call	wf_string		;defined elsewhere; presumably writes the string to the report - confirm
		popad				;restore the registers saved by pushad
		popfd				;restore the flags saved by pushfd
		call	func_adr		;run the function through the saved address with the entry-time registers
		mov	eax, 5			;discard the real result: always return 5 (DRIVE_CDROM)

	.elseif eax == another_hooked_func
		.......................
			
	.else					;any other function: call it and leave its result untouched
		popad				;restore the registers saved by pushad
		popfd				;restore the flags saved by pushfd
		call	func_adr		;run the function through the saved address
	.endif
	push	ret_address			;put the handler's return address back on the stack
	ret					;return to it with eax set by the branch taken
plugin endp