Easyhook: unmanaged connection, how to call the original function / change the return status?

So, I have a hook function in winspool.drv!WritePrinter that is successfully connected to unmanaged C++ remotely nested in spoolsv.exe.

Currently, the hook seems to either replace the original function or damage the stack in an undetectable way: after connecting, WritePrinter calls result in inactivity of the printer outside the hook.

I found out at least one way to call the original function, the so-called LhGetOldProc. However, using this leads to crashes; not sure if this is an EasyHook error, or just bad casting.

So, how to properly call the original function in an unmanaged version of Easyhook?

Hook using LhGetOldProc:

    UCHAR *uc = NULL;
    LhGetOldProc(hhW, &uc);
    // Pointer type for the original WritePrinter (no calling convention given)
    typedef BOOL (*wp)(_In_ HANDLE, _In_ LPVOID, _In_ DWORD cbBuf, _Out_ LPDWORD);
    // http://stackoverflow.com/questions/1096341/function-pointers-casting-in-c
    wp my_wp = reinterpret_cast<wp>(reinterpret_cast<long>(uc));
    BOOL res;
    if (my_wp == 0x0) {
        return -1;
    } else {
        res = my_wp(hPrinter, pBuf, cbBuf, pcWritten); // crash
    }

Hook Code:

    HMODULE hSpoolsv = LoadLibraryA("winspool.drv");
    TRACED_HOOK_HANDLE hHook = new HOOK_TRACE_INFO();
    NTSTATUS NtStatus;
    UNICODE_STRING* NameBuffer = NULL;
    HANDLE hRemoteThread;
    // Install the detour on WritePrinter; FORCE is the EasyHook sample macro that aborts on a failed NTSTATUS
    FORCE(LhInstallHook(GetProcAddress(hSpoolsv, "WritePrinter"), WritePrinterHookA, 0x0, hHook));
    ULONG ACLEntries[1] = { (ULONG) - 1 };
    FORCE(LhSetExclusiveACL(ACLEntries, 1, hHook));
    hhW = hHook;

TIL: In 2013, CodePlex (where the EasyHook discussion list is) does not accept third-level domains for email when registering with a Microsoft account. Do not use Firebug to crawl a form.

1 answer

The stack is corrupted because the function pointer has an invalid calling convention.

The default calling convention is __cdecl, which expects the caller to clear the stack.

    typedef BOOL (* wp)(_In_ HANDLE ....);

is equal to:

    typedef BOOL (__cdecl* wp)(_In_ HANDLE ...);

but WinAPI functions use the __stdcall convention, which expects the callee to clear the stack. You will need to typedef the function as __stdcall:

    typedef BOOL (__stdcall* wp)(_In_ HANDLE ....);
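The following is an added example, not code from the question, the answer or the EasyHook project. It shows the two declarations that have to agree for the call through the trampoline to leave the stack balanced: the hook function and the pointer to the original both carry the Win32 calling convention, and the UCHAR* handed back is converted to a function pointer without going through a 32-bit integer. EasyHook is not linked, so a small stand-in (assumed to hand back the original entry point as a UCHAR*, as the question's use of LhGetOldProc suggests) plays the part of LhGetOldProc, and a fake WritePrinter records what reaches the "printer"; on 32-bit Windows the CALLCONV macro expands to __stdcall, elsewhere it is empty so the code also builds off Windows.

```cpp
// Added example: matching calling conventions for a WritePrinter hook and
// its trampoline pointer. Not part of the original post or of EasyHook.
#include <cstdint>
#include <string>
#include <vector>

#if defined(_WIN32) && !defined(_WIN64)
#define CALLCONV __stdcall  // x86 Win32 API convention: the callee clears the stack
#else
#define CALLCONV            // x64 and non-Windows builds: no stdcall/cdecl distinction
#endif

// Minimal Win32 type spellings so the example is self-contained.
typedef int           BOOL;
typedef void*         HANDLE;
typedef void*         LPVOID;
typedef unsigned long DWORD;
typedef DWORD*        LPDWORD;
typedef unsigned char UCHAR;

// Pointer type for the original WritePrinter with the convention spelled out.
// Leaving CALLCONV off (the question's typedef) silently makes it __cdecl on x86.
typedef BOOL (CALLCONV *WritePrinter_t)(HANDLE, LPVOID, DWORD, LPDWORD);

// Stand-in "original" WritePrinter: appends the buffer to an in-memory sink
// (constructed for this example; the real one talks to the spooler).
static std::vector<char> g_spool;
static BOOL CALLCONV FakeWritePrinter(HANDLE, LPVOID pBuf, DWORD cbBuf, LPDWORD pcWritten) {
    const char* p = static_cast<const char*>(pBuf);
    g_spool.insert(g_spool.end(), p, p + cbBuf);
    if (pcWritten) *pcWritten = cbBuf;
    return 1;
}

// Stand-in for EasyHook's LhGetOldProc (assumption: the out-parameter receives
// the original entry point as a UCHAR*). With EasyHook linked, call the real one.
static void StubGetOldProc(UCHAR** out) {
    *out = reinterpret_cast<UCHAR*>(reinterpret_cast<std::uintptr_t>(&FakeWritePrinter));
}

static DWORD g_hookCalls = 0;

// The hook must carry the SAME convention as the function it replaces; otherwise
// the stack is already unbalanced on return, before the original is even called.
static BOOL CALLCONV WritePrinterHook(HANDLE hPrinter, LPVOID pBuf, DWORD cbBuf, LPDWORD pcWritten) {
    ++g_hookCalls;
    UCHAR* raw = nullptr;
    StubGetOldProc(&raw);
    if (!raw) return 0;
    // Convert through uintptr_t, not through `long`: on 64-bit Windows `long` is
    // 32 bits wide, so the question's cast would truncate the address.
    WritePrinter_t original =
        reinterpret_cast<WritePrinter_t>(reinterpret_cast<std::uintptr_t>(raw));
    return original(hPrinter, pBuf, cbBuf, pcWritten);
}

// Drive the hook the way the spooler would and report how many bytes reached
// the "printer", or -1 if the call failed or the byte count did not match.
long RunHookedWrite(const std::string& payload) {
    g_spool.clear();
    DWORD written = 0;
    BOOL ok = WritePrinterHook(nullptr,
                               const_cast<char*>(payload.data()),
                               static_cast<DWORD>(payload.size()), &written);
    if (!ok || written != payload.size()) return -1;
    return static_cast<long>(g_spool.size());
}

// Number of times the hook body ran since program start.
DWORD HookCallCount() { return g_hookCalls; }
```

The point to check in a real build is that every declaration involved (the `WritePrinterHookA` passed to `LhInstallHook`, the typedef used for the trampoline, and the exported function itself) resolves to the same convention; on x86 a mismatch in any one of them corrupts the stack, which is exactly the symptom the question describes.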

Source: https://habr.com/ru/post/1500931/
