Intercepting All SYSCALLs
Getting System-Calls
In HyperDbg, you can intercept all syscalls or a specific syscall.
For this purpose, use the !syscall command. The !sysret command is available as well for intercepting the return path of system calls.
There is a list of syscalls available here. You can find win32k syscalls here.
Syscall numbers are not stable across Windows releases, so check the table for the build you are debugging. For example, in Windows 10 2004, the syscall number for NtCreateFile is 0x55.
Suppose we want to intercept every attempt by the process with PID 2f4c (HyperDbg interprets numbers as hexadecimal by default) to create or open a file. NtCreateFile handles both, so we use the following command.

```
HyperDbg> !syscall 55 pid 2f4c
```
We might also want to monitor all processes. For example, to intercept whenever any process calls NtFreezeRegistry (syscall number 0xee), omit the pid parameter.

```
HyperDbg> !syscall ee
```