In HyperDbg, you are able to s or special a syscall.

For this purpose, you have to use the command. You can also use the too.

There is a list of syscalls available . You can find win32k syscalls .

For example, in Windows 10 2004, the syscall number for NtCreateFile is 0x55.

We want to intercept all the times that a process with pid 2f4c in our system tries to open a file, so we use the following command.

We might even want to monitor all processes. For example, we want to intercept whenever any process uses NtFreezeRegistry (syscall number 0xee).