A detection mechanism for UM syscall hooking done with InstrumentationCallback functions

SyscallInstrumentation.cpp

#include <Windows.h>

#define OFFSET_InstrumentationCallbackSp 0x2d0
#define OFFSET_InstrumentationCallbackPreviousPc 0x2d8
#define OFFSET_InstrumentationCallbackPreviousSp 0x2e0
#define OFFSET_InstrumentationCallbackDisabled 0x2ec
#define OFFSET_Instrumentation 0x16b8

typedef struct SyscallInstrumentation {
	BYTE InstrumentationCallbackDisabled;
	BYTE FoundInstrumentation;
	DWORD64 InstrumentationCallbackSp;
	DWORD64 InstrumentationCallbackPreviousPc;
	DWORD64 InstrumentationCallbackPreviousSp;
	DWORD64 Instrumentation;
} SyscallInstrumentation, *PSyscallInstrumentation;

PSyscallInstrumentation DetectSyscallInstrumentation(VOID) {
	PSyscallInstrumentation syscallInstInfo = (PSyscallInstrumentation)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SyscallInstrumentation));
	if (!syscallInstInfo) {
		return NULL;
	}
	syscallInstInfo->Instrumentation = __readgsqword(OFFSET_Instrumentation);
	syscallInstInfo->InstrumentationCallbackPreviousPc = __readgsqword(OFFSET_InstrumentationCallbackPreviousPc);
	syscallInstInfo->InstrumentationCallbackPreviousSp = __readgsqword(OFFSET_InstrumentationCallbackPreviousSp);
	syscallInstInfo->InstrumentationCallbackSp = __readgsqword(OFFSET_InstrumentationCallbackSp);
	syscallInstInfo->InstrumentationCallbackDisabled = __readgsqword(OFFSET_InstrumentationCallbackDisabled);
	syscallInstInfo->FoundInstrumentation = syscallInstInfo->InstrumentationCallbackDisabled || syscallInstInfo->InstrumentationCallbackPreviousPc ||  syscallInstInfo->InstrumentationCallbackPreviousSp;
	return syscallInstInfo;
}