From 6e3f8db3d4e42b50dc9ea77969682e06f3fc8457 Mon Sep 17 00:00:00 2001 From: doomedraven Date: Wed, 2 Aug 2017 14:21:18 +0200 Subject: [PATCH] NtOpenEvent hook "EventName" from NtOpenEvent required for Andromeda for example ``` eventname_int = int(eventname) if eventname_int == self.sysvolserial ^ 0x696e6a63: # 'injc' ``` --- sigs/sync.rst | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/sigs/sync.rst b/sigs/sync.rst index 1705ce11e..f9e1f4ab0 100644 --- a/sigs/sync.rst +++ b/sigs/sync.rst @@ -3,6 +3,39 @@ Signature:: * Calling convention: WINAPI * Category: synchronisation +NtOpenEvent +=========== + +Signature:: + + * Library: ntdll + * Return value: NTSTATUS + +Parameters:: + + ** PHANDLE EventHandle event_handle + ** ACCESS_MASK DesiredAccess desired_access + * POBJECT_ATTRIBUTES ObjectAttributes + +Flags:: + + desired_access + +Pre:: + + wchar_t *event_name = NULL; + if(ObjectAttributes != NULL) { + event_name = extract_unicode_string_unistr(ObjectAttributes->ObjectName); + } + +Logging:: + + u event_name event_name + +Post:: + + free_unicode_buffer(event_name); + NtCreateMutant ==============
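Review bot: The `Pre::` block of the new NtOpenEvent entry dereferences `ObjectAttributes->ObjectName` after checking only `ObjectAttributes` itself, and because hook code runs before the kernel validates the call's arguments, a sandbox-aware sample can hand in an OBJECT_ATTRIBUTES with a NULL (or unmapped) ObjectName and crash the monitored process inside the monitor instead of getting a clean NTSTATUS back. Unless `extract_unicode_string_unistr` is known to tolerate a NULL argument (not visible in this hunk; the sibling NtOpenMutant hook uses the same shape, so it may), tighten the guard to `if(ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL) {`. It is also worth a one-line comment in `Pre::` noting that `event_name` is logged as the bare string and `ObjectAttributes->RootDirectory` is not captured, so a signature matching on the name (such as the Andromeda `sysvolserial ^ 0x696e6a63` check quoted in the commit message) cannot tell which object directory the event was opened under.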