Да, благодарю. nop'ы забыл: far jmp (EA imm32 imm16) занимает 7 байт, а переписываемый пролог NtCreateFile — 10, поэтому после jmp нужны ровно три nop, чтобы перезаписать ровно эти 10 байт и не задеть следующую инструкцию. Должно выглядеть так
Код:
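/* Far jmp 0008:<detour> (EA imm32 imm16 = 7 bytes) padded with 3 nops to exactly
 * the 10 prologue bytes of nt!NtCreateFile that get overwritten (XP SP3 x86).
 * Bytes 1..4 are a placeholder; DetourFunctionNtCreateFile writes the real
 * trampoline address there before patching. The original listing had a fourth
 * nop (11 bytes), which would clobber the first byte of the following
 * `push dword ptr [ebp+30h]` if all of it were copied. */
unsigned char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08, 0x00, 0x90, 0x90, 0x90 };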
Но проблема дальше остаётся. Удачный hook получается только с функциями, которые в windbg выглядят примерно так (как NtCreateFile)
Код:
nt!NtCreateFile:
8056cdc0 8bff mov edi,edi
8056cdc2 55 push ebp
8056cdc3 8bec mov ebp,esp
8056cdc5 33c0 xor eax,eax
8056cdc7 50 push eax
8056cdc8 50 push eax
8056cdc9 50 push eax
8056cdca ff7530 push dword ptr [ebp+30h]
8056cdcd ff752c push dword ptr [ebp+2Ch]
8056cdd0 ff7528 push dword ptr [ebp+28h]
8056cdd3 ff7524 push dword ptr [ebp+24h]
8056cdd6 ff7520 push dword ptr [ebp+20h]
8056cdd9 ff751c push dword ptr [ebp+1Ch]
8056cddc ff7518 push dword ptr [ebp+18h]
8056cddf ff7514 push dword ptr [ebp+14h]
8056cde2 ff7510 push dword ptr [ebp+10h]
8056cde5 ff750c push dword ptr [ebp+0Ch]
8056cde8 ff7508 push dword ptr [ebp+8]
8056cdeb e87bfeffff call nt!IoCreateFile (8056cc6b)
//8056cdc0 8bff mov edi,edi
//8056cdc2 55 push ebp
//8056cdc3 8bec mov ebp,esp
//8056cdc5 33c0 xor eax,eax
//8056cdc7 50 push eax
//8056cdc8 50 push eax
//8056cdc9 50 push eax
Код:
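/*
 * Verify that nt!NtCreateFile still starts with the 10-byte prologue this
 * driver expects (Windows XP SP3 x86): mov edi,edi / push ebp / mov ebp,esp /
 * xor eax,eax / push eax x3. These are exactly the bytes that
 * my_function_detour_NtCreateFile replays, so a mismatch means a different
 * ntoskrnl build or a function someone else already patched — in either case
 * overwriting it would corrupt the instruction stream.
 *
 * Returns STATUS_SUCCESS when every byte matches, STATUS_UNSUCCESSFUL on the
 * first mismatch. Each inspected byte is traced with DbgPrint; the trace stops
 * at the mismatching byte.
 *
 * NOTE(review): this is a check-then-patch sequence; nothing prevents another
 * hook from changing the prologue between this check and the write in
 * DetourFunctionNtCreateFile. Confirm the caller holds whatever serialisation
 * the project relies on.
 */
NTSTATUS CheckFunctionBytesNtCreateFile(){
    /* Raw bytes are compared as unsigned char so the result does not depend
     * on the signedness of plain char. */
    static const unsigned char expected[] = {
        0x8b, 0xff, 0x55, 0x8b, 0xec, 0x33, 0xc0, 0x50, 0x50, 0x50
    }; /* win xp sp3 */
    const unsigned char *p = (const unsigned char *)NtCreateFile;
    unsigned int i;

    for (i = 0; i < sizeof expected; i++) {
        DbgPrint("NtCreateFile - 0x%02X ", p[i]);
        if (p[i] != expected[i]) {
            return STATUS_UNSUCCESSFUL;
        }
    }
    return STATUS_SUCCESS;
}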
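/*
 * Trampoline for the NtCreateFile hook (Windows XP SP3 x86, MSVC inline asm).
 *
 * The function is naked: the compiler adds no prologue or epilogue, so the
 * bytes below are the entire function. DetourFunctionNtCreateFile copies them
 * into non-paged pool and the patched jmp at nt!NtCreateFile lands here, so
 * the first seven instructions must be byte-for-byte the 10-byte prologue
 * that CheckFunctionBytesNtCreateFile verified (mov edi,edi / push ebp /
 * mov ebp,esp / xor eax,eax / push eax x3). They are followed by a far jmp
 * (EA imm32 imm16) whose 0xAAAAAAAA offset is a placeholder that the copy
 * step overwrites with NtCreateFile + 10; the 0x0008 selector matches the one
 * the live jmp uses in the disassembly above.
 *
 * There is deliberately no ret: control leaves through the far jmp into the
 * original body. As written the detour only redirects and returns to the
 * original — any hook logic would go before the replayed prologue.
 *
 * NOTE(review): the copy step patches the first run of four 0xAA bytes it
 * finds in the first 200 bytes, so no other 0xAA run may precede the
 * placeholder. The original declaration had no return type (implicit int);
 * it is declared void here.
 */
__declspec(naked) void my_function_detour_NtCreateFile(){
__asm{
mov edi,edi
push ebp
mov ebp,esp
xor eax,eax
push eax
push eax
push eax
_emit 0xEA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0xAA
_emit 0x08
_emit 0x00
}
}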
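/*
 * Install the NtCreateFile hook (Windows XP SP3 x86 only — the byte offsets
 * and the 32-bit unsigned long address arithmetic are specific to that
 * build).
 *
 * Steps:
 *   1. refuse to patch unless CheckFunctionBytesNtCreateFile confirms the
 *      expected 10-byte prologue (different build or already hooked);
 *   2. copy my_function_detour_NtCreateFile into non-paged pool and replace
 *      its 0xAAAAAAAA placeholder with the reentry address NtCreateFile + 10,
 *      so the replayed prologue falls through into the original body;
 *   3. overwrite the first 10 bytes of nt!NtCreateFile with
 *      `jmp 0008:<trampoline>` (EA imm32 imm16, 7 bytes) plus 3 nops.
 *
 * Side effects: the pool block is never freed — the trampoline must outlive
 * the hook — and kernel .text is modified in place. On any failure the
 * function returns without touching NtCreateFile.
 *
 * NOTE(review): nothing here disables write protection (CR0.WP or an MDL
 * mapping), and the 10-byte store is not atomic — a thread on another CPU
 * executing NtCreateFile mid-patch would run a half-written prologue. It also
 * assumes NonPagedPool is executable on the target. Confirm how the caller
 * handles all three.
 */
VOID DetourFunctionNtCreateFile(){
    enum {
        PROLOGUE_LEN  = 10,  /* bytes of NtCreateFile overwritten and replayed */
        TRAMPOLINE_SZ = 256, /* pool allocated for the detour copy */
        PLACEHOLDER   = 0xAA /* marker byte of the reentry-address slot */
    };
    /* EA <imm32 filled in below> 08 00 : far jmp to the trampoline, then 3 nops */
    unsigned char newcode[PROLOGUE_LEN] = {
        0xEA, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x90, 0x90, 0x90
    };
    unsigned char *actual_function = (unsigned char *)NtCreateFile;
    unsigned char *detour_bytes = (unsigned char *)my_function_detour_NtCreateFile;
    unsigned char *trampoline;
    unsigned long detour_address;
    unsigned long reentry_address = (unsigned long)NtCreateFile + PROLOGUE_LEN;
    int i;
    int slot_patched = 0;

    if (CheckFunctionBytesNtCreateFile() != STATUS_SUCCESS) {
        return; /* unknown prologue: patching would corrupt the instruction stream */
    }

    trampoline = (unsigned char *)ExAllocatePool(NonPagedPool, TRAMPOLINE_SZ);
    if (trampoline == NULL) {
        return;
    }

    /* The copy is deliberately larger than the detour itself; the tail is
     * whatever follows the detour in the driver image and is never executed. */
    for (i = 0; i < TRAMPOLINE_SZ; i++) {
        trampoline[i] = detour_bytes[i];
    }

    /* Find the first 0xAAAAAAAA run and drop the reentry address into it.
     * The bound is tied to the buffer so the i+3 read never overruns it.
     * Unaligned 32-bit store: fine on x86, which is all this targets. */
    for (i = 0; i + 3 < TRAMPOLINE_SZ; i++) {
        if (trampoline[i]     == PLACEHOLDER &&
            trampoline[i + 1] == PLACEHOLDER &&
            trampoline[i + 2] == PLACEHOLDER &&
            trampoline[i + 3] == PLACEHOLDER) {
            *((unsigned long *)(&trampoline[i])) = reentry_address;
            slot_patched = 1;
            break;
        }
    }
    if (!slot_patched) {
        /* Without a patched slot the trampoline would far-jump to 0xAAAAAAAA. */
        ExFreePool(trampoline);
        return;
    }

    /* Point the far jmp at the trampoline, then patch the live prologue. */
    detour_address = (unsigned long)trampoline;
    *((unsigned long *)(&newcode[1])) = detour_address;
    for (i = 0; i < PROLOGUE_LEN; i++) {
        actual_function[i] = newcode[i];
    }
}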
После чего имеем
Код:
nt!NtCreateFile:
8056cdc0 ea005fe1850800 jmp 0008:85E15F00
8056cdc7 90 nop
8056cdc8 90 nop
8056cdc9 90 nop
8056cdca ff7530 push dword ptr [ebp+30h]
8056cdcd ff752c push dword ptr [ebp+2Ch]
8056cdd0 ff7528 push dword ptr [ebp+28h]
8056cdd3 ff7524 push dword ptr [ebp+24h]
8056cdd6 ff7520 push dword ptr [ebp+20h]
8056cdd9 ff751c push dword ptr [ebp+1Ch]
8056cddc ff7518 push dword ptr [ebp+18h]
8056cddf ff7514 push dword ptr [ebp+14h]
8056cde2 ff7510 push dword ptr [ebp+10h]
8056cde5 ff750c push dword ptr [ebp+0Ch]
8056cde8 ff7508 push dword ptr [ebp+8]
8056cdeb e87bfeffff call nt!IoCreateFile (8056cc6b)
И всё работает ОК. А вот, например, с SeAccessCheck — никак: его начало не совпадает с этой 10-байтовой сигнатурой, так что проверка байтов и воспроизведённый в детуре пролог для него не подходят.
