You should be in the beginners section learning basics, anyway you asked this question about 2+ times to hook NtTerminateProcess you must
- Grab Address of NtTerminateProcess
- Unprotect 5 bytes of the address
- Add a 5-byte jmp to the prologue of the function, with the operand being the offset between NtTerminateProcess and callback with 0x5 added if you enabled hot-patching to avoid instruction\stack being corrupted
- In the callback you must replace the original stack and perform the overwritten instructions manually then jmp back with offset between NtTerminateProcess and the current EIP location with 0x5 added to avoid the jmp, which would avoid the infinite loop
if done correct you must be successfull.
This is as simple as we can get you see, any good Winapi member can do this in 40 seconds. Easy
Please don't ask me about math of finding offset. It is basic math.
NO! I will not give you the COE, "learn it don't ask it".
Next causally saying "sorry about that" as if it is trivial is not right, hooking is fairly simple topic it.
Thanks!
Sorry - I am not giving code as you are a "beginner" as you said and you still have to learn as Computer Security is about learning and besides learning is better than me giving code to you.