Detect Wow64 User-Mode Hooks (Method 2)

//http://waleedassar.blogspot.com - (@waleedassar)
//Code to detect Wow64 user-mode hooks
#include "stdafx.h"
#include "windows.h"

struct UNICODE_STRING
{
    unsigned short len;
    unsigned short max_len;
    wchar_t* pStr;
};

extern "C"
{
    int __stdcall ZwQueryVirtualMemory(HANDLE,void*,int,void*,int,unsigned long*);
}

wchar_t* GetBaseName(wchar_t* string)
{
     unsigned long i=lstrlenW(string);
     while(string[i-1]!='\\') i--;
     return &string[i];
}

int main(int argc, char* argv[])
{
    unsigned short cs_=0;
    unsigned char* WOW32Reserved=0;
    unsigned long PEB64=0;
    __asm
    {
        pushad
        mov eax, dword ptr fs:[0xC0]
        mov WOW32Reserved,eax
        mov eax,dword ptr fs:[0x30]
        add eax,0x1000
        mov PEB64,eax
        mov cs_,cs
        popad
    }
    if(!WOW32Reserved) return 1;  //not 64-bit system
    if(  (*WOW32Reserved==0xEA)&&( *(unsigned short*)(WOW32Reserved+5)!=cs_ )  )
    {
        unsigned long CpupReturnFromSimulatedCode=*(unsigned long*)(WOW32Reserved+1);
        MEMORY_BASIC_INFORMATION MBI={0};
        VirtualQuery((void*)CpupReturnFromSimulatedCode,&MBI,sizeof(MBI));
        if(MBI.Type==MEM_IMAGE)
        {
             char* p=(char*)LocalAlloc(LMEM_ZEROINIT,0x1000);
             if(ZwQueryVirtualMemory(GetCurrentProcess(),(void*)CpupReturnFromSimulatedCode,0x2 /*filename*/,p,0x1000,0) >= 0)
             {
                  if( ((UNICODE_STRING*)p)->len)
                  {
                         if(lstrcmpiW(L"wow64cpu.dll",GetBaseName(((UNICODE_STRING*)p)->pStr))==0)
                         {
                             LocalFree(p);
                             return 1;
                         }
                  }
             }
             LocalFree(p);
        }
    }
    MessageBox(0,"Hooked Wow64 process","waliedassar",0);
    return 0;  //hooked
}