APIHOOK

#include <stdio.h>

#include <windows.h>

#include <Dbghelp.h>

#pragma comment(lib,"Dbghelp.lib")

#pragma comment(lib,"User32.lib")

typedef int (__stdcall *OLD_MessageBox)( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType );

OLD_MessageBox g_procOldMessageBox = NULL;

int __stdcall HOOK_MessageBox( HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType)

{

    printf("%s\t%d\r\n",__FUNCTION__,__LINE__);

    if (NULL != g_procOldMessageBox)

        return g_procOldMessageBox(hWnd,lpText,TEXT("不好意思,hook到了!"),uType); 

    else

    return MessageBox(hWnd,lpText,lpCaption,uType); ;

}

int replace_IAT(const char *pDllName,const char *pApiName,void ** OldApiAddr,void * NewApiAddr,bool bReplace)

{

    HANDLE hProcess = ::GetModuleHandle (NULL);

    DWORD dwSize = 0;

    PIMAGE_IMPORT_DESCRIPTOR pImageImport = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(hProcess,TRUE,

        IMAGE_DIRECTORY_ENTRY_IMPORT,&dwSize);

    if (NULL == pImageImport)

        return 1;

    PIMAGE_IMPORT_BY_NAME pImageImportByName = NULL;

    PIMAGE_THUNK_DATA pImageThunkOriginal = NULL;

    PIMAGE_THUNK_DATA pImageThunkReal = NULL;

    while (pImageImport->Name)

    {

        if (0 == lstrcmpiA((char*)((PBYTE)hProcess+pImageImport->Name),pDllName))

        {

            break;

        }

        ++pImageImport;

    }

    if (! pImageImport->Name)

        return 2;

    pImageThunkOriginal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->OriginalFirstThunk );

    pImageThunkReal = (PIMAGE_THUNK_DATA)((PBYTE)hProcess+pImageImport->FirstThunk );

    while (pImageThunkOriginal->u1.Function)

    {

        if ((pImageThunkOriginal->u1.Ordinal & IMAGE_ORDINAL_FLAG) != IMAGE_ORDINAL_FLAG)

        {

            pImageImportByName = (PIMAGE_IMPORT_BY_NAME)((PBYTE)hProcess+pImageThunkOriginal->u1.AddressOfData );

            if (0 == lstrcmpiA(pApiName,(char*)pImageImportByName->Name))

            {

                MEMORY_BASIC_INFORMATION mbi_thunk;

                VirtualQuery(pImageThunkReal, &mbi_thunk, sizeof(MEMORY_BASIC_INFORMATION)); 

                VirtualProtect(mbi_thunk.BaseAddress,mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect); 

                if (true == bReplace)

                {

                    *OldApiAddr = (void*)pImageThunkReal->u1.Function; 

                    pImageThunkReal->u1.Function = (DWORD)(NewApiAddr);

                }

                else

                   {

                    pImageThunkReal->u1.Function = (DWORD)(*OldApiAddr);

                        *OldApiAddr  = NULL;

                    }

                DWORD dwOldProtect; 

                VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, &dwOldProtect); 

                break;

            }

        }

        ++pImageThunkOriginal;

        ++pImageThunkReal;

    }

    return 0;

}

int _tmain(int argc, _TCHAR* argv[])

{

    replace_IAT("User32.dll","MessageBoxW",(void**)&g_procOldMessageBox,HOOK_MessageBox,true);

    MessageBox(NULL,TEXT("EnumIAT User32.dll MessageBoxW true;"),TEXT(""),MB_OK);

    replace_IAT("User32.dll","MessageBoxW",(void**)&g_procOldMessageBox,HOOK_MessageBox,false);

    MessageBox(NULL,TEXT("EnumIAT User32.dll MessageBoxW false;"),TEXT("UnHook!"),MB_OK);

    return getchar();

    return 0;

}