原来是我的替代函数原型有问题,贴出来给大家共享一下,免得再像我一样犯这种错误!
这是我老出异常的替代函数=====》
// Faulty replacement for CreateFileW, kept as the "before" example.
// The declaration carries no WINAPI, so the function is compiled with the
// compiler's default calling convention rather than the one CreateFileW is
// declared with. The page reports that this version is called in place of
// CreateFileW but an exception follows after it returns.
// NOTE(review): the documented CreateFileW prototype takes LPCWSTR for
// lpFileName; `unsigned short*` presumably relies on the author's compiler
// treating wchar_t as a typedef for unsigned short. Confirm before reuse.
HANDLE MyCreateFileW(
    unsigned short* lpFileName,
    DWORD dwDesiredAccess,
    DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile)
{
    // Audible marker showing that the replacement was reached.
    Beep(1000, 100);

    // Forward every argument unchanged to the real API and hand its result back.
    HANDLE hFile = CreateFileW(
        lpFileName,
        dwDesiredAccess,
        dwShareMode,
        lpSecurityAttributes,
        dwCreationDisposition,
        dwFlagsAndAttributes,
        hTemplateFile);
    return hFile;
}
这是修改以后的=========》
// Corrected replacement for CreateFileW.
// WINAPI gives the function the same calling convention as the API whose
// import slot it is stored in, which is the change the page credits with
// removing the exception. `static` only limits the name to this translation
// unit.
// NOTE(review): the documented CreateFileW prototype takes LPCWSTR for
// lpFileName; `unsigned short*` presumably relies on the author's compiler
// treating wchar_t as a typedef for unsigned short. Confirm before reuse.
static HANDLE WINAPI MyCreateFileW(
    unsigned short* lpFileName,
    DWORD dwDesiredAccess,
    DWORD dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition,
    DWORD dwFlagsAndAttributes,
    HANDLE hTemplateFile)
{
    // Audible marker showing that the replacement was reached.
    Beep(1000, 100);

    // Forward every argument unchanged to the real API and hand its result back.
    HANDLE hFile = CreateFileW(
        lpFileName,
        dwDesiredAccess,
        dwShareMode,
        lpSecurityAttributes,
        dwCreationDisposition,
        dwFlagsAndAttributes,
        hTemplateFile);
    return hFile;
}
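区别就在函数声明上:关键是 WINAPI(即 __stdcall),它让替代函数与 CreateFileW 使用相同的调用约定。缺少它时,编译器(MSVC 默认设置下)按 __cdecl 生成函数,返回时不清理参数,而原来调用 CreateFileW 的代码也不会清理,于是在 32 位 x86 上栈指针错位,返回后出异常;static 只影响链接可见性,与此问题无关。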
================================================
HANDLE MyCreateFileW(...)//可以替代CreateFileW,但返回后出异常
static HANDLE WINAPI MyCreateFileW(...)//可以替代CreateFileW,一切正常
===============================================
我替换 IAT 的函数是从 www.codeproject.com 上下载的,呵呵,不要笑我懒啊。函数如下,大家可以直接使用。
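//---------------------------------------------------------------------------
// ReplaceInOneModule
//
// Replace the address of one imported function in the IAT of a specific
// module.
//
// Parameters:
//   pszCalleeModName - name of the imported module as it appears in the
//                      caller's import descriptors (compared without regard
//                      to case)
//   pfnCurrent       - address currently stored in the IAT slot to replace
//   pfnNew           - address to store in that slot
//   hmodCaller       - module whose import table is searched
//
// Returns TRUE only when a slot holding pfnCurrent was found and
// overwritten. Returns FALSE when an argument is NULL, the module has no
// import section, it does not import from pszCalleeModName, no slot holds
// pfnCurrent, or the slot could not be made writable.
//
// Only the first matching slot is rewritten, and only calls that go through
// hmodCaller's import table are affected.
//---------------------------------------------------------------------------
BOOL ReplaceInOneModule(PCSTR pszCalleeModName,PROC pfnCurrent,PROC pfnNew,HMODULE hmodCaller)
{
    // Reject arguments that would fault below or leave a NULL import slot.
    // The thunk walk stops at a zero entry, so a NULL pfnCurrent can never match.
    if (pszCalleeModName == NULL || pfnCurrent == NULL ||
        pfnNew == NULL || hmodCaller == NULL)
        return FALSE;

    // Get the address of the module's import section.
    ULONG ulSize = 0;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc =
        (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
            hmodCaller,
            TRUE,
            IMAGE_DIRECTORY_ENTRY_IMPORT,
            &ulSize);

    // Does this module have an import section?
    if (pImportDesc == NULL)
        return FALSE;

    // Find the import descriptor that refers to the callee module.
    // The descriptor table ends with an entry whose Name is zero.
    for (; pImportDesc->Name; pImportDesc++)
    {
        PSTR pszModName = (PSTR)((PBYTE)hmodCaller + pImportDesc->Name);
        if (stricmp(pszModName, pszCalleeModName) == 0)
            break; // Found
    }

    // Does this module import any functions from this callee?
    if (pImportDesc->Name == 0)
        return FALSE;

    // Walk the caller's IAT for that descriptor.
    PIMAGE_THUNK_DATA pThunk =
        (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pImportDesc->FirstThunk);

    for (; pThunk->u1.Function; pThunk++)
    {
        // Address of the slot that holds the imported function's address.
        PROC* ppfn = (PROC*)&pThunk->u1.Function;
        if (*ppfn != pfnCurrent)
            continue;

        // Make only the page(s) holding this one slot writable, instead of
        // the whole surrounding region, so as little memory as possible is
        // writable while the slot is patched.
        DWORD dwOldProtect = 0;
        if (!::VirtualProtect(ppfn, sizeof(*ppfn), PAGE_READWRITE, &dwOldProtect))
            return FALSE;

        // Store the new address in the slot.
        *ppfn = pfnNew;

        // Restore the previous protection. If this call fails the page stays
        // writable; the return value still reports that the slot was written.
        DWORD dwIgnored = 0;
        ::VirtualProtect(ppfn, sizeof(*ppfn), dwOldProtect, &dwIgnored);
        return TRUE;
    }

    // This function is not in the caller's import section.
    return FALSE;
}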



