EAT Hook
 

typedef int (__stdcall *pfnMessageBoxA)(HWND hWnd ,
                                         LPCSTR lpText ,
                                         LPCSTR lpCaption ,
                                         UINT uType
                                         );
 pfnMessageBoxA OldMessageBoxA = NULL ;
 LPVOID HookEAT ( HMODULE hMod , char * szApiName , LPVOID lpHookRoutine );
 int __stdcall HookMessageBoxA ( HWND hWnd , LPCSTR lpText , LPCSTR lpCaption , UINT uType );
 int _tmain ( int argc , _TCHAR * argv [])
{
         HMODULE hUser32 = LoadLibraryA ( "user32.dll" );
         OldMessageBoxA = ( pfnMessageBoxA ) HookEAT ( hUser32 , "MessageBoxA" , HookMessageBoxA );
         if ( ! OldMessageBoxA )
         {
                 printf ( "Hook EAT failed. " );
                 goto __exit ;
         }
         pfnMessageBoxA MsgBox = ( pfnMessageBoxA ) GetProcAddress ( hUser32 , "MessageBoxA" );
         if ( ! MsgBox )
         {
                 printf ( "Get MessageBoxA failed. " );
                 goto __exit ;
         }
         MsgBox ( 0 , "Hello" , "Hello" , 0 );
 __exit :
         system ( "pause" );
         return 0 ;
}

 LPVOID HookEAT ( HMODULE hMod , char * szApiName , LPVOID lpHookRoutine )
{
         LPVOID lpOldAddr = NULL ;
         PIMAGE_DOS_HEADER pDosHdr = ( PIMAGE_DOS_HEADER ) hMod ;
         PIMAGE_NT_HEADERS pNtHdr = ( PIMAGE_NT_HEADERS )(( DWORD ) hMod + pDosHdr -> e_lfanew );
         PIMAGE_EXPORT_DIRECTORY pExpDir = ( PIMAGE_EXPORT_DIRECTORY )
                 (( DWORD ) hMod + pNtHdr -> OptionalHeader . DataDirectory [ IMAGE_DIRECTORY_ENTRY_EXPORT ]. VirtualAddress );
         WORD * pwOrds = ( WORD *)(( DWORD ) hMod + pExpDir -> AddressOfNameOrdinals );
         DWORD * pdwRvas = ( DWORD *)(( DWORD ) hMod + pExpDir -> AddressOfFunctions );
         DWORD * pdwNames = ( DWORD *)(( DWORD ) hMod + pExpDir -> AddressOfNames );
         int i = 0 , j = 0 ;
         char * pszApiName = NULL ;
         for ( i = 0 ; i < pExpDir -> NumberOfFunctions ; i ++)
         {
                 pszApiName = NULL ;
                 if ( * pdwRvas )
                 {
                         for ( j = 0 ; j < pExpDir -> NumberOfNames ; j ++)
                         {
                                 if ( i == pwOrds [ j ] )
                                 {
                                         pszApiName = ( char *)(( DWORD ) hMod + pdwNames [ j ]);
                                         break ;
                                 }
                         }
                         if ( _stricmp ( szApiName , pszApiName ) == 0 )
                         {
                                 DWORD dwOldProtect ;
                                 lpOldAddr = ( LPVOID )(( DWORD ) hMod + * pdwRvas );
                                 printf ( "Hook EAT : %s.0x%08X. " , pszApiName , lpOldAddr );
                                 DWORD dwDelta = ( DWORD ) HookMessageBoxA - ( DWORD ) hMod ;
                                 printf ( "Delta : 0x%08X. " , dwDelta );
                                 VirtualProtectEx (
                                         GetCurrentProcess (), pdwRvas , sizeof ( DWORD ),
                                         PAGE_READWRITE ,& dwOldProtect );
                                 * pdwRvas = dwDelta ;
                                 break ;
                         }
                 }
                 pdwRvas ++;
         }
         return lpOldAddr ;
}

 int __stdcall HookMessageBoxA ( HWND hWnd , LPCSTR lpText , LPCSTR lpCaption , UINT uType )
{
         return OldMessageBoxA ( hWnd , lpText , "EAT Hook Demo" , uType );
}
e1bddcd257edb22c3bf3cf12.jpg