d1/d41/apitest__iathook_8h_source.html

 #ifndef _APITEST_IATHOOK_H
 #define _APITEST_IATHOOK_H

 static PIMAGE_IMPORT_DESCRIPTOR FindImportDescriptor(PBYTE DllBase, PCSTR DllName)
 {
     ULONG Size;
     PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor = RtlImageDirectoryEntryToData((HMODULE)DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size);
     while (ImportDescriptor->Name && ImportDescriptor->OriginalFirstThunk)
     {
         PCHAR Name = (PCHAR)(DllBase + ImportDescriptor->Name);
         if (!lstrcmpiA(Name, DllName))
         {
             return ImportDescriptor;
         }
         ImportDescriptor++;
     }
     return NULL;
 }

 static BOOL RedirectIat(HMODULE TargetDll, PCSTR DllName, PCSTR FunctionName, ULONG_PTR NewFunction, ULONG_PTR* OriginalFunction)
 {
     PBYTE DllBase = (PBYTE)TargetDll;
     PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor = FindImportDescriptor(DllBase, DllName);
     if (ImportDescriptor)
     {
         // On loaded images, OriginalFirstThunk points to the name / ordinal of the function
         PIMAGE_THUNK_DATA OriginalThunk = (PIMAGE_THUNK_DATA)(DllBase + ImportDescriptor->OriginalFirstThunk);
         // FirstThunk points to the resolved address.
         PIMAGE_THUNK_DATA FirstThunk = (PIMAGE_THUNK_DATA)(DllBase + ImportDescriptor->FirstThunk);
         while (OriginalThunk->u1.AddressOfData && FirstThunk->u1.Function)
         {
             if (!IMAGE_SNAP_BY_ORDINAL32(OriginalThunk->u1.AddressOfData))
             {
                 PIMAGE_IMPORT_BY_NAME ImportName = (PIMAGE_IMPORT_BY_NAME)(DllBase + OriginalThunk->u1.AddressOfData);
                 if (!lstrcmpiA((PCSTR)ImportName->Name, FunctionName))
                 {
                     DWORD dwOld;
                     VirtualProtect(&FirstThunk->u1.Function, sizeof(ULONG_PTR), PAGE_EXECUTE_READWRITE, &dwOld);
                     *OriginalFunction = FirstThunk->u1.Function;
                     FirstThunk->u1.Function = NewFunction;
                     VirtualProtect(&FirstThunk->u1.Function, sizeof(ULONG_PTR), dwOld, &dwOld);
                     return TRUE;
                 }
             }
             OriginalThunk++;
             FirstThunk++;
         }
         skip("Unable to find the Import %s!%s\n", DllName, FunctionName);
     }
     else
     {
         skip("Unable to find the ImportDescriptor for %s\n", DllName);
     }
     return FALSE;
 }

 static BOOL RestoreIat(HMODULE TargetDll, PCSTR DllName, PCSTR FunctionName, ULONG_PTR OriginalFunction)
 {
     ULONG_PTR old = 0;
     return RedirectIat(TargetDll, DllName, FunctionName, OriginalFunction, &old);
 }

  #endif // _APITEST_IATHOOK_H

PCHAR
signed char * PCHAR
Definition: retypes.h:7

lstrcmpiA
int WINAPI lstrcmpiA(LPCSTR lpString1, LPCSTR lpString2)
Definition: lstring.c:42

TRUE
#define TRUE
Definition: types.h:120

_IMAGE_IMPORT_BY_NAME
Definition: pedump.c:328

Size
IN PVOID IN PVOID IN USHORT IN USHORT Size
Definition: pci.h:361

PIMAGE_IMPORT_BY_NAME
struct _IMAGE_IMPORT_BY_NAME * PIMAGE_IMPORT_BY_NAME

ULONG_PTR
uint32_t ULONG_PTR
Definition: typedefs.h:65

_IMAGE_IMPORT_DESCRIPTOR::Name
ULONG Name
Definition: ntimage.h:579

FALSE
#define FALSE
Definition: types.h:117

IMAGE_SNAP_BY_ORDINAL32
#define IMAGE_SNAP_BY_ORDINAL32(Ordinal)
Definition: ntimage.h:524

BOOL
unsigned int BOOL
Definition: ntddk_ex.h:94

FindImportDescriptor
static PIMAGE_IMPORT_DESCRIPTOR FindImportDescriptor(PBYTE DllBase, PCSTR DllName)
Definition: apitest_iathook.h:4

NameRec_
Definition: apinames.c:48

RestoreIat
static BOOL RestoreIat(HMODULE TargetDll, PCSTR DllName, PCSTR FunctionName, ULONG_PTR OriginalFunction)
Definition: apitest_iathook.h:57

_IMAGE_IMPORT_BY_NAME::Name
BYTE Name[1]
Definition: pedump.c:331

PCHAR
#define PCHAR
Definition: match.c:90

_IMAGE_IMPORT_DESCRIPTOR::OriginalFirstThunk
ULONG OriginalFirstThunk
Definition: ntimage.h:575

_IMAGE_THUNK_DATA32::Function
ULONG Function
Definition: ntimage.h:513

DWORD
unsigned long DWORD
Definition: ntddk_ex.h:95

_IMAGE_THUNK_DATA32::AddressOfData
ULONG AddressOfData
Definition: ntimage.h:515

VirtualProtect
BOOL NTAPI VirtualProtect(IN LPVOID lpAddress, IN SIZE_T dwSize, IN DWORD flNewProtect, OUT PDWORD lpflOldProtect)
Definition: virtmem.c:144

RtlImageDirectoryEntryToData
#define RtlImageDirectoryEntryToData
Definition: compat.h:668

_IMAGE_IMPORT_DESCRIPTOR::FirstThunk
ULONG FirstThunk
Definition: ntimage.h:580

_IMAGE_THUNK_DATA32::u1
union _IMAGE_THUNK_DATA32::@2088 u1

RedirectIat
static BOOL RedirectIat(HMODULE TargetDll, PCSTR DllName, PCSTR FunctionName, ULONG_PTR NewFunction, ULONG_PTR *OriginalFunction)
Definition: apitest_iathook.h:20

NULL
#define NULL
Definition: types.h:112

_IMAGE_THUNK_DATA32
Definition: ntimage.h:510

FunctionName
ACPI_BUFFER *RetBuffer ACPI_BUFFER *RetBuffer char ACPI_WALK_RESOURCE_CALLBACK void *Context ACPI_BUFFER *RetBuffer UINT16 ACPI_RESOURCE **ResourcePtr ACPI_GENERIC_ADDRESS *Reg UINT32 *ReturnValue UINT8 UINT8 *Slp_TypB ACPI_PHYSICAL_ADDRESS PhysicalAddress64 UINT32 UINT32 *TimeElapsed UINT32 ACPI_STATUS const char UINT32 ACPI_STATUS const char UINT32 const char * FunctionName
Definition: acpixf.h:1274

IMAGE_DIRECTORY_ENTRY_IMPORT
#define IMAGE_DIRECTORY_ENTRY_IMPORT
Definition: pedump.c:260

skip
#define skip(...)
Definition: atltest.h:64

ULONG
unsigned int ULONG
Definition: retypes.h:1

PCSTR
const char * PCSTR
Definition: typedefs.h:52

PAGE_EXECUTE_READWRITE
#define PAGE_EXECUTE_READWRITE
Definition: nt_native.h:1308

void
Definition: nsiface.idl:2306

_IMAGE_IMPORT_DESCRIPTOR
Definition: ntimage.h:572

PBYTE
BYTE * PBYTE
Definition: pedump.c:66

PIMAGE_THUNK_DATA
PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA
Definition: ntimage.h:566