hook逻辑写入dll中，注入dll。

#include "pch.h"
#include
#include "windows.h"
//WINBASEAPI
//BOOL
//WINAPI
//WriteFile(
// _In_ HANDLE hFile,
// _In_reads_bytes_opt_(nNumberOfBytesToWrite) LPCVOID lpBuffer,
// _In_ DWORD nNumberOfBytesToWrite,
// _Out_opt_ LPDWORD lpNumberOfBytesWritten,
// _Inout_opt_ LPOVERLAPPED lpOverlapped
//);
typedef BOOL(WINAPI* PFWRITEFILE)(HANDLE hFile,
LPCVOID lpBuffer,
DWORD nNumberOfBytesToWrite,
LPDWORD lpNumberOfBytesWritten,
LPOVERLAPPED lpOverlapped);
FARPROC g_pOrgFunc = NULL;//全局变量

BOOL hook_iat(LPCSTR szDllName, PROC pfnOrg, PROC pfnNew)//负责勾取IAT
{

LPCSTR szLibName;  
PIMAGE\_IMPORT\_DESCRIPTOR pImportDesc;  
PIMAGE\_THUNK\_DATA64 pThunk;  
DWORD dwOldProtect;  
DWORD dwRVA;  
PBYTE pAddr;//8字节

pAddr = (PBYTE)GetModuleHandle(NULL);//pAddr = ImageBase;获得内存中装载的地址  
PIMAGE\_DOS\_HEADER pDosHeader = (PIMAGE\_DOS\_HEADER)pAddr;//指向dos头  
PIMAGE\_NT\_HEADERS64 pNT = (PIMAGE\_NT\_HEADERS64)(pAddr + pDosHeader->e\_lfanew);//指向pe头  
dwRVA = pNT->OptionalHeader.DataDirectory\[1\].VirtualAddress;//pe头--》可选头--》数据目录--》第2项 输入表;取得输入表rva  
pImportDesc = (PIMAGE\_IMPORT\_DESCRIPTOR)(pAddr + dwRVA);//输入表的内存地址

for (; pImportDesc->Name; pImportDesc++)//循环遍历IDT;(IMAGE\_IMPORT\_DESCRIPTOR数组)  
{  
    szLibName = (LPCSTR)(pAddr + pImportDesc->Name);// szLibName = VA to IMAGE\_IMPORT\_DESCRIPTOR.Name  
    if (!\_stricmp(szLibName, szDllName))//找到对应dll名的IID;(IMAGE\_IMPORT\_DESCRIPTOR)  
    {  
        // pThunk = IMAGE\_IMPORT\_DESCRIPTOR.FirstThunk  
        //        = VA to IAT(Import Address Table)  
        pThunk = (PIMAGE\_THUNK\_DATA64)(pAddr + pImportDesc->FirstThunk);//系统装载结束后，FirstThunk指向IAT,  pThunk就是IAT

        for (; pThunk->u1.Function; pThunk++)// pThunk->u1.Function = VA to API 遍历IAT  
        {  
            if (pThunk->u1.Function == (ULONGLONG)pfnOrg)//查找要hook函数的地址  
            {  
                VirtualProtect((LPVOID)&pThunk->u1.Function, 8, PAGE\_EXECUTE\_READWRITE, &dwOldProtect);  
                pThunk->u1.Function = (ULONGLONG)pfnNew;//修改IAT的值  
                VirtualProtect((LPVOID)&pThunk->u1.Function, 8, dwOldProtect, &dwOldProtect);  
                return TRUE;  
            }  
        }  
    }  
}    return FALSE;  

}
BOOL WINAPI MyFunc(HANDLE hFile,
LPCVOID lpBuffer,
DWORD nNumberOfBytesToWrite,
LPDWORD lpNumberOfBytesWritten,
LPOVERLAPPED lpOverlapped)
{
char* pc = (char*)lpBuffer;
//小写转大写-0x20
while (*pc) {
if (*pc >= 'a' && *pc <= 'z')
*pc -= 0x20;
pc++;
}
return ((PFWRITEFILE)g_pOrgFunc)(hFile, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten, lpOverlapped);//调用原WriteFile
}

BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
g_pOrgFunc = GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "WriteFile");//保存原始API地址
hook_iat("kernel32.dll", g_pOrgFunc, (PROC)MyFunc);//使用hookiat!MySetWindowText()勾取kernel32.dll中的WriteFile函数
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
hook_iat("kernel32.dll", (PROC)MyFunc, g_pOrgFunc);//unhook，恢复IAT原来的值
break;
}
return TRUE;
}

64位和32位pe有些结构大小不同，IMAGE_NT_HEADERS64；IMAGE_OPTIONAL_HEADER64；IMAGE_THUNK_DATA64……