BOOL WINAPI DetourReplaceExport(HMODULE hModule, PCSTR pszExportName, PVOID *ppCode) { PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule; if (hModule == NULL) { pDosHeader = (PIMAGE_DOS_HEADER)GetModuleHandle(NULL); } __try { if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) { SetLastError(ERROR_BAD_EXE_FORMAT); return NULL; } PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader + pDosHeader->e_lfanew); if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) { SetLastError(ERROR_INVALID_EXE_SIGNATURE); return FALSE; } if (pNtHeader->FileHeader.SizeOfOptionalHeader == 0) { SetLastError(ERROR_EXE_MARKED_INVALID); return FALSE; } PIMAGE_EXPORT_DIRECTORY pExportDir = (PIMAGE_EXPORT_DIRECTORY) RvaAdjust(pDosHeader, pNtHeader->OptionalHeader .DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); if (pExportDir == NULL) { SetLastError(ERROR_EXE_MARKED_INVALID); return FALSE; } PDWORD pdwFunctions = (PDWORD)RvaAdjust(pDosHeader, pExportDir->AddressOfFunctions); PDWORD pdwNames = (PDWORD)RvaAdjust(pDosHeader, pExportDir->AddressOfNames); PWORD pwOrdinals = (PWORD)RvaAdjust(pDosHeader, pExportDir->AddressOfNameOrdinals); for (DWORD nFunc = 0; nFunc < pExportDir->NumberOfFunctions; nFunc++) { PBYTE pbCode = (pdwFunctions != NULL) ? (PBYTE)RvaAdjust(pDosHeader, pdwFunctions[nFunc]) : NULL; PCHAR pszName = NULL; for (DWORD n = 0; n < pExportDir->NumberOfNames; n++) { if (pwOrdinals[n] == nFunc) { pszName = (pdwNames != NULL) ? (PCHAR)RvaAdjust(pDosHeader, pdwNames[n]) : NULL; break; } } if( (pszName != NULL) && (ppCode != NULL) && (strcmp(pszName, pszExportName) == 0) ) { PVOID dwReplace = *ppCode; DWORD dwOldProtect = 0; if(VirtualProtect(&pdwFunctions[nFunc], 0x04, PAGE_EXECUTE_READWRITE, &dwOldProtect)) { *ppCode = pbCode; pdwFunctions[nFunc] = (DWORD)dwReplace - (DWORD)pDosHeader; VirtualProtect(&pdwFunction[nFunc], 0x04, dwOldProtect, &dwOldProtect); } break; } } SetLastError(NO_ERROR); return TRUE; } __except(EXCEPTION_EXECUTE_HANDLER) { SetLastError(ERROR_EXE_MARKED_INVALID); return NULL; } }