四:后记
拦截的方式多种多样,不过大体的思路都相同。要时刻注意被拦截函数的堆栈状态,以及拦截函数中对数据的引用和对其他函数的调用(即地址问题)。
//////////////////////////////////////////////////////////////////////
附录:一个拦截CreateFile函数的简单实现
//////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <windows.h>
#include <Psapi.h>
#pragma comment(lib, "psapi.lib")
/*
 * Parameter block passed to the hook below (HookCreateFile receives it as
 * its lParam). API entry points are carried as raw 32-bit addresses rather
 * than resolved through this module's import table; together with the
 * "Remote" naming this suggests the hook is meant to execute inside another
 * process, but the injection code itself is not part of this excerpt.
 * DWORD is 32 bits wide, so these fields can only hold code addresses in a
 * 32-bit (x86) process.
 */
typedef struct _RemoteParam {
DWORD dwCreateFile;         /* cast to PFN_CREATEFILE at the top of HookCreateFile */
DWORD dwMessageBox;         /* cast to PFN_MESSAGEBOX and called to ask the user */
DWORD dwGetCurrentProcess;  /* presumably GetCurrentProcess; not referenced in the visible part of the hook */
DWORD dwWriteProcessMemory; /* presumably WriteProcessMemory; not referenced in the visible part of the hook */
unsigned char szOldCode;    /* NOTE(review): declared as a single byte, yet the hook later indexes
                               szNewCode[0] — an array dimension may have been lost in transcription;
                               confirm against the original listing */
DWORD FunAddr;              /* not referenced in the visible part of the hook */
} RemoteParam, * PRemoteParam;
/*
 * __stdcall function-pointer types for the Win32 APIs whose addresses
 * RemoteParam carries. The visible part of the hook uses PFN_CREATEFILE and
 * PFN_MESSAGEBOX; the other two are not referenced in this excerpt.
 * PFN_MESSAGEBOX declares its last parameter as DWORD where the real API
 * uses UINT — same width on Win32, so the call is ABI-compatible.
 */
typedef HANDLE (__stdcall * PFN_CREATEFILE)(LPCTSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE);
typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);
typedef BOOL (__stdcall * PFN_WRITEPROCESSMEMORY)(HANDLE,LPVOID,LPCVOID,SIZE_T,SIZE_T*);
typedef HANDLE (__stdcall * PFN_GETCURRENTPROCESS)(void);
#define PROCESSNUM 128 /* not referenced in this excerpt */
/*
 * Export names of the wide-character API variants (presumably resolved with
 * GetProcAddress; that code is not in this excerpt). The LPCTSTR parameters
 * in the typedefs above only denote wide strings when UNICODE is defined; in
 * a narrow build the pointers still pass through unchanged, but the declared
 * type is misleading.
 */
#define MYMESSAGEBOX "MessageBoxW"
#define MYCREATEFILE "CreateFileW"
void HookCreateFile(LPVOID lParam)
{
RemoteParam* pRP = (RemoteParam*)lParam;
DWORD NextIpAddr = 0;
DWORD dwParamaAddr = 0;
HANDLE RetFpHdl = INVALID_HANDLE_value;
LPCTSTR lpFileName;
DWORD dwDesiredAccess;
DWORD dwShareMode;
LPSECURITY_ATTRIBUTES lpSecurityAttributes;
DWORD dwCreationDisposition;
DWORD dwFlagsAndAttributes;
HANDLE hTemplateFile;
PFN_CREATEFILE pfnCreatefile = (PFN_CREATEFILE)pRP->dwCreateFile;
__asm
{
MOV EAX,[EBP+8]
MOV [dwParamaAddr], EAX
MOV EAX,[EBP+12]
MOV [NextIpAddr], EAX
MOV EAX,[EBP+16]
MOV [lpFileName], EAX
MOV EAX,[EBP+20]
MOV [dwDesiredAccess],EAX
MOV EAX,[EBP+24]
MOV [dwShareMode],EAX
MOV EAX,[EBP+28]
MOV [lpSecurityAttributes],EAX
MOV EAX,[EBP+32]
MOV [dwCreationDisposition],EAX
MOV EAX,[EBP+36]
MOV [dwFlagsAndAttributes],EAX
MOV EAX,[EBP+40]
MOV [hTemplateFile],EAX
}
PFN_MESSAGEBOX pfnMessageBox = (PFN_MESSAGEBOX)pRP->dwMessageBox;
int allowFlag = pfnMessageBox(NULL, lpFileName, NULL, MB_ICONINformATION | MB_YESNO);
if(allowFlag == IDYES)
{
unsigned char szNewCode;
int PramaAddr = (int)dwParamaAddr;
szNewCode = PramaAddr>>24;
szNewCode = (PramaAddr<<8)>>24;
szNewCode = (PramaAddr<<16)>>24;
szNewCode = (PramaAddr<<24)>>24;
szNewCode[0]