PECompact 2
API Hook Plug-ins

GetProcAddressWithHintHook

FARPROC GetProcAddressWithHintHook(HMODULE hModule,
                                       TCHAR *ptszApiNameOrOrdinal,
                                       DWORD dwNameHint);
                                      

This function is invoked by the loader each time an API address needs to be resolved. If a hook needs to be applied, it should return the address of the hook procedure instead of the real API address. Otherwise, it should return the API address as resolved via GetProcAddress supplied to the Initialize function.

The first two parameters, hModule and ptszApiNameOrOrdinal, are identical to the first two GetProcAddress parameters. The third parameter is an optional name hint value. It should be ignored unless you are manually resolving APIs by traversing the appropriate export table.

Since code is injected into compressed executables, it can not reference anything outside the bounds of the HOOK_DATA object or reference anything by static addresses, since those addresses will change. Therefore, it inherently can not have any references that require a base relocation.

hModule is the handle to the module the API exists in. This parameter is the same as the corresponding GetProcAddress parameter.

ptszApiNameOrOrdinal is the asciiz name of the API or, if the high word is zero, the low word represents the ordinal value of the API to import. This parameter is the same as the corresponding GetProcAddress parameter.

dwNameHint provides a name hint value for manual traversal of export tables. It should be ignored in most cases.