我自己用Delphi写了个，可惜没hook成功，也不知道是哪出了问题，请各位帮忙看看咯。谢谢！

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls,TLHelp32,ImageHlp, ExtCtrls, ComCtrls,JwaWinNT;

type
  TForm1 = class(TForm)
    Panel1: TPanel;
    Button1: TButton;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;


type
    pFunction=function(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
var
  Form1: TForm1;
  pThunk:PIMAGE_THUNK_DATA;
  function MessageBoxB(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
  procedure HookFunction(hFormModule:HMODULE; pStrFunctionModule,
                         pStrFunctionName:pchar;pNewFunction:Pointer);
implementation

{$R *.dfm}

procedure HookFunction(hFormModule:HMODULE; pStrFunctionModule,
                       pStrFunctionName:pchar;pNewFunction:Pointer);
var
    pid:PIMAGE_IMPORT_DESCRIPTOR;
    //pThunk:PIMAGE_THUNK_DATA;
    uSize:ULONG;
    dllName:String;
    originalProc,pFunc:FARPROC;
    memoryInfo:MEMORY_BASIC_INFORMATION;
    lpflOldProtect:DWord;
    error:DWORD;
    lpNumberOfBytesWritten,Protect: DWORD;
    msgbox:pFunction;
begin
    pid:=PIMAGE_IMPORT_DESCRIPTOR(ImageDirectoryEntryToData(Pointer(hFormModule),
                                  True,IMAGE_DIRECTORY_ENTRY_IMPORT,uSize));
    if pid=nil then exit;
    while pid<>nil do begin
          dllName:=PChar(hFormModule+pid^.Name);
          if dllName=pStrFunctionModule then break;
          inc(pid);
    end;
    if pid^.Name=0 then exit;
    pThunk:=PIMAGE_THUNK_DATA(hFormModule+pid^.FirstThunk);
    originalProc:=GetProcAddress(GetModuleHandle(pStrFunctionModule),'MessageBoxA');
    while pThunk^.Function_<>0 do begin
          if pThunk^.Function_=DWORD(originalProc) then break;
          inc(pThunk^.Function_);
    end;
    VirtualQuery(@pThunk^.Function_,memoryInfo,SizeOf(memoryInfo));
    if not VirtualProtect(memoryInfo.BaseAddress,memoryInfo.RegionSize,
                          PAGE_READWRITE,Pointer(@memoryInfo.Protect)) then begin
      exit;
    end;
    pThunk^.Function_:=DWORD(pNewFunction);
    //WriteProcessMemory(GetCurrentProcess,@pThunk^.Function_,@pNewFunction,4,lpNumberOfBytesWritten);
    //if not WriteProcessMemory(GetCurrentProcess,@pThunk^.Function_,
                              //@pNewFunction,4,lpNumberOfBytesWritten) then begin
        //exit;
    //end;
    if not VirtualProtect(memoryInfo.BaseAddress,memoryInfo.RegionSize,
           PAGE_READONLY,@Protect) then begin
        exit;
    end;
end;

function MessageBoxB(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
begin
     exit;
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
     HookFunction(hInstance,'user32.dll','MessageBoxA',@MessageBoxB);
     MessageBoxA(0,'xx','xx',mb_ok);
end;

end.


















(*function HookAPIFunction(hFromModule: HMODULE;pszFunctionModule: PAnsiChar;
  pszFunctionName: PAnsiChar;pfnNewProc: Pointer): Pointer;
var
  pfnOriginalProc: Pointer;
  pDosHeader: PImageDosHeader;
  pNTHeader: PImageNtHeaders;
  pImportDesc: PImage_Import_Descriptor;
  pThunk: PImageThunkData;
  dwProtectionFlags,dwScratch: DWORD;
  pszModName: PAnsiChar;
  memInfo:TMemoryBasicInformation;
  xxx:array[0..1024] of char;
  func:Pointer;
begin
  Result := nil;
  pfnOriginalProc := GetProcAddress(GetModuleHandle(pszFunctionModule),pszFunctionName);
  pDosHeader := PImageDosHeader(hFromModule);
  pNTHeader := PImageNTHeaders(DWORD(pDosHeader)+DWORD(pDosHeader^.e_lfanew));
  pImportDesc := PImage_Import_Descriptor(DWORD(pDosHeader)+
                                        DWORD(pNTHeader^.OptionalHeader.
                                        DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
                                        VirtualAddress));
  while pImportDesc^.Name <> 0 do
  begin
    pszModName := PAnsiChar(Pointer(DWORD(pDosHeader) + DWORD(pImportDesc^.Name)));
    if LowerCase(pszModName) = LowerCase(pszFunctionModule) then Break;
    Inc(pImportDesc);
  end;
  if pImportDesc^.Name = 0 then Exit;
  pThunk := PImageThunkData(DWORD(pDosHeader) + DWORD(pImportDesc^.FirstThunk));
  while pThunk^.Function_ <> 0 do
  begin
    if (pThunk^.Function_ = DWORD(pfnOriginalProc)) then

    begin
      VirtualQuery(@pThunk^.Function_,memInfo,SizeOf(memInfo));
      if true then begin
      dwProtectionFlags := PAGE_READWRITE;
      if VirtualProtect(@pThunk^.Function_,4,PAGE_EXECUTE_READWRITE,@dwScratch) then
      pThunk^.Function_ := DWORD(pfnNewProc);
      //func:=@MessageBoxB;
      //WriteProcessMemory(GetCurrentProcess(), @pThunk^.Function_, @pfnNewProc, 4, dwScratch);
      Result := pfnOriginalProc ;
      Break;
      end;
    end;
    Inc(pThunk);
  end;
end;*)

进来，哼一声也好吧。。。

竟然不是C语言，

说实话 WIN汇编里的函数个数 看的我蛋疼
我哼了声了哦

用ollydbg调试了，调试过程如下
首先断在还没有hook之前的MessageBox,对应程序中的代码即是红色那句
procedure TForm1.Button1Click(Sender: TObject);
begin
     MessageBoxA(0,'original','original',mb_ok);
     HookFunction(hInstance,'user32.dll','MessageBoxA',@MessageBoxB);
     MessageBoxA(0,'xx','xx',mb_ok);
end;
反汇编代码是:

在call那里按F7进入到

双击黄色标示那句jmp代码，然后弹出一个窗口，很明显这句代码是jmp到地址4534CC处。
如果没理解错的话这个地方应该就是pThunk^.Function_的地址。   
接着当我获取pThunk^.Function_地址时却发现不是这个地址，而是004531B8这个地址,很明显这是跳到
user32.GetKeyt...的地址。难道我程序获取错了thunk function address。观察中。。。。

我写过，不过是WIN32 C的，而且只能钩住本程序的函数。
当然稍微修改下可以钩别的进程。
你需要？

微软有个官方开源库，是专门用来钩API的，你可以搜索看看

请flyue兄借来参考下，谢谢！呵呵。。。

Windows核心编程

#include <windows.h>


typedef int (__stdcall* MYMESSAGEBOX)(
                       HWND hWnd,          // handle to owner window
                       LPCTSTR lpText,     // text in message box
                       LPCTSTR lpCaption,  // message box title
                       UINT uType          // message box style
                       );

PROC dwRealAddr = NULL;
MYMESSAGEBOX my = NULL;
int Fuck_MessageBox(  HWND hWnd,          // handle to owner window
                     LPCTSTR lpText,     // text in message box
                     LPCTSTR lpCaption,  // message box title
                     UINT uType  )
{
    my = (MYMESSAGEBOX)dwRealAddr;
    return  my( NULL, L"Fuck", L"fuck you", 1 );
}

BOOL HookIat( char* pModule,char* pName )
{
    BOOL bRetCode = FALSE;
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNtHeaders = NULL;
    PIMAGE_IMPORT_DESCRIPTOR  pImport = NULL;
    PIMAGE_THUNK_DATA          pThunk = NULL;
    PIMAGE_IMPORT_BY_NAME     pByName = NULL;

    HMODULE hMod = GetModuleHandle(0);//LoadLibraryExA( pModule, NULL, DONT_RESOLVE_DLL_REFERENCES );
    dwRealAddr = GetProcAddress( LoadLibraryA("user32.dll"), "MessageBoxA" );

    if ( hMod == NULL )
    {
        OutputDebugStringA( "加载失败!" );
        goto Exit0;
    }

    pDosHeader = (PIMAGE_DOS_HEADER)hMod;
    pNtHeaders = (PIMAGE_NT_HEADERS)(pDosHeader->e_lfanew + (DWORD)hMod);
    pImport = (PIMAGE_IMPORT_DESCRIPTOR)(pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (DWORD)hMod);

    do
    {
        if (pImport->FirstThunk)
        {
            pThunk = (PIMAGE_THUNK_DATA)(pImport->FirstThunk+(DWORD)hMod);
           
        }
        else
        {
            pThunk = (PIMAGE_THUNK_DATA)(pImport->OriginalFirstThunk+(DWORD)hMod);
        }
       
        printf("Dll Name: %s: \n",pImport->Name + (DWORD)hMod);

        do
        {
            pByName = (PIMAGE_IMPORT_BY_NAME)(pThunk->u1.AddressOfData);
            printf( "pThunk->u1.Function = 0x%x",pThunk->u1.Function);
            if ( dwRealAddr == (PROC)(pThunk->u1.Function))
            {
                printf( "相等\n" );
                MEMORY_BASIC_INFORMATION mbi = {0};
                VirtualQuery( pThunk,&mbi, sizeof(MEMORY_BASIC_INFORMATION) );
                VirtualProtect( mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);
                (pThunk->u1.Function) = (DWORD)Fuck_MessageBox;
                break;
            }
            printf("Api Name: %S \n Api Addr: 0x%08x",pByName->Name, pThunk->u1.Function);
            pThunk++;
        } while ( pThunk->u1.ForwarderString );
   
        pImport++;
    } while (pImport->Characteristics );

Exit0:

    return bRetCode;
}

int _tmain(int argc, _TCHAR* argv[])
{
    MessageBoxA( NULL, NULL, NULL,NULL);
    HookIat( "user32.dll","MessageBoxA" );
    MessageBoxA( NULL, NULL, NULL,NULL);
    system("pause");
    return 0;
}

上班无聊的时候写的