API hooking
1. Tips
At runtime, the IAT(RVA obtained by IMAGE_THUNK_DATA->FirstThunk) is modified by OS loader and points to the real API addresses, so we should use IMAGE_THUNK_DATA->OriginalFirstThunk to refer to the IMAGE_IMPORT_BY_NAME struct to get the API name.
At runtime, the IAT(RVA obtained by IMAGE_THUNK_DATA->FirstThunk) is modified by OS loader and points to the real API addresses, so we should use IMAGE_THUNK_DATA->OriginalFirstThunk to refer to the IMAGE_IMPORT_BY_NAME struct to get the API name.
