Article 4727 of microsoft.public.win32.programmer.kernel:
Jon Alberghini <john.alberghini@snet.net> wrote in article
<OF6o4TKF9GA.254@uppssnewspub05.moswest.msn.net>...
>  Does anyone know how to hook API calls in an application you do not have
> the source code to..
> 

Matt Pietrek describes a technique in his book Windows 95 System
Programming Secrets (ISBN-1-56884-318-6). The book comes with code but as
some of the stuff he does gets more than a little cozy with the operating
system, some of his samples have broken over time.

As far as the API spy goes, this is what I remember of the technique: First
you have to become the debugger of the task whose calls you want to spy on.
Then you muck with the internals of the executable format. All Win32 calls
call through a table of pointers in the executable header somewhere. This
technique permits a single linker or loader "fix-up" to resolve all the
calls to a single API. Pietrek plays with the table so his code gets
dispatched rather than the underlying API. He logs the thing and then lets
the call go through. Just by the way, he works for the company that sells
Bounds Checker.

Regards,
Will