hi,

i was playing a bit with masm32, and my code snippets ended up forming an api spy program.

run dbgview.exe (from www.sysinternals.com), then execute apispy.exe <pid> (use the included ps.exe to get the pid), and all api usage should be logged in the dbgview.exe window.

as the program is very verbose, i recommend using the 'filter' option in dbgview.exe. it should run in w9x and w2k/xp

main problem should be the ugly way i use to separate system dlls from non-system dlls in w2k/xp.

ancev

ps: in next version, i want to add api parameter logging. while i can easily output things like user32!MessageBoxA(0,0044140h,0044040h,9,0) (using a tool to extract the info from masm32's .inc files), i cant do user32!MessageBoxA(0,"blah","blah1",9,0), as i dont have a way to know which :DWORDs are ptrs. any suggestion? parsing c .h files instead of masm32 .incs?

<attachment deleted - see next posts>
Posted on 2004-03-14 20:09:15 by ancev
Should have an option for parsing the api function params from either masm or c/c++ headers, making the application useful to more people :)
Posted on 2004-03-14 21:47:13 by Homer
EvilHomer2k,

the problem, as i said, is that masm inc files are too simple (dont distinguish different DWORD types), and c/c++ are too complex :grin:

ancev
Posted on 2004-03-14 22:01:01 by ancev
re,

following evilhomer2k's advice, i improved the apispy program. now it outputs the parameters from the api logged.

a new commandline option was added, so now you can execute apispy.exe <pid> <base>, to hook only APIs from that module. leave it blank to hook all.

gendat.asm parses the .inc files from masm32, which must be in the same directory, and generates a compressed database that apispy.exe uses.

ancev
Posted on 2004-03-15 16:29:45 by ancev
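Added example (not from the thread, and not ancev's gendat.asm or apispy code): extracting per-API argument counts from masm32-style PROTO lines and using them to render a logged call in the user32!MessageBoxA(...) form quoted earlier in the thread. The sample .inc text, the function names and the hex formatting are assumptions; as the thread notes, :DWORD alone cannot tell a pointer from an integer, so every value stays numeric.

```python
import re

# Constructed sample in masm32 .inc style (not copied from the page or from masm32).
SAMPLE_INC = """\
; constructed excerpt
MessageBoxA PROTO :DWORD,:DWORD,:DWORD,:DWORD
MessageBox equ <MessageBoxA>
GetTickCount PROTO
wsprintfA PROTO C :DWORD,:DWORD,:VARARG
"""

# name, PROTO keyword, optional calling convention, then the parameter list
PROTO_RE = re.compile(
    r"^\s*(\w+)\s+PROTO\b\s*(?:(?:STDCALL|C|PASCAL)\b)?\s*(.*)$", re.IGNORECASE)


def parse_inc(text):
    """Return {api_name: (fixed_arg_count, is_vararg)} from PROTO lines."""
    db = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]              # drop MASM comments
        m = PROTO_RE.match(line)
        if not m:
            continue                              # equ aliases, blank lines
        types = [p.split(":")[-1].strip().upper()
                 for p in m.group(2).split(",") if p.strip()]
        fixed = [t for t in types if t != "VARARG"]
        db[m.group(1)] = (len(fixed), "VARARG" in types)
    return db


def format_dword(value):
    """MASM-style literal modelled on the post's sample (assumed format)."""
    value &= 0xFFFFFFFF
    return str(value) if value < 10 else "%07Xh" % value


def format_call(module, api, stack, db):
    """Render a logged call, reading only as many DWORDs as the prototype has."""
    if api not in db:
        return "%s!%s(?)" % (module, api)         # no prototype in the database
    argc, vararg = db[api]
    args = [format_dword(v) for v in stack[:argc]]
    if vararg:
        args.append("...")                        # extra count unknown at hook time
    return "%s!%s(%s)" % (module, api, ",".join(args))
```
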
re,

pre-compiled, to the lazy ones... :cool:

ancev
Posted on 2004-03-15 16:30:43 by ancev
vecna,

These look good and everything built first time with no problems at all.

Compliments :alright:
Posted on 2004-03-15 21:29:43 by hutch--