API Monitor -- Help ???


Clandestiny
November 9th, 2000, 16:38
Hi,

I recently downloaded API Spy api monitor and was wondering which functions I should include ??? At first I just included all of the standard function libraries (gdi, kernel32, user32 ...etc), but this does not seem to be a good choice for a couple of reasons.

1) it slows my system terribly when trying to monitor an app

2) There are hundreds of API functions and many of these functions are useless in the context of examining an app's protection, and it becomes very difficult to sort through the log.

On the other hand, I don't want to exclude api functions which might be useful (which my newbie knowledge might exclude in not realizing their benefit).

Thanks in advance,
Clandestiny

Kayaker
November 9th, 2000, 17:49
Hi Clandestiny,

I usually start by doing Kernel32.fnl separately to get an overview of what's going on. After a few times doing this on several programs, you'll find several APIs that you don't usually want included (EnterCriticalSection, LeaveCriticalSection, AddAtomA and other crap like that that comes up all the time but is kinda useless). Then you can modify the fnl file with LibEdit.exe and delete them, saving your own personal version which you can develop over time.

Same with User32.fnl and Advapi32.fnl. You can also make your own fnl's with combinations of several calls, for example CreateFileA/ReadFile from Kernel32 and RegOpenKeyExA/RegQueryValueExA from Advapi32. This can be really useful because you get a sense of WHEN certain calls are being made relative to each other, as well as WHAT.

You can also add just the Imports from the file you're monitoring from the Imports button, but most of them are VOID, which I *think* means there is no parameter information, so you'd have to add that in the .fnl format.

Generally I find setting up a Kernel and/or User fnl library slightly modified and running them separately so as not to hog CPU works fine, and then the stock Advapi version.

Hope this helps,

Kayaker
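The noise-pruning and "WHEN relative to WHAT" idea from the post above, as an added example that is not from the original thread or from API Spy itself: a small Python filter over a constructed API-monitor trace. The `seq DLL!Function(args)` line format, the sample lines, and the handles/paths in them are all made up for the example; API Spy's real log format is not shown on this page.

```python
"""Prune an API-monitor trace down to the calls worth reading, in call order."""
from collections import Counter

# Routine calls the thread names as noise that swamps a full kernel32 trace.
NOISE = {"EnterCriticalSection", "LeaveCriticalSection", "AddAtomA"}

# Call families the thread wants to see together, keyed by exporting DLL.
INTERESTING = {
    "kernel32": {"CreateFileA", "ReadFile", "WriteFile"},
    "advapi32": {"RegOpenKeyExA", "RegQueryValueExA", "RegCreateKeyExA"},
    "user32": {"GetWindowTextA"},
}

def parse_line(line):
    """Parse 'seq DLL!Function(args)' (constructed format) into a tuple."""
    seq, rest = line.strip().split(" ", 1)
    dll, rest = rest.split("!", 1)
    func, args = rest.split("(", 1)
    return int(seq), dll.lower(), func, args.rstrip(")")

def filter_trace(lines, noise=NOISE, keep=INTERESTING):
    """Return (kept, dropped): kept calls in original order, dropped counts by name."""
    kept, dropped = [], Counter()
    for line in lines:
        seq, dll, func, args = parse_line(line)
        if func in noise or func not in keep.get(dll, ()):
            dropped[func] += 1      # noisy or outside the families of interest
            continue
        kept.append((seq, dll, func, args))
    return kept, dropped

# Constructed sample trace; handles, paths and key names are invented.
SAMPLE_TRACE = [
    '0001 KERNEL32!EnterCriticalSection(0x00403000)',
    '0002 ADVAPI32!RegOpenKeyExA(HKEY_CURRENT_USER, "Software\\Example", 0, KEY_READ, 0x0012ff40)',
    '0003 ADVAPI32!RegQueryValueExA(0x000000ac, "InstallPath", 0, 0x0012ff3c, 0x0012ff80, 0x0012ff84)',
    '0004 KERNEL32!LeaveCriticalSection(0x00403000)',
    '0005 KERNEL32!AddAtomA("ExampleAtom")',
    '0006 KERNEL32!CreateFileA("C:\\Example\\config.dat", GENERIC_READ, 1, 0, OPEN_EXISTING, 0, 0)',
    '0007 KERNEL32!ReadFile(0x000000b0, 0x0012fe00, 256, 0x0012ff88, 0)',
    '0008 USER32!GetWindowTextA(0x00050038, 0x0012fd00, 256)',
    '0009 KERNEL32!GetTickCount()',
]

if __name__ == "__main__":
    kept, dropped = filter_trace(SAMPLE_TRACE)
    for seq, dll, func, args in kept:
        print(f"{seq:04d} {dll}!{func}({args})")   # registry read, then file read, then window text
    print("dropped:", dict(dropped))
```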

NikDH
November 9th, 2000, 20:40
I think that if you are interested only in the app protection scheme it's better for you to include only a few very important groups of APIs:
For protections dealing with the registry, import some useful functions from ADVAPI32.DLL like:
RegCreateKey, RegOpenKey,... and their corresponding Extended versions
For protections dealing with files, import some functions like CreateFile, ReadFile, WriteFile,...
I think that functions like GetWindowText,... are always welcome

pepperman
November 16th, 2000, 13:27
Is this program better than regmon/filemon?