Hi All,

Just to let you know that KAM 1.05 has been released.

There's not too many changes since the previous release, but if you use it,
you may find the newer version more user-friendly (less garbage printed out,
HTML tags shouldn't mess around with output as much as before, and regkeys
should be finally handled properly).

http://www.kakeeware.com/d/kam.exe

Hi,

Thanks for the notice. I've used your previous version several times with some success, when other api monitors seemed to fail or not quite give the information needed. Keep up the good work!

Regards,
Kayaker

Is there a Win9x version available? This would be an excellent tool to use with SoftICE.

LLXX, why are you still using Win9x???

It not run on my Win2000.

Actually it doesn't work for me either on Win2k, haven't tried XP. If I run the new version of kam in the old version of kam (1.03) it gets as far as loading gdi.dll (after kam.ini is created) then says the process (kam 1.05) has terminated. The process remains running in memory and must be terminated manually.

If I run ApiSpy32 (with Kernel32 options selected) on kam 1.05 it shows it hangs here:



If I run ApiSpy32 (with User32 options) it indicates it's hanging on a message loop somewhere.

Hopefully the problem can be fixed.


A curious side note.. I don't think I've ever seen this in an application before, but I notice that kam will not open the folder it is contained in. i.e. if you place an executable to be monitored in the same directory as kam.exe, kam will not allow you to even open that directory and gives this error:

---------------------------
KaKeeware Application Monitor 1.03
---------------------------
Unexpected error occured and Kam has to be shut down.

Please contact us immediately to let us know about the problem. Thank you for your cooperation.


I assume this is by design, though I'm not sure the point of it. I often put copies of executables I wish to monitor into the same directory as the monitoring software in order to analyze them. Not necessary, just convenient.

I'm not complaining about this fact, I'm actually more interested in how this is done programatically if it is indeed deliberate. Kam seems to detect I'm trying to open the "kam" directory with only a single mouse click on the folder icon (from a standard Open Dialog box). Not even a double click, just a highlighting of the folder icon. This sort of raises my reversers curiousity! But I'll leave it at that for now

Kayaker

It integrates well with SoftICE and icedump, and a few other reversing tools I have that won't run on XP. I have XP as well, but I only use it for reversing software that just refuses to run on 9x.
To prevent it from trying to monitor itself and going into an infinite loop? (I.e. the monitor calls an API, which is hooked by the monitor so it records the call but in the course of doing so, also invokes that API, causing infinite recursion?) That "unexpected error" looks like a stack overflow to me.

You questions, but the true source of the answer is in the software itself... you know what you can do and what this board is for...

Hey Guys,

Thx for your posts and help. I hope I fixed W2K bug (I know it should at least run .

Do you mind checking it now?

Thx!

p.s.1.
actually, there's no protection in KAM at all. why bother...

p.s.2.
KAM can't trace itself, also under certain conditions it may hang IE or some apps that use IE indirectly; KAM is using WebControl (same as IE), and there might be some race conditions or problems with synchronization that I am not aware of yet

p.s.3.
No version for 9x as KAM uses NT-specific functionality. sorry

Thanks for the update, it seems to run fine on Win2k now though I haven't tested it extensively. The "blocked folder" business only occurred with 1.03, maybe it was just a glitch with the Open Dialog function or something, a stack overflow as LLXX says sounds good. If it continues to intrigue me I may try to track it down someday

Cheers,
Kayaker

doesnt work here (xp 32 on 64 bit pc.. dep enabled) nor on xp 64...
guessing its something to do with the packer... (cos the mz/pe header is 'illegal')
works in win2k no problems

You have right 50% :-), It's not packer, it's DEP
please look here:

http://www.woodmann.com/forum/showpost.php?p=62575&postcount=8

godfather+

new version fixes that - I was drunk or sth that I missed this one call

http://www.kakeeware.com/i_kam.php

TnX KaKeeware, I hadn't used your Monitoring program before.
I checked the lateset v1.22 on Win 2003 Enterprise, SP1,with latest updates almost, and just nothing happened!
You aware of this bug?
Want me to do any checks, feel free to tell me.

Regards,
-----------
OsIrisOne