
One major problem and a couple of minor ones were attached to the "Debug" approach
of the API-hook that I previously released. The method was too restrictive.
This new version overcomes these restrictions in an, if I may say so myself,
elegant fashion.

The first and most serious problem of the debug approach was its large
vulnerability to anti-debugging code - be it intentional, or incidental in the
form of not too well-behaved exception filters. This stems from the fact that
ring 3 debugging engines are quite unstable despite MS's heroic attempts to
make them good.

The second and least serious problem is that the spy program itself must be
loaded while running the target. This and the "debug" engine burn lots of
valuable CPU time and memory. This is of course only a minor problem.

With this API-hook I overcome both of these problems.


A detail that I think is worth mentioning is the swap-file. Obviously it is
possible to do this more elegantly. Unfortunately I can't use OpenProcess to
obtain a handle to the mother in the appended code in flaf.dll and retrieve
the original bytes of the entrypoint through ReadProcessMemory. The reason I
can't do this is that the mother doesn't automatically have the
"PROCESS_VM_READ" flag set. Obviously this can be set. There are other ways of
sharing memory too which would be possible - including pipes, memory mapped
files, etc. The reason I haven't used any of these methods is to keep the
exposition of the scheme clear. I feel that the "core idea" would be lost if I
spent a lot of code space on setting security descriptors or creating pipes.
Obviously such sharing methods would also call for synchronization so the
mother could shut down once the child has read the bytes. This again would call
for setting up a synchronization object (an event most likely), setting its
security, etc. etc. I have not done this because I feel it would cloud what's
important: the general method!

To the home-compilist:
Use BUILD.BAT to build the whole thing. Then open stnapih.exe in a hex editor
and modify the PE header so there is write access in the CODE section:
OFFSET 21Fh should be changed from 60h to 0C0h
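As an added defender-side example (not part of Stone's package): a C routine that walks a PE section table and counts sections that are code and writable, which is the state the 21Fh patch (60h to 0C0h) puts the CODE section into, and which a loader-side or scanner-side check can flag. The sample image it builds is constructed here; its e_lfanew of 100h is an assumption chosen so that the first section's Characteristics byte sits at offset 21Fh, as on this page.

```c
#include <stdint.h>
#include <string.h>

/* Section Characteristics bits from the PE/COFF specification. */
#define IMAGE_SCN_CNT_CODE    0x00000020u
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk the section table of an in-memory PE file and count sections that are code
 * (CNT_CODE or MEM_EXECUTE) and also MEM_WRITE. Returns -1 for missing, truncated
 * or inconsistent headers, so a malformed file is reported rather than passed. */
int count_writable_code_sections(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                                /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec  = rd16(img + pe + 6);                           /* NumberOfSections */
    uint16_t optsz = rd16(img + pe + 20);                          /* SizeOfOptionalHeader */
    size_t sec = (size_t)pe + 24 + optsz;                          /* first IMAGE_SECTION_HEADER */
    if (sec > len || (len - sec) / 40 < nsec) return -1;
    int hits = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        uint32_t ch = rd32(img + sec + 40u * i + 36);              /* Characteristics */
        if ((ch & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)) && (ch & IMAGE_SCN_MEM_WRITE)) hits++;
    }
    return hits;
}

/* Constructed sample image, not a real binary: e_lfanew = 0x100 plus a 0xE0-byte
 * PE32 optional header puts the first section header at 0x1F8 and its Characteristics
 * at 0x21C, so the byte the README patches lands at 0x21F. The sample is built with
 * that byte set to chars_hi and its first `len` bytes (0 = all) are scanned. */
int sample_hits(uint8_t chars_hi, size_t len)
{
    uint8_t buf[0x220];
    memset(buf, 0, sizeof buf);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x00; buf[0x3D] = 0x01;                            /* e_lfanew = 0x100 */
    memcpy(buf + 0x100, "PE\0\0", 4);
    buf[0x100 + 6]  = 1;                                           /* NumberOfSections = 1 */
    buf[0x100 + 20] = 0xE0;                                        /* SizeOfOptionalHeader */
    memcpy(buf + 0x1F8, "CODE", 4);
    buf[0x21C] = 0x20;                                             /* IMAGE_SCN_CNT_CODE */
    buf[0x21F] = chars_hi;                                         /* 0x60 = EXEC|READ, 0xC0 = READ|WRITE */
    if (len == 0 || len > sizeof buf) len = sizeof buf;
    return count_writable_code_sections(buf, len);
}
```

With the byte at 60h the scan reports no writable code section; with 0C0h it reports one, and a file cut short before the section table is reported as malformed rather than clean.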

Two things have to be entered in this API-hook to "calibrate" it to another
target:
1) The entrypoint of the target PE file. This goes into the EP EQU.
2) The IAT entry of the function to hook. This goes in the DLL.
Routines to automatically find these things could be built.

For more info read "In Memory Patching" by me :) It can be found on my
homepage.

Comments, bug reports etc.

email: stone@one.se
http://www.one.se/~stone   or   http://www.lordcaligo.org/stone


Regards
Stone / UCF & F4CG

HiHo: G-Rom, The Owl, Marquis, NetWalker.....