

APIScan 2.2      By Sirmabus
=============================================================================


Intro
------
APIScan is a simple tool to gather a list of APIs that a target process uses.

You can use this list in an initial analysis to help determine a target's
general operating nature.  Also can be used to help determine patch/update
changes by doing a WinDif on "before" and "after".

There are similar tools, often more robust (like "Dependency Walker"), but
most of these just parse the target IAT ("Import Address Table") alone.  
APIScan catches dynamically/delayed loaded modules too; and dumps them as a
simple list.

While only tested only on Windows XP SP2 32bit, should work on everything from 
W2K to Vista) 32bit only.


How to use it:
---------------
Two ways of running APIScan:  Invoke it directly (a file dialog will come up),
or run it from the command line.  The command line will allow passing
parameters to the target.
I.E. "APIScan C:\MyTarget\TheTarget.exe -P MyParms -C MoreParms"

Once you started the target:
1. Run it, excising it's options that should cause any modules to be loaded
   dynamically, etc.

2. Exit the target application.  Even though the APIScan splash screen is 
   gone, the hook DLL continues to collect information until the application
   is fully closed. Only after this point is the output list file complete 
   and valid.

The output file:
-----------------
The output file (to be stored in the target directory) is simply a list of 
alphabetically sorted modules followed by the API call names.  The calls are
listed (unsorted) as they are parsed and loaded.

The API flags provide some additional information:
 'I' = There is one or more IAT reference.
'D'  =  One or more times the API was dynamically loaded (via 
       GetProcAddress()").
'O'  =  One or more reference where the API was accessed via ordinal.
'F'  =  One or more attempted dynamic load that failed (as in if the module or
        the export doesn't exist)


How it works:
--------------
It loads the specified process and injects "apiscan.dll" into it before it 
runs. "apiscan.dll" first parses the targets IAT(s) and then apples a 
"GetProcAddress()" API hook to it.  This hook should catch all attempts at 
delayed and dynamic API loading.  The DLL will continue to be resident inside
the target collecting data until the application is closed.  Upon closing 
(detach stage) the data is collated and the list file saved into the target-
/source path.

Know issues:
-------------
1. The "GetProcAddress()" hook catches all references target process wide.
   So even APIs dynamically/delayed loaded in modules will show up in the
   list.  In the future there might be a switch to select main module, or 
   "all".

2. Won't catch applications using low level ways to load APIs like 
   "LdrGetProcedureAddress()" from "ntdll.dll".  Using "GetProcAddress()" is
   the WinOS independent way for now.

3. If the target application uses a loader, APIScan will only see/collect data
   form that process, it doesn't currently ride along to child processes.
   This could be done (more API hooks) in the future.

4. Might not work correctly with packed, and, or protected processes
   Not surprising, this is the same problem one might run in to with any
   similar tool.
   One might have to unpack, and, or unprotect the process first.
   APIScan could get around some of this in the future by hooking at a lower
   level layer.


Changes:
--------
2.2  Got rid of the index numbers around the DLL and API dumps, that made
     WinDiff'ing a mess.
    
2.1  Fixed a bug that would occasionally not flag 'O' (ordinal) for some APIs.
     Ordinal export names now resolved (when possible) from the IAT too.
     Now sorts API names too to make the output more consistent and
     useful with WinDif.         

2.0  Reworked with a much better and simpler API hooking then 1.0b.
     Just a single text file output now, no .CSV output file.
     Ordinal references are resolved to export name strings if possible.

1.0b Initial version.


Terms of Use
------------
This software is provided "as is", without any guarantee made as to its
suitability or fitness for any particular use. It may contain bugs, so use
this software is at your own risk.  We take no responsibly for any damage
that may unintentionally be caused through its use.




