The Break dialog appears each time a breaking condition matchs before or after a function call. (see monitoring file advanced syntax)
It allows you to view the callstack, read or modify memory, change registers values and make dump.
When you've finished to do your change, just click on the "Continue" button to continue process execution.
Notice : When a thread display this dialog, for security reason, other threads are suspended (So all your application is supended).
They are resumed after you click the "Continue" button.
 |
To learn how to change parameters value or function return, refer to the tutorial |
 |
Registers : Permits to view and change registers content |
 |
Memory : allow memory operations (read, write, allocate, free) |
 |
Threads : display the threads window for threads operations |
 |
Call stack : retreive the callstack of the selected thread |
 |
All call stacks : retreive the callstack of all the threads of the selected process |
 |
Stack Memory : show memory dialog with stack content |
 |
Heap : display all heaps for current process |
 |
Sections : display sections of loaded modules |
 |
Disasm : display a window for quick memory disasm |
 |
Basic Dump : do a basic dump of the hooked process |
|
Ms Mini Dump : do a mini dump in microsoft format so it can be reloaded with WinDbg |
 |
Refresh Params : Reparse parameters in case of changes not done by break dialog (by the way changes done directly with memory editing) |
Memory
The memory dialog is the same as the WinAPIOverride one, without process selection.
So refer to it's documentation for more information
To learn how to modify parameters or buffer, go to the corresponding tutorial paragraphs :
- Changing basic parameter before a call
- Changing input buffer before a call
Registers
By the way you can modify a function return.
(See tutorial : Changing asm registers before or after call or Changing function return )
Sections
Display all sections of loaded modules
Basic Dump
This dialog allows to make a dump of your exe or any loaded module, or a raw dump.
 |
To make a dump for hooked modules, you get 3 possible ways : - use this dump dialog (hooks are automatically removed for dump and reinstalled next) - use the ms minidump (hooks are automatically removed for dump and reinstalled next) - use the "Remove Hooks temporary for external tool usage" and use your favorite dumping tool The reason is very easy : as for putting hooks we modify first bytes of hooked functions, a classical dumper will save these changes. So to create a dump, WinAPIOverride suspend process, removes the hooks and restore original bytes, do the dump, restores the hooks, and then resume the process. |
First you have to specify your Output file. Here c:\dump.dmp.
Next if you want to dump a full module, select it in the list of "Module Dump" section and Click the "Dump" button.
If you prefer to do a raw dump, fill the "Raw Dump" section fields, "Start Address" and "Size", and next click "Raw Dump"