Modules Filters

What is module (or DLL) filtering?

Imagine you want to hook the strcpy calls made by your application.
The trouble is that when you install a hook for a function, it is installed for all loaded modules (DLLs).
Without filtering, modules such as kernel32.dll may call strcpy many times,
and your application's strcpy calls get lost among all the kernel32 calls.
Not very nice, is it?
Module filtering lets you avoid logging strcpy calls coming from such disturbing modules (kernel32.dll, msvcrt.dll, ...).
In the end, you get only the calls that interest you.

Particular case for EXE_INTERNAL and DLL_INTERNAL hooks:
filters are not applied to these functions, as they can be called by other modules if they are callbacks.
(For a DLL this can be wrong if the hooked function is exported, but there is no reason to declare
it as DLL_INTERNAL instead of using its exported name; see the monitoring files syntax.)

Modules Filters Bar

"Apply to monitoring" If checked, module filters are applied to function monitoring; otherwise no filtering is done for monitoring
"Apply to overriding" If checked, module filters are applied to function overriding; otherwise no filtering is done for overriding
"Modules Filters" Displays the Modules Filters dialog, which allows module-by-module filtering for a specific application
"Only base module" Only the base module (your .exe application) will be logged. Useful if you don't want to hook any DLL
"Use list" Provide a list of modules to include or exclude
"Exclusion list"
"Inclusion list"

Specify a set of modules that must be excluded from logs (exclusion list), or a list of the only modules to be logged (inclusion list).

These lists save you from manually including or excluding modules from logging each time you start WinAPIOverride.
List files are text files with the following syntax:

";" is used for comments

"*" and "?" can be used as wildcards

Special path shortcuts:
 - no path for the winapioverride.exe directory
 - <TargetDir> for the hooked application directory
 - <windir> for the Windows directory (typically c:\windows)
 - <system> for the Windows system directory (typically c:\windows\System32)
 - <ProgramFiles> for the Program Files directory (typically C:\Program Files)
 - <ProgramFilesCommon> for the Program Files common directory (typically C:\Program Files\Common)

Example:
apioverride.dll
<system>\kernel32.dll
<TargetDir>\*
<ProgramFilesCommon>\*
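
The list syntax above, worked through as an added example (not WinAPIOverride's own code): it parses a list file, expands the path shortcuts and decides whether a module's calls would be logged under an exclusion or an inclusion list. The function names and directory values are constructed, and three behaviours are assumptions: ";" comments run to the end of the line, matching is case-insensitive, and "*" also spans "\".

```python
import re

# Constructed directories; the real tool resolves these for each session.
TOOL_DIR = r"C:\Tools\WinAPIOverride"          # folder of winapioverride.exe
SHORTCUTS = {
    "<targetdir>": r"C:\Apps\Target",
    "<windir>": r"C:\Windows",
    "<system>": r"C:\Windows\System32",
    "<programfiles>": r"C:\Program Files",
    "<programfilescommon>": r"C:\Program Files\Common",
}

# The example list from the text above, with one comment line added.
EXAMPLE_LIST = r"""
; modules that should not appear in the logs
apioverride.dll
<system>\kernel32.dll
<TargetDir>\*
<ProgramFilesCommon>\*
"""

def parse_list(text):
    """Return one compiled, case-insensitive regex per list entry."""
    rules = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()   # assumed: ";" comments to end of line
        if not entry:
            continue
        shortcut = re.match(r"<[^>]+>", entry)
        if shortcut:
            key = shortcut.group(0).lower()
            if key not in SHORTCUTS:
                raise ValueError(f"unknown path shortcut: {shortcut.group(0)}")
            entry = SHORTCUTS[key] + entry[shortcut.end():]
        elif "\\" not in entry:                   # no path: winapioverride.exe folder
            entry = TOOL_DIR + "\\" + entry
        # Translate "*" and "?" by hand so that "[" in a path stays literal.
        body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                       for c in entry)
        rules.append(re.compile(body, re.IGNORECASE | re.DOTALL))
    return rules

def is_logged(module_path, rules, mode):
    """mode is 'exclusion' (listed modules are dropped) or 'inclusion'."""
    if mode not in ("exclusion", "inclusion"):
        raise ValueError("mode must be 'exclusion' or 'inclusion'")
    listed = any(rule.fullmatch(module_path) for rule in rules)
    return listed if mode == "inclusion" else not listed
```

Running a candidate list through such a check before a session shows whether a broad entry like <TargetDir>\* also filters out the base module you meant to keep.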


Allows editing the exclusion list
Refreshes the exclusion list in all hooked processes

Modules Filters Dialog

The not-hooked modules list is useful, but it would be nice to specify, for each process, which DLLs must be logged and which must not.

This dialog gives you a more precise way of selecting hooked modules.
First, click on the process whose modules you want to filter.
The list of modules, hooked or not, is retrieved from the process and then displayed (checked modules are the hooked ones).
Notice: it may take some time to display the current module filter state if you are receiving lots of logs at the same time.

Once you've selected the modules you want to hook, just click the "Apply" button.