What is module (or DLL) filtering?
Suppose you want to hook the strcpy calls made by your application.
The trouble is that when you install a hook for a function, it is installed for all loaded modules (DLLs).
Without filtering, a module such as kernel32.dll may call strcpy many times,
and your application's strcpy calls get lost among all the kernel32 calls.
Not very nice, is it?
Module filtering lets you avoid logging strcpy calls coming from noisy modules such as kernel32.dll, msvcrt.dll, ...
In the end you get only the calls that interest you.
Particular case for EXE_INTERNAL and DLL_INTERNAL hooks:
filters are not applied to these functions, as they can be called by other modules when they are callbacks.
(For a DLL this can be wrong if the hooked function is exported, but there is no point in declaring
it as DLL_INTERNAL instead of by its exported name; see the monitoring files syntax.)
Modules Filters Bar
"Apply to monitoring"
If checked, module filters are applied to function monitoring; otherwise no filtering is done for monitoring.
"Apply to overriding"
If checked, module filters are applied to function overriding; otherwise no filtering is done for overriding.
"Modules Filters"
Displays the Module filters dialog, which allows filtering modules one by one for a specific application.
"Only base module"
Only the base module (your .exe application) will be logged. Useful if you don't want to hook any DLL.
"Use list"
Provide a list of modules to include or exclude.
"Exclusion list"
"Inclusion list"
Specify a set of modules that must be excluded from logs (exclusion list), or a list of the only modules to be logged (inclusion list).
These lists save you from manually including or excluding modules from logging each time you start WinAPIOverride.
List files are text files with the following syntax:
";" is used for comments
"*" and "?" can be used as wildcards
Special path shortcuts:
- no path for winapioverride.exe path
- <TargetDir> for hooked application path
- <windir> for the Windows directory (typically c:\windows)
- <system> for the Windows system directory (typically c:\windows\System32)
- <ProgramFiles> for the program files directory (typically C:\Program Files)
- <ProgramFilesCommon> for the program files common directory (typically C:\Program Files\Common)
Example :
apioverride.dll
<system>\kernel32.dll
<TargetDir>\*
<ProgramFilesCommon>\*
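
The list-file syntax above, worked through as an added example (this is not WinAPIOverride's own code): a small Python parser that strips ";" comments, expands the path shortcuts, treats only "*" and "?" as wildcards, and decides whether a calling module would be logged. Assumptions: comments run to the end of the line, matching is case-insensitive, "*" may span backslashes, and the directory values and helper names are constructed for illustration.

```python
import re

# Constructed directory values; the real tool resolves these at run time.
SHORTCUTS = {
    "<targetdir>": r"C:\Apps\Target",
    "<windir>": r"C:\Windows",
    "<system>": r"C:\Windows\System32",
    "<programfiles>": r"C:\Program Files",
    "<programfilescommon>": r"C:\Program Files\Common",
}
TOOL_DIR = r"C:\Tools\WinAPIOverride"  # assumed location of winapioverride.exe


def parse_list(text, shortcuts=SHORTCUTS, tool_dir=TOOL_DIR):
    """Return one compiled pattern per non-comment entry of a list file."""
    patterns = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()  # assumption: ';' comments run to end of line
        if not entry:
            continue
        m = re.match(r"<[^>]+>", entry)
        if m:
            # An unknown shortcut raises KeyError instead of silently matching nothing.
            entry = shortcuts[m.group(0).lower()] + entry[m.end():]
        elif "\\" not in entry:
            entry = tool_dir + "\\" + entry  # "no path" means winapioverride.exe path
        # Only '*' and '?' are wildcards; every other character is literal.
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in entry)
        patterns.append(re.compile(rx, re.IGNORECASE))
    return patterns


def is_listed(module_path, patterns):
    """True if the full module path matches any list entry."""
    return any(p.fullmatch(module_path) for p in patterns)


def should_log(module_path, patterns, inclusion):
    """Inclusion list: log only listed modules. Exclusion list: log all others."""
    return is_listed(module_path, patterns) == inclusion


SAMPLE = """\
; constructed sample, same entries as the example above
apioverride.dll
<system>\\kernel32.dll
<TargetDir>\\*
<ProgramFilesCommon>\\*
"""
```

Used as an exclusion list, every call made from a listed module is absent from the log, so a broad entry such as `<TargetDir>\*` also drops the calls made by the target's own modules.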
Allows editing the exclusion list
Refresh the exclusion list in all hooked processes