History
Version 6.9.7    March 25 2024
WinApiOverride:
  -  Asynchronous symbol loading : avoids freezing the interface when downloading symbols from the Microsoft server
  -  HexControl updated to Helium Hex Editor release v2.6.10
  -  Bug correction: since v6.9.2, reloading log files from v6.9.1 or previous versions could fail if the logs contain DISPPARAMETERS or VARIANT.
          Specific case if you are impacted by this bug for logs saved with v6.9.1: as v6.9.1 logs can't be distinguished from v6.9.x, you need to change the version inside your xml log files to 6.8, so they can be parsed correctly by v6.9.7 and later

Stub Resolver:
  -  Regression introduced in WinApiOverride v6.9.6 solved

Dumper:
  -  Module integrity checking : hide rebasing option regression since WinApiOverride v6.7.1 solved
  -  Added UserTime and Kernel Time for processes

Version 6.9.6    March 2 2024
WinApiOverride:
  -  Faster dll stub resolving
  -  PE parsing bug solved : in some cases some ordinal-only exports could be missed
  -  HexControl updated to Helium Hex Editor release v2.6.9

Stub Resolver:
  -  Added option to choose folders order for dll resolving

Version 6.9.5    February 6 2024
WinApiOverride:
  -  PE parsing bug solved : forwarded functions without Hint were not properly detected
  -  HexControl updated to Helium Hex Editor release v2.6.8

Version 6.9.4    February 4 2024
WinApiOverride:
  -  PE parsing regression introduced in v6.9.3 solved
  -  HexControl updated to Helium Hex Editor release v2.6.7

Version 6.9.3    November 28 2023
WinApiOverride:
  -  Disasm improvements
  -  PE parsing improvements
  -  HexControl updated to Helium Hex Editor release v2.6.6
  -  Minor fixes

Monitoring file builder
  -  Speed improvement for extracting functions definition from header files

Version 6.9.2    January 14 2023
WinApiOverride:
  -  Fuzzing : added capability to fuzz C++ object methods
  -  Monitoring file builder : solved crash when retrieving data from Microsoft documentation
  -  HexControl updated to Helium Hex Editor release v2.6.1

Version 6.9.1    October 27 2022
WinApiOverride:
  -  Added: Fuzzing capabilities from monitoring files. All functions of the fuzzed monitoring file will be called with parameters set to 0 or random value
  -  Added: Skip Call and Raise Exception from the Break dialog
  -  Small GUI changes and toolbar icon reordering
  -  Monitoring files updated (ntdll, kernelbase, kernel32, ...)
  -  x86 bugs (hooking, disasm,...) due to bad lib rebuild solved (Affected version 6.8.2)
  -  COM components : the 64-bit version of WAO lists 64-bit and 32-bit COM components
  -  Monitoring file builder : speed increase for Dll export partial generation

Version 6.8.2    September 03 2022
WinApiOverride:
  -  Crash when hooking some functions with specific relative instructions solved (x64 only)
  -  Better handling of exception thrown by monitored function (x64 only)
  -  Monitoring files (ntdll, kernelbase, kernel32, ...) reworked and updated with addition of win10 new functions

Version 6.8.1    February 06 2022
WinApiOverride:
  -  Added support and monitoring files for DirectX 9, DirectX 10, DirectX 11 and DirectX 12
  -  DirectX monitoring tutorial and tutorial videos added
  -  Logs file size reduced by 50% and reloading speed increased by 25%

  -  Crash on Exception detail information display solved
  -  COM object IDispatch parsing for IUnknown solved
  -  Listview bad rendering solved
  -  Crash on incorrect enum description solved

Monitoring file builder
  -  Can extract functions definition from header files (windows sdk headers supported up to 10.0.22000.0)
  -  Web searches are done on docs.microsoft.com instead of Google

Dumper
  -  Noisy Popup messages removed

Version 6.7.2    November 19 2020
WinApiOverride: VM detection bug solved

Version 6.7.1    November 15 2020
WinApiOverride
  -  Use of the Helium Hex Editor control to display parameters. This allows post logging structures mapping on buffer parameters.
This is useful for functions like DeviceIoControl, which have generic lpInBuffer and lpOutBuffer LPVOID parameters.
For one call you can map the buffer to a struct, and for another call map the buffer to another struct
  -  Disasm parser updated
  -  Struct parsing bugs solved. Added Bit fields support of "next_field_define_values_file" pragma
  -  License : Incorrect Virtual Machine detection when Hyper V was enabled solved
  -  Small bugs solved
Dumper
  -  Process integrity checking improvement
DebugInfoViewer
  -  Added Raw search
Monitoring File Builder
  -  Online Microsoft function definition auto retrieval search updated due to Google and docs.microsoft changes
  -  Monitoring wizard : added binaries internal functions detection (x64 only)
Internal functions start addresses and number of parameters are automatically retrieved to generate the monitoring file specific to the application

Version 6.6.6    December 08 2018
WinApiOverride
  -  Added option to enable/disable main window logs tooltips
  -  Monitoring wizard : added search in monitoring files for a function name
  -  Monitoring wizard : added help button for direct access to monitoring file syntax
  -  Small bugs solved
DebugInfoViewer
  -  Display equivalent Raw address after successful RVA and VA searches
  -  Added search history
Monitoring File Builder
  -  Update to support the new MSDN website for API definition retrieval

Version 6.6.5    July 14 2018
WinApiOverride
  -  Bad rip instruction address resolving at hooking time solved
  -  Some noisy message boxes removed
  -  Saving with symbol resolving speed improvement
  -  Invalid binary signature bug solved

Version 6.6.4    June 14 2018
  -  WinApiOverride : added new licenses for usage of WinApiOverride at home inside Virtual Machine

Version 6.6.3    March 27 2018
  -  WinApiOverride : still license trouble solved

Version 6.6.2    March 25 2018
  -  WinApiOverride : license trouble solved

Version 6.6.1    March 10 2018
WinApiOverride
  -  Detailed view split in 3 tabs : General, Registers, Call Stack
  -  Break Dialog reworked for direct parameter editing
  -  Allows saving and reloading call stack information across computers
  -  Disassembly output improvements
  -  Structure parsing improvements (#include support, endianness management, new pragma)
  -  Added configuration file to discard IDispatch interface parsing for some specific IID (COM_IID_BlacklistedForIDispatchParsing.txt)

  -  x86/x64 Remote Call in specific thread bugs solved
  -  Small bugs solved
  -  Some GUI improvements

  -  Monitoring File Builder : looping not found dll message bug solved

Version 6.5.5    April 19 2017
  -  Win 10 Dll Stub Resolving bugs solved : WinApiOverride, Monitoring File Builder, Dumper and Stub Resolver affected
  -  Dll Stub Resolver : display all OS redirections for an "*" search
  -  Small GUI bugs solved

Version 6.5.4    February 5 2017
  -  Random name generation for injected dll and shared events to avoid detection by malware
  -  New parameters conditional logging/breaking keywords added
  -  Struct parser improved
  -  Bug correction: Error launching 32 bits application from the 64 bits version (bug in 6.5.3 version only)

Version 6.5.3    November 6 2016
  -  Added support for multiple debug symbol servers
  -  Better symbol server dll registration (symbol loading could fail with previous versions depending on computer configuration)
  -  Bugs corrections, user interface improvements, monitoring files and default user types updates

Version 6.5.2    December 19 2015
  -  Provides function names for jumps and calls in the disassembly windows
  -  Bugs corrections, user interface improvements, monitoring files and default user types updates

Version 6.5.1    April 02 2015
  -  Beginning of support for Win 8 and Win 10
  -  Auto resume and monitoring file/overriding dll auto reloading for application hooked at startup
  -  pragma packing support for users struct
  -  Call tree update and live call tree available
  -  Syntax and threads highlighting
  -  Copy as Html added
  -  Bugs corrections in sequences auto detection
  -  Bugs corrections in log files compare
  -  Dead lock for command line solved
  -  Bugs corrections, user interface improvements, monitoring files and default user types updates

Version 6.4.1    April 14 2014
WinApiOverride
  -  Attach to all new processes : added filters for parent process name
  -  Monitoring file : added the "|FunctionPointer" option for easier syntax for exported function
  -  Automatic failure highlight for NTSTATUS and HRESULT return
  -  Hooked functions first bytes analysis improvement
  -  Bugs corrections, user interface improvements, monitoring files and default user types updates

New tool: UserTypesAndDefinesChecker
  -  Checks the user types and user defines files stored in "UserTypes" and "UserDefines" directories

Version 6.4.0    December 02 2013
WinApiOverride
  -  Attach to all new processes :
           On Vista or higher, csrss can be used instead of a driver to spy on created processes (drivers are no longer required, and so driver signing is not required)
           Better virtual machine shared network drive support
  -  Added threads window to access and act on hooked processes threads (accessible from main window and break dialog)
  -  Added all call stacks retrieval at once (accessible from main window and break dialog)
  -  Small bugs resolution, user interface improvements

Dumper
  -  Added all call stacks retrieval at once

Version 6.3.1    September 16 2013
WinApiOverride
  -  New Parameters Options : PointerReference, PointedElementsCount, ProcessorDependent. Thanks to Martin Bonner for ideas
  -  Break Dialog : Added Stack information
  -  Global Stats : Added "Cumulated Duration" and "Percent of Total Duration"
  -  Added Check for update at startup option (enabled by default)
  -  Added Logs Dequeuing progress
  -  Added Loading and Saving progress
  -  Bug correction: Read memory from break dialog solved (6.3.0 regression). Thanks to Sergio Martins and Socrates Filippatos for report.
  -  Bug correction: Potential font troubles fixed. Thanks to Socrates Filippatos for report.

Version 6.3.0    July 19 2013
WinApiOverride
  -  Added Thread Filtering
  -  Added Quick Services Hooking
  -  Added Compare Log Files
  -  Break dialog improvement (quick display of stack, heaps, modules sections, quick disassembly)
  -  Bug correction: monitoring file parsing error for templates and parameter functions solved. Thanks to Christopher Kohlert for report.
  -  Bug correction: command line NoGui and AppId failure solved (regression since 6.1 version). Thanks to Andrey Gorokhov and Christopher Kohlert for report.

Dumper
  -  Services highlighting
  -  Memory integrity checking improvement for wow64 processes

Monitoring file builder
  -  Bug corrections thanks to Christopher Kohlert and scz reports

Debug Infos Viewer
  -  Xp pre sp2 compatibility error solved thanks to Christopher Kohlert report

Version 6.2.0    April 30 2013
  - New tools to find sequence of API calls
          Sequences Auto Detection : detect content of loops or content of event/timer callbacks
          Known Sequences Search : search for specific sequence. Can be used for threat detection
  - Process to monitor can be created under another user account
  - MonitoringFileBuilder is able to create monitoring files from map files (supported map files format : IDA, Borland, Visual)
          Feel free to disassemble with IDA (Hex-Rays) and monitor with WinApiOverride
  - Multiple remote calls allowed at the same time : the first remote call doesn't need to be finished before you do another one from another remote call window
  - C++ functions unmangling: added support for Borland and Gcc
  - Dumper : Owner of process added
  - Bug correction : WinApiOverride : parameter log filtering doesn't work for "Out" parameters (regression since 4.1.0 version). Thanks to Brutalis for report.
          InputTextDataRetrival.txt monitoring file updated
  - Bug correction : DebugInfosViewer : search by function name failure corrected

Version 6.1.1    February 28 2013
  - Detailed stats for functions : added number of calls per thread / caller, average and standard deviation for duration, easier failure/success recognition
  - Timing Chart : the duration of a function without return spying is now guessed from its callees' durations
  - New small utility to undecorate CPP functions
  - Direct access to COM and .NET hooking options
  - Quicker logs deleting
  - Bug correction : command line parsing error (Thanks to Antonio Borneo for report) regression since v6.0.0
  - Command line size for attached at startup increased from 260 to 2048 chars

Version 6.1.0 Tools Update   January 14 2013
Monitoring file builder 1.6.1 : import generation bug solved thanks to David Hucul report

Version 6.1.0    December 15 2012
  - Added return pointed data parsing (string, pointer on structs, arrays)
  - Return defines support
  - New options for return (|ReturnPointedDataSize=, |ReturnDefine=)
  - Timing chart wheel mouse zoom
  - Allows hooking multiple already started processes at once without a driver

Bug Corrections:
  - Detailed stats crash bug correction
  - Potential .Net errors after exception solved
  - Charts focus bug correction
  - Monitoring File Builder bugs correction
  - Parameter option :PointedDataSize=Arg1 bug solved
  - Call depth error after logs removal for call stack analysis and timing charts solved

Version 6.0.0    October 11 2012
WinApiOverride : First 64bits Release
  - x64 Monitoring and overriding for API, COM and .NET
  - x64 Detailed exceptions report for monitored functions
  - x64 Hooked processes interaction
  - x64 Remote call inside hooked processes

  - Timing Charts and Detailed Stats

  - Cross session interaction available for vista and seven (services and other users processes)
  - Automatic stack walking on exception, even if stack walking is disabled for other logs
  - Microsoft debug symbols servers can be used for stack walking
  - Fast .Net framework monitoring changed for better stability
  - Support of Borland fastcall calling convention (x86)
  - LargeReturn : support of function returning types larger than a single register size
  - Remote call : buffer overrun protection and report
  - Bugs correction
New keywords for monitoring file and overriding dll
  - DoNotHookReturn (stack stealth mode hook)
  - DontCheckModulesFilters
  - NoStackShadowSpace (x64)

  - Monitoring file updates (kernel32, user32, ntdll) are available for Windows 7 (x86+x64)

Version 5.5.3    April 27 2011
WinApiOverride
  -  Added support of cross session hooking for Vista and Seven (currently cross session hooked process interaction is still not implemented for these OS)
  -  .Net jitted function hook enabling or disabling from plugin thanks to Yury Polulyakh
  -  Filtering bug solved by Yury Polulyakh when LogOnFailure and LogOnSuccess were set
  -  Bug solved : potential crash when clearing logs during a log session
  -  Stack integrity checking for stack retrieval
  -  Registry monitoring files update
  -  New monitoring file for text setting/displaying

Dumper
  -  Minimal x64 compatibility (avoids errors and displays process info. No other action will succeed on 64-bit processes)

Registry Emulation
  -  Now in beta state (tutorial video to make application portable available here)

Version 5.5.2    February 10 2011
WinApiOverride
  -  deadlock break if loader not finished
  -  support of dll side by side assembly for dll finding

Monitoring file builder
  -  bug solved thanks to Sergey Dindikov ( Zeroes ) detailed reports

Dll Export Finder
  -  Can search in different file type (exe, ocx, dll, sys, cpl, scr... ). Done for Wiebe Walstra

New tool added : Static Import Finder
  -  Looks for dll or functions inside import tables of binaries (exe, dll, ocx, sys, cpl, scr...)

Version 5.5.1 Tools Update   December 22 2010
Monitoring file builder : multiple bugs solved thanks to Sergey Dindikov ( Zeroes ) detailed reports

Version 5.5.1    December 13 2010
WinApiOverride
  -  Improvement : New keyword "DontCheckModulesFilters" : allows bypassing modules filtering for some function calls. Available for monitoring files and overriding dll
  -  Improvement : Support of debugger software control flow change after an uncaught exception occurs inside a hooked function
          This allows people developing an overriding dll to change flow after an uncaught exception occurred inside their dll, to do more debugging
  -  Bug correction : small bugs on filtering filters solved

StubResolver tool added : shows where the API-MS-WIN-CORE-XXX.dll are redirected (for Vista and Seven)

Registry Emulation example added to help people developing portable applications (Pre Alpha version only)

Version 5.5.0    September 23 2010
WinApiOverride
  -  Improvement : New menu for Stats window allowing global operation on apis
  -  Improvement : Windows 7 stub dll support added
  -  Improvement : Better user type parsing
  -  Improvement : Filename associated to inclusion/exclusion list auto switching
  -  Bug correction : since 5.2 bad object pointer value was displayed for __thiscall logs

Dumper
  -  Integrity checking improvement : aware of exe rebasing, dll rebasing, Windows 7 stub dll

Debug Infos Viewer
  -  Better user type generation
  -  New toolbar button to quickly check project objects


Version 5.4.4    July 07 2010
WinApiOverride
  -  Improvement : .Net 4 support
  -  Improvement : Option to stop logging and kill launched application after a timeout

Dumper
  -  Bug correction : Thread toolbar wasn't fully visible on some computers


Version 5.4.3    June 10 2010
WinApiOverride
  -  Improvement : Log columns reordering
Dumper
  -  Improvement : Display dll load count for each process
  -  Improvement : Display process and thread information from any window/dialog; interesting to get thread call stack next


Version 5.4.2    April 30 2010
  -  Bug correction : better hooked process crash detection and report
  -  Bug correction : "Inject before statically linked dll execution" option now supports software with a bound import directory
  -  Bug correction : potential import PE parsing issue solved


Version 5.4.1    April 19 2010
WinApiOverride
  -  Bug correction : mangled C++ definitions in monitoring file can be parsed again (bug since 5.4.0) (Thanks to Yannick Lahay for report)
  -  Improvement : process filters apply only to process name instead of process full path

Monitoring File Builder
  - Updated to support new online msdn format
  - Improvement : let calling convention for mangled C++ definitions
  - Improvement : avoids being banned by Google during web search


Version 5.4    March 4 2010
WinApiOverride
  -  Improvement : Hooking can start before statically linked dll Tls or DllMain call (Thanks to Shmuel Y. Yungraiz for idea)
  -  Improvement : In detail view, when a parameter is clicked, the signed, unsigned and binary representation are displayed
  -  Improvement : support of parameter static arrays in monitoring file ex: f(int Array[2][4][5],short Array2[5])
  -  Bug correction : PointedDataSize=ArgX parameter option wasn't working when ArgX was a pointed type (Thanks to Sven Fabricius for report)

Dumper
  - Bug Correction : Crash could appear during module integrity checking (Thanks to Lenny F. Halseth for report and solution)

Monitoring File Builder
  - Bug correction : potential crash can appear for some COM component


Version 5.3.1    January 8 2010
WinApiOverride
  -  Potential buffer overflow for COM Interface ID to name conversion solved (Thanks to Timothy for report)
  -  Log selection, if calling module was not found, crash solved

Monitoring File Builder
  - Buffer overflow solved (Thanks to Robert Riebisch for report)
  - Progress bar completion for import parsing bug solved
  - DisplayName option bug solved("|" was not written to output file)


Version 5.3    November 30 2009
WinApiOverride
  -  Plugin support. Overriding dll can communicate with plugins too.
  -  Monitoring file PointedDataSize extension. Now you can write ":PointedDataSize=ArgU*ItemSize" where ItemSize is the size of a single item. For functions like
Mydll.dll|void MyFunction(DWORD* ArrayOfDword:PointedDataSize=Arg2*4, SIZE_T ArrayItemsCount)
  -  .NET static file loading bug introduced in 5.2 version solved (Thanks to Noybdh for report)
  -  Bug solved in .Net : calling convention was not set correctly in some cases
  -  Prevents monitored or overridden APIs from being bypassed by dll unloading and reloading (Thanks to Jung Woo Young for report)
  -  SYSTEMTIME parsing bug in case of bad wDayOfWeek value solved

Debug Infos Viewer
  - Generates user types required for generated monitoring functions


Version 5.2.0    October 27 2009
WinApiOverride
  -  Support of user data types (enum, struct, union)
  -  Support of user defines
  -  kernel speed improvement
  -  Bug correction : potential infinite loop in faking mode introduced in 5.1.12 solved
  -  Monitoring library function search improvement
  -  Bug correction : Monitoring library, in some cases selected state changes weren't taken into account
  -  "Use List" module option unchecking now implies all modules logging (to avoid confusion)
  -  Bug correction : Module Filters could invert module logged state

Monitoring File Builder
  - Bug correction : Update action was case sensitive and was checking full module path


Version 5.1.12    July 20 2009
WinApiOverride
  -  Hooking kernel improvement : speed, multithreading safety, re-entering functions are logged for FirstBytesCanExecuteAnywhere or VTBL hooks
  -  Caller address bug corrections and improvement (Thanks to Shmuel Y. Yungraiz for correction and improvement)
  -  SavingFileName command line option added for NoGui mode

Debug Infos Viewer
  - Bug correction : potential bad monitoring generation for thiscall calling convention for methods with no args
  - Bug correction : mixed mode disassembly doesn't show full source code


Version 5.1.11    May 25 2009
WinApiOverride
  -  Bug Correction : Since version 5.0 target application was crashing in case of not hookable exceptions handler (Thanks to Shmuel Y. Yungraiz for report)
  -  Caller address bug corrections and improvement (Thanks to Shmuel Y. Yungraiz for correction and improvement)
  -  Bug Correction : Potential crash for "Attach Application At Startup" if no command line specified solved. (A single space was sent as parameter instead of an empty string, and some target application command line parsers crashed) (Thanks to Shmuel Y. Yungraiz for report)
  -  Better call stack presentation and use of debug information (if any) for stack display in detailed view

Dumper
  - Better call stack presentation and use of debug information (if any) for stack display

Debug Infos Viewer
  - Memory leaks solved


Version 5.1.10    April 09 2009
WinApiOverride
  -  Vista and newer os, exe dynamically based support (Thanks to Eugene Ingerman for detailed reports and tests)
  -  Added new keywords in monitoring file syntax to support exe dynamically based (EXE_INTERNAL_RVA, EXE_INTERNAL_RVA_POINTER)
  -  Quick ending programs error message boxes solved

Debug Infos Viewer
  - Generate monitoring files from debug information using EXE_INTERNAL_RVA, instead of EXE_INTERNAL

Monitoring File Builder
  - Generates COM auto monitoring files from type libraries (.tlb)


Version 5.1.9    March 23 2009
WinApiOverride
  - Manual modules filters bug correction (Thanks to X05 for report)

Dumper
  - Added processes and threads creation time


Version 5.1.8    March 15 2009
  - Bug Correction : hooked functions floating stack wasn't preserved in some cases and can throw errors (Thanks to Semil Core for detailed report)
  - Manual modules filters bug correction
  - Manual modules filters GUI enhancement


Version 5.1.7    January 21 2009
WinApiOverride
  - Bug correction : Errors on Vista32/64 using "Attach to a running process" startup option solved (Thanks to Erik M. Pilsits and Vangelis Dimou for their reports and tests)
  - Added support for monitoring files with template functions definitions

DebugInfosViewer
  - Added template functions definitions generation support
  - Potential crash during monitoring files generation solved


Version 5.1.6    January 14 2009
  - Bug correction : .Net services couldn't be hooked. This was because windows services.exe was not affected by environment variables changes
  - Caller address improvement (for Shmuel Y. Yungraiz)
  - Bug correction : potential troubles when clearing logs solved


Version 5.1.5    December 15 2008
  - Bug correction : Com auto hooking CoGetClassObject API was only catching IClassFactory interface. (Thanks to Brian Atkins for report)
  - Monitoring library small bugs solved

Debug Info Viewer:
  - Bug correction : for object methods with an explicit calling convention (__stdcall or other), the generated monitoring file did not have the object pointer as first parameter

Version 5.1.4    December 08 2008
  - Small pe parsing bug resolved

Monitoring File Builder:
  - Detects exported variables
  - Monitoring file builder doesn't crash anymore if you try to call functions to detect number of parameters (call is done inside another process for better security)
  - Drag & drop support added

Version 5.1.3    November 27 2008
  - Added a static library WinApiOverride.lib project and a small application example in sources (located in WinAPIOverride32\_lib directory), for developers who want to use WinApiOverride core components
  - Small GUI changes
  - Small bugs corrections

Version 5.1.2    November 17 2008
  - Better memory protection for COM multi-threading
  - Bug correction: conditional parameter breaking
  - Bug correction: COM auto-monitoring error if created object was first parameter

Version 5.1.1    October 27 2008
  - Don't try to hook invalid TLS (thread local storage) callbacks [some packers use TLS callbacks array to put data]
  - Bug correction: Monitoring wizard quick edit changes were taken into account only if their monitoring state changed

Version 5.1.0    October 5 2008
  - Can hook exe TLS (thread local storage) callbacks with monitoring, breaking and overriding capabilities (applies to "Attach at application startup" options)
  - COM hooking improvement : COM objects created by interfaces methods can be hooked (see COM monitoring files syntax)
  - Added definitions to hook DirectDraw and Direct3D
  - COM hooking bugs correction
  - IDispatch parsing bug correction
  - WSAPROTOCOL_INFO parsing bug resolved
  - no more error message at exit for users with limited rights
  - menu bug correction (some system were affected by the use of MNS_AUTODISMISS)

Version 5.0.1    July 14 2008
  - Monitoring Wizard : added a quick way to restore monitoring file default values
  - Monitoring Wizard : on right click on monitoring file list, quick operations are available (create new, rename, edit and remove)
  - Small GUI changes

Version 5.0.0    July 14 2008
WinAPIOverride :
  - New hooking way
       No stack pointer change
       No base pointer change (allow to hook functions compiled with /Oy optimization)
       Exceptions are not caught and rethrown but just spied on, and exception registers are logged
       Call analysis doesn't require the "try to retrieve call stack" option
  - support of __thiscall and __fastcall calling convention
  - first try of .NET monitoring and overriding (Framework version 1.0 and upper supported) Notice: should be considered as beta
  - Remote calls : new calling convention supported, .NET support
  - Some code optimization
  - Some bugs removal

Dumper :
  - Allows quickly injecting/ejecting a dll to/from a process
  - Module / Process Integrity Checking

Debug Info Viewer :
  - First version
For software having associated debug information (.pdb file) :
1) Generates monitoring files for internal functions spying
2) Display generated function asm codes

Dll Export Finder :
  - First version
Finds the dll exported function(s) you're looking for

Version 4.0.5    July 7 2008
  - In case of bad COM monitoring file, infinite inclusion was possible, generating a stack overflow. Protection has been added now
  - Corrected IOleWindow and IOleInPlaceObject COM monitoring files provided since 4.0.1 version, responsible for stack overflow and target process crashing when activating COM auto hooking

Version 4.0.4    April 21 2008
  - bug correction: since v4.0.0, bad exception handler restoration for hooked functions.
Consequence : troubles when next exception occurs

Version 4.0.3    March 13 2008
  - New version WinApiOverride for bug correction: since v4.0.1, when starting from command line all columns were hidden
(Thanks to Richard Pirk for report)

Version 4.0.2    March 09 2008
  - New version WinApiOverride to correct int32 formatting bug due to bad SHORT cast (bug introduced in 4.0.0 version)
(Thanks to hanimaro for reporting it, because the bug was corrected in my working version, and so I thought the bug wasn't in the published version)

Version 4.0.1    January 11 2008
  - Added COM tool to list all CLSID available on computer
  - Added COM interface monitoring files.

HeapWalker version 1.0.1    December 14 2007
  - HeapWalker memory error bug correction

Version 4.0.0    December 13 2007
WinAPIOverride :
  - COM / OLE / ActiveX hooking support :
              Monitoring
              Overriding
              COM interaction : you can call method of hooked object and show property page
              Display methods virtual and raw address (and virtual and raw VTBL address)
  - Pre and Post API call hooking chain (you can install multiple hook for the same function)
  - Can monitor functions throwing hardware and software exceptions
  - New keywords EXE_INTERNAL_POINTER@ and DLL_INTERNAL_POINTER@ added to hook functions pointers
  - Option to export full parameters content
  - Only/Not logged module list support jokers ("*", "?") and new path shortcuts (<ProgramFiles>,<ProgramFilesCommon>,<TargetDir>)
  - New failure options according to GetLastError() result : "FailureIfLastErrorValue=", "FailureIfLastErrorValue!=", "FailureIfLastErrorValue<", "FailureIfLastErrorValue>"
  - New supported types : SAFEARRAY, SAFEARRAYBOUND, VARIANT, VARIANTARG, DECIMAL, BSTR, OLECHAR, LPOLESTR, MULTI_QI, EXCEPINFO, DISPPARAMS
  - Remote calls : hardware exceptions are caught; direct support of ansi and unicode strings as parameters: "ansi" L"unicode"; direct support of variants and pointers to variants VT_xx, VT_xx_BYREF, &VT_xx
  - Some code optimization
  - Drag and Drop support for log file reloading, monitoring file loading, overriding dll loading and application path.

Dumper :
  - New easier and cleaner interface

HeapWalker :
  - First version

Bug Corrections :
  - "Attach at application Startup" deadlock for .Net applications
  - PE parsing
  - Loss of messages before application unload
  - Infinite loop in case of conditional parameter buffer logging

Version 3.1.3    May 09 2007
  - Option "Break Dialog don't break ApiOverride threads" added with its command line equivalent "DontBreakAPIOverrideThreads"
  - Bug correction for wait cursor (introduced in 3.1.2 version)
  - Bug correction for errors that can appear after log removal.

Version 3.1.2    April 22 2007
  - Ability to hook services and other users' applications (if enough rights)
  - Command line improvement
  - ESP spying added to check calling conventions
  - Process monitor blue screen on high rate application launching solved (thanks to Shang Yu Liang for reporting a detailed description of this error)
  - More options saved and restored
  - Bug correction

  - Example of use of CAPIOverride class added in documentation


Version 3.1.1    April 3 2007
  - Bug correction


Version 3.1    April 2 2007
WinAPIOverride :
  - Zombie length size disassembler added for more powerful automatic hooks
  - Callstack and call stack parameters retrieval for all function calls (option)
  - Callstack post-call analysis to easily highlight subfunctions
  - Size of a parameter can be defined according to another parameter value : for example, for ReadFile we can use
kernel32.dll|BOOL ReadFile( HANDLE hFile, LPVOID lpBuffer:PointedDataSize=Arg4, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped)|Out
  - Timestamp resolution changed from milliseconds to microseconds
  - Multithreaded remote calls : you don't need to wait for the first one to finish before starting another.
  - New saving file format .xml.zip (a zip file containing an .xml) to save space on the hard drive. Of course, the old file format is still supported.
  - Ordinal-only DLL exports fully supported (at least)
  - UNICODE_STRING and ANSI_STRING are supported as their full struct, not only the string content as in older versions
  - Monitoring file debug mode added
  - New hooking tutorial added

Monitoring File Builder :
  - New interface and more functionalities, lots of bug corrections in PE parsing

Dumper :
  - Kernel mode added

Monitoring files :
  - Size of a parameter can be defined according to another parameter value
  - new keywords : DLL_ORDINAL, FirstBytesCantExecuteAnywhere, FirstBytesCanExecuteAnywhereWithRelativeAddressChange, FirstBytesCanExecuteAnywhereWithRelativeAddressChange=
  - "First bytes can execute anywhere" size increased from 20 to 64 bytes

Bug Corrections :
  - "Load in all new process" blue screen that could appear on multi-core processors at hook stop removed (thanks to Arno Garrels for reporting the problem along with a solution)
  - PE parsing (lots of bugs)
  - First argument lost in command line for option "Attach at application startup" solved.
  - some minor changes to generic monitoring files


Version 3.0    December 9 2006
  - New hooking algorithms (hook in 5 opcodes, asm registers integrity)
  - Parameter filters
  - Function return filters
  - Optional break before or after the function call
  - Can hook asm functions with args passed through registers
  - Failure code support
  - More types supported (including floating return)
  - Monitoring files generation
  - Call Comparison
  - Search through results
  - Remote Call Interface
  - Statistics
  - Export to CSV and HTML added


Version 2.1.1    June 21 2006
  - Ordinal log number added for sorting results
  - Module filters bug in Unicode version removed (Ansi version not affected)
  - other small bugs removed

Version 2.1.0    June 17 2006
WinAPIOverride
  - Caller address is presented as raw and relative from module
  - Filters can be defined depending on the calling module
  - Injection in suspended mode works for all applications now
  - Better injection performances when injecting to all applications
  - New faking dll source code provided as a tutorial (source code available under the Tools\Process\APIOverride\FakeAPIDllSample\HideMe directory). It shows you how to hide yourself from the hooked process. The HideMe.dll comes with the binaries archives. It's only a proof of concept; handles are not hidden

Dumper
  - Fully changed for better performance
  - Allows allocating, reading, writing or freeing memory in remote processes
  - Allows making raw dumps
  - Allows setting process/thread priority, and suspending, resuming or terminating them
  - Retrieves Eip of threads (and if thread is not system locked, its context)
  - Show process threads and parent Id

Version 2.0.1.0    April 24 2006
  - Memory protection removal bug removed : PAGE_EXECUTE and PAGE_EXECUTE_READ protection flags weren't removed in previous versions. The effect was a memory write fault, crashing host process, when we tried to hook or monitor a func

Version 2.0.0.0    April 11 2006
  - Can hook multiple processes in same interface
  - Can hook all created processes (filters can be defined)
  - Better process hooking at startup handling
  - Unicode conversion
  - New InNoRet hooking type: it allows sending the log to WinAPIOverride before the function is called, so even if the function crashes we get logs
  - Monitoring files parsing improved: you can now leave the return type of the function in the definition; parameter keywords const, struct, far, in, out, inout are ignored; pointer detection troubles solved (char *psz type will now be recognized as char*)
  - Some memory leaks removed
  - The injected library is statically linked only with kernel32 (user32.dll will be loaded only on errors), so hooking can be done sooner

Version 1.0.0.1    January 29 2006
  - Some minor bug corrections
  - Added some API definitions in monitoring files
  - manifest resource added to exe

Version 1.0    November 14 2005
Initial version.