API Tracer Level One - freeware version 2003.01
Copyright (c) 2002-2003 Evgeny Khirin. All rights reserved.

About API Tracer Level One
API Tracer Level One (API Tracer) is yet another API spy that allows
examining a program's code flow.
This freeware version is just a demonstration of a new
trapping technology developed and owned by Evgeny Khirin. The
technology allows trapping ANY function in ANY DLL. The trapping engine requires
only the function's address in order to trap it, so it is not limited to
intercepting exported functions. Moreover, it can install a trap even in the
middle of a function. This makes it possible to intercept DLL exported
functions, callback functions such as window procedures, C++ member functions, COM
object methods, etc.
The engine is fast as well as powerful and flexible.
SDKs are available. There are two SDKs: one for
intercepting functions with a known prototype and one for intercepting functions
with an unknown prototype.
When a known function is intercepted, the engine's
consumer obtains the address of the original function and calls it itself, or
provides its own improved implementation of the trapped API. This
technique can be used to develop API inspectors, to patch third-party
applications, to improve their performance, etc.
When an unknown function is intercepted, the engine's
consumer receives notifications before the intercepted function starts and
after it returns. Along with these notifications the consumer receives
additional information:
- Before the API starts: an array of CPU registers and the address of the
first parameter. If the consumer can obtain the number and types of the
parameters, it can walk all the function's parameters with the va_arg macro
starting from the address of the first parameter. For example, the number and
types of a COM object method's parameters can be obtained from a type library.
- After the API returns: an array of CPU registers.
This technique can be used to develop profilers, to trace calls to COM
object methods, etc.
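As an added example (not part of API Tracer or its SDKs; the COM method, its type list and the frame contents are all constructed for illustration): walking the parameters of an intercepted function from the address of its first parameter plus a type list, as the "before" notification makes possible. On 32-bit x86, the platform this tool targets, stdcall/cdecl arguments lie in consecutive 4-byte stack slots starting at the first parameter, which is exactly what va_arg steps through. Building a va_list from an arbitrary address is not portable, so the example advances an explicit cursor by the same slot sizes and keeps the frame in a byte buffer so it runs on any host.

```c
/* Added example, not API Tracer SDK code. Walks the arguments of an
 * intercepted 32-bit function given the address of its first parameter
 * and a description of the parameter types (e.g. from a type library). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum { PT_INT32, PT_UINT32, PT_PTR32, PT_FLOAT, PT_INT64, PT_DOUBLE } param_type;

typedef union {
    int32_t  i32;
    uint32_t u32;
    uint32_t ptr;   /* 32-bit pointer value, kept as an integer */
    float    f;
    int64_t  i64;
    double   d;
} param_value;

/* Bytes one argument occupies on a 32-bit x86 stack: 8 for 64-bit types,
 * 4 otherwise. Prototyped stdcall/cdecl calls do not promote float. */
static size_t slot_size(param_type t)
{
    return (t == PT_INT64 || t == PT_DOUBLE) ? 8 : 4;
}

/* Walks n arguments beginning at first_param, the address the engine hands
 * to the "before" notification. Each step advances by the slot size, which is
 * what va_arg does for the same type on this ABI. Returns the bytes consumed,
 * which for a stdcall function must equal the N in its "ret N" cleanup. */
size_t walk_params(const void *first_param, const param_type *types,
                   size_t n, param_value *out)
{
    const uint8_t *cur = first_param;
    size_t consumed = 0;
    for (size_t i = 0; i < n; i++) {
        size_t sz = slot_size(types[i]);
        memset(&out[i], 0, sizeof out[i]);
        memcpy(&out[i], cur, sz);   /* little-endian: low bytes are the member */
        cur += sz;
        consumed += sz;
    }
    return consumed;
}

/* Constructed sample: the frame a 32-bit caller builds for a hypothetical
 * COM method HRESULT IFoo::SetScale(int id, double scale, void *buf).
 * COM methods are stdcall with the interface pointer as the first parameter;
 * the type list is what a type library would describe for it. */
const param_type sample_types[4] = { PT_PTR32, PT_INT32, PT_DOUBLE, PT_PTR32 };
uint8_t sample_frame[32];
param_value sample_values[4];

size_t build_sample_frame(void)
{
    uint8_t *p = sample_frame;
    uint32_t this_ptr = 0x00A0B000u;   /* constructed interface pointer */
    int32_t  id       = -7;
    double   scale    = 2.5;
    uint32_t buf      = 0x0012FF80u;   /* constructed pointer argument */
    memcpy(p, &this_ptr, 4); p += 4;
    memcpy(p, &id, 4);       p += 4;
    memcpy(p, &scale, 8);    p += 8;
    memcpy(p, &buf, 4);      p += 4;
    return (size_t)(p - sample_frame);  /* 20 bytes */
}

int main(void)
{
    size_t frame_bytes = build_sample_frame();
    size_t walked = walk_params(sample_frame, sample_types, 4, sample_values);
    printf("frame %zu bytes, walked %zu bytes\n", frame_bytes, walked);
    printf("this=%#x id=%d scale=%g buf=%#x\n",
           sample_values[0].ptr, sample_values[1].i32,
           sample_values[2].d, sample_values[3].ptr);
    return walked == frame_bytes ? 0 : 1;
}
```

The byte count walk_params returns is worth checking against the stdcall cleanup size of the trapped function: if they differ, the type list does not match the function actually trapped, and the values read are garbage.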
Both SDKs provide additional useful notifications:
thread start/termination, module load/free and others.
The module load notification is issued when a module has been loaded
into memory and its entry point routine (DllMain) is about to start. The module
free notification is issued after the module's DllMain(DLL_PROCESS_DETACH) has
returned and the module is about to be freed.
The same function can be intercepted multiple times with
both SDKs; that is, several traps can be installed on the same original API.
Both SDKs include DLL injection routines. The inject
routines inject a DLL into a newly started process: they load the
consumer's DLL into the address space of the target process and then call the DLL's
initialization routine with an optional parameter supplied by the consumer.
The initialization routine is simply a function exported by the injected DLL with the
following prototype:

    unsigned __stdcall Init(void *mpvInitParam, size_t mjInitParamSize);
After the initialization routine returns, its return value is passed to the consumer.
This injection technique has the following advantages:
· The Init routine receives parameters.
· The return value of the Init routine is passed to the consumer for analysis.
· The Init routine is not subject to the restrictions that apply to DllMain (for example, the loader-lock limits on what DllMain may call).
· The injected DLL can be debugged at a very early stage.
A routine for injecting a DLL into an already running process, with the same
advantages, can easily be added at the customer's request.
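As an added example (not the SDK's own code): an Init routine in the consumer's injected DLL with the prototype above, together with the injecting side building the parameter block. The block layout, its fields, the magic value, the trap addresses and the return codes are all hypothetical; the engine only copies mjInitParamSize bytes and passes their address, so the point of the example is that Init checks the size and layout version before reading any field, and leaves its state untouched when the block is rejected. The Windows export decoration sits behind #ifdef so the logic compiles and runs on any host.

```c
/* Added example, not API Tracer SDK code: the consumer's exported Init
 * routine and a parameter block (hypothetical layout) for it. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#  define INIT_EXPORT __declspec(dllexport) unsigned __stdcall
#else
#  define INIT_EXPORT unsigned   /* non-Windows host: plain function */
#endif

/* Hypothetical parameter block. Its layout is the consumer's own choice; the
 * injector passes the bytes through unchanged. */
typedef struct {
    uint32_t magic;        /* INIT_PARAM_MAGIC */
    uint32_t version;      /* layout version, INIT_PARAM_VERSION */
    uint32_t flags;
    uint32_t trap_count;   /* valid entries in traps[] */
    uint32_t traps[16];    /* 32-bit addresses the consumer wants trapped */
    char     log_path[128];/* NUL-terminated */
} init_param;

enum { INIT_PARAM_MAGIC = 0x54494E49, INIT_PARAM_VERSION = 1 };

/* Return codes handed back to the injecting side (hypothetical). */
enum { INIT_OK = 0, INIT_BAD_SIZE = 1, INIT_BAD_MAGIC = 2,
       INIT_BAD_VERSION = 3, INIT_TOO_MANY_TRAPS = 4, INIT_BAD_PATH = 5 };

static init_param g_cfg;        /* copy kept by the DLL after Init returns */
static int        g_initialized = 0;

INIT_EXPORT Init(void *mpvInitParam, size_t mjInitParamSize)
{
    const init_param *p = (const init_param *)mpvInitParam;
    /* Size first: a short block from a mismatched injector would otherwise
     * be read past its end. */
    if (p == NULL || mjInitParamSize != sizeof(init_param))
        return INIT_BAD_SIZE;
    if (p->magic != INIT_PARAM_MAGIC)
        return INIT_BAD_MAGIC;
    if (p->version != INIT_PARAM_VERSION)
        return INIT_BAD_VERSION;
    if (p->trap_count > sizeof p->traps / sizeof p->traps[0])
        return INIT_TOO_MANY_TRAPS;
    if (memchr(p->log_path, '\0', sizeof p->log_path) == NULL)
        return INIT_BAD_PATH;
    memcpy(&g_cfg, p, sizeof g_cfg);
    g_initialized = 1;
    /* Here the consumer would install its traps through the SDK. */
    return INIT_OK;
}

uint32_t    init_trap_count(void) { return g_initialized ? g_cfg.trap_count : 0; }
const char *init_log_path(void)   { return g_initialized ? g_cfg.log_path : ""; }

/* Injecting side: builds a well-formed block and calls Init the way the
 * injector does once the DLL is mapped. Addresses are constructed. */
unsigned init_with_good_block(void)
{
    static const uint32_t traps[2] = { 0x77E4A3C0u, 0x77E56A10u };
    init_param blk;
    memset(&blk, 0, sizeof blk);
    blk.magic = INIT_PARAM_MAGIC;
    blk.version = INIT_PARAM_VERSION;
    blk.trap_count = 2;
    memcpy(blk.traps, traps, sizeof traps);
    strncpy(blk.log_path, "C:\\tracer\\trace.log", sizeof blk.log_path - 1);
    return Init(&blk, sizeof blk);
}

/* Failure mode: an older injector passes only a header. Init must refuse
 * rather than read fields that are not there. */
unsigned init_with_short_block(void)
{
    uint32_t header[2] = { INIT_PARAM_MAGIC, INIT_PARAM_VERSION };
    return Init(header, sizeof header);
}

/* Failure mode: right size, wrong contents. */
unsigned init_with_bad_magic(void)
{
    init_param blk;
    memset(&blk, 0, sizeof blk);
    blk.version = INIT_PARAM_VERSION;
    return Init(&blk, sizeof blk);
}

int main(void)
{
    printf("good=%u short=%u bad_magic=%u traps=%u log=%s\n",
           init_with_good_block(), init_with_short_block(),
           init_with_bad_magic(), init_trap_count(), init_log_path());
    return 0;
}
```

Because the return value of Init reaches the consumer, distinct codes for each rejection reason make a failed injection diagnosable from the injecting side without a debugger attached to the target.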
System Requirements
The API Tracer works on:
Windows NT 4.+/2000/XP.
Installation
No installation required.
How it works
There are a few reviews of API hooking techniques on the web:
http://help.madshi.net/ApiHookingMethods.htm
http://www.codeproject.com/system/hooksys.asp
http://research.microsoft.com/sn/detours
Contact information
If you encounter any problems or have questions about this demo or the
trapping engine, or you are interested in purchasing an SDK, please contact me:
E-Mail: [email protected]
WWW: http://www.geocities.com/ekhirin