   -----------------------------------------------------------------
    API Tracer Level One - freeware version 2003.01
   -----------------------------------------------------------------
    Copyright (c) 2002-2003 Evgeny Khirin. All rights reserved.


 Contents
----------
 1. About API Tracer Level One.
 2. System Requirements.
 3. Installation.
 4. How it works.
 5. Contact information.


 1. About API Tracer Level One
-------------------------------
 API Tracer Level One (API Tracer) is yet another API spy that lets you examine
 a program's code flow.

 This freeware version is just a demonstration of a powerful new trapping
 technology developed and owned by Evgeny Khirin. The technology allows
 trapping of ANY function in ANY DLL. The trapping engine requires only a
 function's address in order to trap it, so it is not limited to intercepting
 exported functions. Moreover, it can install a trap even in the middle of a
 function. It can effectively intercept DLL exported functions, callback
 functions such as window procedures, C++ member methods, COM objects, etc.

 Along with its power and flexibility, the engine is very fast.

 SDKs are available! There are two SDKs: one for intercepting functions with a
 known prototype and one for intercepting unknown functions.

 When a known function is intercepted, the engine's consumer obtains the
 address of the original function and calls it itself. Alternatively, the
 consumer can provide its own improved implementation of the trapped API. This
 technique can be used in API inspector development, in patching and
 performance improvement of third-party applications, etc.

 When an unknown function is intercepted, the engine's consumer is notified
 before the intercepted function starts and after it terminates. These
 notifications carry additional information:
     - before API start: array of CPU registers, address of first parameter.
       If the consumer can obtain the number and types of the parameters, it
       can walk all function parameters using the va_arg macro and the address
       of the first parameter. For example, the number and types of a COM
       object method's parameters can be obtained from type libraries.
     - after API terminated: array of CPU registers.
 This technique can be used in profiler development, in tracing COM object
 method calls, etc.
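
 The parameter walk described above, as an added example (not code from API
 Tracer or its SDK). It is portable C that decodes a captured 32-bit x86
 argument area byte by byte instead of using va_arg on a live stack;
 ParamKind, walk_params and the sample frame are hypothetical names and
 constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical parameter kinds a consumer could derive from a type library. */
typedef enum { P_I32, P_PTR32, P_F64, P_I64 } ParamKind;

/* Constructed sample: 32-bit x86 argument area for f(7, 0x00401000, 1.5, -2LL),
   little-endian; decoding below assumes a little-endian host. */
static const uint8_t SAMPLE_FRAME[24] = {
    0x07,0,0,0,  0x00,0x10,0x40,0x00,  0,0,0,0,0,0,0xF8,0x3F,
    0xFE,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF };
static const ParamKind SAMPLE_KINDS[4] = { P_I32, P_PTR32, P_F64, P_I64 };

/* Walk the arguments from the address of the first parameter. Each one takes
   whole 4-byte stack slots. Returns bytes consumed (the callee's "ret N" under
   stdcall), or -1 if the type list overruns limit or out is too small. */
long walk_params(const uint8_t *first, size_t limit, const ParamKind *kinds,
                 size_t count, char *out, size_t out_len)
{
    size_t off = 0, used = 0;
    if (out_len) out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        size_t n = (kinds[i] == P_I64 || kinds[i] == P_F64) ? 8 : 4;
        uint32_t u32; int64_t i64; double f64; int w;
        if (off + n > limit) return -1;   /* wrong type info: stop, do not read on */
        char *p = out + used; size_t room = out_len - used;
        switch (kinds[i]) {
        case P_I32:   memcpy(&u32, first + off, 4);
                      w = snprintf(p, room, "i32=%d ", (int)(int32_t)u32); break;
        case P_PTR32: memcpy(&u32, first + off, 4);
                      w = snprintf(p, room, "ptr=0x%08x ", (unsigned)u32); break;
        case P_F64:   memcpy(&f64, first + off, 8);
                      w = snprintf(p, room, "f64=%g ", f64); break;
        default:      memcpy(&i64, first + off, 8);
                      w = snprintf(p, room, "i64=%lld ", (long long)i64); break;
        }
        if (w < 0 || (size_t)w >= room) return -1;
        used += (size_t)w; off += n;
    }
    return (long)off;
}

int main(void)
{
    char line[128];
    long n = walk_params(SAMPLE_FRAME, sizeof SAMPLE_FRAME, SAMPLE_KINDS, 4, line, sizeof line);
    printf("%s(%ld argument bytes)\n", line, n);
    return 0;
}
```

 The limit argument is a guard for the trace tool itself: a stale or wrong
 type description otherwise reads past the real arguments into unrelated
 stack data.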

 Both SDKs provide additional useful notifications: thread start/termination,
 module load/free and others.

 The module load notification is issued when a module has been loaded into
 memory and its entry point routine (DllMain) is about to start. The module
 free notification is issued after the module's DllMain(DLL_PROCESS_DETACH)
 has terminated and the module is about to be freed.

 The same function can be intercepted multiple times with both SDKs. This
 means that several traps can be installed for the same original API.

 Both SDKs have DLL injection routines. The inject routines can inject a DLL
 into a newly started process. They load the consumer's DLL into the address
 space of the required process and then call the DLL's initialization routine
 with an optional parameter supplied by the consumer. The initialization
 routine is just a function exported by the injected DLL, with the following
 prototype:
     unsigned
     __stdcall
         Init(
             void *     mpvInitParam,
             size_t     mjInitParamSize);
 After the initialization routine terminates, its return value is passed to
 the consumer.

 This injection technique has the following advantages:
     - The Init routine receives parameters.
     - The return value of the Init routine is passed to the consumer for
       analysis.
     - The Init routine does not have the limitations peculiar to DllMain.
     - The injected DLL can be debugged at a very early stage.

 A routine for DLL injection into a running process can easily be added at
 customer request, with the same advantages.


 2. System Requirements
------------------------
 The API Tracer works on:
    Windows NT 4.+/2000/XP


 3. Installation
-----------------
 No installation required.


 4. How it works
-----------------
 There are a few reviews of API hooking techniques on the web:
    http://help.madshi.net/ApiHookingMethods.htm
    http://www.codeproject.com/system/hooksys.asp
    http://research.microsoft.com/sn/detours

 5. Contact information
------------------------
 If you encounter any problems or have questions about this demo or the
 trapping engine, or you are interested in purchasing the SDK, please contact me:
    E-Mail: ekhirin@yahoo.com
    WWW: http://www.geocities.com/ekhirin



