WSLogHARD
---------
Logs all calls to the "gethostbyname" and "send" winsock APIs.
"All calls" implies the HOOK_OVERWRITE hook type (the function prologue itself is
overwritten, so no call path can bypass the hook).
NT: All processes are enumerated, the winsock DLL is mapped into them, and hooks are applied.
New processes are hooked via a CreateProcessW/CreateProcessInternalW hook. Again the
winsock DLL is mapped into them and hooks are applied.
9X: Winsock (LOCAL) APIs are hooked GLOBALLY! Hooks_DLL is loaded into the KERNEL32.DLL
process, and CallProgramEntry in the KERNEL32.dll module is hooked (globally). Now calling
DllMain of EVERY module in 9X is controlled! Processes are enumerated and dynamic
hooks containing winsock hooks only are applied to the processes (ApiHookChain is accessible
from any process, hence dynamic hooks; the pointer is global). Winsock hook procedures
are shared by all processes. When the winsock DLL is attached to a (new) process, it is
hooked (in the CallProgramEntry hook). What's the advantage? Memory/disk space saving, which
is of great importance in 9X, and hook precision: really every call is logged.
Otherwise Hooks_DLL would have to be mapped into every process. Disadvantage: a specially
well-written Hooks_DLL is required; only assemblers and VC++ can produce it.