ExitWin hooks ExitWindowsEx globally in Win9x.
ExitWindowsEx is
a) not overwritable in the USER32.DLL retail build, due to its instruction
design (~the API is short);
b) overwritable in the USER32.DLL debug build.
1) HOOK_ALL_SAFE first tries to overwrite ExitWindowsEx;
HOOK_HARD is set - can be overwritten even if it is shared;
- overwriting ExitWindowsEx succeeds in debug build. Go 4)
- overwriting ExitWindowsEx fails in retail build.
2) HOOK_ALL_SAFE tries PE.IAT patching - HOOK_BY_NAME | HOOK_BY_ADDRESS
and ALL_MODULES are set in ApiHook.
3) Final ApiHook for ExitWindowsEx is
HOOK_BY_NAME | HOOK_BY_ADDRESS | HOOK_HARD, ALL_MODULES
4) .exe calls GetApiHookChain - it returns NULL in case of OVERWRITE
(debug build), otherwise it returns the
address of the static hooks in case of ALL_MODULES ->
5a) .exe must apply static hooks to every existing process.
5b) Finally, PE.EAT is patched and unbound.
Note:
Pure PE.EAT patching in step 5b) is not enough. When modules that are
already mapped in existing processes are mapped into a new process, their IAT
is not changed according to the patched EAT (~they are bound).
Example:
1) Run ExitWin.
2) Invoke "Shut down Windows" dialog from Start menu.
3) Press OK
4) RunDll32 process is spawned, SHELL32.dll is loaded.
5) SHELL32.dll calls ExitWindowsEx.
SHELL32.dll is bound to USER32.dll. The hook procedure would be missed
without unbinding.
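
Added example (not part of ExitWin or ApiHooks): reading a PE file's bound import directory to see which DLLs it is bound to, as in the SHELL32.dll / USER32.dll case above. The function names, the sample header and its timestamp are constructed for illustration, and the table is assumed to sit in the PE headers so that its RVA equals its file offset.

```python
import struct

BOUND_IMPORT = 11  # IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT

def bound_imports(image: bytes):
    """Return [(dll_name, timestamp)] a PE file is bound to; [] if it is unbound."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe,) = struct.unpack_from("<I", image, 0x3C)          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe + 24                                           # signature + COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 / PE32+
    (count,) = struct.unpack_from("<I", image, dirs - 4)    # NumberOfRvaAndSizes
    if count <= BOUND_IMPORT:
        return []
    base, size = struct.unpack_from("<II", image, dirs + 8 * BOUND_IMPORT)
    if base == 0 or size == 0:
        return []
    # Assumption: the table sits in the headers, so its RVA equals its file offset.
    out, pos = [], base
    while pos + 8 <= min(base + size, len(image)):
        stamp, name_off, n_fwd = struct.unpack_from("<IHH", image, pos)
        if stamp == 0 and name_off == 0:                    # terminating descriptor
            break
        end = image.index(b"\0", base + name_off)           # names are relative to table start
        out.append((image[base + name_off:end].decode("ascii"), stamp))
        pos += 8 * (1 + n_fwd)                              # skip forwarder refs
    return out

def constructed_sample(bound=True):
    """Constructed minimal PE32 header, optionally bound to USER32.dll."""
    img = bytearray(0x180)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, 0x58 + 92, 16)              # NumberOfRvaAndSizes
    if bound:
        table = struct.pack("<IHH", 0x35000000, 16, 0) + bytes(8) + b"USER32.dll\0"
        img[0x140:0x140 + len(table)] = table
        struct.pack_into("<II", img, 0x58 + 96 + 8 * BOUND_IMPORT, 0x140, len(table))
    return bytes(img)
```

A non-empty result means the file's IAT holds addresses resolved at bind time, which is the case the Note describes.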