ApiHooks debugging support
---------------------------
ShowHooks and all AHexts can display nonsense or nothing if ApiHookChain
is exposed via GetApiHookChain (the utilities resolve simple GetApiHookChain
forms).
ShowAH can display nonsense or nothing when ApiHookChain is packed/encrypted.
----------------------------------------------------------------------------------
AHexts.dll can be loaded into user debugger (ntsd, cdb, windbg).
Commands:
!ahexts.load - load AHexts.dll (or !load ahexts)
!ahexts.help - help
!ahexts.ahh <address> - print API hooks at given <address>
!ahexts.ahm <address> - print API hooks in module loaded at <address>
!ahexts.eah <ModuleWithHooks> - load <ModuleWithHooks> and establish API hooks
!ahexts.lom <Module> - load <Module>
!ahexts.ulo <Module> - unload <Module>
!ahexts.unload - unload AHexts.dll
The !eah, !lom and !ulo commands can only complete after the process is initialized
(do G MainModuleEntry, or set a BP on MainModuleEntry, and then execute those !commands).
NT4: the !commands can only complete during the debugger's WaitForDebugEvent.
----------------------------------------------------------------------------------
Windows 9x note:
Q: My program calls EAH functions to hook itself. When I debug it in Win9x it
isn't hooked. Where is the problem?
A: This is caused by use of the HOOK_BY_ADDRESS flag (= forces EAH to find the API
to hook using GetProcAddress).
The problem is that GetProcAddress in the debuggee returns a different address
every time for a given API:
// hModule is > 2GB (system DLLs in shared memory)
FARPROC a = GetProcAddress(hModule, "givenAPI");
FARPROC b = GetProcAddress(hModule, "givenAPI");
if (a != b) printf("I'm debugged in Win9x\n");   // two lookups, two addresses
Solution: Temporarily change HOOK_BY_ADDRESS to HOOK_BY_NAME (but it will not
work with a packed file). Every call to GetProcAddress for an API residing in
shared memory returns the address of a newly built stub (takes 10 bytes). Try to
debug a program which contains:
for (i = 0; i < BIG_NUMBER; i++)
    if (!GetProcAddress(GetModuleHandle("KERNEL32"), "Sleep")) break;   // leaks one stub per iteration
and you'll hear the pagefile soon.
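A constructed C model of the failure mode described above, added here and not AHexts code: a resolver that, like GetProcAddress in a Win9x debuggee, hands out a new 10-byte stub on every call, so identifying the hook target by address fails while identifying it by name still works, and a long loop of lookups accumulates stubs that are never reclaimed. The HOOK_BY_ADDRESS/HOOK_BY_NAME values, the export table and all helper names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hook-target selection modes named as on the page; the numeric values are assumed. */
enum { HOOK_BY_ADDRESS = 0, HOOK_BY_NAME = 1 };

/* Constructed stand-in for a shared-memory DLL export: name plus real entry point. */
typedef struct { const char *name; void *real; } export_t;
/* Models the 10-byte stub the debuggee receives instead of the real address. */
typedef struct { char bytes[10]; void *target; } stub_t;

static void sleep_real(void) {}
static export_t module_exports[] = { { "Sleep", (void *)sleep_real } };
static size_t stubs_built;   /* one per resolver call in debuggee mode, never freed */

/* Models GetProcAddress: stable normally, a fresh stub per call when `debuggee` is set. */
static void *resolve(const char *name, int debuggee) {
    for (size_t i = 0; i < sizeof module_exports / sizeof *module_exports; i++) {
        if (strcmp(module_exports[i].name, name) != 0) continue;
        if (!debuggee) return module_exports[i].real;
        stub_t *s = calloc(1, sizeof *s);   /* the leak that eventually hits the pagefile */
        s->target = module_exports[i].real;
        stubs_built++;
        return s;
    }
    return NULL;
}

/* The page's check: two lookups of the same API that disagree mean addresses are unstable. */
static int resolver_is_unstable(const char *name, int debuggee) {
    return resolve(name, debuggee) != resolve(name, debuggee);
}

/* Pick a hook mode: fall back to HOOK_BY_NAME when addresses cannot be trusted. */
static int choose_hook_mode(const char *name, int debuggee) {
    return resolver_is_unstable(name, debuggee) ? HOOK_BY_NAME : HOOK_BY_ADDRESS;
}

/* Returns 1 when the hook target was identified, 0 when address matching misses. */
static int install_hook(const char *name, int mode, int debuggee) {
    if (mode == HOOK_BY_NAME)
        return strcmp(module_exports[0].name, name) == 0;
    void *addr = resolve(name, debuggee);      /* HOOK_BY_ADDRESS path */
    return addr == module_exports[0].real;     /* a stub address never matches the export */
}

/* Models the page's loop: how many stubs (10 bytes each) a run of lookups leaves behind. */
static size_t stubs_after_loop(size_t big_number) {
    size_t before = stubs_built;
    for (size_t i = 0; i < big_number; i++)
        if (!resolve("Sleep", 1)) break;
    return stubs_built - before;
}
```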
----------------------------------------------------------------------------------