
📄 alternative.txt

 This example demonstrates the use of the (Un)LoadModuleTime APIs and of
HOOKS_DYNAMIC with EXCLUDED module(s).
1) Alternative.dll is loaded into a given process (here the current
   process) using LoadModuleTime.
2) Alternative calls EstablishApiHooks with HOOKS_DYNAMIC and one
   excluded module (Alternative.dll). The API MessageBoxA is hooked.
3) Alternative.dll is unloaded using UnloadModuleTime.

 The same effect could be obtained if Alternative.dll exported its
hooks statically (and didn't use dynamic hooks) and EstablishApiHooks
were called. The disadvantage of the 1st solution is that
ApiHooks.dll must be present in the given process.
 (Even if EstablishApiHooks is used with a module with no hooks, the
 module is uploaded and dynamic hooks are applied, but hooks can't
 be established and the return value will be ErrorRemoteExec.)

 If the dynamic hooks were applied without excluding the module
(Alternative.dll) that both hooks and imports the given API
(MessageBoxA), a call to MessageBoxA would never end, because the
MessageBoxA import in the hooking module would point to a routine in
that same module:
 NewMessageBoxA:
  ...CALL [_imp__MessageBoxA]
 but [_imp__MessageBoxA] == NewMessageBoxA


How to exclude modules?
 Exclusion is allowed in HOOKS_DYNAMIC only and applies to ALL_MODULES
hooks. UnhookAddresses in the 1st API_HOOK structure (the one with
HOOKS_DYNAMIC) must point to a NULL-terminated list of image bases.

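In C syntax:
API_HOOK ApiHookChain[x] = {
 // 1st entry: UnhookAddresses points to the exclude list
 {HOOKS_DYNAMIC, NULL, 0,          NULL,   Excluded,  NULL},
 {ModExp,        Api,  Attributes, ModImp, UnhookApi, NewApi},
 //...
 {HOOKS_END}
};

// NULL-terminated list of image bases to exclude
Excluded[N+1] = {Base0, Base1, ... BaseN, NULL};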

 Then, when ApiHooks applies the given hooks to ALL_MODULES, it
compares the actual module base with the bases in the exclude list. If
the base is found, that module is not hooked.

 Using HOOKS_DYNAMIC with excluded modules makes sense when a .dll calls
EstablishApiHooks* with hooks containing ALL_MODULES.
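
 The program below is an added illustration, not part of the ApiHooks package or of this example's sources. It models the never-ending MessageBoxA call and the exclude-list comparison described above with a toy Module struct holding one import slot; Module, is_excluded, hook_all_modules and run_scenario are hypothetical names, and no ApiHooks or Windows API is called.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model (assumption, not ApiHooks code): a "module" is an image base
   plus one import slot standing in for [_imp__MessageBoxA]. */
typedef int (*msgbox_fn)(const char *text);
typedef struct { void *base; msgbox_fn imp_MessageBoxA; } Module;

static Module app, hooker;            /* hooker plays Alternative.dll */
static int depth, max_depth;

static int RealMessageBoxA(const char *text) { (void)text; return 1; }

/* Hook routine: calls the API through its own module's import slot.
   The depth guard exists only so the model stops instead of overflowing. */
static int NewMessageBoxA(const char *text) {
    int r = -1;                        /* -1: guard tripped, API never reached */
    if (++depth > max_depth) max_depth = depth;
    if (depth < 8) r = hooker.imp_MessageBoxA(text);
    depth--;
    return r;
}

/* Walk the NULL-terminated list of image bases. */
static int is_excluded(void *base, void *const *excluded) {
    for (; excluded && *excluded; excluded++)
        if (*excluded == base) return 1;
    return 0;
}

/* ALL_MODULES behaviour: patch every module whose base is not excluded. */
static void hook_all_modules(Module **mods, size_t n, void *const *excluded) {
    for (size_t i = 0; i < n; i++)
        if (!is_excluded(mods[i]->base, excluded))
            mods[i]->imp_MessageBoxA = NewMessageBoxA;
}

/* Returns the deepest hook nesting seen when the app calls MessageBoxA. */
int run_scenario(int exclude_hooker) {
    Module *mods[] = { &app, &hooker };
    void *excluded[] = { &hooker, NULL };
    app.base = &app; hooker.base = &hooker;
    app.imp_MessageBoxA = hooker.imp_MessageBoxA = RealMessageBoxA;
    depth = max_depth = 0;
    hook_all_modules(mods, 2, exclude_hooker ? excluded : NULL);
    app.imp_MessageBoxA("hello");
    return max_depth;
}

int main(void) {
    printf("excluded: %d, not excluded: %d\n", run_scenario(1), run_scenario(0));
}
```

 With the hooking module excluded the hook runs once and reaches the real routine; without the exclusion the nesting climbs until the model's guard stops it.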
