capconsole.txt
CapConsole.dll
--------------
"Capture console" saves console output and std_error output to the file console.log.
Imagine you have a console application rebase.exe whose output you can't read
quickly enough; rebase.exe >help.txt doesn't work because rebase.exe writes directly
to the console or to std_error. Then type:
ApiHooks -nq CapConsole.dll c:\sdktools\rebase.exe
ren console.log help.txt
and you're done.
Hooks are applied to all modules in the process.
The hook attributes used are HOOK_EXPORT and HOOK_BY_ADDRESS (= HOOK_ALL).
If a module's export or import table lies above 2GB, it will not be modified.
It is known that on 9x some modules lie above 2GB; Kernel32.dll lies there.
If a new module is loaded into the process, its import table will be modified
according to the ModuleExport's exports. If the export couldn't be modified,
API calls from the newly loaded module will not be caught. If the newly loaded
module is packed or protected, it often uses GetProcAddress to retrieve API
addresses, so the easiest fix is to hook GetProcAddress and return the
new API addresses from it.
IF the new module
<doesn't use GetProcAddress on 9x> (= isn't packed)
OR
<has a bound import, and the module to which the new module is bound is loaded at its
standard image base address (= wasn't relocated) on NT>
THEN its import won't be changed = API calls won't be caught
Solution:
9x - also use the HOOK_HARD attribute (risky)
NT - zero the bound import directory entry of the new module OR rebase the module
to which the newly loaded module is bound (risky) (you can copy this
module to the given process directory and rebase it there if you want to keep
the system directory files intact)
OR
hook the LoadLibrary functions, make DYNAMIC_HOOKS and apply them to the newly
loaded module inside your NewLoadLibrary functions
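An added example, not part of the CapConsole/ApiHooks package: a small portable
PE32 header reader that reports the two properties the notes above say decide
whether a freshly loaded module will actually be hooked (image base at or above
2GB on 9x, bound import table on NT), plus a constructed sample header to run it on.
The flag names, SAMPLE_PE_LEN and the sample base values are this example's own.

```c
/* Added example, not ApiHooks code: a portable PE32 header reader that checks the
 * two things the text says decide whether a loaded module gets hooked: its image
 * base (the 2GB limit on 9x) and whether its import table is bound (NT). */
#include <stdint.h>
#include <string.h>
#define DIR_BOUND_IMPORT 11   /* IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT */
#define PE_PARSED        1    /* header was well-formed */
#define PE_IMPORT_BOUND  2    /* NT: IAT patching skipped unless bound-to module was relocated */
#define PE_BASE_ABOVE_2G 4    /* 9x: module left unmodified, as for kernel32.dll */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Returns 0 for a malformed or non-PE32 header, else PE_PARSED plus the flags above. */
int pe_hook_verdict(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return 0;                          /* "MZ" */
    uint32_t pe = rd32(buf + 0x3C);                                            /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4)) return 0;
    const uint8_t *opt = buf + pe + 24;                                        /* IMAGE_OPTIONAL_HEADER32 */
    size_t opt_len = rd16(buf + pe + 20);                                      /* SizeOfOptionalHeader */
    if (opt_len > len - pe - 24 || opt_len < 96 || rd16(opt) != 0x10B) return 0;
    int v = PE_PARSED;
    if (rd32(opt + 28) >= 0x80000000u) v |= PE_BASE_ABOVE_2G;                 /* ImageBase */
    size_t dir = 96 + 8 * DIR_BOUND_IMPORT;                                    /* data directory entry */
    if (rd32(opt + 92) > DIR_BOUND_IMPORT && dir + 8 <= opt_len && rd32(opt + dir))
        v |= PE_IMPORT_BOUND;                                                  /* non-zero RVA */
    return v;
}

/* Constructed sample, not a real module: a minimal PE32 header of SAMPLE_PE_LEN
 * bytes with the given image base and bound-import directory RVA (0 = unbound). */
#define SAMPLE_PE_LEN (0x40 + 24 + 224)
const uint8_t *make_sample_pe32(uint32_t image_base, uint32_t bound_rva)
{
    static uint8_t buf[SAMPLE_PE_LEN];
    memset(buf, 0, sizeof buf);
    memcpy(buf, "MZ", 2);
    wr32(buf + 0x3C, 0x40);                                  /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr32(buf + 0x40 + 20, 224);                              /* SizeOfOptionalHeader (Characteristics 0) */
    uint8_t *opt = buf + 0x40 + 24;
    wr32(opt, 0x10B);                                        /* Magic = PE32, linker version 0 */
    wr32(opt + 28, image_base);                              /* ImageBase */
    wr32(opt + 92, 16);                                      /* NumberOfRvaAndSizes */
    wr32(opt + 96 + 8 * DIR_BOUND_IMPORT, bound_rva);        /* bound import directory RVA */
    wr32(opt + 100 + 8 * DIR_BOUND_IMPORT, bound_rva ? 0x20 : 0);  /* and size */
    return buf;
}
```

Run pe_hook_verdict over a module's headers before relying on the hook: a PE_IMPORT_BOUND
result means the bound-import entry must be zeroed (or the bound-to module rebased) as the
notes describe, and PE_BASE_ABOVE_2G means the module will be left alone on 9x.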