cdump.txt
 Cdump is an example of using ApiHooks.
 --------------------------------------

 Cdump was intended to be a startup-code dumper for programs written in C.
It tries to dump the .exe and .dll before their data get initialized
(STATUS_VIRGO_INTACTA).

 Now it is a "quick view" - you get a new packed application (exe or dll), you
want to see something inside - then try:
ApiHooks -nq Cdump*.dll NewApp.exe           (* = NT, 9xSoft, 9xHard)
 Then you should find (in NewApp's current directory) NewAp_.exe and
sometimes *_.dll files, which are the memory dumps of NewApp.exe and its DLLs.
 If NewAp_.exe/*_.dll files already exist they will not be overwritten, so
don't forget to erase them before the next use of Cdump.
 The -oq option can be used on a running application as well.


9xSoft  means that dynamically loaded DLLs are dumped only after the 1st call
        to DllMain (i.e. after the data in the DLL have been initialized), while
9xHard  can dump many DLLs during the 1st call to DllMain

-------------------------------
The following events are Win9x only and aren't caused by hooking:
 When applying a module that imports CRTDLL.dll/MSVCRT.dll into a process where
CRTDLL.dll/MSVCRT.dll are already present, CRTDLL's/MSVCRT's handles to the
console get messed up, so writing to the console may fail. Writing to a
redirected console works fine.



--------------------------------------------------------------------------------
The remaining text is for developers (=programmers, coders) only:

You can add exec hooks for packers that create new processes,
you can add a rebuilder, etc.

1st call to DllMain vs. hooking
-------------------------------
NT: Statically loaded DLLs:
    Apis are hooked AFTER the 1st call to DllMain, so Apis called during the
    1st DllMain can't be spied on. UM debuggers can do this.
    Dynamically loaded DLLs:
    All Apis are hooked normally (if HOOK_EXPORT was specified).

9x: Statically loaded DLLs:
    Apis in the 1st call to DllMain are hooked normally (if the process was
    created suspended), as are all other Apis.
    Dynamically loaded DLLs:
    Apis in the 1st call to DllMain are hooked normally for Apis in user space
    (if HOOK_EXPORT was specified). For exports lying in kernel space,
    HOOK_HARD must be specified in addition.


Imagine we have app.exe which statically imports lib.dll.
Now we pack it to app1.exe, so that app1.exe will load lib.dll dynamically.
We'll hook an Api which is exported by KERNEL32 (the export lies in 9x kernel space).
We'll assume that this Api is called by startup code only.
The hook will dump the PE image from memory to disk.
We will apply Hooks to various pairs. The question is: do the hooks catch
Apis called for the 1st time from lib's DllMain?

app-lib:   NT     no
           9xSoft yes
           9xHard yes
app1-lib:  NT     yes
           9xSoft no
           9xHard yes

Now we pack lib.dll to new lib.dll, denoted as lib1.
app-lib1:  NT     no
           9xSoft yes
           9xHard yes
app1-lib1: NT     yes
           9xSoft no
           9xHard yes

 You see that 9xHard can catch everything. But it is a hard solution and can
sometimes cause difficulties. You should terminate the dumped application asap,
and no new apps should start while that application is running.
 The other 2 dumpers are "stable".
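The dump-from-memory step described above ("the hook will dump the PE image from memory to disk") together with the rebuilder mentioned for developers, as an added example that is not Cdump's or ApiHooks' own code: portable C that takes a PE image laid out as the loader mapped it and writes it back in file layout, fixing the section raw pointers so the dump can be opened by an ordinary PE parser. The header offsets follow the PE format; the sample image built by build_sample_image is constructed for the demo and is not a real binary.

```c
#include <stdint.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Copy a PE image as mapped in memory (sections at their RVAs) into a file-layout
 * buffer: each section's PointerToRawData/SizeOfRawData is rewritten to its
 * RVA/VirtualSize and FileAlignment set to SectionAlignment, so the dump parses
 * like an ordinary PE file. Returns bytes written, or -1 on bad headers/sizes. */
long dump_pe_image(const uint8_t *base, size_t image_size, uint8_t *out, size_t out_cap)
{
    if (image_size < 0x40 || (uint16_t)rd32(base) != 0x5A4D) return -1;          /* "MZ" */
    uint32_t pe = rd32(base + 0x3C);
    if ((size_t)pe + 24 > image_size || rd32(base + pe) != 0x00004550) return -1; /* "PE\0\0" */
    uint16_t nsec = (uint16_t)rd32(base + pe + 6), opt_size = (uint16_t)rd32(base + pe + 20);
    uint32_t sec_tbl = pe + 24 + opt_size, hdr_size = sec_tbl + 40u * nsec;
    if (opt_size < 40 || hdr_size > image_size || hdr_size > out_cap) return -1;
    memset(out, 0, out_cap);
    memcpy(out, base, hdr_size);                          /* headers: same in both layouts */
    wr32(out + pe + 24 + 36, rd32(base + pe + 24 + 32));  /* FileAlignment := SectionAlignment */
    size_t end = hdr_size;
    for (uint16_t i = 0; i < nsec; i++) {
        uint8_t *sh = out + sec_tbl + 40u * i;
        uint32_t vsize = rd32(sh + 8), va = rd32(sh + 12);
        if ((size_t)va + vsize > image_size || (size_t)va + vsize > out_cap) return -1;
        memcpy(out + va, base + va, vsize);               /* section bytes as they sit in memory */
        wr32(sh + 16, vsize);                             /* SizeOfRawData    := VirtualSize */
        wr32(sh + 20, va);                                /* PointerToRawData := VirtualAddress */
        if ((size_t)va + vsize > end) end = (size_t)va + vsize;
    }
    return (long)end;
}

/* Constructed sample (hypothetical, not a real binary): a minimal PE32 image with
 * one .text section at RVA 0x1000 whose file-layout raw pointer (0x400) is stale. */
size_t build_sample_image(uint8_t *img, size_t cap)
{
    const uint32_t pe = 0x80;
    memset(img, 0, cap);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, pe);
    wr32(img + pe, 0x00004550); img[pe + 6] = 1; img[pe + 20] = 0xE0;   /* 1 section, PE32 opt hdr */
    wr32(img + pe + 24 + 32, 0x1000); wr32(img + pe + 24 + 36, 0x200);  /* Section/FileAlignment */
    uint8_t *sh = img + pe + 24 + 0xE0;
    memcpy(sh, ".text\0\0\0", 8);
    wr32(sh + 8, 0x20); wr32(sh + 12, 0x1000); wr32(sh + 16, 0x200); wr32(sh + 20, 0x400);
    memset(img + 0x1000, 0xCC, 0x20);                     /* section contents in memory */
    return 0x1020;
}
static uint8_t g_img[0x1020], g_out[0x1020];
/* Build the sample image and dump it into g_out; returns the dump length (0x1020). */
long demo_dump(void) { return dump_pe_image(g_img, build_sample_image(g_img, sizeof g_img), g_out, sizeof g_out); }
```

In a real hook the `base` pointer is the module's load address and `image_size` its SizeOfImage; the same rewrite applies unchanged.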

------------------
EliCZ, Oct-31-1999
