These 2 free programs offer what I believe you are looking for:
These are Windows-specific applications.
Are you using something that needs 3D output and your GPU is not taking over the job because, for example, it switched to the integrated Intel GPU?
Otherwise you can dump the process and look in the dump at what DWM is keeping itself so busy with. An alternative would be live observation with API Monitor http://www.rohitab.com/apimonitor
Well, personally I would start with Ghidra, and check how it sends/receives data. Since it is multi-platform it would probably use bcrypt.dll to encrypt/decrypt data. This would also let you compare versions to see if chunks have been removed (provided you have old client.exe builds).
Then I would use http://www.rohitab.com/apimonitor and see if I can either extract the encryption key, or failing that/skipping that, monitor the encrypt/decrypt data before the client sends it. (You will have to change the settings to save all 4096 bytes rather than the default 2500 that API Monitor saves.)
This should give you the main menu/character loading, and will give you some idea of the matchmaking protocol.
After that... it depends hugely on the game. Some are like Marvel, where the clients get matchmade together and the client can be an authority.
I have two questions:
First: Hooking function calls of a .NET program: There are not many libraries/tools that allow us to do this. I know Deviare-in-proc, which was recently released with a dual license, claims to accomplish this. But there are almost no examples of how to do this. To be fair, they have a sample program inside the repo that I will be looking at this weekend. There are a few tutorials on Nektra's website (one uses Python) but nothing more. Does anyone have examples or pointers? :)
Second:
This is similar to the last one. Is there something similar to ltrace for Windows? I know of API Monitor and have used it in the past, but I am looking for something that I can use like ltrace to monitor calls and then use a functionality like ltrace.conf to look at parameters. I have seen articles pointing towards WinDbg, so perhaps creating a WinDbg extension is the way to go? Again, if there are no tools that do this, pointers on how to proceed are greatly appreciated (maybe I can try my hand at creating it).
EDIT: I am looking for something more texty than API Monitor. For example if we could export API Monitor's output to text and process it, that would work.
Is it a Windows application? If so, you can simply use API Monitor to see any function called from a DLL at runtime. Simply attaching the tool to the executable and then causing it to use the private key in a DLL call will reveal it very easily. There are also tools that run through the executable and extract all strings they find.
Finally, if it's a .NET application you can simply decompile it using a tool like ILSpy.
I want to throw in API Monitor. It's very convenient for DLL injection. I don't think it's actively developed anymore though, so maybe there are alternatives around, or the functionality is well available in other tools?
Could be checking the GWL_STYLE/GWL_EXSTYLE https://docs.microsoft.com/en-us/previous-versions/ms960886(v%3Dmsdn.10)
You could use something like http://www.rohitab.com/apimonitor and monitor all the APIs that might be used for window management, although this won't help if it's the DirectX object.
echo "text" > com1
does open the device; why do you think it doesn't? Using API Monitor - trace a command prompt as you run that command, and see:
#    Time of Day      Thread  Module          API  Return Value  Error  Duration
70   11:03:37.265 PM  1       KERNELBASE.dll  NtCreateFile ( 0x0000001bce6ff570, FILE_READ_ATTRIBUTES | GENERIC_WRITE | SYNCHRONIZE, 0x0000001bce6ff5c8, 0x0000001bce6ff588, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 )  STATUS_SUCCESS  0.0007566
74   11:03:37.266 PM  1       KERNELBASE.dll  RtlSetLastWin32Error ( ERROR_SUCCESS )  0.0000002
123  11:03:37.266 PM  1       KERNELBASE.dll  NtWriteFile ( 0x000000000000015c, NULL, NULL, NULL, 0x0000001bce6ff440, 0x00007ff6ce7e7b80, 8, NULL, NULL )  STATUS_SUCCESS  0.0000367
129  11:03:37.408 PM  1       cmd.exe         _close ( 3 )  0  0.0000049
Note that NtCreateFile is the way to open files and devices, as well as create them, and in the properties of that call, down in one of the data structures passed, is the name "\?\COM1".
cat and tail work on Unix because "everything is a file", so tools for text files can work on serial ports.
On Windows, everything is not a file, but I don't know how much it is / isn't. I wouldn't expect tools like get-content to work on serial ports. Some features like echoing to COM1 are backwards compatible from DOS, which came from CP/M, which did try to treat things as files. Raymond Chen blogs here - https://blogs.msdn.microsoft.com/oldnewthing/20031022-00/?p=42073. I think, but don't know, that they are special-cased into command prompt to make it behave like DOS did.
I looked around a bit and everything I can find is the hosted network. If you really need the mobile hotspot feature you probably need to dive into API Monitor and Process Monitor and see what happens when you switch it on in the UI. If you know that, you still need to build an application that repeats what you observed.
I can pop up such a message using simple calls with AutoHotkey, but they're never going to be logged in anyway.
What you'll need is some form of low-level application that can hook into and monitor the system-calls used by all applications to present info there.
Perhaps something like http://www.rohitab.com/apimonitor
IMHO: hard to achieve, virtually impossible to do well.
http://www.rohitab.com/apimonitor
Best of luck if you decide to go that route. Without knowing what calls it, or what it's calling exactly, finding the answer would be pure luck. Somebody much smarter than I could probably find the cause very easily with this tool.
On a normal system you'd see the 1800 start to decrease. So something on your machine is keeping it from idling. I'd start by uninstalling programs you don't need. And run IdleTimer.exe as you do so until you see a drop in that 1800.
If you still don't, then you'll need to get dirty and search for the process that's stopping the sleep timer. API Monitor is a tool you can use to do this. You want to capture all calls to SetThreadExecutionState. Since processes generally call this when starting up, you'll have to shut down the processes you have running (including non-MS services) and start them again to do the capture.
If you're feeling frisky, you can try doing a complete reinstall of Windows. If sleep still doesn't work after that then you'll know it's hardware related and some input device is sending errant signals.