Contents of the SHADOW.TXT file
The Shadow 1.01 for Windows September 25, 1991
Written by David Stafford
CIS: 76666,2542 or 72411,2670
What evil lurks in the hearts of buggy WinApps.... the Shadow knows!
This is one of those little utilities you rarely ever need but when
you need it... you really need it!
Basically- it provides a simple way to monitor any API call. I've
devised a method of hooking into virtually any DLL entry point at
run-time. The Shadow uses this method to hook a routine which simply
beeps when the API is called. This can be extremely useful when
you need to know when and if an API is being called.
I said "..._virtually_ any DLL entry point...". There's always a
catch, isn't there! The Shadow will not work with APIs which play
games with the stack that result in moving the return address around.
There is no reliable way to detect this has occurred and The Shadow will
crash when unloading the hook. Note that the problem occurs _only_
when The Shadow is trying to unload. If the API is not active at
unload time then there is no problem. At present- I'm aware of only
one Windows API which causes this problem: GetMessage. If you really
need to monitor GetMessage or some other troublesome API you can
certainly do it- just don't unload The Shadow once you've begun!
(This means do not close The Shadow or begin monitoring another API.)
If you run into any troublesome API please let me know! I may add
support for these to a future version of The Shadow. There is no
generic solution but I can put together a table of "rude" APIs which
The Shadow could use to locate the return address.
For your education and entertainment you can also try monitoring
Windows APIs at random and observing the results. For example, I
learned that the text in menus is drawn with ExtTextOut and the
little tic mark which indicates a submenu is drawn with BitBlt.
By monitoring CreateWindowEx you can see that submenus on popups are
created dynamically but the main menu is not. Try monitoring
LocalAlloc and you will find it's a popular API! Interesting stuff!
The Shadow knows about the APIs in KERNEL, GDI and USER- including the
undocumented ones so you do not need to enter a DLL name to trace
these functions. For other DLLs you must enter the name and you may
have to specify the API as an ordinal number (if the DLL's name table
is not resident).
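Why a name can fail where an ordinal works, as an added example (not The Shadow's own code): a lookup over a 16-bit NE resident-name table, the export names that stay in memory with the module. The DEMO table and ne_lookup_ordinal are constructed for illustration, and it is an assumption that a tool consults only this table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NE (16-bit Windows) name-table entry layout:
 *   1 byte  length N (0 terminates the table)
 *   N bytes name, not NUL-terminated
 *   2 bytes export ordinal, little-endian
 * The first entry is the module name with ordinal 0. */

/* Constructed sample table for a hypothetical DLL "DEMO"; not from a real file. */
static const uint8_t demo_resident[] = {
    4, 'D','E','M','O',                 0x00, 0x00,
    8, 'D','E','M','O','I','N','I','T', 0x01, 0x00,
    3, 'W','E','P',                     0x02, 0x00,
    0
};

/* Returns the ordinal for `name`, 0 if it is not in the table,
 * or -1 if the table is malformed (an entry runs past `len`). */
int ne_lookup_ordinal(const uint8_t *tbl, size_t len, const char *name)
{
    size_t want = strlen(name);
    size_t pos = 0;
    int first = 1;

    while (pos < len) {
        size_t n = tbl[pos++];
        if (n == 0)
            return 0;                   /* terminator: name not present */
        if (len - pos < n + 2)
            return -1;                  /* truncated entry */
        if (!first && n == want && memcmp(tbl + pos, name, n) == 0)
            return tbl[pos + n] | (tbl[pos + n + 1] << 8);
        first = 0;                      /* the module-name entry is skipped */
        pos += n + 2;
    }
    return -1;                          /* no terminator before end of buffer */
}

int main(void)
{
    printf("DEMOINIT   -> %d\n", ne_lookup_ordinal(demo_resident, sizeof demo_resident, "DEMOINIT"));
    printf("DEMOHELPER -> %d\n", ne_lookup_ordinal(demo_resident, sizeof demo_resident, "DEMOHELPER"));
    return 0;
}
```

A result of 0 for DEMOHELPER means the name is not in the resident table, which is the case where the export has to be given by ordinal instead.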
There are only four APIs which you cannot monitor. These are:
GlobalAlloc, AllocSelector, PrestoChangoSelector, and ChangeSelector.
The reason is that The Shadow uses these during a critical code
section. The Shadow will not prevent you from _attempting_ to monitor
these four APIs but if you do you will immediately crash.
The Shadow is freeware. I hope it will be as useful to you as it is
to me. Let me know if you like it. You can reach me via CompuServe
(76666,2542) or MCI mail (DSTAFFORD).