API Monitor

Features Limitations Requirements Screenshots Version History API List Discussion Forum Download

Overview

API Monitor is a software that monitors and displays API calls made by applications. Its a powerful tool for seeing how Windows and other applications work or tracking down problems that you have in your own applications. The current version include Filters to monitor the following API Categories. A complete list of API categories and API's is available here. For a complete list of changes in the current version, please refer to the Version History.

API Category	Sample API's
Registry	RegCreateKeyExW, RegConnectRegistryA, RegGetKeySecurity, RegOverridePredefKey, GetPrivateProfileIntA, WriteProfileStringW
File I/O	CreateFileW, FindFirstFileA, GetDriveTypeW, SetFileApisToOEM, SetVolumeLabelW, _lopen, ReadFileEx, GetLongPathNameA
Dynamic-Link Libraries	GetModuleFileNameA, GetModuleHandleW, GetProcAddress, LoadLibraryExA, LoadModule
Network Management	NetGetDCName, NetMessageBufferSend, NetReplImportDirLock, NetShareAdd, WNetAddConnection2A, WNetEnumResourceW
NT Services	CreateServiceA, EnumServicesStatusW, SetServiceStatus, StartServiceCtrlDispatcherW, OpenSCManagerA
Device Input and Output	DeviceIoControl
Processes and Threads	CreateProcessA, ExitProcess, SetThreadPriorityBoost, SetEnvironmentVariableA, ExitThread, CreateProcessAsUserW, WinExec
NT Native API	NtQuerySecurityObject, NtRaiseHardError, NtSecureConnectPort, NtW32Call, NtUnloadDriver, NtWriteVirtualMemory, CsrClientCallServer, CsrNewThread, LdrFindResource_U, LdrShutdownProcess, RtlAddAce, RtlApplyRXact, RtlCreateHeap, DbgPrint, KiRaiseUserExceptionDispatcher, SaveEm87Context, PfxRemovePrefix
NT Security API	LookupPrivilegeValueA, LookupAccountNameW, RevertToSelf, SetNamedSecurityInfoW, AdjustTokenPrivileges, EqualSid
Windows Sockets	accept, bind, connect, htons, listen, WSAIsBlocking, gethostname, WSACancelAsyncRequest, WSCEnumProtocols
Debugging	ContinueDebugEvent, FlushInstructionCache, SetThreadContext, WriteProcessMemory, OutputDebugStringA
Handles and Objects	CloseHandle, DuplicateHandle, GetHandleInformation
Windows	CreateWindowExW, GetGUIThreadInfo, GetWindowTextLengthA, EnumThreadWindows, IsWindowUnicode, LockSetForegroundWindow
Dialog Boxes	CreateDialogIndirectParamA, GetDlgItemTextW, MessageBoxIndirectA, GetDlgCtrlID, GetDialogBaseUnits
Memory Management	IsBadCodePtr, GlobalSize, VirtualAllocEx, GlobalUnWire, LocalCompact, HeapReAlloc
Window Classes	GetClassLongPtrA, SetWindowLongPtrA, SetClassWord, GetClassInfoW

Features

API Filter - API's can be filtered based on their category. Only API's from the selected categories will be monitored. All other API's will be bypassed
Process Filter - A process filter is used to select processes that are to be monitored. You can either specify an include process filter or an exclude process filter. The process filter can also be disabled, so that API Monitor will include all processes

Detailed API Information - For each API call made by an application, the following information is displayed

Information	Description
Process ID	A process identifier uniquely identifies the process throughout the system. The Process ID is valid until the process terminates.
Process Name	Name of the process that made the API call
API Called	API that was called
Parameters	This includes a complete list of parameters that were passed to the API The parameter list now includes the name of the parameter.
Return Value	The return value of the API
Status	Status is used to indicate whether the API call passed or failed
GetLastError Code	If the Status of the API is FAILED, then this is the value of the calling thread's last-error code value

Unicode and ANSI Support - Besides displaying the API called, API Monitor also displays information about the encoding used by the API. For Unicode API's the character "W" is appended to the name of the API. For ANSI API's the character "A" is appended to the API. For e.g. if an application calls the Unicode version of CreateFile, API Monitor displays CreateFileW. If the ANSI version is called instead, API Monitor displays CreateFileA.
Message Log - When a capture is started, API Monitor displays the process name and process ID of each process it finds. It also displays information about whether the process is being monitored or not
Error Code Lookup - API Monitor includes an Error Code lookup tool that can be used to get a description of an error, given the error code. It provides description for the following types of errors: Standard Win32 Network NTSTATUS - Windows NT Only Windows Sockets - Only English Messages
IOCTL Decoder - A tool to decode IOCTL codes. It gives full information about the IOCTL, which includes the IOCTL Name, Device Type, Function Code, Access Type and Method. You can also try our online IOCTL Decoder.
NT Native API: - Support for NT's Native API Calls. More calls have been added in this version. Parameter Information, Return Type and Error Codes have been included for most of the Ntxxx API's and some Rtlxxx API's. For undocumented Native API's, a stack dump of 10 (possible) arguments is displayed
Process Loader - API Monitor includes a process loader that can be used to monitor API's called by console mode applications or to monitor API's called very early in the program. It can also be used to monitor API's in programs like RUNDLL32
Monitor Running Process: - This version of API Monitor includes a Monitor Running Process tool that can be used to monitor API's in a background or console process that is already running. A complete list of processes that are currently running in the system is displayed, and you can select the one that you want to monitor. DO NOT try to monitor NT Services using this method as they will hang. It is highly recommended that you use till tool only when all other methods of monitoring the process fail.s
GetProcAddress Hook - A new option has been added, where in, you can select if API's called using LoadLibrary-GetProcAddress are hooked or not.
API Details - Double-clicking or pressing the return key on an API opens up the API Details window, which displays the details of the API in a easy to read format. It also provides a description of the error if the API call failed
Buffer Display - For some API calls like WriteFile, ReadFile, send, RegSetValueExW, etc. buffers can be displayed using the display buffer button in API Details.
Integrated MSDN Help - This feature allows you to view MSDN context-sensitive help for the currently selected API. You need to have MSDN library installed for this to work.
Standard Features - API Monitor allows a capture to be saved for later viewing. If a capture is started when a capture while is open, monitored calls are appended to the file. This feature allows you to view MSDN context-sensitive help for the currently selected API. You need to have MSDN library installed for this to work.

Main Window	API Filter	Process Filter
API Details	IOCTL Decoder	Process Loader
Buffer Display	Error Lookup Tool	Monitor Running Process

Products

CGI/Perl Scripts

Source Code

Site

Contact Me

API Monitor

Overview

Features

Requirements

Limitations

Screenshots