On Thu Feb 20 11:51:19 2025 +0000, Jinoh Kang wrote:
That would render relay useless.[^1] The direct consequence is that we have no way to ignore calls coming direct from `kernel32`, without also losing the ability to trace _any_ `GetProcAddress( hKernel32, "<procname>" )` calls (which is a very common pattern ranging from OS version compatibility to hidden anticheat imports). Maybe we could implement RelayFromExclude in a better way, like checking the return address, but for the time being I don't think we should break an existing functionality too much. (Because, if relay/snoop is not used at all, perhaps we should drop it entirely.)

[^1]: Sorry for being a bit hyperbolic. Maybe *partly*?
See my comment about `process_attach`. It looks like we may need `is_dynamic` for another reason, making my comment here obsolete.