Description
It's surprising to learn that many people assume x86 single-stepping is no longer possible without the debugging functions of the Win32 API. This simple demo shows that setting the TF (trap) flag works the same way it did in the DOS era...
Apart from debugging, single-stepping can help to detect that certain APIs have been intercepted (hooked).
Source (tracer.zip) is available below. If you happen to use my code, it would be nice if you credit KaKeeware.
Requirements
Windows 2000/XP or newer
License
Freeware (+sources freely available)
How to detect hooked API functions?
When you execute any Windows API, its execution path is quite predictable: it starts within your code, then goes through system modules and (usually) ends up at a SYSENTER (SYSCALL or int 2Eh) instruction that transfers control to kernel mode. Now... if the API is hooked (in user mode), at some stage it will usually pass through a Detours-like dispatching function, which is typically placed in a memory block allocated with VirtualAllocEx and does not belong to any module.
So... by tracing the execution of a function that is potentially hooked, we may discover that the program is being analyzed, e.g. with an API monitor.
See the images below:
[Image: program executed normally]
[Image: program ran under a user-mode API monitor]
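The check described above, as an added example that is not the tracer.zip source: a vectored exception handler sets TF to single-step one API call and records every trapped address, which is then compared against the loaded-module ranges. GetTickCount() as the traced API and the private exception code 0xE0000001 are assumptions of this example; the stepping driver is Windows-only, while the trace classifier is portable and can be exercised with a constructed trace.

```c
#include <stddef.h>
#include <stdint.h>
typedef struct { uintptr_t base, end; } Range;   /* [base, end) of one loaded image */

/* Count trace addresses that no module covers: the trampoline symptom described above. */
size_t count_unbacked(const uintptr_t *trace, size_t n, const Range *mods, size_t nmods) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < nmods && !(trace[i] >= mods[j].base && trace[i] < mods[j].end)) j++;
        if (j == nmods) bad++;
    }
    return bad;
}
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>                 /* EnumProcessModules/GetModuleInformation; link psapi.lib */
#define MAX_STEPS 8192
#define START_STEPPING 0xE0000001  /* constructed private exception code, not a Windows one */
static uintptr_t g_trace[MAX_STEPS];
static size_t g_steps; static volatile int g_armed;
/* VEH: the private exception starts stepping by setting TF (EFLAGS bit 8) in the resumed
 * context; each EXCEPTION_SINGLE_STEP logs the next address and re-sets TF (CPU clears it). */
static LONG CALLBACK step_handler(EXCEPTION_POINTERS *ep) {
    DWORD code = ep->ExceptionRecord->ExceptionCode;
    if (code == EXCEPTION_SINGLE_STEP) {
        if (g_steps < MAX_STEPS) g_trace[g_steps++] = (uintptr_t)ep->ExceptionRecord->ExceptionAddress;
    } else if (code != START_STEPPING)
        return EXCEPTION_CONTINUE_SEARCH;
    if (g_armed) ep->ContextRecord->EFlags |= 0x100;
    return EXCEPTION_CONTINUE_EXECUTION;
}
/* Trace one GetTickCount() call (assumed target); return how many steps left all modules. */
size_t trace_gettickcount(void) {
    HMODULE hm[256]; DWORD cb = 0; MODULEINFO mi; Range mods[256]; size_t nmods = 0;
    EnumProcessModules(GetCurrentProcess(), hm, sizeof hm, &cb);
    for (DWORD i = 0; i < cb / sizeof(HMODULE) && nmods < 256; i++) {
        if (!GetModuleInformation(GetCurrentProcess(), hm[i], &mi, sizeof mi)) continue;
        mods[nmods].base = (uintptr_t)mi.lpBaseOfDll;
        mods[nmods++].end = (uintptr_t)mi.lpBaseOfDll + mi.SizeOfImage;
    }
    PVOID h = AddVectoredExceptionHandler(1, step_handler);
    g_steps = 0; g_armed = 1;
    RaiseException(START_STEPPING, 0, 0, NULL);   /* TF is set when this returns */
    (void)GetTickCount();                         /* every instruction from here traps */
    g_armed = 0;                                  /* the trap after this store is the last */
    RemoveVectoredExceptionHandler(h);
    return count_unbacked(g_trace, g_steps, mods, nmods);
}
#endif
```

A result of zero from trace_gettickcount() means every stepped instruction lived inside a loaded module; any other value points at code running from memory no module owns.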
Download
Tracer.zip