If the target is to make a user-friendly Windows API monitor, there are tons of ready-to-use tools lying around: Huorong Sword: https://www.huorong.cn/ API Monitor: https://www.rohitab.com/apimonitor Process Monitor from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon So my version of PEDoll will NOT focus on pretty-printing Windows APIs, but on better interoperability with internal procedures ---------- registers to preserve: x86 pushfd/popfd (pushad/popad) eax, ecx, edx, ebx, esp, ebp, esi, edi x64 pushfq/popfq rax, rcx, rdx, rbx, rbp, rsp, rdi, rsi, r8, r9 (?) FP registers st0 ~ st7 (should be empty according to calling convention) xmm0, xmm1, xmm2, xmm3 calling conventions: x86 cdecl/stdcall (stack) fastcall (ecx, edx, stack) x64 msvc (rcx, rdx, r8, r9, stack) gcc (rdi, rsi, rdx, rcx, r8, r9, stack) ---------- *IMPORTANT*: Mark color outputs as a enhancement idea, but not a necessary one `dump` formats: "Commands.Dump.Header" => "Dump #{0} from hook \"{1}\" ({2} bytes), under format \"{3}\":\n\n" hex(default) Similar to (but not the same as) `hexdump -Cv`, 4 part separated with double spaces: Offset /\ 8 bytes /\ 8 bytes /\ ASCII or '.' 00000000 5b 4c 6f 63 61 6c 69 7a 65 64 46 69 6c 65 4e 61 [LocalizedFileNa // ... 00000090 0d 0a .. 00000092 ^ Total length Color: unconverted '.'s are dark gray, bytes are white, others are default color raw Console: like ASCII column in "hex", unconverted '.'s are dark gray, others are white File: untouched ansi, unicode, utf8 Try Encoding.(Default|Unicode|Utf8).GetString() and give out error if exception thrown NOTE: Some of the encodings supports replacing unknown characters into '?'s or similar things x86, x64 Call disassemble engine Offset /\ n bytes (n <= 8) /\ mnemonic, '\t', operands 0000100a 75 0D jne 0x1019 0000100c 66 66 66 66 66 66 66 .. mov bp, sp 00001018 FF db 0xff 00000019 ^ Total length bytes are dark gray, codes are white, others are default color