A new version of Nektra Deviare API Hook is now released. This version fixes many bugs that I found over the last year working with the library in application virtualization and packaging and in reverse engineering. I found stability issues that generated deadlocks, the stack trace wasn't working as defined, and this version also brings important performance improvements. There are more functions in the database, and two data types that previously did not work at all, arrays and enumerations, now do.
New C# hooking console
Highlights
- Process / Module / Function panels
- Functions that are included in the database are displayed with full parameter information.
- Execution hooks (aka: ‘Add Exec Hook’) allow the user to add hooks when an application starts. It’s useful to debug an application that crashes at startup.
- Parameter information can be displayed before and after the function is called.
- Full Stack trace information.
- Function calls can be displayed grouped by thread.
- CLSID and IID are displayed in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} format and with registration information:
- Structure parameters are expanded to show all their fields. This picture shows a call to Kernel32.FindFirstFileW with the parameter _WIN32_FIND_DATAW expanded.
- Lots of Windows Messages are supported. LPARAM and WPARAM parameters of user32.dll functions DispatchMessage, PostMessage, SendMessage, PeekMessage and GetMessage are interpreted as the real data type that they are. Here a LVM_INSERTCOLUMNW (ListView_InsertColumnW macro for C++) is sent and the lParam is displayed as a tagLVCOLUMNW*:
- In the file $INSTDIR\Bin\Database\FunctionTypes.xml you can find all the definitions. They are of the style:
<message value="442">
    <name>TB_SETBUTTONINFOA</name>
    <return value="">
        <returninfo>returns LRESULT in lResult</returninfo>
    </return>
    <wparam value="INT">
        <wname>iID</wname>
    </wparam>
    <lparam value="LPTBBUTTONINFO">
        <lname>
        </lname>
    </lparam>
</message>
- This definition means that message 0x442 is called TB_SETBUTTONINFOA, its WPARAM parameter is an INT and its LPARAM parameter is an LPTBBUTTONINFO. Converting a parameter to another type is very easy using CastTo:
// pm holds the raw LPARAM parameter of the intercepted call;
// CastTo reinterprets it using the type definition from the database
pm = pm.CastTo("LPTBBUTTONINFO");
if (pm == null)
{
    // data type is not in the database: the parameter cannot be expanded
}
Adding other message definitions to that XML file changes how the C# message-handling functions interpret the parameters. The same method can be used for any other function that takes a variable-type parameter, such as DeviceIoControl.
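As an added example (not part of the release or of Deviare's own code), a small Python parser for the message-definition format above that resolves an intercepted message id to its typed WPARAM and LPARAM, with the fallback to raw values when the message is not in the database. It assumes the value attribute is hex without a 0x prefix (the text calls value="442" message 0x442); the LVM_INSERTCOLUMNW entry in the sample is constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the FunctionTypes.xml message-definition style shown above.
# TB_SETBUTTONINFOA is the entry from the post; LVM_INSERTCOLUMNW is an assumed entry.
SAMPLE_XML = """<messages>
<message value="442"><name>TB_SETBUTTONINFOA</name>
 <return value=""><returninfo>returns LRESULT in lResult</returninfo></return>
 <wparam value="INT"><wname>iID</wname></wparam>
 <lparam value="LPTBBUTTONINFO"><lname>
 </lname></lparam></message>
<message value="1061"><name>LVM_INSERTCOLUMNW</name>
 <return value=""><returninfo>returns column index in lResult</returninfo></return>
 <wparam value="INT"><wname>iCol</wname></wparam>
 <lparam value="tagLVCOLUMNW*"><lname>pcol</lname></lparam></message>
</messages>"""

@dataclass(frozen=True)
class MessageDef:
    name: str
    wparam_type: str
    wparam_name: str
    lparam_type: str
    lparam_name: str

def _attr(msg, tag, attr):
    node = msg.find(tag)
    return node.attrib.get(attr, "") if node is not None else ""

def load_message_table(xml_text):
    """Map message id -> MessageDef. The value attribute is hex without 0x
    (assumption from the text: value="442" is message 0x442), so parse base 16."""
    table = {}
    for m in ET.fromstring(xml_text).iter("message"):
        table[int(m.attrib["value"], 16)] = MessageDef(
            name=(m.findtext("name") or "").strip(),
            wparam_type=_attr(m, "wparam", "value"),
            wparam_name=(m.findtext("wparam/wname") or "").strip(),
            lparam_type=_attr(m, "lparam", "value"),
            lparam_name=(m.findtext("lparam/lname") or "").strip(),
        )
    return table

def describe_message(table, msg, wparam, lparam):
    """Render one intercepted SendMessage/PostMessage call as (name, wparam, lparam).
    Unknown ids fall back to raw hex, the same situation as CastTo returning null."""
    d = table.get(msg)
    if d is None:
        return ("unknown(0x%X)" % msg, "WPARAM=0x%X" % wparam, "LPARAM=0x%X" % lparam)
    return (d.name,
            "%s %s = %d" % (d.wparam_type, d.wparam_name or "wParam", wparam),
            "%s %s = 0x%X" % (d.lparam_type, d.lparam_name or "lParam", lparam))
```

Looking the id up as decimal 442 instead of 0x442 silently misses the entry, which is the first thing to check when a message shows up uninterpreted.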
COM Interception
Deviare COM Spy is now part of the Deviare package, so you get it by downloading Deviare. I'm not very happy with the application and I would like to make big changes in this area.
Deviare Services
Deviare is a very specific tool and it can take a special effort to get acquainted with its mechanism. We have a team of professionals that can help, so just ask.
- Examples of interception code
- Parameter retrieve and change
- Ad-hoc interception techniques for complex problems
- COM Interception (with or without the interface)
- Interception of undocumented API
- 64 bits interception
- Debug server with interception techniques
- Server monitoring
- Server performance boost
More information is available in API Hook and Filter Drivers.
Download
Request the package in Deviare download section.