We have good news for those interested in Windows hooking. Deviare Hooking Engine is now open source and available on GitHub. The license is GPL, but a commercial license and support are also available for users who want to distribute closed-source products based on Deviare. Our other open source hooking product, Deviare In-Proc, now supports hooking .NET methods. Our main competitor, Microsoft Detours, does not.
People can now use, learn from, and fork Deviare Hooking Engine. If you are new to Deviare and want to bootstrap a project, please take a look at our related blog posts. Academic users might be interested in the following resources:
- A Multiprocess Mechanism of Evading Behavior-Based Bot Detection Approaches
- The Defense In-depth Approach to the Protection for Browsing Users Against Drive-by Cache Attacks
- Malware Forensics Field Guide for Windows Systems: Digital Forensics Field Guides
We have also added a new option to Deviare In-Proc which disallows reentrancy. If a hook is marked with the disallow reentrancy flag, then calling the hooked function from inside its detour function jumps to the original API function instead of entering the detour again. Deviare In-Proc also provides helper methods to facilitate DLL injection into other processes.
For other differences between Deviare Hooking Engine and Deviare In-Proc, see the Reddit thread: GPL alternative library to Microsoft Detours for binary instrumentation.
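A simplified, portable model of the disallow-reentrancy behaviour described above, added here as an illustration; it is not Deviare In-Proc code and calls no Deviare API. The names (`hooked_entry`, `run_case`, the `struct hook` fields), the per-thread guard and the recursion cap are assumptions of the example.

```c
#include <stdio.h>
typedef int (*api_fn)(int);
struct hook {
    api_fn original;          /* trampoline to the unhooked API */
    api_fn detour;            /* replacement installed by the hook */
    int disallow_reentrancy;  /* models the per-hook flag (assumed name) */
};
static struct hook g_hook;
static _Thread_local int g_in_detour;  /* assumption: guard is tracked per thread */
static int g_detour_calls;             /* how many times the detour body ran */

/* Stand-in for the real API (constructed for this example). */
static int real_api(int x) { return x + 1; }

/* What a caller reaches once the function entry has been patched. */
static int hooked_entry(int x)
{
    if (g_hook.disallow_reentrancy && g_in_detour)
        return g_hook.original(x);     /* nested call: go straight to the API */
    g_in_detour++;
    int r = g_hook.detour(x);
    g_in_detour--;
    return r;
}

/* Detour that calls the hooked function by name instead of the trampoline. */
static int my_detour(int x)
{
    if (++g_detour_calls > 8)          /* cap so the unguarded case terminates */
        return -1;
    return hooked_entry(x) * 10;
}

/* Sends one call through the hook; returns how many times the detour ran. */
static int run_case(int disallow, int arg, int *result)
{
    g_hook = (struct hook){ real_api, my_detour, disallow };
    g_detour_calls = 0;
    *result = hooked_entry(arg);
    return g_detour_calls;
}

int main(void)
{
    int r, n = run_case(1, 4, &r);
    printf("flag set:   detour ran %d time(s), result %d\n", n, r);
    n = run_case(0, 4, &r);
    printf("flag clear: detour ran %d time(s), result %d\n", n, r);
}
```

With the flag clear, the detour keeps re-entering itself until the cap stops it, which in a real hook would exhaust the stack.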
Case Studies
- Nektra and VMware are Collaborating to Simplify Application Virtualization Packaging
- How Nektra Improved Desktop Virtualization for Symantec Corporation