Deviare Hooking Engine is Open Source and Deviare In-Proc Supports .NET Hooking

We have good news for those interested in Windows Hooking. Deviare Hooking Engine is now open source and available on GitHub. The license is GPL but a commercial license and support are also available for users who want to distribute closed-source products based on Deviare. Our other open source hooking product, Deviare In-Proc, now supports hooking .NET methods. Our main competitor Microsoft Detours does not.

People can now use, learn from, and fork Deviare Hooking Engine. If you are new to Deviare and want to bootstrap a project please take a look at our related blog posts. Academic users might be interested in the following resources:

We have also added a new option to Deviare In-Proc which disallows reentrancy. If a hook is marked with the disallow reentrancy flag, then calling the hooked function from the detoured one will jump to the original API function. It also provides helper methods to facilitate DLL injection into other processes.

For other differences between Deviare Hooking Engine and Deviare In-Proc see the reddit thread: GPL alternative library to Microsoft Detours for binary instrumentation.

Case Studies

Related Solutions

Registration-Free Activation of Deviare Hooking Engine COM in x86 and x64 platforms

Deviare 101 Part 1

Welcome to the first installment of Deviare 101.

In this article, we’ll explain how to use Deviare’s Reg-Free COM capability to easily deploy applications on end-user machines.

This guide uses Visual Studio 2013 but can also be followed on earlier versions.

The Manifest File

Reg-Free COM requires an XML file called a “manifest”. Manifest files specify which DLLs to load, and sets other application run-time properties.

If your project includes multiple Windows target platforms, you must use a different manifest for each platform.

This is what the manifest we use to support Deviare in the x86 platform looks like:

<?xml version=”1.0″ encoding=”utf-8″?>

<asmv1:assembly manifestVersion=”1.0″ xmlns=”urn:schemas-microsoft-com:asm.v1″ xmlns:asmv1=”urn:schemas-microsoft-com:asm.v1″ xmlns:asmv2=”urn:schemas-microsoft-com:asm.v2″ xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>

<assemblyIdentity version=”1.0.0.0″ name=”myApp” processorArchitecture=”x86″/>

 

<dependency>

<dependentAssembly>

<assemblyIdentity type=”win32″ name=”DeviareCOM” version=”2.0.0.0″ processorArchitecture=”x86″ />

</dependentAssembly>

</dependency>

 

</asmv1:assembly>

Here is the manifest we use to support Deviare in the x64 platform:

<?xml version=”1.0″ encoding=”utf-8″?>

<asmv1:assembly manifestVersion=”1.0″ xmlns=”urn:schemas-microsoft-com:asm.v1″ xmlns:asmv1=”urn:schemas-microsoft-com:asm.v1″ xmlns:asmv2=”urn:schemas-microsoft-com:asm.v2″ xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>

<assemblyIdentity version=”1.0.0.0″ name=”myApp” />

 

<dependency>

<dependentAssembly>

<assemblyIdentity type=”win32″ name=”DeviareCOM64″ version=”2.0.0.0″ processorArchitecture=”amd64″ />

</dependentAssembly>

</dependency>

 

</asmv1:assembly>

You must specify your application assembly name and version in the application’s <assemblyIdentity> tag. Additional attributes are optional.

How to Connect Your Application to the Manifest File

There are two ways to connect your application to the manifest file:

  • Place the manifest file in your application home directory. This requires the manifest file to have the same name as your application executable, with the “.manifest” suffix. For example, if your application executable is MyApp.exe, you must name the manifest MyApp.exe.manifest.
  • Embed the manifest in your application executable as a resource.

The second option involves a bit of work with project settings, and is described in the section below.

Deviare DLLs and database files should be placed in your application’s home directory or another searchable location (e.g: in the system path). Be aware that when you mix projects using Deviare with the Reg-Free COM mechanism with other projects using manual registration you may experience issues such as versioning problems. You can use the regsvr tool with the /U option to manually unregister Deviare.

Visual Studio C++ Project Setup Guide

To use Reg-Free COM Deviare in a C++ VS application, follow those steps:

  1. Create one manifest file for each target platform as shown at the beginning of this article. Name them “RegFreeCOM_x86.manifest” and “RegFreeCOM_x64.manifest”. Copy those files to your source file directory.
  2. Open your project settings, select the desired platform, go to “Manifest Tool >> Input and Output” and enter the filename in “Additional Manifest Files”. You can specify variables such as $(SolutionDir), $(ProjectDir) to modify the manifest path. Make sure the selected platform and manifest file platform match.

settings_c++_x86

Do the same for the other platforms in your project,. In this case, the x64 platform:

settings_c++_x64

DeviareCOM DLLs must be in the same directory as your executable. You can copy them manually; or use “Post-Build Event” in “Project Settings” to automate this step.

settings_postbuild

In the screenshot above, we show an example of how to use the “Command Line” field to copy Deviare DLLs and databases from a DLL directory within the solution directory ( $(SolutionDir) variable) to the output directory where the application executable is generated ( ($OutDir) variable).

  1. Build your project and test your application.

C# Project Setup Guide

Important: Visual Studio uses VSHOST.EXE to improve debugging when you launch an application. As a result Visual Studio ignores your embedded manifest and COM components are not loaded properly. There are two workarounds: 1) execute your application outside Visual Studio or 2) uncheck “Enable the Visual Studio hosting process” in your project settings:

vshost

If you want to use a single custom application manifest in a C# project, it’s easy to access the project settings dialog and choose a manifest file:

settings_c#

However, unlike Visual Studio C++ projects it is not possible to configure multiple-platform projects to use one manifest for each platform in Visual Studio C# projects. The above dialog only sets up a global manifest for the application.

Since Deviare 32-bit and 64-bit are different COM DLLs, you need to use different manifests to load them:

  1. Create manifest files as shown at the beginning of this article, one for each target platform. Name them “RegFreeCOM_x86.manifest” and “RegFreeCOM_x64.manifest”. Copy these files to your source file directory.
  2. Use a text editor to open your C# project file (“.csproj” extensión). Look for the “PropertyGroup” tags. There is one “PropertyGroup” for each configuration and platform target pair.

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Release|x86′”>

</PropertyGroup>

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Debug|x64′”>

</PropertyGroup>

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Release|x64′”>

</PropertyGroup>

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Debug|x86′”>

</PropertyGroup>

  1. With either VS closed or the project unloaded to allow modifications, you must insert the manifest declaration using the proper manifest file platform below the “<PropertyGroup …>” opening tag. If we have the RegFreeCOM_x86.manifest and RegFreeCOM_X64.manifest to use on the x86 and x64 builds, respectively, first, we’ll add the manifest declaration of the x86 build:

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Release|x86′”>
<ApplicationManifest>RegFreeCOM_x86.manifest</ApplicationManifest>

</PropertyGroup>

Repeat for all configuration combinations; be careful not to delete the existing tags between the PropertyGroup opening and closing tags.

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Debug|x64′”>
<ApplicationManifest>RegFreeCOM_x64.manifest</ApplicationManifest>

</PropertyGroup>

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Release|x64′”> <ApplicationManifest>RegFreeCOM_x64.manifest</ApplicationManifest>

</PropertyGroup>

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Debug|x86′”>
<ApplicationManifest>RegFreeCOM_x86.manifest</ApplicationManifest>

</PropertyGroup>

  1. Save the file, and reopen it in Visual Studio. Build the x86 and x64 platforms and test your application.

Checking Embedded Manifests

You may want to see if a manifest is properly embedded (or embedded at all) for debugging purposes. The Windows SDK included with VS provides a tool (MT) to work with manifest files.

To extract the manifest from your application, simply use the -inputresource and -out flags:

mt -inputresource:RegFreeComTest.Exe;#1 -out:CON

“CON” displays the manifest in the console. You can specify a filename to save it.

Additional Information

There’s plenty of general information about manifest files, and Registration-Free COM. Here are some useful links.

 

If you liked this article, you might also like:

The Changing Landscape of the Application Performance Monitoring Market

If you look at the last Gartner’s Magic Quadrant for APM and compare it with what is really happening in the market you will notice two things:

  1. With the exception of Compuware, the leaders, New Relic and AppDynamics, are all newcomers. All the old established companies are excluded from the leader’s quadrant.
  2. Gartner separates APM and analytics products, suggesting that the latter are mere complements. However, when paired with third-party applications, these analytics products are perfectly capable of replacing APM.

Our hypothesis is that the whole APM market will move into two specializations: analytics engines and agents for gathering performance metrics across different monitoring disciplines. Many new analytic or log management products are entering the market. Our new product ActivityLogger can send desktop and server metrics to an analytics product. In the example below, we send user experience metrics to Elasticsearch and display the results with Kibana.

Resources

If you liked this article, you might also like:

64-bit Microsoft Office Applications Do Not Like Stack Walking

Our SpyStudio tool intercepts application system calls and retrieves the called functions by inspecting the call-stack.

We were unable to access stack information in the last few 64-bit releases of Microsoft Office products. When we use SpyStudio to intercept an Office installation or most Office applications like Word or Excel, they start normally, but eventually exit silently.

Our initial research showed the culprit to be the Office Software Protection Platform, which would make sense, as it is supposed to hide an application’s safety mechanisms.

However, the Office Software Protection Platform did not keep us from intercepting the 32-bit version of Microsoft Office, so we decided to investigate further.

The .pdata Section

How does the 64-bit operating system do a stack walk when an exception occurs, and how can a debugger know who called a function?

Microsoft added new metadata information  which is stored on a special section named “.pdata” in the PE file format specification. When an application is compiled, the compiler stores information related to the prolog of each function. If a function handles exceptions, the compiler also stores data about actions that must happen when the unwind operation is executed.

The operating system and the debugger use a series of RUNTIME_FUNCTION structures to retrieve a variety of information about each function, like how much stack space is reserved for each function usage, which callbacks must be called in an unwind operation, and where assembly registers are stored.

If you want to do your own stack walking, you can start from the current program counter (the RIP register in x64) and look for the RUNTIME_FUNCTION that belongs to it. Then process the UNWIND_INFO items to determine stack usage, and lastly, retrieve the location of the return address of the parent function.

Fortunately, there are some new APIs which makes the job easier. They are RtlLookupFunctionEntry and RtlVirtualUnwind. A stack walking code sample:

VOID StackTrace64(VOID)
{
    CONTEXT Context;
    KNONVOLATILE_CONTEXT_POINTERS NvContext;
    UNWIND_HISTORY_TABLE UnwindHistoryTable;
    PRUNTIME_FUNCTION RuntimeFunction;
    PVOID HandlerData;
    ULONG64 EstablisherFrame, ImageBase;

    DbgPrint("StackTrace64: Executing stack trace...\n");
    // First, we'll get the caller's context.
    RtlCaptureContext(&Context);
    // Initialize the (optional) unwind history table.
    RtlZeroMemory(&UnwindHistoryTable, sizeof(UNWIND_HISTORY_TABLE));
    UnwindHistoryTable.Unwind = TRUE;
    // This unwind loop intentionally skips the first call frame, as it shall
    // correspond to the call to StackTrace64, which we aren't interested in.
    for (ULONG Frame = 0; ; Frame++)
    {
        // Try to look up unwind metadata for the current function.
        RuntimeFunction = RtlLookupFunctionEntry(Context.Rip, &ImageBase,
                                                 &UnwindHistoryTable);
        RtlZeroMemory(&NvContext, sizeof(KNONVOLATILE_CONTEXT_POINTERS));
        if (!RuntimeFunction)
        {
            // If we don't have a RUNTIME_FUNCTION, then we've encountered
            // a leaf function.  Adjust the stack approprately.
            Context.Rip  = (ULONG64)(*(PULONG64)Context.Rsp);
            Context.Rsp += 8;
        }
        else
        {
            // Otherwise, we call upon RtlVirtualUnwind to execute the unwind
            // for us.
            RtlVirtualUnwind(UNW_FLAG_NHANDLER, ImageBase, Context.Rip,
                             RuntimeFunction, &Context, &HandlerData,
                             &EstablisherFrame, &NvContext);

        }
        // If we reach an RIP of zero, this means that we've walked off the
        // end of the call stack and are done.

        if (!Context.Rip)
            break;
        // Display the context
        DbgPrint("FRAME %02x: Rip=%p Rsp=%p Rbp=%p\n", Frame, Context.Rip,
                 Context.Rsp, Context.Rsp);
    }
    return;
}

Source: Programming against the x64 exception handling support, part 7

Because the .pdata section is created when the application is compiled, if the program generates dynamic code, like the .NET JIT profiler does, it should also create the corresponding RUNTIME_FUNCTION metadata and inform the operating system of the new dynamic code.

The RtlInstallFunctionTableCallback API adds an entry in an internal processes table maintained by NtDll.dll that helps RtlLookupFunctionEntry and RtlVirtualUnwind find information on how to walk the stack when your dynamically generated code is in the middle of the function calls chain.

Microsoft Office Installer and Applications

So what explains the silent exit of an Office application like Word?

At first we thought that some kind of intentional data corruption was happening in the internal table. It seemed like some kind of anti-debugging technique to keep reverse engineers from seeing the product activation mechanism.

After some trial and error we noticed that RtlInstallFunctionTableCallback was installing a callback to a suspicious routine. Surprisingly, that routine calls TerminateProcess API! When our stack walker function wanted to know the chain of calls, RtlLookupFunctionEntry indirectly called that routine and the program terminated silently.

Could the guys at Microsoft have decided to use this strange method to protect their code? The annoying callback function was added and removed frequently during many operations.

The solution was to add a simple hook to the RtlInstallFunctionTableCallback API to keep it from being added. Now the issue is resolved and the fixed versions of Deviare “Hooking for the Masses” and SpyStudio will be available soon.

If you liked this article, you might also like:

Case Study: How Nektra Improved Desktop Virtualization for Symantec Corporation

Introduction

Large companies are continually faced with new technologies and shorter technology cycles which render their trusted applications obsolete. Migrating an application from one technology to another is expensive and the timeframe required to carry it out is prohibitive for most companies. In 2010, Nektra developed software which allows old technologies such as Internet Explorer 6 to run on Windows 7. Symantec uses it in their Endpoint Virtualization Suite, but it can be used to virtualize many other applications as well.

The Challenges

Symantec Vision 2010 conference was approaching and Symantec was eager to implement IE6 virtualization in Windows 7, a feature already offered by some competitors. Symantec workspace virtualization also has to support many other technologies that are part of the IE6’s ecosystem: Java, Adobe Flash, and Acrobat Reader, and their updates.

Desktop virtualization products work successfully with the majority of applications but some applications require above-average application packaging skills and a few require tailored solutions.

Solution

Nektra used its SpyStudio and Deviare Interception technologies to virtualize IE6. SpyStudio pinpointed the gaps left by Symantec Workspace Virtualization, while Deviare filled in these gaps enabling IE6 to run in Windows 7. Brian Madden celebrates this new functionality in his blog and includes a video demo.

Nektra also provided third level escalation support, sopport for updated browser plugins, and fixes for the IE6 virtualization.

More recently, Nektra successfully tackled the issues related to virtualizing Microsoft Office with volume licensing for all versions of Windows up to 8.1.

Accomplishments

  1. Adding a key feature to a product that leveraged Symantec’s position in the virtualization market
  2. Delivery in time for Symantec Vision 2010 conference
  3. The 3rd level escalation support service was able to handle all requests successfully

If you liked this article, you might also like:

  1. Nektra and VMware are Collaborating to Simplify Application Virtualization Packaging

Nektra and VMware are Collaborating to Simplify Application Virtualization Packaging

Nektra’s SpyStudio provides tools allowing for application harvesting and simplified packaging for the VMware ThinApp offering

Nektra and VMware, Inc. have been collaborating to significantly improve the process of creating and troubleshooting VMware ThinApp application virtualization packages with the SpyStudio application. The video below shows the SpyStudio new ability to harvest applications directly from the operating system to create VMware ThinApp packages even for applications where customers no longer have the installer media. The new SpyStudio release can be downloaded free from http://www.nektra.com/products/spystudio-api-monitor/download/. A fully featured version requires a license.

As companies embrace application virtualization, packaging and troubleshooting in some cases has proven difficult and resource intensive. SpyStudio offers a means to quickly compare application operations to help pinpoint and solve challenging packaging tasks.

The application virtualization market will continue to grow in the next years. Hence, it is critical to be able to make the virtualization process less error prone. Leveraging SpyStudio, a unique and advanced tool will prove to be an essential part of the growth of application virtualization and successful customer implementations.

If you liked this article, you might also like:

  1. Case Study: Nektra Escalation Support for Symantec Workspace Virtualization (SWV)

Resources

Instrumenting Microsoft SQL Server to Abort Dangerous Queries

Hernan has added a new feature to the code offered in our article SQL Server Interception and SQL Injection Attack Prevention. Now it is possible to cancel queries as well as watch them. The code sample uses the Deviare Interception Engine’s call-skipping feature to abort the execution of the CSQLSource::Execute function. The code distribution includes a customized Deviare database for adding the definition of CSQLSource::Execute function parameters. To use this feature you must invoke the application with the “-a” switch in the command line.

We also improved console debugging output and fixed errors that came up when exiting sqlservr.exe. If the developer has a Deviare license, it can be added as a license.txt file in the application directory to disable the splash window.

If you liked this article, you might also like:

  1. Capturing Unencrypted HTTPS Requests and Responses (As Seen at BlackHat USA 2013)
  2. Recording Direct3D Video Games and Calculating Frames per Second
  3. Controlling the Speed of YouTube Videos

Resources

  1. Open Web Application Security Project

Sending Large Files in Outlook via Google Drive

You can download our free Outlook Add-In for Google Drive to sample our Outlook managed file transfer services. Several issues arise when sending large files with Outlook: there is a data overhead for each binary attachments sent via SMTP, Microsoft Exchange limits the size of attachments, and servers often have e-mail quotas. In Integrating Dropbox with Microsoft Outlook we provide a free Outlook add-in to send large files via DropBox. Google Drive is cheaper than DropBox: to send virtual machine images or large media files you need 200gb of storage. On DropBox this costs $ 19.99 per month while on Google Drive it costs $ 9.99. Microsoft SkyDrive is in the same price range as Google Drive.

Features

  • Persist your Google Drive credentials in Outlook
  • Browse your Google Drive files
  • Share files from Google Drive with email recipients
  • Automatically send links to the files you want to share and the corresponding invitations if the files are not public

Quickstart

  1. Install Outlook Drive
  2. Open Outlook
  3. Open a Compose Window
  4. In the “Insert” tab, you will find a new button named “Google Drive Link”. Click it.
  5. A window with two lists will be displayed. The left list is the root directory of your Google Drive account. Select the files you want to share with the email’s recipients and add them to the list on the right either by double clicking files or by using the right mouse button. The files shown in the list on the right will be persisted until the email is sent or the compose window is closed.
  6. Send the email. The recipients will receive links to the files and an invitation email from Google Drive to share any files that were not public.

 

Acknowledgments

The add-on was developed by Guillermo Ares.

If you liked this article, you might also like:

Using Deviare to Create a Temporary Zero Day Patch

Zero day vulnerabilities put organizations at the mercy of vendors. These vulnerabilities are like a ticking bomb: you do not know when someone will exploit them. Writing your own patch for closed source applications is, in most cases, a complex mission that can take even longer than the vendor solution. When you use legacy software which has outlived vendor support you must write your own patch or set up preventive measures. Even if you are using supported software, you can use Deviare to protect yourself from some known 0-day vulnerabilities to 0-day attacks until the vendor patch is available. Below is a code sample which uses Deviare to address CVE-2010-3971. Deviare makes hooking extremely easy, requiring only the most rudimentary programming skills. Deviare is binary instrumentation for the masses!

CVE-2010-3971 is a vulnerability in the CSharedStyleSheet::Notify function in the CSS parser in mshtml.dll. It uses memory after it is freed. We use Deviare to intercept the exploit before the attack is made effective and can achieve a denial of service or execution of arbitrary code.

The CSharedStyleSheet::Notify function manipulates an array of CStyleSheet objects. The function receives a flag as a parameter. If this flag passed is one, it calls CStyleSheet::Notify. The exploit must embed the value of the flag to call this particular function.

Our code hooks the CStyleSheet::Notify function, which is not normally called by Internet Explorer, in all iexplorer.exe processes, to detect the presence of an exploit. We use Metasploit to simulate the attack with the ms11_003_ie_css_import exploit and check our detection method. If an exploit is detected, a message box appears and IE is suspended to prevent damage.
Below is a video showing the attack and defense in action:

Code

The code is available on github.

Prerequisites

  1. Download Deviare and register it for 32-bit or 64-bit
  2. To enable the Deviare engine to use debugging symbols, the following library files are required: symsrv.dll which can be obtained in the Debugging Tools for Windows package and msdiaXX.dll which is part of the DIA SDK, available in Microsoft Visual Studio installation folder, under DIA SDK/bin directory. The Recommended Debugging Tools for Windows version is 6.12.2633 or higher. Tested DIA SDK versions are 9.0 (msdia90.dll), 10.0 (msdia100.dll) and 11.0 (msdia110.dll).
  3. You must copy those 32 and/or 64-bit DLLs to the dllx86 and dllx64 folders in the “bin” directory of the project, depending on which platforms you want to target.
  4. The project platform should match the Internet Explorer platform for the interception to succeed.
  5. Compile the solution
  6. The project will load and cache the symbols in the directory D:\PDB

Acknowledgment

Douglas from Nektra researched and developed the code.

Further Reading

  1. When A DoS Isn’t A DoS
  2. Windows XP SP3 and Office 2003 support ends April 8, 2014

If you liked this article, you might also like:

Capturing Unencrypted HTTPS Requests and Responses (As Seen at BlackHat Arsenal)

Today Manuel Fernandez is presenting HookME at Black Hat USA Arsenal 2013. HookME is software designed for intercepting communications which uses the Nektra Deviare Engine for binary instrumentation. HookME can intercept unencrypted HTTPS web traffic.

Many different proxy servers are used to intercept HTTP traffic. Fiddler is the most popular one for generic purposes. Burp Proxy is the leader for security testing. The issue with intercepting HTTPS traffic is that the proxy application acts as the man in the middle for HTTPS requests and the certificates being presented to the client are not the real ones. For example, intercepting network traffic to Amazon leads to a warning in the browser because the certificate being presented is unsigned. Another issue is that it is time consuming to set up the keys and certificates needed to configure the proxy.

Instead of using a proxy, you can intercept the EncryptMessage function in the Secure32.dll as HookME does:

You can also intercept the WinINet.dll before data is encrypted in the HTTPS request, and after data is decrypted in the HTTPS response. This way, no change is made to any certificate and no man in the middle attack is simulated. These concepts are a starting point for more sophisticated web security, debugging tools, and support for Firefox and Chrome browsers. You can start by intercepting synchronous functions in WinINet.DLL such as InternetOpen, HttpOpenRequest, HttpSendRequest, HttpAddRequestHeaders, InternetReadFile, InternetWriteFile, and their “Ex” functions counterpart.

 

If you liked this article, you might also like:

Related Nektra Products

Related Third Party Products

Further Reading

  1. Sniffing the Unsniffable