Comparing Data Loss Prevention Products

At Nektra we develop custom DLP solutions that can be run as individual components or integrated into third party products. In our comments below we focus on critical capabilities: mobile, BYOD, cloud, operating system coverage, and compliance regulation. We built a feature comparison matrix for data loss prevention products to gain a better understanding of the products currently available on the market. It is available in Google Sheets or pdf form. It is a good starting point for organizations looking to acquire DLP products and will save them a lot of time comparing vendors.

How Data Loss Prevention (DLP) can be applied to mobile devices

Demand for Bring Your Own Device (BYOD) infrastructure is on the rise. BYOD allows sensitive data to be synced and shared across employees’ mobile devices and allows private and business apps to be used at the same time. However, not all DLP vendors offer integrated solutions for mobile situations. The design of mobile operating systems often restricts the visibility and enforceability of security capabilities, making mobile DLP a special challenge.

A complete DLP solution for mobile devices must address:

  • Risk of device loss
  • Insecure hardware
  • OS’ with different security standards and reputations
  • The use of employee-owned devices (BYOD)
  • The separation between private and business use (Dual Persona)
  • Ex-employee access to sensitive data (Remote Data Wipe)
  • Installation of insecure apps (Whitelisting)
  • Absence of antimalware
  • Access to unsecured networks and access points (Virtual Private Networks)
  • Unapproved and public cloud services

DLP Hardware

To protect mobile hardware, Samsung uses TrustZone Integrity Measurement Architecture (TIMA) in Samsung KNOX. TIMA acts as a buffer between the Android OS Kernel and the mobile processor and uses hardware-based mechanisms to isolate business data[1].

The Boeing Black, the Blackphone 2, and the Theorem embed advanced hardware security features for the defence and government communities[2]. The Boeing Black is approved for the US Department of Defense and has a self-destruct feature, deleting all data when someone attempts to open the case.

Vendors like MobileIron add more functionality to Samsung KNOX devices with their own Enterprise Mobility Management (EMM) platform[3].

Non-physical containerization for DLP

To protect the sensitive data of businesses, non-physical containerization can be adopted at various levels on mobile devices. In a sandboxing approach, business apps run in one isolated container, and security policies apply to all apps in that container. A more fine-grained approach is to use application-based containers where policies can be adjusted individually. To configure the policies, vendors offer specific Software Development Kits (SDKs).

Recent advances in the iOS, Android and Windows operating systems offer an alternative to proprietary methods by building Mobile Application Management (MAM) and containerization capabilities into the operating system itself[4].

Virtual Private Networks (VPNs) like those used by Symantec[5] and RSA[6] complement the existing mobile device management (MDM) system to protect the communication of mobile devices, including iPhones and iPads which are often left unprotected. BYOD devices using desktop and application virtualization technology from Citrix or VMware can be protected by DeviceLock’s Virtual DLP, which fully controls virtual corporate environments[7].

In addition to conventional DLP methods, such as encryption and monitoring, further measures can be deployed to safeguard business applications and corporate data. These methods include remote data wiping from past employees or stolen devices, as well as app and URL whitelisting, copy/paste DLP, stripping, geofencing, two-factor-authentication (2FA), device locking, and anti-malware.


Keeping up to date about new security risks

Current trends will increasingly affect all Internet of Things (IoT) and wearable devices. Environments with new access points like smartwatches or fitness trackers will be the next target for protection coverage. Security strategies must be designed to keep employees and technology updated as new security risks arise. Employees must follow best-practices to preempt security breaches[8]. Last but not least, employees should know how to keep their personal data private.

Regulatory compliance

Countries establish laws and regulations which protect the private data of employees, customers and patients. Substantial fines are imposed for failure to comply or when data is misused. To conform to recent regulatory changes and to prevent infringement, DLP products must be frequently updated. This can be a complex task if the product is sold in many countries, and provides an interesting opportunity for niche players to develop products for specific countries.

Adapting DLP to small and medium-sized enterprises (SMEs)

SMEs are also vulnerable to cybercrime and subject to tight compliance and regulatory mandates, but state-of-the-art DLP technology is too complex and expensive for most.

A full DLP solution for a multinational corporation can cost up to $500,000[9] for three years. If vendors want to enter the SME sector, they need to adapt their products, services and prices to the needs and budgets of SMEs. The creation of new formats such as Pay-Per-Use, Software as a Service (SaaS) and services without the need for dedicated IT personnel, could be one way to go.

DLP for the cloud

Companies are often sceptical about entrusting their most carefully guarded business secrets to cloud services, SaaS, and file sharing services like Microsoft OneDrive, Google Drive, Box and Dropbox. On the other hand, the outstanding benefits of cloud computing are undeniable: flexibility, scalability, collaboration, mobility, remote access and BYOD compatibility. Reliable DLP security for the cloud is a challenging and growing market; 90% of DLP violations happen in cloud storage apps[10]. This means that it is important for companies to feel confident when data is leaving their premises. To ensure adequate protection, the DLP vendor must know the data model, sharing semantics and access rights of the cloud service he or she wants to protect. Or, alternatively, the cloud provider must integrate its own DLP mechanisms. Symantec currently offers a cloud security product called Symantec DLP 14 and collaborates closely with Box and Microsoft Office 365[11]. Netskope offers another DLP service for the cloud which  monitors cloud apps and shadow IT[12]. Finally, CloudCodes secures Google Apps by enforcing security policies using Cloud Access Security Brokers (CASBs)[13].

OS X

According to Zoran Cocoara of CoSoSys[14], OS X has recently become an important attack vector and deserves DLP mechanisms. CoSoSys, McAfee, Digital Guardian, and others now offer DLP solutions for OS X. However, since there are still significantly fewer security solutions available for OS X than for other OS’, companies’ IT teams often leave out security measures for Macs. Macs sharing the same network with PC’s thus become a risk factor.

Niche market

New situations and vulnerabilities which are not covered by the standard DLP products arise from the combination of on-premises DLP, SME needs, mobile use, BYOD infrastructure and cloud computing. New niche products with special features are needed to address these vulnerabilities.

For example, if hospital employees use a specific mobile device to manage patient data on the cloud, a special feature could be implemented to apply kiosk policies and prevent patient data loss. The users of the mobile device would not be able to use browsers or other apps. An administrator would be able to set exact specifications and lock apps.

The increasing demand for individual solutions generates a highly fragmented market and encourages smaller vendors to operate as niche players.

At Nektra, we specialize in custom solutions for the DLP market. These are some examples of our work:

  • Developing Microsoft Outlook, Ootw/OWA, and Office 365 add-ins to prevent leaks of information in emails and attachments
  • Developing Microsoft Windows drivers to limit access to files depending on their content
  • An API which restricts Microsoft Windows system shortcuts, blocks execution of alien applications, and disables execution on virtual machines

Conclusion

It is difficult to find a single product that covers the full spectrum of data loss prevention needs. Our data loss prevention products matrix helps customers and vendors understand the full array of available features and make an informed choice.

This work by Nektra Advanced Computing is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

References

[1] https://news.engr.ncsu.edu/2014/11/tima-technology-is-core-to-samsungs-state-of-the-art-knox-platform/

[2] http://www.zdnet.com/pictures/the-most-secure-smartphones-in-the-world-pictures

[3] https://www.mobileiron.com/en/solutions/multi-os-management/android/knox-solution

[4] http://blogs.air-watch.com/2015/10/byod-containerization-building-sustainable-mobile-strategy/#.Vvlok2ErJpg

[5] http://searchsecurity.techtarget.com/feature/How-to-deploy-the-right-DLP-products-for-the-right-jobs

[6] http://www.emc.com/collateral/data-sheet/h12413-rsa-dlp-for-byod-ds.pdf

[7] http://www.devicelock.com/products/byod-virtual-dlp.html

[8] http://searchmobilecomputing.techtarget.com/tip/Six-data-loss-prevention-strategies-for-mobile-environments

[9] http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/rpt_infotech-research_dlp-vendor-landscape.pdf

[10] http://www.infosecurity-magazine.com/news/90-data-loss-prevention-violations/

[11] http://searchcloudsecurity.techtarget.com/news/4500247414/Symantec-breaks-into-the-cloud-DLP-market-teams-with-Box

[12] http://security-musings.blogspot.com.ar/2015/04/comparing-cloud-access-security-broker.html

[13] https://www.cloudcodes.com

[14] https://www.helpnetsecurity.com/2015/05/06/the-importance-of-data-loss-prevention-for-os-x

Benchmarking Windows Packet-Capture Methods for Windows Driver Development

Below, we compare different ways of intercepting network packets, and of filtering and analyzing their content to see if kernel drivers which use NDIS and WFP frameworks perform better than WinPcap.

We tested the performance of each method. See table.

Testing

We measured network bandwidth after applying a basic filter which:

  1. Intercepts all packets
  2. Verifies whether they are TCP/IP packets, and whether their source/destination is a certain IP
  3. Copies the packets’ data to a buffer
  4. Calls an empty callout function to process the packets’ payloads

We applied the filter to each of the methods. See source codes here. We used iperf3, a tool that generates network traffic and provides IP network statistics, to measure maximum achievable bandwidth. It is highly configurable and flexible and worked very well for our purposes.

Both the client and server’s operating systems were Windows Server 2008 R2 x64. We used HP NC552SFP 10GbE 2-port network cards. We followed the same steps for each method:

  1. Set up the testing environment on the server.
  2. Start iperf3 on the server in server mode (iperf3 -s).
  3. Start Iperf3 on the client in client mode (iperf3 -c <server-ip> -P 16). Configure server IP and number of threads to start generating maximum achievable traffic.
  4. Measure how fast the server receives the packets.

Test Results

(in Gbit/s) Native WinPcap NDIS 6.0 WFP
Average 9.33 9.15 8.01 2.11
Min 9.25 9.09 7.02 1.25
Max 9.54 9.39 9.3 2.44
Std. Deviation 0.25 0.33 0.95 1.1

Test Conclusion

As one can easily see, WinPcap outperforms the others and WFP is significantly slower.

Suggestions

If you can do it with WinPcap, do it with WinPcap. Given the ease of use of WinPcap’s API, and the test results, we strongly recommend WinPcap for traffic inspection, packet payload analysis, basic filtering, raw packet transmitting, and basic network statistics.
However, WinPcap cannot be used for firewalling or to analyze application-level connections. In addition, the pcap filtering language is not designed to classify packets, so if this is a priority you will have to add a deep packet inspection library.

Both NDIS and WFP can be used for firewalling, but only NDIS works in XP and older operating systems. WFP is your only option when you need to peer into the plaintext of an IPsec-protected packet, query the identity of the user or application that originally sent a packet, authorize the creation of a socket, or monitor loopback traffic. Unlike NDIS, WFP is actively supported by Microsoft.

Source Code

  1. WinPcap, NDIS, and WFP testing code
  2. NDIS original source
  3. WFP original source

Credits

This article and code would not have been possible without the support of our Windows driver development team and custom development software engineers.

References

Is Google Spying on You? How to Quickly Craft an Ad Hoc Security Sandbox

In June, 2015 there was an alarming bit of news when people over at the Debian project realized that Chromium silently downloaded a closed source NaCl binary extension. It was the hotword extension which implements speech recognition techniques. When someone says “OK Google” within range of the microphone, Chrome interprets what follows as a command. This is an essential component of the hands free voice search feature offered in newly opened tabs or on Google’s homepage. It was not just alarming that open-source Chromium was installing a closed-source module, but also that this module could use your microphone to passively listen to you.

In Using Deviare to Create a Temporary Zero Day Patch we used Deviare to show how you can prevent an attack before a patch is available (without shutting down your computers). Here we show a simple and fast way to sandbox Google Chrome and know if it wants to listen to you. The Python code is available here.

A quick perusal of the Chrome project reveals that Core Audio APIs are used to obtain low-level access to recording hardware. Chrome instantiates an IMMDeviceEnumerator object and then uses the IMMDevice::Activate() method to instantiate an IAudioClient object. IAudioCaptureClient is instantiated through IAudioClient::GetService(). We hook CoCreateInstance() so that the call to create an IMMDeviceEnumerator is ignored and all interaction with microphones is blocked. More fine-grained control and monitoring capabilities can be achieved by hooking more specific functions.

Prerequisites

  1. Windows Vista or later (1)
  2. Python 3 (tested with Python 3.4.3) with its pywin32 bindings
  3. Deviare COM registration, see below
  4. Chrome (tested with Chrome 43.0.2357.130)

Deviare COM Registration

Navigate to the bin directory of Deviare2 and execute regsvr32 DeviareCOM.dll. If you are using a 64-bit operating system, execute regsvr32 DeviareCOM64.dll.

You must also configure Chrome to enable the hotword “OK Google” extension. To do so, go to chrome://settings and set the default search engine to Google. A checkbox should appear just below. “Enable “OK Google” to start a voice search.” After you check it, the hotword NaCl extension module should load automatically whenever you visit Google’s homepage or open a new tab, provided that your country is supported. If this is not the case (you won’t see “Say “OK Google”” within the search textbox, or any equivalent in your language), you will have to use http://www.google.com.

Using the Script

There are two ways to run the demonstration script.
The first method is without arguments. In this case, the script will try to guess the path to the Chrome executable and launch it. Immediately after that, the hooks are created and attached to the process.
The second way (2) is to invoke it with a list of PIDs in this fashion:
python3 ChromeAudioCaptureSandbox.py pid1 pid2 pid3 … pidn
In this case, it will attach the created hooks to the specified PIDs.

Credits

Thank you for our teams Windows driver development and custom development software.

Notes

  1. This script was not written for Windows XP, and presumably will not work since it hooks APIs available in Windows Vista or later. However, it should not be difficult to hook the API used in XP.
  2. Hooking the Chrome processes when the hotword NaCl module is running may cause Chrome to crash because Chrome assumes the existence of a recording device. We trick it into thinking there is no such device, which is outside the possible normal execution flow.

If you liked this article, you might also like:

  1. Injecting a DLL in a Modern UI Metro Application
  2. Deviare Hooking Engine is Open Source and Deviare In-Proc Supports .NET Hooking
  3. How to Identify Virtual Table Functions with the VTBL IDA Pro Plugin

Watermark Printed Documents in Windows

Sample

Our Data Loss Prevention Development team used Deviare to add watermarks to printed documents by intercepting XPS Print API interfaces. This technique can be applied to all printing jobs on virtual or physical printing devices. Get the code.

The requirements are:

  • An operating system with XPS Print API (Windows Vista SP2 with Platform Update or higher)
  • Visual Studio 2008 with Service Pack 1
  • MS Windows Platform SDK 7.1 or higher
  • .NET Framework 2.0
  • Internet Explorer 9.0 or higher

This solution consists of two C# projects and one C++ project. The first C# project is IEPrintWatermark, which initiates the hooking process and loads the custom C++ DLL and C# plugin. The second is IEPrintWatermarkHelperCS, which is the plugin itself and does all the internal XPS watermark drawing operations. The C++ project is IEPrintWatermarkHelper, and it just gets a pointer to a specific internal interface.

To build the project, we use the “Batch Build” feature of the VS IDE. Since the x64 binaries depend on the x86 version of IEPrintWatermarkHelper, first we build the solution for the x86 platform so the x64 build can obtain the required dependencies. This is required due to the IE architecture where the main process runs in 64-bits, while the child IExplore.exe processes run in 32-bits.

After a successful build, run IEPrintWatermark. The default IE installation will be launched. Navigate to your desired page, and print the page to an XPS-compatible printer. A sample watermark consisting of a purple box and semitransparent, rotated text strings will be superimposed on the text or image on the page.

Additional notes

We used the .NET framework tools to import the Microsoft XPS Print API from the SDK xpsobjectmodel.idl file. The converted file, MSXPS.DLL, is located in the binary folders.

Additional code snippets were included to make it easier to use XPS Document API in C#. See for example the MakeMatrixTransform function which generates transformation matrices for rotating, translating and scaling the visual objects in the XPS document, and the MakeXPSColorfunction which generates a proper RGBA color value.

In XPS documents, all font resources are embedded from file streams. We have included a small font name to TTF filename mapping code (see GetSystemFontFileName function) for easier handling. Font name is case sensitive.

XPS font size is specified in “ems”, not pixels or points. 1 document inch equals to 96 XPS logical units.

All object transformations are relative to page origin (top-left is 0,0).

References

Credits

The article was written by our Windows driver development team and custom development software engineers.

If you liked this article, you might also like:

RemoteBridge Is Now Open Source: Inspect and Control Java and COM Objects Remotely in Windows

RemoteBridge is now open source and available on GitHub as are Deviare Hooking Engine and Deviare-InProc. RemoteBridge allows you to access the COM and Java objects instanced in a process as if they were your own object instances. You can access their methods, properties and events from your own application. It is implemented as a COM itself so you can use it in almost every programming and scripting language in Windows, including .NET languages. RemoteBridge is handy If you want to modify the behavior of a closed Windows-based application: you can even access hidden COM instances and Java objects.

Legacy Integration and Workflow Automation

RemoteBridge enables you to modernize Windows legacy applications so they interact with web and mobile applications. You can also use RemoteBridge to extend the functionality of closed-source applications. Finally, RemoteBridge helps you add COM and Java applications to your automated workflow.

RemoteBridge Internals

To interact with a COM object, RemoteBridge initially hooks common COM object creation APIs like CoCreateInstance. Your applications receives a marshallable reference for every COM object so you can access the object’s methods and properties directly.

If the target application is running Java, RemoteBridge attaches itself to the Java Virtual Machine. Objects are gathered using standard Java Native Interface methods and a COM object wrapper is created. This wrapper allows your application to call methods and get/set properties of the wrapped java object.

SpyStudio Is Now Free: Create and Troubleshoot Application Packages for Windows

SpyStudio is now free and available for download here. It is a Swiss Army knife for cyber security analysts, DevOps, QA engineers, and developers. You can take a look at the articles “Nektra and VMware are Collaborating to Simplify Application Virtualization Packaging” and “How Nektra Improved Desktop Virtualization for Symantec Corporation” to see how big vendors are using it. This multi-tool is useful for application virtualization, troubleshooting windows applications, application performance monitoring, malware analysis, and as a process monitor complement.

Windows 10 Support

Both, SpyStudio and Deviare In-Proc, and Deviare Windows hooking engine, work on Windows 10.

Application Virtualization

Creation

SpyStudio creates virtualization packages and layers for VMware ThinApp and Symantec Workspace Virtualization. You can see it in action in the videos Harvesting Applications and Creating VMware ThinApp Packages with SpyStudio and Creating a VMware ThinApp package for Firefox in less than two minutes with SpyStudio.

Troubleshooting

SpyStudio troubleshoots application virtualization issues in products like Microsoft App-V, VMware ThinApp, Symantec Workspace Virtualization, Citrix XenApp, Cameyo, and Spoon.

See the video Nektra SpyStudio and Troubleshooting ThinApp Package by Peter Björk Lead Specialist, EMEA EUC Practice at VMware.

Catalog of Ready To Use Application Virtualization Packages

Additionally, Nektra offers custom software packages built by our engineers for Microsoft Office, Microsoft Lync, Internet Explorer or any other application. The Microsoft Office and Lync packages support volume licenses which require Microsoft Key Management Server (KMS).

Troubleshooting Windows Deployment Issues

When you don’t know why an application works in some environments but not in others you can use SpyStudio to help you spot the differences.

Please take a look at Fixing an Internet Explorer Issue Using SpyStudio video.

Application Performance Monitoring

With SpyStudio you can benchmark applications running in different environments and identify performance issues that are degrading the end-user experience. Windows native and .NET applications are supported.

Look at the following example: “Benchmarking Microsoft Office’s PowerPoint Virtualization” compares App-V and SWV“.

Malware Identification

SpyStudio performs dynamic analysis on 64-bit and 32-bit Windows applications. The application execution patterns allow you to detect malicious behavior.

The book “Malware Forensics: Investigating and Analyzing Malicious Code and Malware Forensics Field Guide for Windows Systems” discusses one way SpyStudio can be used to fight malware.

Process Monitor Complement

Process Monitor is great for looking at issues that can be detected in kernel mode but it does not show Windows API usage.

SpyStudio reads Process Monitor logs and displays them in a friendly UI to quickly spot issues connected to the Windows API.

Support

Our custom software development engineers can help you with any specific feature you may need.

Deviare Hooking Engine is Open Source and Deviare In-Proc Supports .NET Hooking

We have good news for those interested in Windows Hooking. Deviare Hooking Engine is now open source and available on GitHub. The license is GPL but a commercial license and support are also available for users who want to distribute closed-source products based on Deviare. Our other open source hooking product, Deviare In-Proc, now supports hooking .NET methods. Our main competitor Microsoft Detours does not.

People can now use, learn from, and fork Deviare Hooking Engine. If you are new to Deviare and want to bootstrap a project please take a look at our related blog posts. Academic users might be interested in the following resources:

We have also added a new option to Deviare In-Proc which disallows reentrancy. If a hook is marked with the disallow reentrancy flag, then calling the hooked function from the detoured one will jump to the original API function. It also provides helper methods to facilitate DLL injection into other processes.

For other differences between Deviare Hooking Engine and Deviare In-Proc see the reddit thread: GPL alternative library to Microsoft Detours for binary instrumentation.

Case Studies

Related Solutions

Registration-Free Activation of Deviare Hooking Engine COM in x86 and x64 platforms

Deviare 101 Part 1

Welcome to the first installment of Deviare 101.

In this article, we’ll explain how to use Deviare’s Reg-Free COM capability to easily deploy applications on end-user machines.

This guide uses Visual Studio 2013 but can also be followed on earlier versions.

The Manifest File

Reg-Free COM requires an XML file called a “manifest”. Manifest files specify which DLLs to load, and sets other application run-time properties.

If your project includes multiple Windows target platforms, you must use a different manifest for each platform.

This is what the manifest we use to support Deviare in the x86 platform looks like:

<?xml version=”1.0″ encoding=”utf-8″?>

<asmv1:assembly manifestVersion=”1.0″ xmlns=”urn:schemas-microsoft-com:asm.v1″ xmlns:asmv1=”urn:schemas-microsoft-com:asm.v1″ xmlns:asmv2=”urn:schemas-microsoft-com:asm.v2″ xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>

<assemblyIdentity version=”1.0.0.0″ name=”myApp” processorArchitecture=”x86″/>

 

<dependency>

<dependentAssembly>

<assemblyIdentity type=”win32″ name=”DeviareCOM” version=”2.0.0.0″ processorArchitecture=”x86″ />

</dependentAssembly>

</dependency>

 

</asmv1:assembly>

Here is the manifest we use to support Deviare in the x64 platform:

<?xml version=”1.0″ encoding=”utf-8″?>

<asmv1:assembly manifestVersion=”1.0″ xmlns=”urn:schemas-microsoft-com:asm.v1″ xmlns:asmv1=”urn:schemas-microsoft-com:asm.v1″ xmlns:asmv2=”urn:schemas-microsoft-com:asm.v2″ xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>

<assemblyIdentity version=”1.0.0.0″ name=”myApp” />

 

<dependency>

<dependentAssembly>

<assemblyIdentity type=”win32″ name=”DeviareCOM64″ version=”2.0.0.0″ processorArchitecture=”amd64″ />

</dependentAssembly>

</dependency>

 

</asmv1:assembly>

You must specify your application assembly name and version in the application’s <assemblyIdentity> tag. Additional attributes are optional.

How to Connect Your Application to the Manifest File

There are two ways to connect your application to the manifest file:

  • Place the manifest file in your application home directory. This requires the manifest file to have the same name as your application executable, with the “.manifest” suffix. For example, if your application executable is MyApp.exe, you must name the manifest MyApp.exe.manifest.
  • Embed the manifest in your application executable as a resource.

The second option involves a bit of work with project settings, and is described in the section below.

Deviare DLLs and database files should be placed in your application’s home directory or another searchable location (e.g: in the system path). Be aware that when you mix projects using Deviare with the Reg-Free COM mechanism with other projects using manual registration you may experience issues such as versioning problems. You can use the regsvr tool with the /U option to manually unregister Deviare.

Visual Studio C++ Project Setup Guide

To use Reg-Free COM Deviare in a C++ VS application, follow those steps:

  1. Create one manifest file for each target platform as shown at the beginning of this article. Name them “RegFreeCOM_x86.manifest” and “RegFreeCOM_x64.manifest”. Copy those files to your source file directory.
  2. Open your project settings, select the desired platform, go to “Manifest Tool >> Input and Output” and enter the filename in “Additional Manifest Files”. You can specify variables such as $(SolutionDir), $(ProjectDir) to modify the manifest path. Make sure the selected platform and manifest file platform match.

settings_c++_x86

Do the same for the other platforms in your project,. In this case, the x64 platform:

settings_c++_x64

DeviareCOM DLLs must be in the same directory as your executable. You can copy them manually; or use “Post-Build Event” in “Project Settings” to automate this step.

settings_postbuild

In the screenshot above, we show an example of how to use the “Command Line” field to copy Deviare DLLs and databases from a DLL directory within the solution directory ( $(SolutionDir) variable) to the output directory where the application executable is generated ( ($OutDir) variable).

  1. Build your project and test your application.

C# Project Setup Guide

Important: Visual Studio uses VSHOST.EXE to improve debugging when you launch an application. As a result Visual Studio ignores your embedded manifest and COM components are not loaded properly. There are two workarounds: 1) execute your application outside Visual Studio or 2) uncheck “Enable the Visual Studio hosting process” in your project settings:

vshost

If you want to use a single custom application manifest in a C# project, it’s easy to access the project settings dialog and choose a manifest file:

settings_c#

However, unlike Visual Studio C++ projects it is not possible to configure multiple-platform projects to use one manifest for each platform in Visual Studio C# projects. The above dialog only sets up a global manifest for the application.

Since Deviare 32-bit and 64-bit are different COM DLLs, you need to use different manifests to load them:

  1. Create manifest files as shown at the beginning of this article, one for each target platform. Name them “RegFreeCOM_x86.manifest” and “RegFreeCOM_x64.manifest”. Copy these files to your source file directory.
  2. Use a text editor to open your C# project file (“.csproj” extensión). Look for the “PropertyGroup” tags. There is one “PropertyGroup” for each configuration and platform target pair.

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Release|x86′”>

</PropertyGroup>

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Debug|x64′”>

</PropertyGroup>

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Release|x64′”>

</PropertyGroup>

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Debug|x86′”>

</PropertyGroup>

  1. With either VS closed or the project unloaded to allow modifications, you must insert the manifest declaration using the proper manifest file platform below the “<PropertyGroup …>” opening tag. If we have the RegFreeCOM_x86.manifest and RegFreeCOM_X64.manifest to use on the x86 and x64 builds, respectively, first, we’ll add the manifest declaration of the x86 build:

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Release|x86′”>
<ApplicationManifest>RegFreeCOM_x86.manifest</ApplicationManifest>

</PropertyGroup>

Repeat for all configuration combinations; be careful not to delete the existing tags between the PropertyGroup opening and closing tags.

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Debug|x64′”>
<ApplicationManifest>RegFreeCOM_x64.manifest</ApplicationManifest>

</PropertyGroup>

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Release|x64′”> <ApplicationManifest>RegFreeCOM_x64.manifest</ApplicationManifest>

</PropertyGroup>

<PropertyGroup Condition=”‘$(Configuration)|$(Platform)’ == ‘Debug|x86′”>
<ApplicationManifest>RegFreeCOM_x86.manifest</ApplicationManifest>

</PropertyGroup>

  1. Save the file, and reopen it in Visual Studio. Build the x86 and x64 platforms and test your application.

Checking Embedded Manifests

You may want to see if a manifest is properly embedded (or embedded at all) for debugging purposes. The Windows SDK included with VS provides a tool (MT) to work with manifest files.

To extract the manifest from your application, simply use the -inputresource and -out flags:

mt -inputresource:RegFreeComTest.Exe;#1 -out:CON

“CON” displays the manifest in the console. You can specify a filename to save it.

Additional Information

There’s plenty of general information about manifest files, and Registration-Free COM. Here are some useful links.

If you liked this article, you might also like:

Related Services

Don’t forget to read our data loss prevention solution developmentWindows driver development and Windows software development services.

The Changing Landscape of the Application Performance Monitoring Market

If you look at the last Gartner’s Magic Quadrant for APM and compare it with what is really happening in the market you will notice two things:

  1. With the exception of Compuware, the leaders, New Relic and AppDynamics, are all newcomers. All the old established companies are excluded from the leader’s quadrant.
  2. Gartner separates APM and analytics products, suggesting that the latter are mere complements. However, when paired with third-party applications, these analytics products are perfectly capable of replacing APM.

Our hypothesis is that the whole APM market will move into two specializations: analytics engines and agents for gathering performance metrics across different monitoring disciplines. Many new analytic or log management products are entering the market. Our new product ActivityLogger can send desktop and server metrics to an analytics product. In the example below, we send user experience metrics to Elasticsearch and display the results with Kibana.

Resources

If you liked this article, you might also like:

Related Services

Please, support our blog reading our services: Windows driver developmentWindows software development and application packaging services.

64-bit Microsoft Office Applications Do Not Like Stack Walking

Our Office plugin development team was researching some problems with Office and they found this problem.

Our SpyStudio tool intercepts application system calls and retrieves the called functions by inspecting the call-stack.

We were unable to access stack information in the last few 64-bit releases of Microsoft Office products. When we use SpyStudio to intercept an Office installation or most Office applications like Word or Excel, they start normally, but eventually exit silently.

Our initial research showed the culprit to be the Office Software Protection Platform, which would make sense, as it is supposed to hide an application’s safety mechanisms.

However, the Office Software Protection Platform did not keep us from intercepting the 32-bit version of Microsoft Office, so we decided to investigate further.

The .pdata Section

How does the 64-bit operating system do a stack walk when an exception occurs, and how can a debugger know who called a function?

Microsoft added new metadata information  which is stored on a special section named “.pdata” in the PE file format specification. When an application is compiled, the compiler stores information related to the prolog of each function. If a function handles exceptions, the compiler also stores data about actions that must happen when the unwind operation is executed.

The operating system and the debugger use a series of RUNTIME_FUNCTION structures to retrieve a variety of information about each function, like how much stack space is reserved for each function usage, which callbacks must be called in an unwind operation, and where assembly registers are stored.

If you want to do your own stack walking, you can start from the current program counter (the RIP register in x64) and look for the RUNTIME_FUNCTION that belongs to it. Then process the UNWIND_INFO items to determine stack usage, and lastly, retrieve the location of the return address of the parent function.

Fortunately, there are some new APIs which makes the job easier. They are RtlLookupFunctionEntry and RtlVirtualUnwind. A stack walking code sample:

VOID StackTrace64(VOID)
{
    CONTEXT Context;
    KNONVOLATILE_CONTEXT_POINTERS NvContext;
    UNWIND_HISTORY_TABLE UnwindHistoryTable;
    PRUNTIME_FUNCTION RuntimeFunction;
    PVOID HandlerData;
    ULONG64 EstablisherFrame, ImageBase;

    DbgPrint("StackTrace64: Executing stack trace...\n");
    // First, we'll get the caller's context.
    RtlCaptureContext(&Context);
    // Initialize the (optional) unwind history table.
    RtlZeroMemory(&UnwindHistoryTable, sizeof(UNWIND_HISTORY_TABLE));
    UnwindHistoryTable.Unwind = TRUE;
    // This unwind loop intentionally skips the first call frame, as it shall
    // correspond to the call to StackTrace64, which we aren't interested in.
    for (ULONG Frame = 0; ; Frame++)
    {
        // Try to look up unwind metadata for the current function.
        RuntimeFunction = RtlLookupFunctionEntry(Context.Rip, &ImageBase,
                                                 &UnwindHistoryTable);
        RtlZeroMemory(&NvContext, sizeof(KNONVOLATILE_CONTEXT_POINTERS));
        if (!RuntimeFunction)
        {
            // If we don't have a RUNTIME_FUNCTION, then we've encountered
            // a leaf function.  Adjust the stack approprately.
            Context.Rip  = (ULONG64)(*(PULONG64)Context.Rsp);
            Context.Rsp += 8;
        }
        else
        {
            // Otherwise, we call upon RtlVirtualUnwind to execute the unwind
            // for us.
            RtlVirtualUnwind(UNW_FLAG_NHANDLER, ImageBase, Context.Rip,
                             RuntimeFunction, &Context, &HandlerData,
                             &EstablisherFrame, &NvContext);

        }
        // If we reach an RIP of zero, this means that we've walked off the
        // end of the call stack and are done.

        if (!Context.Rip)
            break;
        // Display the context
        DbgPrint("FRAME %02x: Rip=%p Rsp=%p Rbp=%p\n", Frame, Context.Rip,
                 Context.Rsp, Context.Rsp);
    }
    return;
}

Source: Programming against the x64 exception handling support, part 7

Because the .pdata section is created when the application is compiled, if the program generates dynamic code, like the .NET JIT profiler does, it should also create the corresponding RUNTIME_FUNCTION metadata and inform the operating system of the new dynamic code.

The RtlInstallFunctionTableCallback API adds an entry in an internal processes table maintained by NtDll.dll that helps RtlLookupFunctionEntry and RtlVirtualUnwind find information on how to walk the stack when your dynamically generated code is in the middle of the function calls chain.

Microsoft Office Installer and Applications

So what explains the silent exit of an Office application like Word?

At first we thought that some kind of intentional data corruption was happening in the internal table. It seemed like some kind of anti-debugging technique to keep reverse engineers from seeing the product activation mechanism.

After some trial and error we noticed that RtlInstallFunctionTableCallback was installing a callback to a suspicious routine. Surprisingly, that routine calls TerminateProcess API! When our stack walker function wanted to know the chain of calls, RtlLookupFunctionEntry indirectly called that routine and the program terminated silently.

Could the guys at Microsoft have decided to use this strange method to protect their code? The annoying callback function was added and removed frequently during many operations.

The solution was to add a simple hook to the RtlInstallFunctionTableCallback API to keep it from being added. Now the issue is resolved and the fixed versions of Deviare “Hooking for the Masses” and SpyStudio will be available soon.

Acknowledgements

The support of our Outlook plugin development team, custom development software programmers and data loss prevention development was essential for this article. Thank you!

If you liked this article, you might also like: