A comparison of Deviare and EasyHook

2008 December 16th | By Pablo Yabo | Comments (3)

Under: Deviare - opinion - products

We are comparing our hooking engine Deviare with some of the other products available, so that you can get an idea of what each engine can provide.
Here is a comparison of Deviare against EasyHook.

| Functionality | Deviare | EasyHook |
|---|---|---|
| Database with Functions and Data Types | Yes | No |
| Intercept multiple functions with a single handler | Yes | No |
| Selective Handler for each Function | Yes | Yes |
| Relocation of Relative ASM Instructions (RIP) | Yes | No |
| Save & access Call Function Context | Yes | No |
| Access registers & flags | Yes | No |
| Access return address | Yes | Yes |
| Get/Set win32 last error | Yes | Yes |
| Monitor COM Objects creations | Yes | Partially |
| Hook COM Objects | Yes | No |
| Provides COM Interfaces accessible from any language | Yes | No |
| Enumerate process’ modules | Yes | Yes |
| Enumerate module’s exported functions | Yes | No |
| Get module path and info | Yes | Yes |
| Automated call of original function | Yes | No |
| Thread Deadlock Block | Yes | Yes |
| 64 bits support | No | Yes |
| Thread Safe Hook Install | Yes | No |
| Native Support | Yes | Partially |
| Inter-Process Communication | Yes | Partially |
| Custom Library Injection | Yes | Yes |
| Stealth Support | No | Yes |
| Kernel Mode Hook | No | Yes |
| Driver Installation | No | Yes |
| Relocation of Instruction Pointer | Yes | No |
| Requires .Net Framework | No | Yes |
| Use System Runtimes (CRT) | Yes | No |
| Hook Terminal Sessions | No | Yes |
| Full unload before target termination | Yes | No |
| Execute As Service | No | Yes |
| Prevent execution inside OS Loader | No | Yes |
| Thread selection filter | No | Yes |
| StackTrace | Yes | Yes |
| User-mode Wide Hook | Yes | No |

Monitoring Outlook COM Objects with Deviare

2008 December 1st | By Pablo Yabo | Comments (0)

Under: .NET - C# - C++ - Deviare - Microsoft - Office 2003 - Office 2007 - Office 2010 - Outlook 2003 - Outlook 2007 - Outlook 2010 - programming - reverse engineer - services

We all remember when OLE Automation came out. We were all impressed by how simple it was to implement a few COM interfaces, place a toolbar and interact with the Office package. Soon the competition began to show who could create the best and most creative add-on. How many times did you wonder how those other plug-ins “did that”? What if now you could even know how Outlook, or any Office application, operates? Well, my friend, take a closer look…

This Deviare example is implemented as an Outlook add-on. We have used C# .NET, but you can use any language that supports the Component Object Model.

We are using two threads to avoid freezing the application. The first one is the standard thread on which Outlook reports its events to us. The second is our worker thread, where we create an output window to print our messages and a Deviare Event Proxy to process function calls.

[Screenshot 1]

Of the events Outlook provides us to work with, we are only interested in OnStartupComplete. Here we know that Outlook is done with all its initialization and we can start hooking its interfaces. As a regular plug-in would, we ask for the Outlook Application, Active Explorer and CommandBars, and create a CommandBarButton. We are going to intercept all of them and see how their members are used.

[Screenshot 2]

Notice that to obtain the interface we don’t use the class implementation, but the underlying interface definition. That’s why, when calling HookInterface, we pass the Type of Outlook._Application and not Outlook.Application. The second one is the .NET wrapper, and the first one is the OLE interface.

To intercept these objects, Deviare needs some information. The necessary elements are the COM object interface (that is, its virtual table), which members we are interested in (specified by index), and the name of the interface. Identifying the interface by name lets Deviare find all the information it needs during the call, so you can handle its parameters the same way we did with any function hook. To gather all this, the .NET Framework provides us with marshaling facilities (System.Runtime.InteropServices.Marshal), which makes our lives pretty easy ;).

[Screenshot 3]
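As an added illustration (not the post's screenshots or Nektra's code), here is how the three things Deviare asks for can be gathered from inside OnStartupComplete using only System.Runtime.InteropServices.Marshal. The Outlook types are the real Microsoft.Office.Interop.Outlook ones; the `hookInterface` delegate is an assumed stand-in for Deviare's HookInterface call, whose exact signature the post does not show, and it is an assumption that Deviare's database knows the interface under its interop type name.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using Outlook = Microsoft.Office.Interop.Outlook;

// Added example, not Nektra's code. Only the final delegate call stands in
// for Deviare; everything else is standard .NET COM interop.
public sealed class OutlookInterfaceHooker
{
    // What the post says Deviare needs: vtable, member indices, interface name.
    public sealed class InterfaceInfo
    {
        public IntPtr VTable;
        public int[] MemberIndices;
        public string Name;
    }

    // 'iface' must be the OLE interface (e.g. Outlook._Application), not the .NET
    // wrapper class (Outlook.Application). 'members' are names as they appear on
    // the interop interface (property getters are "get_X").
    public static InterfaceInfo Describe(object comObject, Type iface, params string[] members)
    {
        if (!iface.IsInterface)
            throw new ArgumentException("expected an interface type", "iface");
        // Interface pointer; the first machine word it points to is the vtable.
        IntPtr pIface = Marshal.GetComInterfaceForObject(comObject, iface);
        IntPtr vtable;
        try { vtable = Marshal.ReadIntPtr(pIface); }
        finally { Marshal.Release(pIface); } // balance the AddRef; the RCW keeps the object alive

        var indices = new int[members.Length];
        for (int i = 0; i < members.Length; i++)
        {
            MethodInfo m = iface.GetMethod(members[i]);
            if (m == null)
                throw new ArgumentException("no member '" + members[i] + "' on " + iface.Name);
            indices[i] = Marshal.GetComSlotForMethodInfo(m); // vtable slot after IUnknown/IDispatch
        }
        // Assumption: Deviare's database knows the interface by its interop type name.
        return new InterfaceInfo { VTable = vtable, MemberIndices = indices, Name = iface.Name };
    }

    // Call from OnStartupComplete. 'hookInterface' is an assumed stand-in for
    // Deviare's HookInterface call, whose exact signature the post does not show.
    public static void HookOutlook(Outlook.Application app, Action<InterfaceInfo> hookInterface)
    {
        hookInterface(Describe(app, typeof(Outlook._Application), "ActiveExplorer", "get_Session"));
        Outlook.Explorer explorer = app.ActiveExplorer();
        hookInterface(Describe(explorer, typeof(Outlook._Explorer), "get_CurrentFolder"));
    }
}
```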

And that’s all. We print our calls, and see our results:

[Screenshot 4]

Cheers, and happy coding!