Improving Deviare Hooking Performance with Custom Hooks

More Binary Instrumentation Alternatives

Deviare now has custom hooks to improve hooking performance. With custom hooks, two “OnFunctionCall” events are triggered: one in the SpyMgr process, and the other within the agent. The custom hook can send data, or custom parameters. to the SpyMgr process. The custom Deviare modules running in the agent have access to all process data, including file and registry handles. Since custom hooks access local process data, it is now possible to get the full key path of a registry HKEY value and transmit the resulting string as a custom parameter instead of doing a “DuplicateHandle” call in the SpyMgr process. You can also combine asynchronous hooking with custom hooks to keep the “OnFunctionCall” event in SpyMgr from blocking the flow of the application.

The Deviare Hooking Engine aims to simplify the “hooking experience” for people who are outside the Windows internals, x86/x64 Assembly, and reverse engineering fields, there is usually a penalty when you want to abstract something complex like API function hooking in a developer friendly COM component like Deviare. Our custom hooks are designed to meet different needs.

Another interesting advantage of using custom hooks is that you can mix different programming languages. For example, you can add a custom hook in C++ but notify the SpyMgr in C#, or vice versa.

The sample code below monitors and intercepts file mappings via the function MapViewOfFile on notepad.exe 32 and 64 bit. The custom hook analyzes the buffer in search of a specific string posing as malware. The read is cancelled if that string is found in the buffer. The sample code has two modes to illustrate the difference between only using SpyMgr, and relying on custom hooks: the displayed combo switches from one mode to the other. Custom hooks are also essential for video and audio processing. If you are interested in bootstrapping a project that requires audio hooking, do not hesitate to look at our Audio Recorder API. It will save you a lot of time and money. This code also hooks both 32 and 64 bit process from the same (“Any CPU”) assembly.

Code

The code is available on github.

Prerequisites

1. Install the latest Deviare version
2. Register 32 and 64 bit COM DLLs (although registration-free COM can be used in custom hooks too)
3. Download the source code
4. Copy Nektra.Deviare2.dll to the Lib directory inside the project
5. Build the Debug configuration
6. Run Notepad
7. Run the hooking console

1. Windows driver development
2. Reverse Engineering Services
3. Custom Software Development Company
4. Data Loss Prevention Solution Development