The Deviare Interception Engine includes a feature that allows developers to attach plugins to hooks. When a hooked API is called, the engine invokes the OnFunctionCalled method of every attached plugin, allowing the plugin to read and write the call's parameters and to pass custom parameters to the INktSpyMgr object. Since the method runs in the context of the hooked application, the plugin has local access to all of that process's data.
We use COM as the bridge between the plugin code and the internal engine so that plugins can be written in C/C++ or any .NET language. To use COM, the programmer must either register the DeviareCOM libraries with RegSvr32 or use registration-free COM.
The second method is preferable because it avoids registering components on the computer, which would require elevated privileges. However, in order to enable RegFree COM you would need access to the hooked executable's manifest file, which is usually embedded in the application, and modify it, which may infringe copyright and have undesirable side effects. In addition, you cannot attach a manifest file to Deviare's agent module: it will simply be ignored, because the OS loader only parses executable manifests, and only at startup.
When a hooked API is called, an INktHookCallInfoPlugin object is created and passed to the plugins to give them the context of the API call. But how did we solve the management of COM objects without registering COM classes or using a manifest file? This is where the Activation Context API comes in.
The Activation Context API lets us create, activate and manage activation contexts in the same way the Windows loader does. First we embed our manifest file as a resource inside DvAgent.dll. Once the agent is attached to the hooked process, it creates an activation context from the data of that embedded resource.
When a hooked API is called, we must:
- Activate our custom context.
- Create the INktHookCallInfoPlugin object.
- Call the plugins' callbacks (letting them create and manage any DeviareCOM objects they want).
- Deactivate the custom context and continue execution.
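The sequence above, written out as an added example in C# with P/Invoke so the underlying Win32 calls are visible (Deviare's agent itself is native, and this is not the project's code). It assumes the manifest is embedded as an RT_MANIFEST resource with ID 2 in the agent module, and the plugin interface, call-info factory and class names (ActivationContextScope, IHookPlugin, HookDispatcher) are hypothetical stand-ins for INktHookCallInfoPlugin/OnFunctionCalled:

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example, not Deviare's own code. Resource ID 2 and the class/interface names below
// are assumptions chosen for illustration.
internal static class NativeMethods
{
    public const uint ACTCTX_FLAG_RESOURCE_NAME_VALID = 0x008;
    public const uint ACTCTX_FLAG_HMODULE_VALID = 0x080;
    public static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct ACTCTX
    {
        public int cbSize;
        public uint dwFlags;
        public string lpSource;              // unused: hModule identifies the PE image instead
        public ushort wProcessorArchitecture;
        public ushort wLangId;
        public string lpAssemblyDirectory;
        public IntPtr lpResourceName;        // MAKEINTRESOURCE(id) of the RT_MANIFEST resource
        public string lpApplicationName;
        public IntPtr hModule;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateActCtx(ref ACTCTX pActCtx);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool ActivateActCtx(IntPtr hActCtx, out IntPtr lpCookie);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool DeactivateActCtx(uint dwFlags, IntPtr ulCookie);

    [DllImport("kernel32.dll")]
    public static extern void ReleaseActCtx(IntPtr hActCtx);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);
}

// Step done once, when the agent is loaded: build the context from the embedded manifest.
public static class AgentActCtx
{
    public static IntPtr CreateFromEmbeddedManifest(string agentModuleName, int manifestResourceId)
    {
        var ctx = new NativeMethods.ACTCTX
        {
            cbSize = Marshal.SizeOf(typeof(NativeMethods.ACTCTX)),
            dwFlags = NativeMethods.ACTCTX_FLAG_HMODULE_VALID | NativeMethods.ACTCTX_FLAG_RESOURCE_NAME_VALID,
            hModule = NativeMethods.GetModuleHandle(agentModuleName),
            lpResourceName = new IntPtr(manifestResourceId),
        };
        if (ctx.hModule == IntPtr.Zero) throw new Win32Exception();
        IntPtr hActCtx = NativeMethods.CreateActCtx(ref ctx);
        if (hActCtx == NativeMethods.INVALID_HANDLE_VALUE) throw new Win32Exception();
        return hActCtx;   // pair with NativeMethods.ReleaseActCtx when the agent unloads
    }
}

// Steps 1 and 4: activate on entry, deactivate on the same thread when the scope ends.
public sealed class ActivationContextScope : IDisposable
{
    private readonly IntPtr _cookie;
    private bool _disposed;

    public ActivationContextScope(IntPtr hActCtx)
    {
        if (!NativeMethods.ActivateActCtx(hActCtx, out _cookie)) throw new Win32Exception();
    }

    public void Dispose()
    {
        if (_disposed) return;
        _disposed = true;
        // dwFlags = 0 requires our context to be at the top of the thread's activation stack;
        // a plugin that left its own context active would make this call fail.
        if (!NativeMethods.DeactivateActCtx(0, _cookie)) throw new Win32Exception();
    }
}

public interface IHookPlugin { void OnFunctionCalled(object callInfo); }

public static class HookDispatcher
{
    // Steps 2 and 3: while the context is active, COM activations resolve the DeviareCOM
    // classes through the manifest instead of HKEY_CLASSES_ROOT.
    public static void Dispatch(IntPtr hActCtx, IHookPlugin[] plugins, Func<object> createCallInfo)
    {
        using (new ActivationContextScope(hActCtx))
        {
            object callInfo = createCallInfo();   // e.g. the INktHookCallInfoPlugin instance
            foreach (IHookPlugin plugin in plugins)
            {
                try { plugin.OnFunctionCalled(callInfo); }
                catch (Exception) { /* log and continue: a plugin fault must not unwind into the hooked app */ }
            }
        }   // context deactivated here; the original API call then proceeds
    }
}
```

The scope object makes the activate/deactivate pairing hard to get wrong: because plugin code runs inside the hooked process, an unbalanced activation or an unhandled plugin exception would affect that process, not just the agent, which is why the dispatcher deactivates in Dispose and isolates each callback.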
Our benchmarks show that the performance penalty of activating and deactivating contexts is minimal. If you need additional help using registration-free COM, please do not hesitate to ask in our forum.