Cookiepie for Firefox 3 released

2008 June 19th | By swain | Comments (3) | Permalink

Under: extensions - firefox - releases

This week Mozilla launched Firefox 3 officially. It was covered in a couple of sites like:

We have released a new version of the Cookiepie Firefox extension, available for download. We have a number of features and a long wish list from users that we hope to introduce in the coming months. We are also designing some T-shirts for our Cookiepie fans! More updates will be announced on the Cookiepie mailing list.

GoogleToolbar PageRank requests

2008 June 17th | By pipaman | Comments (0) | Permalink

Under: examples - products - programming - security

Using our API hooker SpyStudio, I wrote a script to intercept HTTP requests made through the wininet.dll API by a specific module of a process. The script keeps the request information (server and url) to display in subsequent calls, and lets you filter requests to a specific server. Its name is httpReport.py and it can be found in the SpyStudio v1.0.1 distribution.

On each call to a wininet.dll function, httpReport walks the stack to see which module called the hooked function, and filters out all modules except the specified ones. This feature, together with server name filtering, allows fine-grained interception.

To use the script, keep only one instance of iexplore.exe running (the script will only hook the first instance if there is more than one) and type these lines in the SpyStudio Python console:

import httpReport
httpReport.startIe('toolbarqueries', ['googletoolbar2.dll'])

The script will display queries made to any server whose name contains the string ‘toolbarqueries’ and that come from the module ‘googletoolbar2.dll’.

For example, if the TechCrunch page is entered in the address bar, we get a wininet.dll!InternetConnectA call to the ‘toolbarqueries.google.co.uk’ server and then a GET request to this url:

/search?client=navclient-auto&googleip=O;64.233.169.147;266&iqrn=ZjbD&orig=0PnmJ&ie=UTF-8&oe=UTF-8&features=Rank:&q=info:http%3a%2f%2fwww%2etechcrunch%2ecom%2f&ch=751153802320

Some parameters need more research to be understood, but there are others we can say something about:

googleip: indicates Google server used for the query

ie: iexplore encoding?

oe: maybe Outlook Express encoding?, only a bad guess

features: what we are asking to the server (here ‘Rank’)

q: encoded url (http%3a%2f%2fwww%2etechcrunch%2ecom%2f = http://www.techcrunch.com/)

ch: it looks like a function of the url, meant to prevent other clients from making the same requests

Then, wininet.dll!InternetReadFile returns the http response:

‘Rank_1:1:8\n’

which indicates that the page being visited has PageRank 8.

This process is repeated for every page you visit, so Google can collect all the pages browsed by all the users of GoogleToolbar. That’s why it may be considered spyware.
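As an added illustration (not part of httpReport.py or SpyStudio), the following Python script audits captured (server, path) pairs like the one above and lists the browsed URL that each PageRank request discloses. The function names, the sample list and the reading of the last response field as the rank are assumptions based only on the request and response shown in this post.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: (server, request path) pairs as a wininet hook or proxy log would record them.
SAMPLE_REQUESTS = [
    ("www.techcrunch.com", "/"),
    ("toolbarqueries.google.co.uk",
     "/search?client=navclient-auto&googleip=O;64.233.169.147;266&iqrn=ZjbD"
     "&orig=0PnmJ&ie=UTF-8&oe=UTF-8&features=Rank:"
     "&q=info:http%3a%2f%2fwww%2etechcrunch%2ecom%2f&ch=751153802320"),
    ("toolbarqueries.google.co.uk", "/search?client=navclient-auto&features=Rank:"),
]

def parse_query(path):
    """Split the query on '&' only, because the googleip value contains ';'."""
    params = {}
    for pair in urlsplit(path).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = unquote(value)
    return params

def disclosed_url(server, path, server_filter="toolbarqueries"):
    """Return the browsed URL a PageRank request discloses, or None."""
    if server_filter not in server.lower():
        return None
    params = parse_query(path)
    q = params.get("q", "")
    if not params.get("features", "").startswith("Rank") or not q.startswith("info:"):
        return None
    return q[len("info:"):]

def parse_rank(body):
    """Parse a response such as 'Rank_1:1:8'; assumes the last field is the rank."""
    text = body.strip()
    if not text.startswith("Rank_"):
        return None
    last = text.rsplit(":", 1)[-1]
    return int(last) if last.isdigit() else None

def report(requests):
    """List every browsed URL disclosed by the captured requests."""
    return [u for u in (disclosed_url(s, p) for s, p in requests) if u]

if __name__ == "__main__":
    print(report(SAMPLE_REQUESTS))
    print(parse_rank("Rank_1:1:8\n"))
```
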

SpyStudio 1.0.0b released!

2008 February 27th | By Fede | Comments (1) | Permalink

Under: products - releases

Introduction to SpyStudio:

SpyStudio is a powerful application that simplifies code execution interception, also called “hooking”. Users can now easily monitor and gain control over processes in their systems, to really know what is happening in the operating system and its applications.

With SpyStudio you can monitor and intercept API calls at any time, change their parameters, and resume execution.

SpyStudio uses the Deviare API technology to intercept function calls; this allows the user to monitor and hook applications in real time.
Deviare is a very complex technology that can be used through the simplest interfaces.

This useful application provides the ability to break process execution and inspect the function’s parameters at any level, and even change their values.

Here is a screenshot of the main window of SpyStudio v1.0.0b, with the new Python console:

SpyStudio v1.0.0b Main Window

Latest improvements on the 1.0.0b version:

  • New Python tabbed console lets you handle hooks!
  • Python scripts can be loaded from files.
  • An initial Python script can be executed on every tab opened.
  • New Deviare Database Editor lets you expand the modules and functions database!
  • Breakpoint params browser: The return value and the error code are now editable.
  • Now SpyStudio can run with SeDebugPrivilege enabled or disabled.
  • Processes monitoring options are now combinable.
  • Select all (Ctrl + A) and Copy (Ctrl + C) options are now available for the output window.
  • ‘Filters’ concept changed to ‘Actions’.
  • Database expanded: wininet.dll added and winternl.h functions of ntdll.dll added.
  • Fixed: Changing a parameter in the params browser made SpyStudio crash.
  • Fixed: Trying to hook a function that was not in the database made SpyStudio crash when closing.
  • Fixed: Changing the ‘Default hook mode’ option was not reflected on the output.

We are glad about how SpyStudio is evolving and we expect users’ reports, comments and suggestions to keep it growing!

Cookiepie 1.0.0: Open many Gmail, Yahoo, Hotmail accounts on Firefox

2007 December 5th | By swain | Comments (0) | Permalink

Under: extensions - firefox - opensource - products - releases - videos

Cookiepie is one of the favorite Firefox extensions for web developers and users of webmail services like Google Gmail, Yahoo and Hotmail.

Web developers use Cookiepie to test their sites. In the past, if a site (e.g. home banking, community site) required extensive testing simulating many different users, the developer needed to open different browsers. Currently all browsers, including Firefox, have just one place to store cookies.

Some users of webmail services have more than one web account to log into. People use each web account for different purposes, but they can’t log in to the same site at the same time in the same browser.

The Cookiepie Firefox Extension is a solution to this problem, as it allows users to log into different webmail accounts on separate tabs. Try it with two or more of your Gmail, Yahoo or Hotmail accounts.

This new release fixes problems experienced in Gmail 2.0, and supports many complex sites like the new Yahoo mail. Even webmail embedded chat is working now!

We have made a short video so you can see it in action:

Cookiepie is Free Open Source Software under the GPLv2 license. You can install it now from the Nektra Cookiepie site. Please, if you have comments, leave them in our group here. We would particularly like to hear about your experience with other sites, such as Facebook. We are making a list of supported websites.

Deviare hook component released

2007 July 31st | By swain | Comments (0) | Permalink

Under: examples - products - releases

We have released the first version of Deviare. A free trial is available for download. Deviare is a component for ‘easy hooking’ of Windows DLLs. Now you don’t need to be an expert to intercept operating system functions, because you use a COM object that abstracts away many of the complexities. To show its power, look at the following code snippet in C# (.NET):

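// _mgr (the Deviare manager object) and hook are assumed to be member fields declared elsewhere.
// Locate the exported function send in ws2_32.dll inside the msnmsgr.exe process.
DeviareTools.IProcesses procs = _mgr.get_Processes(0);
DeviareTools.IProcess proc = procs.get_Item("msnmsgr.exe");
DeviareTools.IPEModuleInfo mod = proc.Modules.get_ModuleByName("ws2_32.dll");
DeviareTools.IExportedFunction fnc = mod.Functions.get_ItemByName("send");
// Create the hook and attach it to the process.
hook = _mgr.CreateHook(fnc);
hook.Attach(proc);
// Ask for our handler to be called before the original function runs.
hook.OnFunctionCalled += new Deviare.DHookEvents_OnFunctionCalledEventHandler(hook_OnFunctionCalled);
hook.Properties = (int)DeviareCommonLib.HookFlags._call_before;
hook.Hook();

// Handler invoked on every intercepted call to send.
void hook_OnFunctionCalled(DeviareTools.Process proc, DeviareParams.ICallInfo callInfo, Deviare.IRemoteCall rCall)
{
    DeviareParams.IParams pms = callInfo.Params;
    DeviareParams.IEnumParams enm = pms.Enumerator;
    // Skip the first parameter (the socket) and take the second one (the buffer).
    DeviareParams.IParam pm = enm.First;
    pm = enm.Next;
    object[] args = new object[1];
    string msg = "Transmition -> ";
    msg += pm.Value;
    msg += "\r\n";
    args[0] = msg;
    // Marshal the text to the UI thread that owns txtOutput.
    txtOutput.Invoke(new AppendHandler(Append), args);
}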

With this simple code you hook the send function in the WinSock DLL for the Messenger process, and our own function hook_OnFunctionCalled is called before the ‘real send’. The code can be written in any COM-friendly programming language, such as C++, C#, VB, Java, Python, Perl, Ruby and many others. API hook examples are available in C++, C#, VB. Many applications can now be built on Deviare technology, like Spy Studio, a tool to monitor the Windows API that is available for free.

Next moves: Spy Studio, Deviare, OEAPI for Vista, NKT WAB LGPL

2007 May 16th | By swain | Comments (0) | Permalink

Under: opinion - products

As you may already know, Nektra’s core skills and knowledge can be briefly summarized as system internals & problem solving, innovation and creativity. We have been working hard to introduce new products to the market, and it’s very stimulating to receive “Wows!” from people who can appreciate the complex stuff we have made.

Our next play is Spy Studio, Deviare, OEAPI for Vista & NKTWAB license change to LGPL:

Spy Studio is a new tool for hooking Microsoft Windows applications. It has an intuitive interface, and you don’t need to be an expert in assembler or reverse engineering to insert hooks into different APIs or DLLs. It has many interesting applications, like seeing what your software is doing internally, and from the business perspective it’s very useful for monitoring, isolating process access to some API or DLL, debugging, litigation & software forensics, support, software engineering black-box testing, etc. You can download it now from here. We would be very glad to receive your comments in our forums.

Deviare is the component for building your own applications, and the framework used to develop Spy Studio. You can build your own hooking application with it and extend Spy Studio’s possibilities to your own requirements, for example your own API monitors, administration tools, themes/skins/GUI (e.g. scrollbar issues), posture agents, intrusion detection at the application level, etc.

OEAPI has been growing and now supports Vista’s Windows Mail in addition to Outlook Express. We are currently at version 3.1.2, and 3.2.0 will be released very soon. OEAPI has really improved in demos, documentation, performance and capabilities. There is an updated list in the What’s new section.

NKT WAB is now LGPL, and it shows how to implement features not available or documented in the Microsoft Windows API. This component is useful for accessing the WAB (Windows Address Book) and creating groups & folders, and it now supports Vista’s contacts too.

There is new stuff coming, but the most important thing is that our customers continue expressing their Wows!

CookiePie an innovative Firefox extension released

2006 February 22nd | By swain | Comments (27) | Permalink

Under: extensions - firefox - products - releases

Sebastian Wain from Nektra submitted the CookiePie extension to the Firefox Extend Contest with great expectations of being one of the finalists, since it is an innovative piece of software and pushes beyond the standard capabilities of Firefox. Although it did not become a finalist, he waited for the announcements before releasing it publicly, and had not published it on the Internet until now. Mauro Asprea from Nektra has been contributing to improving the user experience.

  • What is CookiePie?
    • CookiePie is a Firefox extension that lets you maintain separate cookie storage in different tabs and windows.
  • How can I obtain and use it?
    • Download it from: CookiePie Extension
    • Use the tab context menu to enable CookiePie
    • For example: Toggle CookiePie in three tabs, and log in to a different GMail account in each.
  • Where did the idea come from?
    • We needed it internally at Nektra, and finally decided to publish it for the community.
  • What does CookiePie mean for the end user?
    • It means that you can, for example, open multiple GMail/Yahoo Mail/Hotmail accounts in different tabs and windows simultaneously.
  • What does CookiePie mean for web developers?
    • Developers working on web software supporting multiple users or profiles can use CookiePie to simultaneously test their software with each user without needing to open a different browser.
  • How was CookiePie made?
    • A first look at the Firefox extension capabilities made us think this extension was almost impossible to build. One of the limitations was the disconnect between HTTP transactions and the UI, which makes it difficult to correlate a UI element to a specific HTTP request/response, even more so when AJAX/XmlHttpRequest (e.g. GMail) is involved.
    • The work mainly involved short-term research and pushing Firefox’s capabilities to the extreme, without knowing anything about Mozilla extensions at the start of development.
  • What are the current known limitations?
    • Gecko 1.8.1 has some implementation errors: Firefox stores cookies even though our HTTP observer changes the response header. This means the common cookies are changed in the Firefox extensions for every transaction on each tab. More information at: Mozilla Bugzilla
    • Reordering tabs breaks tabs with an open GMail account.
    • After we finished this extension, GMail added an alert; we hope to fix this so that GMail doesn’t know about another connection on another tab or window.
    • Users may experience problems with other Firefox extensions (for example Tab Mix Plus).
  • What are the features we would like to have in the future?
    • Listen to users’ feedback.
    • Complete Cookie commitment to standards/security
    • Compatibility with other extensions.
    • Add configuration options
    • Enable CookiePie by default
    • Cookies inheritance checkbox: If a user opens a new tab/window from a CookiePie tab, the newly opened tab can inherit the cookie container.
    • Cookie pipeline handling: Have a configuration like the Firefox option to choose which cookies need to be individualized and which cookies need to be used from the Firefox container.
    • Persist/Save/Load Tab Cookies
    • Code: better & cleaner.
    • Testing: Test & Fix in complex scenarios.
  • What do we suggest for future versions of Firefox?
    • We suggest having this capability embedded natively in Firefox and not as a third-party add-in. We know this will involve changing relations between objects in Firefox, but it’s an obvious step in the browser war.
  • What platforms are supported?
    • Currently it runs fine on Windows and Linux. We need to check why Mac is not supported, because this software is standard JS code, not platform dependent.

OEAPI v2.3

2006 January 18th | By swain | Comments (0) | Permalink

Under: products - releases

New release of Outlook Express API

We are proud to announce our new release of Nektra’s Outlook Express API.

OEAPI is the first and unique Outlook Express API with all the functionality for adding your own toolbars and buttons, completely managing message storage and message selection, and receiving events. While a few other companies offer a solution for adding toolbars and a small set of operations on messages, we give a full API for professional software development.

OEAPI goes beyond the standard IStoreFolder and IStoreNamespace interfaces and enables you to develop add-ins for Outlook Express such as antispam, antiphishing, antivirus, or integration of your company software with the email software built into Windows.

Resources for the developer:

  • OEAPI trials here
  • Detailed description of interfaces provided are in the OEAPI documentation
  • Community OEAPI Group
  • IStoreFolder and IStoreNamespace sample with source code in this zipped file.