Deviare API Interception v1.0.1 Released

2010 August 24th | By Pablo Yabo | Comments (0) | Permalink

Under: C# - C++ - Deviare - application virtualization - reverse engineer - services

A new version of Nektra Deviare API Hook is now released. This version contains lots of fixes for bugs that I found over the last year while working with the library on application virtualization solutions and reverse engineering.

I found stability issues that produced deadlocks, and stack traces were not working as specified; both are fixed, and this version also brings important performance improvements. There are more functions in the database, and two data types that were not working at all, arrays and enumerations, are now handled.

New C# hooking console

Highlights

  • Process / Module / Function panels
  • Functions that are included in the database are displayed with full parameter information.
  • Execution hooks (aka: ‘Add Exec Hook’) allow the user to add hooks when an application starts. It’s useful to debug an application that crashes at startup.
  • Parameter information can be displayed before and after the function is called.
  • Full Stack trace information.
  • Function calls can be displayed grouped by thread.
  • CLSID and IID are displayed in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} format and with registration information:

  • Structure parameters are expanded to show all their fields. This picture shows a call to Kernel32.FindFirstFileW with the _WIN32_FIND_DATAW parameter expanded.
  • Lots of Windows messages are supported. The LPARAM and WPARAM parameters of the user32.dll functions DispatchMessage, PostMessage, SendMessage, PeekMessage and GetMessage are interpreted as the real data types they carry. Here an LVM_INSERTCOLUMNW (the ListView_InsertColumnW macro in C++) is sent and lParam is displayed as a tagLVCOLUMNW*:

    In file $INSTDIR\Bin\Database\FunctionTypes.xml you can find all the definitions. They are of the style:
    <message value="442">
      <name>TB_SETBUTTONINFOA</name>
      <return value="">
        <returninfo>returns LRESULT in lResult</returninfo>
      </return>
      <wparam value="INT">
        <wname>iID</wname>
      </wparam>
      <lparam value="LPTBBUTTONINFO">
        <lname>
        </lname>
      </lparam>
    </message>

    This definition means that message 0x442 is TB_SETBUTTONINFOA: its WPARAM is an INT and its LPARAM is an LPTBBUTTONINFO. The code to cast one parameter to another type is very easy using Deviare:
    pm = pm.CastTo("LPTBBUTTONINFO");   // reinterpret the raw LPARAM as the type named in the XML
    if(pm == null)
    {
        // data type is not in the database
    }

    Adding other message definitions to that XML changes how the C# message-handling functions interpret the parameters. The same method can be used for any other function that has a variable-typed parameter, such as DeviceIoControl.

COM Interception

Now Deviare COM Spy is part of the Deviare package, so you can get it by downloading Deviare. I’m not very happy with the application and I would like to make big changes in this area.

Deviare Services

Deviare is a very specific tool and it can take a special effort to get acquainted with its mechanism. We have a team of professionals that can help, so just ask.

  • Examples of interception code
  • Parameter retrieve and change
  • Ad-hoc interception techniques for complex problems
  • COM Interception (with or without the interface)
  • Interception of undocumented API
  • 64 bits interception
  • Debug server with interception techniques
  • Server monitoring
  • Server performance boost

More information in Deviare Services

Download

Request the package in Deviare download section.

Nektra has released the new WLMailApi v1.0.2

2010 July 2nd | By Leo Pasut | Comments (0) | Permalink

Under: .NET - C# - C++ - Java - PHP - WLMailApi - Windows Live - langs - programming - security - services

Nektra has released the new WLMailApi v1.0.2, which adds many more features and functions and allows developers to create custom Windows Live Mail plug-ins.

Nektra Advanced Computing is glad to announce the release of the new WLMailApi version 1.0.2, which you can request for download by clicking here. This new version is an update of the official WLMailApi RTM version, which was released over 6 months ago.

Creating addons or plugins for Windows Live Mail Desktop® demands a deep knowledge of its internal behavior, since it does not have any public Application Programming Interface.

Windows Live Mail is the desktop email client promoted by Microsoft for Windows XP®, Windows Vista® and Windows 7® as part of the Windows Live Essentials free software.

Contact us to ask any commercial question or use our forum for technical inquiries. For information about pricing or special demos please call 1-(310)237-6506.

The changes for this version are:

* Fixed: a memory leak when moving or deleting many messages left the wlmail.exe process running after closing it
* Fixed: WLMail crashed when an IMAP account was configured
* Fixed: getting a Toolbar object during the WLMailApiEvents::OnFolderSelectionChange event froze WLMail
* Fixed the way WLMailApiAgent hooks the WLMail.exe process, to avoid WLMailApiLoader.dll being loaded in every process
* Implemented the WLMailApiEvents::OnNewMessageInOutbox event, which allows modifying and committing outgoing messages
* Implemented IWLMailApiEvents::OnSendButtonMsgWndClicked which is triggered when a new message window is set to be sent
* Implemented MsgWnd::GetTo(), GetCc(), GetBcc(), GetSubject(), SetTo(), SetCc(), SetBcc() and SetSubject()
* Added IMailAccountManager and IMailAccount interfaces to get the Default Account
* Implemented FolderManager::GetInboxFolder(), GetDraftFolder(), GetSentFolder(), GetJunkFolder(), GetDeletedFolder() for the Default Account
* Implemented Folder::IsInbox(), IsDraft(), IsSent(), IsJunk(), IsDeleted() functions for Default Account special folders
* Implemented FolderManager::GetOutboxFolder() and Folder::IsOutbox functions
* Added Unicode support to main API functions:
  - IFolderManager::CreateFolder() and RenameFolder()
  - IFolder::GetName(), Rename(), CreateFolder() and CreateMessage()
  - IMessage::GetSubject(), GetAllBody(), GetBody(), GetBodyText(), GetBodyDisplayName(), GetFilename() and SaveAsFile()
  - IMessage: for the GetBodyProp() and SetBodyProp() functions, the message must already be encoded in Unicode

Nektra’s Windows Live Mail API interacts with all the Windows Live Mail storage folders; Windows Live Mail is part of the Microsoft Windows Live Essentials

2010 February 23rd | By Leo Pasut | Comments (0) | Permalink

Under: .NET - C# - C++ - Java - PHP - WLMailApi - Windows Live - langs - products - programming - services - videos

Nektra Advanced Computing is glad to announce that we are always working on Windows Live Mail API improvements based on your feedback. Now in our Windows Live Mail API Trial you are able to access the storage folders with read, write, delete, move, rename and clone capabilities. We are also able to append text and/or HTML code inside each cloned message. Here is a screenshot of the Message Bodies in our WLMailApi C# Demo, and below is a video showing more capabilities of our product.

Microsoft Windows Live Mail API C# Demo Message Bodies

Contact us to ask any commercial question or use our forum for technical inquiries.

Windows Live Mail Plugin API v1.0.1 Released

2010 January 7th | By Leo Pasut | Comments (2) | Permalink

Under: .NET - C# - C++ - WLMailApi - Windows Live - extensions - products - programming - releases - services

Nektra has released the new WLMailApi v1.0.1, which allows developers to create custom Windows Live Mail plug-ins.

Nektra Advanced Computing is glad to announce the release of the new WLMailApi version 1.0.1, which you can request for download by clicking here. This new version of WLMailApi has left the Beta stage and is now an official RTM version.

Creating addons or plugins for Windows Live Mail Desktop® demands a deep knowledge of its internal behavior. Its Application Programming Interface (API) is undocumented and there is no SDK available. Even the public interfaces IStoreNamespace and IStoreFolder supported in both Outlook Express® and Windows Mail® are not present in this new email client.

Windows 7® will not include Outlook Express or Windows Mail; its users will be forced to move to Windows Live Mail. Your product can be one of the first that plugs in!!!

Contact us to ask any commercial question or use our forum for technical inquiries.

This is the change log from the previous version:

* Exiting from the system tray icon’s context menu crashed WLMail
* A stack overflow was produced when many database notifications were triggered
* There was a memory leak when handling database events
* C# DLL Demo solution made WLMail freeze after the evaluation expiration message when it was executed in Debug mode
* First events could get lost at startup before the first folder/message selection change event
* WLMailApi::GetCurrentMessageID() always returned -1 at startup until message selection was changed
* WLMailApi::GetCurrentMessageID() and NktWLMailApi::GetFirstSelectedMessageID() responses were not updated after current/selected message was deleted
* The WLMailApiEvents::OnDatabaseChange NKT_TR_INSERT_MESSAGE case was not triggered when messages were inserted in the Deleted Items folder
* Message.Delete(0) did not work when the message was in the Deleted Items folder
* WLMailApiEvents::OnCurrentMessageChanged event was not triggered if the current message was changed by selecting another message using “Ctrl + Click”
* When an unread message was selected in WLMail and was automatically marked as read, two WLMailApiEvents::OnDatabaseChange events (first NKT_TR_UNREAD_MESSAGE and then NKT_TR_READ_MESSAGE) were triggered instead of just one (NKT_TR_READ_MESSAGE)
* ToolbarButton::SetName and SetTooltip did not work if they were called after the button was created
* Message::SaveAsFile() output file was corrupt if Message::GetHeader() was previously called
* Improved and corrected C++ and C# DLL Demos
* The solutions of the package now require Visual Studio 2008

The Nektra staff wishes you all a happy new year!

Best regards,

Nektra’s WLMailApi Team

Deviare Message Spy

2009 February 18th | By Pablo Yabo | Comments (2) | Permalink

Under: C# - Deviare - opensource - products - programming

Download messagespy_demo.zip – 250 KB

Download messagespy_src.zip – 249 KB

Deviare Message Spy

Introduction

This article presents you with a different perspective of how to inspect window messages, to see how applications are communicating and managing their controls. We are not going to explain what window messages are or what they are used for in this article, so we suggest that you read these excellent articles to understand them: Handling Window Messages (Part 1, Part 2, Part 3). In this article we are going to monitor the Message API from the inside by hooking the target process.

So, what’s the good news?

As a first step when developing, to inspect windows, we open the Spy++ application and start the tedious work of following messages as they are printed in their hundreds. This is helpful most of the time, as we usually want to know what our windows are seeing and receiving. Yet, what happens when we want to know exactly how an application is communicating with its controls (what calls it makes to the message API) or want to see if our messages are getting filtered by someone else? As you may know, Spy++ installs 3 global hooks to receive every Send, Post and Call to a window message handler. The information provided by these methods is not enough to know what messages are coming from our application or if any of them have been filtered by a hook installed earlier in the call chain.

Do not panic, Deviare comes to the rescue. What we are going to do is intercept all the Message APIs in the process that the window belongs to and monitor its calls. From there, we can be sure of what messages are being sent from the application to its controls, and if any of them are missing from the ones that Spy++ is reporting, then we will know that someone else is watching us…

What happens with the messages not known by Spy++? How are we going to see them? Look what happens with many of the messages used by the standard ListView in Windows. Spy++ does not know anything about them if the window is subclassed (for example ATL:SysListView32), and cannot trace their content. Try following LVM_GETNEXTITEM in Outlook Express and you will only see unknown 0x100C messages. The same goes for custom user messages that you may know and want to follow. We need an application that can be customized to our needs!

Deviare Message Spy

To prove our theory, we have built this message spying application. We have added to it a way to look up window handles, hook the process owning the window, and correctly report the messages and structures.

Finding a Window: The Spy++ Style Window Finder

To pick the target window and the process we wanted an interface like the one used in Process Explorer and Spy++. Thanks to Mark Belles this was an easy task. He has a great article on how to implement a nice Window Finder on Code Project.

Selecting a window
Selected window info

Hooking

In order to install a hook, first we need to identify our target process. After obtaining a window handle from our Window Finder, we can use GetWindowThreadProcessId to identify which process owns the window. From there we use the .Net API to access it and tell Deviare which process we wish to hook.

Win32.GetWindowThreadProcessId(hWnd, out _processId);   // P/Invoke wrapper: which process owns hWnd?
_txtProc.Text = Process.GetProcessById(_processId).MainModule.ModuleName;

For our monitoring we have divided the API into two sets: the Dispatch group, and the Send and Post group. Monitoring messages that arrive at the first group gives us a view very similar to what Spy++ sees, because these messages have reached the application and have not been filtered by any hook. With the second group, we identify direct and asynchronous calls to the Message API.

Let’s see how we install the hook for one of these functions:

procs = _mgr.get_Processes(0);        // enumerate the running processes
proc = procs.get_Item(_processId);    // pick the target by process Id
IPEModuleInfo mod = proc.Modules.get_ModuleByName("user32.dll");
IExportedFunction fnc = mod.Functions.get_ItemByName("PostMessageW");
_hook = _mgr.CreateHook(fnc);
_hook.Attach(proc);
_hook.OnFunctionCalled += new Deviare.DHookEvents_OnFunctionCalledEventHandler(_hookPst_OnFunctionCalled);
_hook.Properties = (int)DeviareCommonLib.NktHookFlags._call_before;   // notify before the call executes
_hook.Hook();

As you see, we easily pick our target process by Id and select its Module and Function by name. The module name is not important, as it is always going to be “user32.dll”. If you have doubts, you can use Spy Studio to watch the process modules and exported functions.

Once the hook gets installed, we will receive notifications on our handler. From there we parse the function parameters transparently with the interface provided. (These parameters are actually in the target process, and Deviare copies them to our process on our demand and handles all the communication).

int returnVal = callInfo.ReturnValue;
IParams pms = callInfo.Params;
IEnumParams enm = pms.Enumerator;        // parameters can be walked with the enumerator...
IParam pm = enm.First;
IParam recvMsgHndl = pms.get_Item(0);    // ...or fetched by position: HWND
IParam recvMsgParam = pms.get_Item(1);   // UINT Msg
IParam recvWParam = pms.get_Item(2);     // WPARAM
IParam recvLParam = pms.get_Item(3);     // LPARAM

After reading all the data we require from the call, we use our generated XML to identify the message, cast it to its structure, and display it.

The XML

The XML document in this application was created specifically to link together the message names, values and parameters. Since messages like WM_LBUTTONDOWN have fixed values (0x201), we can record each one in an XML file along with information on its WPARAM and LPARAM parameters.

<message value="0x201">
  <name>WM_LBUTTONDOWN</name>
  <return value="">
    <returninfo></returninfo>
    <returnmisc></returnmisc>
  </return>
  <wparam value="">
    <wname>wParam</wname>
    <wmisc>wParam indicates whether various virtual keys are down. This parameter can be one or more of the following values.
MK_CONTROL
The CTRL key is down.
MK_LBUTTON
The left mouse button is down.
MK_MBUTTON
The middle mouse button is down.
MK_RBUTTON
The right mouse button is down.
MK_SHIFT
The SHIFT key is down.
MK_XBUTTON1
Windows 2000/XP: The first X button is down.
MK_XBUTTON2
Windows 2000/XP: The second X button is down.</wmisc>
  </wparam>
  <lparam value="">
    <lname>lParam</lname>
    <lmisc>lParam
The low-order word specifies the x-coordinate of the cursor. The coordinate is relative to the upper-left corner of the client area.
The high-order word specifies the y-coordinate of the cursor. The coordinate is relative to the upper-left corner of the client area.</lmisc>
  </lparam>
  <misc></misc>
</message>

We could not find any database with this information, so we generated an XML document with the messages that we were interested in. As you can see, it is easy to add any message you want. In the process of building this XML, we used a very nice tool called ApiViewer from ActiveVB.de: just search for the message names you want and you can evaluate the message values from the names.

The Cast

Now that we can identify the structures used in messages, we need to tell Deviare. Basically we are telling it to interpret our parameter not as a simple LPARAM or WPARAM type, but as the complex structure we know is there. This is the case for messages like WM_DRAWITEM. So, to read the structure contained within the LPARAM we need to cast it as follows:

IParam pm = pms.get_Item(3); // LPARAM (the fourth parameter of PostMessage/SendMessage)
pm = pm.CastTo("LPDRAWITEMSTRUCT"); // Now our IParam is read as a pointer to DRAWITEMSTRUCT
pm = pm.Evaluated; // Resolve the pointer indirection
// Ready to use IParam as the structure sent by the OS.

It is possible to do this with all of the structures you can find defined in the Windows headers. So, you should be able to cast and read any of them that are used within these messages.

Using Deviare Message Spy

Deviare Message Spy in Action

Above we have our Deviare Message Spy in action. We selected the contacts list window from Outlook Express (at the bottom left) to spy on. You can see all the message values that were sent via Post and Send Message APIs. LVM_HITTEST has been expanded to show the full values received. As LPARAM is a pointer to the LVHITTESTINFO structure we can find all relevant information contained within.

Hope you enjoyed this article, and found it useful. Let us know what you think!

Known Issues

Many messages have the same hex value, such as TB_GETITEMRECT and TTM_UPDATE. Both of these messages have the value 0x41d but are very different messages.

The TTM_UPDATE message forces the current tool to be redrawn and does not use wParam or lParam, whereas the TB_GETITEMRECT message retrieves the bounding rectangle of a button in a toolbar.

TB is a Toolbar message and TTM is a Tooltip message. As our Spy++ style window finder already finds the window class, such as SysListView32 and ToolbarWindow32, it would be easy to use the class name to tell the program which XML message is the correct one.
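The message database described in "The XML" above (and the FunctionTypes.xml entries from the Deviare v1.0.1 post) can be loaded and queried with the class-name disambiguation this section proposes, which goes one step beyond what the spy itself does. This is an added example, not code from the Deviare Message Spy source: the sample XML, the prefix-to-class table and the resolve() logic are constructed here, and message values are assumed to be hex, as the 442 / 0x442 entry suggests.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the <message> layout both posts show; not the shipped FunctionTypes.xml.
# Two entries deliberately share 0x41d to reproduce the TB_GETITEMRECT / TTM_UPDATE clash.
SAMPLE_XML = """<messages>
  <message value="0x201"><name>WM_LBUTTONDOWN</name>
    <wparam value=""><wname>wParam</wname></wparam>
    <lparam value=""><lname>lParam</lname></lparam></message>
  <message value="100C"><name>LVM_GETNEXTITEM</name>
    <wparam value="INT"><wname>iStart</wname></wparam>
    <lparam value="INT"><lname>flags</lname></lparam></message>
  <message value="41d"><name>TB_GETITEMRECT</name>
    <wparam value="INT"><wname>iButton</wname></wparam>
    <lparam value="LPRECT"><lname>lprc</lname></lparam></message>
  <message value="41d"><name>TTM_UPDATE</name>
    <wparam value=""><wname/></wparam>
    <lparam value=""><lname/></lparam></message>
</messages>"""

# Constructed table: message-name prefix -> window class that owns that message family.
PREFIX_CLASS = {"LVM_": "SysListView32", "TB_": "ToolbarWindow32", "TTM_": "tooltips_class32"}


@dataclass(frozen=True)
class MsgDef:
    name: str
    wparam_type: str  # type name to CastTo() for WPARAM; "" means a plain integer
    lparam_type: str  # same for LPARAM
    wname: str
    lname: str


def _param(msg, tag, name_tag):
    """Return (type attribute, parameter name) for a <wparam>/<lparam>, tolerating empty tags."""
    el = msg.find(tag)
    if el is None:
        return "", ""
    return (el.get("value") or "").strip(), (el.findtext(name_tag) or "").strip()


def load_messages(xml_text):
    """Index <message> elements by numeric value; colliding values keep every definition."""
    db = {}
    for m in ET.fromstring(xml_text).iter("message"):
        value = int(m.get("value"), 16)  # "0x201" and "41d" both parse as hex
        wtype, wname = _param(m, "wparam", "wname")
        ltype, lname = _param(m, "lparam", "lname")
        d = MsgDef((m.findtext("name") or "").strip(), wtype, ltype, wname, lname)
        db.setdefault(value, []).append(d)
    return db


def resolve(db, value, window_class):
    """Pick the definition for a message value; the window class breaks ties.
    Returns None for unknown values and for collisions the class cannot settle,
    so the caller never CastTo()s a parameter with a guessed type."""
    cands = db.get(value, [])
    if len(cands) == 1:
        return cands[0]
    wc = window_class.lower()  # a superclass like "ATL:SysListView32" still ends with the base class
    for d in cands:
        for prefix, cls in PREFIX_CLASS.items():
            if d.name.startswith(prefix) and wc.endswith(cls.lower()):
                return d
    return None


def describe(db, value, wparam, lparam, window_class):
    """Render a call the way the spy would list it, naming the type each parameter is cast to."""
    d = resolve(db, value, window_class)
    if d is None:
        return "0x%X ? wParam=0x%X lParam=0x%X" % (value, wparam, lparam)
    return "%s %s:%s=0x%X %s:%s=0x%X" % (
        d.name, d.wname or "wParam", d.wparam_type or "int", wparam,
        d.lname or "lParam", d.lparam_type or "int", lparam)
```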

How to customize the WebBrowser context menu in C#

2008 April 24th | By Pablo Yabo | Comments (9) | Permalink

Under: .NET - C# - programming

It is hard to find on the internet a detailed and complete solution for modifying the contextual menu, for several reasons.

One of these reasons is that many of the implementations found use the System.Windows.Forms.ContextMenu; you can see one of them here:

Component-Based Development with Visual C#

In these kinds of examples, ShowContextMenu does not invoke the system menu; instead it shows a user-defined menu, which cannot be modified the way we need.

Another reason is the programming language. On the MSDN website a C++ implementation of ShowContextMenu can be found:

WebBrowser Customization (Part 2)

The problem is that when we want to implement it in C#, difficulties arise, such as not being able to call system functions directly or use the same data types, among many others.

Maybe the biggest difficulty is marshaling the CComVariant class. A huge variety of solutions can be found on the internet, but they usually do not work (at least in the case mentioned above). Here are some examples of them:

VB Variant Equivalent in C#

Object To Variant

What is the equivalent of Variant data type in C#.NET?

Using the int[] type with size 3 or bigger is one of the ways of solving this.

int[] variantVar = new int[3];

The VARIANT type can be seen in this MSDN webpage:

VARIANT and VARIANTARG

Once we have solved this problem, we can use the IOleCommandTarget method Exec:

[PreserveSig]
int Exec(
    ref Guid pguidCmdGroup,
    int nCmdID,
    int nCmdExecOpt,
    // we need to have this an array because callers
    // need to be able to specify NULL or VT_NULL
    [In, MarshalAs(UnmanagedType.LPArray)] int[] pvaIn,
    [Out, MarshalAs(UnmanagedType.LPArray)] int[] pvaOut
    );

When calling Exec for the first time, we get the handle for the language submenu. We receive it in the variantVar variable:

int[] nullVariantVar = null;      // pvaIn: nothing to pass in (NULL)
int[] variantVar = new int[3];    // pvaOut: receives the VARIANT

spCT.Exec(
    ref CGID_ShellDocView,
    SHDVID_GETMIMECSETMENU,
    0,
    nullVariantVar,
    variantVar
    );

Now we must parse variantVar in order to get the result (the handle for the language submenu). The first value we get is a VARTYPE, which indicates the kind of variable that we will find next. Then come three reserved WORDs, followed by the value we are looking for. Since the VARTYPE and the first reserved WORD share the first int, and the other two reserved WORDs fill the second, the handle for the submenu lands at index 2 of the array:

IntPtr handleSubMenu = new IntPtr(variantVar[2]);

Instead of passing a CComVariant to the function, we fill in new int arrays as shown below and call Exec again:

int[] variantVarIn = new int[3];
int[] variantVarOut = new int[3];

variantVarIn[0] = VT_INT_PTR;
// Remember that variantVarIn[1] is reserved
variantVarIn[2] = handleMenu.ToInt32();

variantVarOut[0] = VT_I4;
// Remember that variantVarOut[1] is reserved
variantVarOut[2] = dwID;

// Insert Shortcut Menu Extensions from registry.
spCT.Exec(
    ref CGID_ShellDocView,
    SHDVID_ADDMENUEXTENSIONS,
    0,
    variantVarIn,
    variantVarOut
    );

We obtain the complete context menu as a result of the instructions shown above. This menu can be modified as much as we desire. Using this, you can add or remove menu items and also their functionality. For example you can call methods implemented in your project from the desired menu item.
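To see why the handle ends up at index 2, and where the int[3] trick stops working, here is an added example (not from the original post) that models the VARIANT byte layout with Python's struct module. VT_I4 and VT_INT_PTR are the SDK values; the pointer_size parameter is an assumption added to show that on a 64-bit process a handle above 2^32 does not survive the int[3] view (in C#, IntPtr.ToInt32() throws in that case).

```python
import struct

# VARTYPE values from the Windows SDK (wtypes.h)
VT_I4 = 3        # 32-bit signed integer, as used for dwID in the post
VT_INT_PTR = 37  # pointer-sized integer, as used for the menu handle

VARIANT_HEADER = "<HHHH"  # WORD vt, WORD wReserved1, WORD wReserved2, WORD wReserved3


def make_variant(vt, value, pointer_size=4):
    """Raw bytes of a VARIANT: four WORDs of header, then the 8-byte value union.
    pointer_size models the process bitness; 4 is the 32-bit case the post targets."""
    if vt == VT_INT_PTR and not 0 <= value < (1 << (8 * pointer_size)):
        raise OverflowError("value does not fit a %d-byte pointer" % pointer_size)
    header = struct.pack(VARIANT_HEADER, vt, 0, 0, 0)
    union = struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF)  # little-endian: low dword first
    return header + union


def as_int3(raw):
    """The int[3] view a C# caller gets when the VARIANT is marshaled as an Int32 LPArray:
    [0] = vt | wReserved1 << 16, [1] = wReserved2 | wReserved3 << 16, [2] = low dword of the union."""
    return list(struct.unpack_from("<3i", raw))


def encode_int3(vt, value):
    """Outbound layout from the post: variantVar[0] = vt, [1] reserved, [2] = the value."""
    return as_int3(make_variant(vt, value))


def decode_int3(ints):
    """Read (vt, value) back from an int[3] filled by Exec. vt is masked to its WORD because
    the reserved WORD sharing ints[0] is not guaranteed to be zero; the value is read unsigned."""
    return ints[0] & 0xFFFF, ints[2] & 0xFFFFFFFF


def pointer_survives_int3(handle, pointer_size):
    """True if a handle round-trips through int[3]: always on 32-bit, but on 64-bit only for
    handles below 2**32, because the union's high dword lies beyond the array."""
    vt, low = decode_int3(as_int3(make_variant(VT_INT_PTR, handle, pointer_size)))
    return vt == VT_INT_PTR and low == handle
```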

Now you can build a customized browser using C#!