Deviare COM Spy Console is out!

October 28th, 2008 | Posted by Pablo Yabo in C# | C++ | Deviare | programming | videos - (0 Comments)

Today we have released a console for monitoring and spying on applications that use Microsoft’s Component Object Model. This technology is used in many professional applications, and now you are able to watch them in action too!

Deviare’s latest addition is the ability to intercept COM interfaces. Using this capability, together with heuristics to discover the interfaces, the console lets you see which interfaces an application uses and how it calls them.

Here is an example monitoring Windows Live Messenger:

As you have seen, we found the instantiation of IWebBrowser2. Since we didn’t know yet what we wanted to see, we hooked every member except those of IDispatch (not necessary here). The console then printed calls to Navigate2 (among others), and we could see where the little browser at the bottom of Messenger was getting its adverts from.

The console is open source, so feel free to contribute to it. This first release contains only one method for discovering the creation of interfaces, but many others may be added. Go chase them ;) .

Download Deviare COM Spy Console

Today we are releasing Trappola, our hook engine, under the LGPL license. It has been a part of Deviare since the beginning, and we think it has reached a level of maturity that any developer can appreciate.

There are several libraries that provide some of the functionality offered here, but most of them are either theoretical examples or very specialized, and do not adapt well to every situation. In contrast, we designed Trappola to suit most situations and to avoid the most common mistakes, such as those seen in multithreaded environments.

Inside the library, you’ll find a small yet powerful example. Let’s take a look at it:

The example’s goal is to deny access to a complete folder tree (My Documents) and to hide any executable file from the dialog. Two kernel32 functions will be intercepted:

(image: description of the two hooked functions, FindFirstFileW and FindNextFileW)

For our first task, we hook FindFirstFileW. From there we block any attempt to access our folder or anything beneath it.

(image: the FindFirstFileW hook code)

This hook runs before the actual call is made. So, when we set the last error to access denied and ask our hook to skip the call, the kernel32 function is never reached and the caller is prevented from enumerating the folder. We also return an invalid handle, as the documentation specifies for failure.

To hide executable extensions from the user, we hook FindNextFileW. A program calls this function to walk through the files in a folder. Here we intercept calls just before they return to the caller, and check whether the file found is of any interest to us.

(image: the FindNextFileW hook code)

As shown, if we need to skip an entry, we simply call the function again, so the skipped entry never reaches the caller. To cleanly return the next item, we make sure that the return value and last error of that final call are what the caller receives.
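The two decisions the hooks above make, written out as an added example (this is not Trappola’s sample code and does not use its API): a before-call check that denies FindFirstFileW on the blocked tree, and an after-call filter that re-calls FindNextFileW past any hidden entry. It is portable C so the logic can be run without Windows; the enumeration handle is simulated by a constructed listing, the blocked root and the list of "executable" extensions are assumed values, and in a real hook the path would come from the lpFileName argument and the entry name from the cFileName field of WIN32_FIND_DATAW.

```c
#include <stdio.h>
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

#define ERROR_ACCESS_DENIED   5L   /* Win32 error codes the hooks report */
#define ERROR_NO_MORE_FILES  18L

/* Constructed stand-in for the My Documents tree of the post. */
static const wchar_t *BLOCKED_ROOT = L"C:\\Users\\alice\\My Documents";
/* Assumed set of "executable" extensions; the post only says executables. */
static const wchar_t *HIDDEN_EXT[] = { L".exe", L".com", L".scr", L".bat", NULL };

/* Case-insensitive comparison of the first n characters (NTFS names are
 * case-insensitive, so the filter must be too). */
static int eq_nocase(const wchar_t *a, const wchar_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (towlower((wint_t)a[i]) != towlower((wint_t)b[i]))
            return 0;
    return 1;
}

/* FindFirstFileW decision: is the requested path the blocked folder itself or
 * something inside it? The match has to end on a separator, otherwise a
 * sibling such as "My Documents2" would be blocked as well. */
int is_blocked_path(const wchar_t *path)
{
    size_t n = wcslen(BLOCKED_ROOT);
    if (wcslen(path) < n || !eq_nocase(path, BLOCKED_ROOT, n))
        return 0;
    return path[n] == L'\0' || path[n] == L'\\' || path[n] == L'/';
}

/* What the before-call hook does: 0 means let the real call proceed; otherwise
 * the error to set before skipping the call and returning INVALID_HANDLE_VALUE. */
long find_first_decision(const wchar_t *path)
{
    return is_blocked_path(path) ? ERROR_ACCESS_DENIED : 0L;
}

/* FindNextFileW decision: does the entry end in one of the hidden extensions? */
int is_hidden_name(const wchar_t *name)
{
    const wchar_t *dot = wcsrchr(name, L'.');
    if (!dot)
        return 0;
    for (const wchar_t **ext = HIDDEN_EXT; *ext; ext++)
        if (wcslen(dot) == wcslen(*ext) && eq_nocase(dot, *ext, wcslen(dot)))
            return 1;
    return 0;
}

/* Simulated enumeration handle: a NULL-terminated listing and a cursor. */
typedef struct {
    const wchar_t **entries;
    size_t next;
    long last_error;   /* what GetLastError() would report to the caller */
} fake_find_t;

/* Stand-in for the real FindNextFileW: 1 and an entry, or 0 at the end. */
static int fake_find_next(fake_find_t *f, const wchar_t **out_name)
{
    if (f->entries[f->next] == NULL) {
        f->last_error = ERROR_NO_MORE_FILES;
        return 0;
    }
    *out_name = f->entries[f->next++];
    return 1;
}

/* The after-call hook: if the entry just produced must be hidden, call the
 * original again until a visible entry or the end of the listing comes back.
 * The caller gets the return value and last error of that final call, so it
 * sees either a clean next item or a clean end of enumeration. */
int hooked_find_next(fake_find_t *f, const wchar_t **out_name)
{
    int ok = fake_find_next(f, out_name);
    while (ok && is_hidden_name(*out_name))
        ok = fake_find_next(f, out_name);
    return ok;
}

/* Constructed directory listing used to exercise the filter. */
static const wchar_t *SAMPLE_LISTING[] = {
    L"report.docx", L"setup.EXE", L"notes.txt", L"Installer.exe", L"run.bat", NULL
};

/* Entries a caller enumerating SAMPLE_LISTING through the hook actually sees,
 * plus (optionally) the last error it is left with at the end. */
int sample_visible_count(long *final_error)
{
    fake_find_t f = { SAMPLE_LISTING, 0, 0L };
    const wchar_t *name;
    int count = 0;
    while (hooked_find_next(&f, &name))
        count++;
    if (final_error)
        *final_error = f.last_error;
    return count;
}

int main(void)
{
    long err = 0;
    printf("visible entries: %d\n", sample_visible_count(&err));
    printf("final error: %ld\n", err);
    printf("deny decision: %ld\n", find_first_decision(L"C:\\Users\\alice\\My Documents\\*"));
    return 0;
}
```

Two things the simulation makes visible: the filter must compare on a directory boundary and case-insensitively, and a hook of this kind only sees the string the caller passed, so relative paths, "\\?\" prefixes and 8.3 short names have to be normalized before the check or the filter is incomplete.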

Please remember that this is an open source project. Feel free to add any changes you see fit. We’ll keep using it in our products, so don’t hesitate to send us any bug report or feature request. We’ll do our best to address them.

Now go download the library and try it yourself ;) . Or take a major step and get Deviare.

It is hard to find a detailed and complete solution on the internet for modifying the context menu, for several reasons.

One of these reasons is that many of the implementations found use System.Windows.Forms.ContextMenu; you can see one of them here:

Component-Based Development with Visual C#

In these kinds of examples the system menu is not invoked from ShowContextMenu; instead a user-customized menu is shown, and that menu cannot be modified the way we need.

Another reason is the programming language. On the MSDN website a C++ implementation of ShowContextMenu can be found:

WebBrowser Customization (Part 2)

The problem is that implementing it in C# raises difficulties such as not being able to call system functions directly, not having the same data types, and many others.

Perhaps the biggest difficulty is marshaling the CComVariant class. A huge variety of solutions can be found on the internet, but they usually do not work (at least in the case mentioned above). Here are some examples:

VB Variant Equivalent in C#

Object To Variant

What is the equivalent of Variant data type in C#.NET?

Using an int[] of size 3 or larger is one way of solving this:

int[] variantVar = new int[3];

The VARIANT type is described on this MSDN page:

VARIANT and VARIANTARG

Once this problem is solved, we can use the IOleCommandTarget method Exec:

[PreserveSig]
int Exec(
    ref Guid pguidCmdGroup,
    int nCmdID,
    int nCmdExecOpt,
    // we need to have this an array because callers
    // need to be able to specify NULL or VT_NULL
    [In, MarshalAs(UnmanagedType.LPArray)] int[] pvaIn,
    [Out, MarshalAs(UnmanagedType.LPArray)] int[] pvaOut
    );

When calling Exec for the first time, we get the handle for the language submenu, returned in the variantVar variable:

int[] nullVariantVar = null;
int[] variantVar = new int[3];

spCT.Exec(
            ref CGID_ShellDocView,
            SHDVID_GETMIMECSETMENU,
            0,
            nullVariantVar,
            variantVar
            );

Now we must parse variantVar to get the result (the handle for the language submenu). The first value is the VARTYPE, which indicates the kind of value that follows. Then come three reserved WORDs, and after them the value we are looking for. Since the VARTYPE and the three reserved WORDs together occupy eight bytes, the handle for the submenu sits at index 2 of the int array:

IntPtr handleSubMenu = new IntPtr(variantVar[2]);

Instead of passing a CComVariant argument to the function, we fill in int[] variables as shown below and call Exec again:

int[] variantVarIn = new int[3];
int[] variantVarOut = new int[3];

variantVarIn[0] = VT_INT_PTR;
// Remember that variantVarIn[1] is reserved
variantVarIn[2] = handleMenu.ToInt32();

variantVarOut[0] = VT_I4;
// Remember that variantVarOut[1] is reserved
variantVarOut[2] = dwID;

// Insert Shortcut Menu Extensions from registry.
spCT.Exec(
            ref CGID_ShellDocView,
            SHDVID_ADDMENUEXTENSIONS,
            0,
            variantVarIn,
            variantVarOut
            );

As a result of the calls above we obtain the complete context menu, which can be modified as much as we want. You can add or remove menu items and their functionality; for example, a menu item can call methods implemented in your own project.
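Why the int[3] trick works, as an added example that is not part of the original post: a VARIANT starts with a 16-bit VARTYPE and three reserved 16-bit WORDs (eight bytes together), and the value union follows. Read as an array of 32-bit ints on a little-endian machine, the type tag is therefore the low half of element 0 and the value begins at element 2, which is exactly where the post reads variantVar[2]. The struct below mirrors the Windows layout but is plain C so it runs without Windows headers; the VT_I4 and VT_INT_PTR values are the real VARENUM constants, the 0x00A10234 handle value is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VT_I4      3    /* VARENUM: 32-bit signed integer */
#define VT_INT_PTR 37   /* VARENUM: pointer-sized signed integer */

/* Header of a Windows VARIANT followed by the value union: the 16-bit type
 * tag, three reserved 16-bit words, then the payload at byte offset 8. */
typedef struct {
    uint16_t vt;
    uint16_t wReserved1, wReserved2, wReserved3;
    union {
        int32_t  lVal;     /* VT_I4 payload */
        intptr_t intVal;   /* VT_INT_PTR payload, e.g. an HMENU */
    } u;
} variant_t;

/* Byte offset of the payload: 8 on both 32- and 64-bit builds. */
size_t value_offset(void) { return offsetof(variant_t, u); }

/* 32-bit slots an int[] needs to hold a full pointer payload: 3 on 32-bit,
 * 4 on 64-bit (the reason the post says "size 3 or bigger"). */
size_t ints_needed(void) { return (value_offset() + sizeof(void *)) / sizeof(int32_t); }

/* Fill an int[3] the way the managed code does: tag in the low 16 bits of
 * element 0, element 1 reserved, value in element 2. */
void fill_variant_i4(int32_t out[3], int32_t value)
{
    memset(out, 0, 3 * sizeof(int32_t));
    out[0] = VT_I4;
    out[2] = value;
}

/* Read a callee-filled int[3] the way the post does, but check the tag first.
 * Returns 0 and sets *value, or -1 if the tag is neither VT_I4 nor VT_INT_PTR. */
int read_variant_value(const int32_t in[3], int32_t *value)
{
    uint16_t vt = (uint16_t)(in[0] & 0xFFFF);   /* little-endian: vt is the low half */
    if (vt != VT_I4 && vt != VT_INT_PTR)
        return -1;
    *value = in[2];
    return 0;
}

/* Cross-check: the same twelve bytes viewed through the real structure. */
int32_t value_via_struct(const int32_t in[3])
{
    variant_t v;
    memset(&v, 0, sizeof v);
    memcpy(&v, in, 3 * sizeof(int32_t));   /* header plus low 32 bits of the union */
    return v.u.lVal;
}

/* Constructed stand-in for what the first Exec call leaves in variantVar:
 * a VT_I4 tag and a made-up handle value. */
static const int32_t SAMPLE_OUT[3] = { VT_I4, 0, 0x00A10234 };

/* Round trip through fill and read; returns the decoded value or -1 on error. */
int32_t roundtrip_i4(int32_t value)
{
    int32_t buf[3], got;
    fill_variant_i4(buf, value);
    return read_variant_value(buf, &got) == 0 ? got : -1;
}

/* Decode the constructed sample; returns the handle value or 0 on a bad tag. */
int32_t decode_sample(void)
{
    int32_t got;
    return read_variant_value(SAMPLE_OUT, &got) == 0 ? got : 0;
}

/* A buffer tagged VT_BSTR (8) carries a pointer to a string, not a handle,
 * and must be rejected rather than read as one. */
int sample_bad_tag_result(void)
{
    int32_t buf[3] = { 8, 0, 0x00A10234 }, got;
    return read_variant_value(buf, &got);
}

int main(void)
{
    int32_t got = 0;
    read_variant_value(SAMPLE_OUT, &got);
    printf("payload offset %zu, value 0x%08x (struct view 0x%08x), slots for a pointer %zu\n",
           value_offset(), (unsigned)got, (unsigned)value_via_struct(SAMPLE_OUT), ints_needed());
    return 0;
}
```

The tag check is the part the post's code skips: reading element 2 without looking at element 0 silently turns whatever the callee returned into a "handle". Note also that the int[3] layout is 32-bit oriented; in a 64-bit process the pointer payload spans elements 2 and 3 and IntPtr.ToInt32() throws for values that do not fit, so the array needs a fourth element and the value must be assembled from both halves.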

Now you can build a customized browser using C#!

Custom Outlook Development

We have a team of experts developing plug-ins for Outlook. We can go beyond the Outlook API and develop modifications to those functions that lack features your product may need. Our team leaders are experienced at running projects, and our customers can feel confident that their product will be released on time. Our sales team can be contacted at any time at our office in California: (310) 237-6506.
For more information visit Outlook plugin development

We have released the first version of Deviare. A free trial is available for download. Deviare is a component for ‘easy hooking’ of Windows DLLs. Now you don’t need to be an expert to intercept operating system functions, because you use a COM object that abstracts many of the complexities. To see its power, look at the following C# (.NET) snippet:

// Locate the target process, the module and the export we want to hook.
DeviareTools.IProcesses procs = _mgr.get_Processes(0);
DeviareTools.IProcess proc = procs.get_Item("msnmsgr.exe");
DeviareTools.IPEModuleInfo mod = proc.Modules.get_ModuleByName("ws2_32.dll");
DeviareTools.IExportedFunction fnc = mod.Functions.get_ItemByName("send");
var hook = _mgr.CreateHook(fnc);
hook.Attach(proc);
hook.OnFunctionCalled += new Deviare.DHookEvents_OnFunctionCalledEventHandler(hook_OnFunctionCalled);
hook.Properties = (int)DeviareCommonLib.HookFlags._call_before;   // run our handler before the real send
hook.Hook();

void hook_OnFunctionCalled(DeviareTools.Process proc, DeviareParams.ICallInfo callInfo, Deviare.IRemoteCall rCall)
{
    DeviareParams.IParams pms = callInfo.Params;
    DeviareParams.IEnumParams enm = pms.Enumerator;
    DeviareParams.IParam pm = enm.First;   // first parameter of send: the socket
    pm = enm.Next;                         // second parameter: the buffer being sent
    object[] args = new object[1];
    string msg = "Transmission -> ";
    msg += pm.Value;
    msg += "\r\n";
    args[0] = msg;
    // The handler runs on a Deviare thread, so marshal the text to the UI thread.
    txtOutput.Invoke(new AppendHandler(Append), args);
}

With this simple code you hook the send function in the WinSock DLL for the Messenger process, and our own function hook_OnFunctionCalled is called before the ‘real send’. The code can be written in any COM-friendly programming language, such as C++, C#, VB, Java, Python, Perl, Ruby and many others. API Hook examples in C++, C#, VB. Many applications can now be built on Deviare technology, like Spy Studio, a tool to monitor the Windows API, available for free.
