How Apple could have avoided fraud in iTunes with our Secure Code Generator

April 28th, 2009 | Posted by Pablo Yabo in opinion | Secure Code Generator | security - (0 Comments)

Now everybody has heard about the Chinese hackers who cracked the codes used for the iTunes Store vouchers. Using key-generators they have created millions of voucher codes and they are now selling $200 vouchers for as little as $2.60 online.

Following a report on the blog of Chinese music industry consultancy Outdustry.

It occurred to us that this is one of the main reasons many different companies approach us for advice.

Our secure code generator software is used by many large companies, throughout the world, such as British American Tobacco. It has been used in  a wide range of  applications such as database marketing, phone card pin generating and scratch card games.  It allows you to minimise the liability and exposure your company faces with problems associated in secure code generation,  and most importantly reducing your costs.

Generating secure codes creates a huge wealth of problems that many companies don’t realise,  it is a complex conundrum.

In most cases developers decide, knowing time is constrained, that using a standard pseudo random generator that is included in a standard library is the way to go.

This may work for Monte Carlo Simulations but when money is involved it is not the correct way to solve the problem.

A straightforward solution is to use a strong pseudo random generator or… a real random source.  This is a convenient way but it is necessary to store all the numbers generated and then verify each one to see if they are duplicates of a previously generated number.

The most desirable solution is to have a function f(<index>) and to change the index so it generates non-repeatable pseudo random numbers.  It would be even more desirable to customize the function with a secret key <key> so that you can change the function easily.

For business campaigns it would be better to add some configuration so that you can customise the alphabet and the length of the codes used.  With this solution you only need to remember the key and the upmost index to check if the codes were indeed generated by you.

Remember that the chance of guessing a correct code depends of the number of codes generated, the length of the code and the alphabet used by the code.

Function f must not just be any function, it must also obied by some strong security properties.

This is exactly what we deliver with our secure code generator software. A very simple library to generate custom codes in the most popular programming languages and different operating systems.

It’s time for Apple and other companies to take coupon, codes and  pin generation seriously otherwise i suspect we shall see similar stories of people hacking vouchers in the future.

You can use Secure Code Generator in many applications…

  • M-Coupons for consumer focused marketing campaigns.
  • E-Coupons for product discounts.
  • Event tickets with verifiable security.
  • Authentication codes for service/prepaid cards.
  • Special businesses offerings.
  • PIN & TAN (Transaction Authentication Number) generation.
  • Obfuscation of internal codes.
  • Mobile Phone 1D & 2D Barcodes campaigns.
  • E-banking token authentication.
  • Firmware for devices like Digipass®.

Secure Code Generator is also indispensable for scratchcard (e.g: a scratch off, scratch ticket, scratcher, scratchie, scratch-it, scratch game, scratch-and-win or instant game) games.

Secure Code Generator also provides these essential features.

  • Non-predictable and Non-deducible codes.
  • Codes with variable lengths.
  • Numeric & Alphanumeric code generation.
  • Codes can be verified in real time without requiring the massive storage of generated data.
  • Secure Code Generator can be integrated with almost all programming languages (i.e. C/C++, .NET, Java, PHP, Python, Ruby & Perl).

More information about our secure code generator is available at:

http://www.nektra.com/products/secure-code-generator/index.php

, , , , , , , , ,

Export messages and folders from Thunderbird to Outlook / Outlook Express / Windows Mail

April 14th, 2009 | Posted by Pablo Yabo in Microsoft | Microsoft Exchange | Migration | OEAPI | Office 2003 | Office 2007 | Office 2010 | Outlook 2003 | Outlook 2007 | Outlook 2010 | products | programming | services | thunderbird - (108 Comments)

I was tired of some problems I experienced with the Thunderbird database and the lack of support of Windows Desktop Search.  So I decided to migrate from Thunderbird to Outlook.

I found several tutorials explaining how to do it using the free tool IMAPSize.

The problem with this procedure is that email conversion using this tool requires you to manually select each Thunderbird directory that contains the messages of each folder. It is fine for a few directories but a very long task if you have more than a hundred.

In addition to this issue, I found some export problems using the tool: it works with most of the messages but there are some problems with certain messages that are created with a wrong structure or with problems in the header (e.g.: empty subject and wrong received timestamp) when importing into Outlook Express / Windows Mail.

Looking for another method, I found a free tool Tbird2OE from PractiSoft. It is rudimentary but it does the first job: it exports all the messages to eml format keeping folder structure and no errors.

To import messages into Outlook Express / Windows Mail, the tutorial suggests to drag them in each exported folder. Again, this is simple for small amount of folders but it could take considerable amount of time if you have lots of folders.

For that reason I wrote a tool to import the exported messages using our product OEAPI to store messages in Outlook Express / Windows Mail.

Here is the step-by-step tutorial:

  1. Compact messages (recommended but optional)
  2. Make sure you have lots of disk space free to store the messages (from Chuck).
  3. Use Tbird2OE to export messages from your Thunderbird profile:
    • Top edit box your mail root in the top edit box, usually something like this: C:Documents and SettingsUserNameApplication DataThunderbirdProfilesawfiwoeu.defaultMailLocal Folders
    • Bottom edit box: any path where the emails will be stored in eml format keeping folder structure
  4. Install OEImportEml:
    • Set the same directory that you specified in Tbird2OE as export path (the bottom edit box)
    • Set Thunderbird ‘Sent’ folder if your installation is not English (the folder specified here is forwarded to ‘Sent Items’ in Outlook Express / Windows Mail)
  5. If you want to use Outlook, run Outlook and select to import messages from Outlook Express / Windows Mail

Windows 7

User Edgar reported that the process works using Outlook 2007 and Windows Live Mail but no account set up.

Another option reported by Johnny Y.: To Migrate messages from an XP to Windows 7 PC, use Outlook on the original XP PC to import from Outlook Express. Then Export to a PST and transfer PST files to the new Windows 7 PC and import, since Windows 7 does not come with Outlook Express.

Outlook Plugin Development

We have a team of experts developing plugins for Outlook. We have a wide experience using Outlook API and we are able to go beyond Outlook API when you need something that cannot be developed using the startdard API.
Our team works in US time, that’s what makes Nektra the best decision for US companies.
Our sales team can be contacted any time in our office in Callifornia (310) 237-6506.
For more information visit Outlook plugin development

Migration and Reverse Engineer Services

Nektra has a wide experience building ad-hoc migrations for applications that doesn’t provide importing and exporting mechanism. We have researched a large number of applications looking for undocumented interfaces to use for this purpose. A prove of these skills are our products and a big amount of articles researching different technologies.
We have a team of professionals that can help so Just ask.

Top Areas:

Complete list of Nektra High Tech Services

, , , , , , , ,

DirectSound Capture Using Deviare.

February 24th, 2009 | Posted by Pablo Yabo in Deviare | examples | opinion | products | programming | Python | reverse engineer | services - (4 Comments)

Download Deviare Download Sourcecode Download PDF

Contents

Introduction

Today we are going to see how easy it can be to capture audio with Deviare. From players like Windows Media Player, instant messaging applications like Skype & Windows Live Messenger, to any application using DirectSound. The wave output will get captured by us. Deviare is indeed a powerful framework. Built to resolve most complex tasks in the simplest way. With a few lines of python, all our hooking is done and running. Today performance is extremely important, yet Deviare proves itself as the best. It allows you to also take advantage of the full power of Python Python

Research

Direct Sound Capturing

I must be honest, I’ve never used the DirectX API in my life, so I was a bit uncertain of how difficult this could be. I started by looking at MSDN documentation onIDirectSound and IDirectSoundBuffer. The first goal was to find a safe place to read its sound buffers. I found out that IDirectSoundBuffer::Unlock could serve my intentions well. At this point, the user is telling DirectSound that he has finished writing his wave output and the locks may be released. So, if we step in between, we can safely read the buffer. The user is no longer writing to it, and DirectSound has not yet taken control of it. I tested it on many applications and it turned to be the right choice. It works perfectly for WMP, Windows Live Messenger, and many others. No problems showed up until I stepped with Skype…

Monitoring Skype Conversations

This might be the way many applications handle their sound output, but it was the first application I have seen and I named the case after it. Later, I found a few articles describing it in detail. Skype So, to my surprise, I was not seeing any data being written to the sound buffers after the unlock was called. How the hell is it writing its wave, and how am I supposed to read it?!. It kept me thinking for a while, until I noticed an interesting and constant call to IDirectSoundBuffer::GetCurrentPosition. Then I realized that this writing method depends on constant reading of the play and write buffer pointers. That’s because DirectSound, as most stream based implementations, works with a Circular buffer. Capturing its wave output requires that we keep track of changes in the write pointer. Once we know it has moved forward in the buffer, we can read its steps. Since here we don’t know how much the user has actually written to it, we must know the full size and location of the buffer. Unless we want to read garbage, but I’m sure that’s not the case ;) .

Implementation

Deviare Python wrappers

Before we get our hands dirty, let me introduce you to something new in Deviare: Python Wrappers. As you already know Deviare is exposed through a series of COM interfaces. To save ourselves from the work of writing a whole new set of bindings, we used the well known project PyWin32. It’s very friendly to be used directly, as you may see in py_deviare_objects.py, just not enough to me. So I built these wrappers on top of it and made them as transparent as possible. You’ll find the use of the interface very similar to the way it’s done in our C# examples and in compliance with the python way of life, of course.Python Code

Wave Tools

I wrote these tools to help me write down the captured wave data. This may be obvious to people working in audio projects, but for me I cannot believe there is no native support in Windows to read-write Wav files! Yes, there is native support to write RICH content but come on! Luckily for me, I found a small sample C++ class inside the DirectX SDK. This was good enough for me to write my own in Python. As you may see, my WaveFile class only supports the write operation. Though, adding a read member should be easy enough for you :) . I have also added a lock to it, to ensure our data does not get corrupted by multiple thread operations. You may use it safely. The structures used were defined exactly as found in DirectSound and WinMM headers. Some of them are used by DirectX to specify the format of the wave content.

COM Type Libraries

By default, DirectX installations do not register their library types. Since we need that information, so Deviare can hook them, I created my own definitions with the interfaces we are interested in. To prevent any collision with previous installations, I used a different GUID. There is a python script that takes care of its registration and it’s automatically ran on demand by our example. Again, definitions are exactly as found on DirectX SDK. Directsound

Virtual Table Finder

To obtain the virtual tables for the interfaces, we basically have two options. Either we wait for its instantiation by the target process, or we find them ourselves on our own. Our first option is known to work for sure, yet we delay our installations until these events rise. This may also place us in a race and we may not capture all the output. The second one allows us to hook our targets immediately. Yet, in this case, we depend on the library (dsound.dll) being loaded in the same address space of our target. I have placed the two options in our example. If the current one is not working for you, uncomment the other at py_deviare_directsound.py

.

Hooking Direct Sound

The first thing we need, is to know every time a sound buffer is created. For that we are going to intercept calls to IDirectSound::CreateSoundBuffer. If the calls succeed, we look-up the table location inside the returned instance. From there we are going to hook four members of IDirectSoundBuffer:Initialize, SetFormat, Unlock and GetCurrentPosition. The first two, are used to obtain the wave format that the user is writing to the buffer. We also need to watch details from the call that creates the sound buffer, in case it is specified there. The Unlock member, as our research told us, is used in most applications to notify DirectX that the buffer is written and ready to be played. So we read the buffer pointers and size, to use Deviare’s memory interface to copy all content. We need to be careful, and see if the call actually succeeded. Only then can we save the wave data, else we must discard our buffers. With applications that keep track of the play and write cursors, we are going to monitor their calls to GetCurrentPosition. As explained earlier, with this method, I need to know the full size of the buffer and its location. So I save it from the first call to Unlock. Then I virtually divided my buffer in N segments, and filled it with the wave data as the write cursor moves forward in the buffer. Once my buffer contains enough data, I write it down to the wave file. To prevent false positives, in the creation of sound buffers, I delay the creation of my file until I have real data stored. In case we are monitoring the creation of IDirectSound in the target process, we also need to hook DirectSoundCreate and DirectSoundCreate8 from dsound.dll. There we can obtain the virtual table for IDirectSound, and follow our quest.

Running Sound Capture

Sound Capture

Easy Steps

Execute the run_me.py located among the deployed files, and you’ll be prompted with a window to type the complete name of the process you want to start monitoring. For example: Skype.exe. Once the program starts capturing, the wave files will be written in the same folder. Once you are done, click OK on the dialog box to stop recording. Now you can open the .wav files generated, and listen the capture. Do not open them before closing the example as the data may not be readable by then.

Registration

The first execution of our example, will automatically register its interfaces and data types. It will also generate a file labeled .deviare_types_registered to prevent registration on the following executions. You can safely remove the file at any time you want the registration to be run again.

What’s Next

Optimizations

At any point of our handling, performance is essential. Any delay is highly punished by the sound output. So we must be careful about any operation we do inside the function call. This example tries to cache enough data before doing a write operation to disk. In case you need to improve its performance, you should read the data and release the call as soon as possible. Then in a different thread, or in a non punitive call, flush our data to the wave file.

Wave API hooking

This example could be very easily adapted to capture wave data from applications using WinMM API. Most browsers, Flash, and Google Talk use it to throw their sound output.

Hook DirectSoundCapture And Listen To Full Conversations

You should have noticed, when capturing from Skype, that your own voice is not heard. That’s because the application is not echoing its capture from the microphone. To get that too, it is necessary to hook IDirectSoundCaptureBuffer and proceed the same way to read its buffer.

Inspect More COM Interfaces

If you want to discover a lot more about the internals of DirectSound, then Deviare will be very valuable for you. Inspecting COM object is very easy indeed. Simply define one of its interfaces (if its not already registered in the system) and hook them the simpler way. If you are wondering what other interfaces may be useful for you, try our Deviare COM Console to discover them. It comes with source code, and you are free to adapt it to your needs! And That’s All Folks, hope you find it useful, enjoy!

Audio Recorder SDK

We did a large number of solutions around this code. We added support to other applications like GoogleTalk, latests versions of Skype and MSN Messenger.

We know how to lead with frequency conversion when mixing the microphone and the audio. Mixing inputs with different sample rate is complex. Nektra can solve this issues for you.

Using all this knowledge together we have developed a complete Audio Recorder SDK that provides a simple API to record full conversations (both microphone and audio together).

Any doubt just ask and we will provide a fast quote for your project.
More information in Nektra High Tech Services

, , , ,

Deviare Message Spy

February 18th, 2009 | Posted by Pablo Yabo in C# | Deviare | opensource | products | programming - (5 Comments)

Download messagespy_demo.zip – 250 KB

Download messagespy_src.zip – 249 KB

Deviare Message Spy

Deviare Message Spy

Contents

Introduction

This article presents you with a different perspective of how to inspect window messages, to see how applications are communicating and managing their controls. We are not going to explain what window messages are or what they are used for in this article, so we suggest that you read these excellent articles to understand them: Handling Window Messages (Part 1, Part 2, Part 3). In this article we are going to monitor the Message API from the inside by hooking the target process.

So, what’s the good news?

As a first step when developing, to inspect windows, we open the Spy++ application and start the tedious work of following messages as they are printed in their hundreds. This is helpful most of the time, as we usually want to know what our windows are seeing and receiving. Yet, what happens when we want to know exactly how an application is communicating with its controls (what calls it makes to the message API) or want to see if our messages are getting filtered by someone else? As you may know, Spy++ installs 3 global hooks to receive every Send, Post and Call to a window message handler. The information provided by these methods is not enough to know what messages are coming from our application or if any of them have been filtered by a hook installed earlier in the call chain.

Do not panic, Deviare comes to rescue. What we are going to do is intercept all the Message APIs from the process that the window belongs to and monitor its calls. From there, we can be sure of what messages are being sent from the application to its controls and if any of them are missing from the ones that Spy++ is reporting, then we will know if someone else is watching us…

What happens with the messages not known by Spy++? How are we going to see them? Look what happens with many of the messages used by the standard ListView in windows. Spy++ does not know anything about them if the window is subclassed (for example ATL:SysListView32), and cannot trace its content. Try following LVM_GETNEXTITEM in Outlook Express and you will only see unknown 0x100C messages. The same goes for custom user messages that you may know and want to follow. We need an application that can be customized to our needs!

Deviare Message Spy

To probe our theory, we have built this message spying application. We have added to it a way to lookup windows handlers, hook the process owning it, and correctly report the messages and structures.

Finding a Window: The Spy++ Style Window Finder

To pick the target window and the process we wanted an interface like the one used in Process Explorer and Spy++. Thanks to Mark Belles this was an easy task. He has a great article on how to implement a nice Window Finder, in Code Project.

Selecting a window selected window info

Hooking

In order to install a hook, first we need to identify our target process. After obtaining a window handle from our Window Finder, we can use GetWindowThreadProcessId to identify which process owns the window. From there we use the .Net API to access it and tell Deviare which process we wish to hook.

Win32.GetWindowThreadProcessId(hWnd, out _processId);
_txtProc.Text = Process.GetProcessById(_processId).MainModule.ModuleName

For our monitoring we have divided the API in 2 sets: the Dispatch group, and the Sent and Post group. Monitoring messages that arrive to the first group will provide us with a very similar view of what Spy++ sees. This is because these messages arrived to the application and have not been filtered by any hook. With our second group, we will identify direct and asynchronous calls to the Message API.

Let’s see how we install the hook for one of these functions:

procs = _mgr.get_Processes(0);
procs = _mgr.get _Processes(0)
proc = procs.get_Item(_processId)
IPEModuleInfo mod = proc.Modules.get_ModuleByName("user32.dll");
IExportedFunction fnc = mod.Functions.get_ItemByName("PostMessageW");
_hook = _mgr.CreateHook(fnc);
_hook.Attach(proc);
_hook.OnFunctionCalled += new Deviare.DHookEvents_OnFunctionCalledEventHandler(_hookPst_OnFunctionCalled);
_hook.Properties = (int)DeviareCommonLib.NktHookFlags._call_before;
_hook.Hook();

As you see, we easily pick our target process by Id and select its Module and Function by name. The module name is not important, as it is always going to be “user32.dll”. If you have doubts, you can use Spy Studio to watch the process modules and exported functions.

Once the hook gets installed, we will receive notifications on our handler. From there we parse the function parameters transparently with the interface provided. (These parameters are actually in the target process, and Deviare copies them to our process on our demand and handles all the communication).

int returnVal = callInfo.ReturnValue;
IParams pms = callInfo.Params;
IEnumParams enm = pms.Enumerator;
IParam pm = enm.First;
IParam recvMsgHndl = pms.get_Item(0);
IParam recvMsgParam = pms.get_Item(1);
IParam recvWParam = pms.get_Item(2);
IParam recvLParam = pms.get_Item(3);

After reading all the data we require from the call, we will use our generated Xml to identify the message and properly cast it to its structure and show it properly.

The XML

The XML document in this application was created specifically to link together the message names, values and parameters. As messages like WM_LBUTTONDOWN are predefined as 0×201 we can place this in a XML file containing information on the parameters WPARAM and LPARAM.

<message value="0x201">
<name>WM_LBUTTONDOWN</name>
<return value="">
<returninfo></returninfo>
<returnmisc></returnmisc>
</return>
<wparam value="">
<wname>wParam</wname>
<wmisc>wParam Indicates whether various virtual keys are down. This parameter can be one or more of the following values.
MK_CONTROL
The CTRL key is down.
MK_LBUTTON
The left mouse button is down.
MK_MBUTTON
The middle mouse button is down.
MK_RBUTTON
The right mouse button is down.
MK_SHIFT
The SHIFT key is down.
MK_XBUTTON1
Windows 2000/XP: The first X button is down.
MK_XBUTTON2
Windows 2000/XP: The second X button is down.</wmisc>
</wparam>
<lparam value="">
<lname>lParam</lname>
<lmisc>lParam
The low-order word specifies the x-coordinate of the cursor. The coordinate is relative to the upper-left corner of the client area.
The high-order word specifies the y-coordinate of the cursor. The coordinate is relative to the upper-left corner of the client area.&amp;amp;amp;amp;lt;/lmisc&amp;amp;amp;amp;gt;
</lparam>
<misc></misc>

We could not find any database with this information, so we generated an XML document with the messages that we were interested in knowing about. As you can see, it is easy to simply add any message you want. In the process of building this XML, we used a very nice tool called ApiViewer from ActiveVB.de. Just search for the message names you want and you can evaluate the message values from the names.

The Cast

Now that we can identify the structures used on messages, we need to tell Deviare. Basically we are telling it to interpret our parameter, not as a simple LPARARM or WPARAM type, but as the complex structure we know is there. This is the case for messages like WM_DRAWITEM. So, to read it’s structure contained within the LPARAM we need to cast it as follows:

IParam pm = pms.get_Item(2); //LPARAM
pm = pm.CastTo(“LPDRAWITEMSTRUCT”); //Now our IParam is read as a pointer to DRAWITEMSTRUCT
pm = pm.Evaluated; //Resolve the pointer indirection
//Ready to use IParam as the structure sent by the OS.

It is possible to do this with all of the structures you can find defined in the windows headers. So, you should be able to cast and read any of them that are used in within these messages.

Using Deviare Message Spy

Deviare Message Spy in Action

Deviare Message Spy in Action

Above we have our Deviare Message Spy in action. We selected the contacts list window from Outlook Express (at the bottom left) to spy on. You can see all the message values that were sent via Post and Send Message APIs. LVM_HITTEST has been expanded to show the full values received. As LPARAM is a pointer to the LVHITTESTINFO structure we can find all relevant information contained within.

Hope you enjoyed this article, and found it useful. Let us know what you think!

Requirements

Known Issues

Many messages have the same Hex Address, such as TB_GETITEMRECT and TTM_UPDATE. Both of these messages have the value of 0x41d but are very different messages.

The TTM_UPDATE Message Forces the current tool to be redrawn. It does not use the wParam and lParam where as TB_GETITEMRECT Message Retrieves the bounding rectangle of a button in a toolbar.

TB is a Toolbar message and TTM is a Tooltip message. As our Spy++ style window finder already finds the window class, such as SysListView32 and ToolbarWindow32, It would be easy to use the class name to tell the program with Xml message is the correct one.

Resources

 

, , , , , , , , , , ,

Monitoring Outlook COM Objects with Deviare

December 1st, 2008 | Posted by Pablo Yabo in .NET | C# | C++ | Deviare | Microsoft | Office 2003 | Office 2007 | Office 2010 | Outlook 2003 | Outlook 2007 | Outlook 2010 | programming | reverse engineer | services - (0 Comments)

We all remember when Ole Automation came out. We were all impressed how simple it was to implement a few COM Interfaces, place a toolbar and interact with the office package. Soon the competition began to show who could create the best and most creative Add-on. How many times did you wonder how that other plug-ins “did that”? What if now you can even know how Outlook, or any Office application operates? Well, my friend, take a closer a look…

This Deviare example is implemented as an Outlook Add-on. We have used C# .Net, but you can use any language that supports Component Object Model.

We are using 2 threads to avoid freezing the application. The first one is the standard thread where Outlook report its events to us. The second is our worker thread where we create an output window to print our messages and a Deviare Event Proxy to process functions’ calls.

sc1

From the events Outlook provides us to work with we are only interested in OnStartupComplete. Here we know that Outlook is done with all its initialization and we can start hooking its interfaces. As a regular plug-in we ask for the Outlook Application, Active Explorer, CommandBars and create a CommandBarButton. We are going to intercept all of them and see how their members are used.

sc2

Notice that to obtain the interface we don’t use the class implementation, but the underlying interface definition. That’s why, when calling HookInterface, we send the Type of Outlook._Application and not Outlook.Application. The second one, is the .Net wrapper, and the first one is the Ole Interface.

To intercept these objects, Deviare needs some information. The necessary elements are the COM Object Interface (that would be its virtual table), which members we are interested in (specified by index), and the name of the Interface. Identifying the interface by name, will let Deviare find all the information it needs during the call, so you can handle its parameters the same way we did with any function hook. To gather all this the .Net Framework provides us with marshaling facilities (System.Runtime.InteropServices.Marshal), this makes our lives pretty easy ;) .

sc3

And that’s all. We print our calls, and see our results:

sc4

Cheers, and happy coding!

, , ,

MSN Messenger Live Plugin Development Article Published

November 4th, 2008 | Posted by hernandp in C++ | opensource | programming | releases - (20 Comments)

We have published an extensive article about Live Messenger applied research in the field of plugin development, entitled “Windows Live Messenger Plugin Development Bible” at the CodeProject website.

The article carefully explains several reversing and  hooking techniques to extend the application functionality:

  • Proxy DLL implementation
  • API hooking through our Trappola library
  • Applied window subclassing to add ‘skinned’ window classes
  • Runtime resource addition and modification (i.e. toolbar buttons and bitmaps)
  • Contact information through Live Messenger COM Interface
  • Contact selection interception with Active Accessibility COM objects

Although focused at Windows Live Messenger, the article is useful for anyone interested on the topic of  reversing for extending applications, querying internals or implementation of interoperability solutions on the Windows platform.

The code is available in both in binary and source format and is released under the GNU General Public License.

Download binary DLLs – 123.47 Kb

Download source code (VS 2005 Solution) – 241.36 Kb

Enjoy it and tell us what you think about it.

We offer development services to build Windows Live Mail Plugins

, , , ,

Deviare COM Spy Console is out!

October 28th, 2008 | Posted by Pablo Yabo in C# | C++ | Deviare | programming | videos - (0 Comments)

Today we have released a console for monitoring and spying on applications using Microsoft’s Component Object Model. This technology is used in many professional applications and now you are able to watch them in action too!

Deviare’s last integration is the ability to intercept COM interfaces. Using this technology and heuristics to discover this interfaces, the console lets you see which interfaces are being used by an application, and how they made their calls.

Here is an example monitoring the Windows Live Messenger:

As you have seen, we found the instantiation of IwebBrowser2. Since we don’t know what we want to see yet, we hooked every member except IDispatch (not necessary here). Then, the console printed calls for Navigate2 (among others), and we could see where the little browser at the bottom of messenger was getting its Adverts from.

The console is open source, so feel free to contribute on it. In this first release, it contains only one method to discover the creation of interfaces, but many others may be added. Go chase them ;) .

Download Deviare COM Spy Console

, , , , ,

Nektra’s hook engine for Windows.

July 15th, 2008 | Posted by Pablo Yabo in C# | C++ | Deviare | examples | products | programming | reverse engineer | services - (3 Comments)

Today we are releasing Trappola, our hook engine, under LPGL license. It has been a part of Deviare since its early beginning. And we think it reached a maturity level that any developer can appreciate.

There are several libraries that provide some of the functionality we give here. But most of them are theoretical examples, or very custom, that do not adjust well to every situation. In contrast, we designed it to suit to most situations and solve most common mistakes, as the ones seen on multithreading environments.

Inside the library, you’ll find a small yet powerful example. Let’s take a look at it:

The example’s goal is to deny access to a complete folder tree (My Documents) and hide any executable file from the dialog. Two kernel’s functions will be intercepted:

fnc_desc2

For our first task, we hook FindFirstFileW. From here we block any access attempt to our folder or any child in it.

fnc_ff

This hook is handled before the actual call is made. So, when we set the last error to access denied and ask our hook to skip the call, the kernel function is never reached, and the caller is prevented from enumerating it. Also, we are returning an invalid handle, as defined by the documentation.

To hide executable extensions from the user, we will hook FindNextFileW. A program call this function to navigate files in a folder. What we do here is intercept calls just before they return to the caller. There we see if the file found is of any interest to us.

fnc_fn

As shown, if we need to skip this call, we simply call the function again. This way, the result goes unknown from the caller. To cleanly return the next item, we make sure that the return value and last error get to the caller.

Please remember that this an open source project. Feel free to add any changes you see fit. We’ll keep on using it on our products, so don’t hesitate in sending us any bug report of feature request. We’ll try our best to add them.

Now go download the library and try it your self ;) . Or take a mayor step and get Deviare.

,

GoogleToolbar PageRank requests

June 17th, 2008 | Posted by Pablo Yabo in examples | products | programming | reverse engineer | security | services | SpyStudio - (2 Comments)

Using our API hooker SpyStudio I wrote a script to intercept http requests done using wininet.dll API coming from a specific module of a process. The script keeps request information (server and url) to display in next calls and let filter requests to a specific server. Its name is httpReport.py and can found in SpyStudio v1.0.1 distribution.

httpReport navigates the stack in each call to wininet.dll functions to see what module called the hooked function, filtering all modules except the specified. This feature and server name filtering, allow a fine interception.

To use the script keep only one instance of iexplore.exe (the script will only hook the first instance if there are more than one) and type these lines in SpyStudio python console:

import httpReport
httpReport.startIe(‘toolbarqueries’, ['googletoolbar2.dll'])

The script will display queries done to a server that contains the string ‘toolbarqueries’ coming from module ‘googletoolbar2.dll’.

For example, if TechCrunch page is inserted in the address bar we get a wininet.dll!InternetConnectA call to ‘toolbarqueries.google.co.uk’ server and then a GET request to this url:

/search?client=navclient-auto&googleip=O;64.233.169.147;266&iqrn=ZjbD&orig=0PnmJ&ie=UTF-8&oe=UTF-8&features=Rank:&q=info:http%3a%2f%2fwww%2etechcrunch%2ecom%2f&ch=751153802320

There are some parameters that need more research to be understood but there are some others we can tell something:

googleip: indicates Google server used for the query

ie: iexplore encoding?

oe: maybe Outlook Express encoding?, only a bad guess

features: what we are asking to the server (here ‘Rank’)

q: encoded url (http%3a%2f%2fwww%2etechcrunch%2ecom%2f = http://www.techcrunch.com/)

ch: it looks as a function to the url to prevent other client to do the same requests

Then, wininet.dll!InternetReadFile return the http response (to see it enable the option ‘Show Params on Return’ in Preferences):

‘Rank_1:1:8n’

that indicates that the page visiting has PageRank 8.

This process is repeated for every page you visit so Google can collect all the pages browsed by all the users using GoogleToolbar. That’s why it may be considered as a spyware.

Google Treasure Hunt puzzles are too easy?

May 23rd, 2008 | Posted by Pablo Yabo in Java | opinion | PHP | programming - (0 Comments)

Seems that the Google guys are getting softy. The last two questions of the Google Treasure Hunt 2008 were easily solved.

The Question #1 is about paths. We have a robot that can move down or right, in a n x m grid. So how many possible paths exists, from the top left to the top right?

It gets solved just searching in Google for “grid path right down” from there you will get the equation that you must run on any language that has Big Integer implementations, since involves the calculations factorial.

Example of our solution for the first puzzle in Java:

BigInteger dividend = factorial( (rows-1)+(columns-1) );
BigInteger divisor = factorial(rows-1).multiply(factorial(columns -1));
System.out.println(dividend.divide(divisor));

The Question #2 seems to be even easier. It involves to transverse a directory tree, filtering the files that verifies 2 conditions based on the path string and the extension string (like .txt or .xml). Then reading some specific line. All files are text files this simplifies then things even more. Nothing hard to any programmer.

Snippet of our solution for the second puzzle in PHP:

// Setting where's the Google Treasure Hunt Directory
$dirbase = 'GoogleTreasureHunt08_11336769377172459175';

// Creating and loading the directory Tree
$tree = new Mytree($dirbase);
$tree->load();

// Getting the leaf Files
$leafs = $tree->get_leafs();

// Filtering to files that satisfies the conditions
$cond1 = array_filter ($leafs, filter_bycond1);
$cond2 = array_filter ($leafs, filter_bycond2);

// Doing the sums at the right line number
$sum1 = array_reduce($cond1, create_function('$v, $node',
             '$v = ($v == null) ? 0 : $v;'.
             '$v += (int)read_line($node->data, 5);'.
            'return $v;'));
$sum2 = array_reduce($cond2, create_function('$v, $node',
            '$v = ($v == null) ? 0 : $v;'.
            '$v += (int)read_line($node->data, 5);'.
            'return $v;'));

echo $sum1, '<br>';
echo $sum2, '<br>';

// Obtaining result
echo $sum1 * $sum2;

So as you see, there’s no complication at all. I would expect some challenge when Google uses the “Puzzle” word. Maybe they aren’t what they were? I don’t know, but I will be expecting some real challenge to solve :) .

Robot solution:  GTH Q1 Java solution

File transeversing solutino: GTH Q2 PHP solution

outlook express plugin windows live mail plugin windows live mail api application virtualization microsoft app-v shim outlook plugin development outlook development audio recorder capture sdk skype g-talk msn messenger IDirectSound / IAudioClient / MCI Wave API / Direct buffer writes capture recorder sdk apple mail plugin
windows system internals API Hook api intercept api hook api monitor api spy windows7 migration Track dll error Track COM error Ajax web scraping javascript web scraping Internet Explorer Knowledge Base