Deviare API Interception v1.0.1 Released

2010 August 24th | By Pablo Yabo | Comments (0)

Under: C# - C++ - Deviare - application virtualization - reverse engineer - services

A new version of Nektra Deviare API Hook is now released. This version has lots of fixes for bugs that I found over the last year while working with the library in application virtualization solutions and reverse engineering.

I found some stability issues that generated deadlocks, the stack trace wasn’t working as defined, and this version also has important performance improvements. There are also more functions in the database, and some data types, arrays and enumerations, were not working at all.

[Screenshot: New C# hooking console]

Highlights

  • Process / Module / Function panels
  • Functions that are included in the database are displayed with full parameter information.
  • Execution hooks (aka ‘Add Exec Hook’) allow the user to add hooks when an application starts. This is useful to debug an application that crashes at startup.
  • Parameter information can be displayed both before and after the function is called.
  • Full Stack trace information.
  • Function calls can be displayed grouped by thread.
  • CLSID and IID are displayed in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} format and with registration information:

[Screenshot: CoCreateInstanceEx hook showing CLSID and IID with registration information]

  • Structure parameters are expanded to show all their fields. This picture shows a call to Kernel32.FindFirstFileW with the _WIN32_FIND_DATAW parameter expanded.
    [Screenshot: FindFirstFileW call with _WIN32_FIND_DATAW expanded]
  • Lots of Windows messages are supported. The LPARAM and WPARAM parameters of the user32.dll functions DispatchMessage, PostMessage, SendMessage, PeekMessage and GetMessage are interpreted as the real data type they carry. Here an LVM_INSERTCOLUMNW (the ListView_InsertColumnW macro in C++) is sent and the lParam is displayed as a tagLVCOLUMNW*:

    [Screenshot: LVM_INSERTCOLUMNW message with lParam expanded as tagLVCOLUMNW*]

    In the file $INSTDIR\Bin\Database\FunctionTypes.xml you can find all the definitions. They are of this style:

        <message value="442">
          <name>TB_SETBUTTONINFOA</name>
          <return value="">
            <returninfo>returns LRESULT in lResult</returninfo>
          </return>
          <wparam value="INT">
            <wname>iID</wname>
          </wparam>
          <lparam value="LPTBBUTTONINFO">
            <lname>
            </lname>
          </lparam>
        </message>

    This definition means that message 0x442 is named TB_SETBUTTONINFOA, its WPARAM is an INT and its LPARAM is an LPTBBUTTONINFO. The code to convert a parameter to another type is very easy using Deviare:

        // pm is the parameter object for lParam; CastTo() returns null when the
        // requested type is not in the database
        pm = pm.CastTo("LPTBBUTTONINFO");
        if (pm == null)
        {
            // data type is not in the database
        }

    Adding other message definitions to that XML file changes how the C# message-handling functions interpret them. The same method can be used for any other function that has a variable-type parameter, such as DeviceIoControl.
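A parser for message definitions in this format, as an added example that is not part of the Deviare package: it builds the message-number table the console relies on and treats a missing entry the same way CastTo() does (no guess, the caller gets None). The XML is the single TB_SETBUTTONINFOA entry quoted above, wrapped in an assumed <functiontypes> root element; the real file's root element name is not shown in the post.

```python
"""Resolve WPARAM/LPARAM types from FunctionTypes.xml-style <message> entries."""
from dataclasses import dataclass
from typing import Dict, Optional
import xml.etree.ElementTree as ET

# Constructed sample database: the TB_SETBUTTONINFOA definition quoted in the
# post, wrapped in an assumed root element so it parses as a document.
SAMPLE_XML = """<functiontypes>
  <message value="442">
    <name>TB_SETBUTTONINFOA</name>
    <return value="">
      <returninfo>returns LRESULT in lResult</returninfo>
    </return>
    <wparam value="INT">
      <wname>iID</wname>
    </wparam>
    <lparam value="LPTBBUTTONINFO">
      <lname>
      </lname>
    </lparam>
  </message>
</functiontypes>"""


@dataclass(frozen=True)
class MessageDef:
    value: int                  # message number; the XML "value" attribute is hex (442 -> 0x442)
    name: str                   # symbolic name, e.g. TB_SETBUTTONINFOA
    wparam_type: str            # type the console casts WPARAM to
    wparam_name: Optional[str]  # <wname>, None when absent or blank
    lparam_type: str            # type the console casts LPARAM to
    lparam_name: Optional[str]  # <lname>, None when absent or blank (as in the sample)
    return_info: Optional[str]


def _text(elem: Optional[ET.Element]) -> Optional[str]:
    """Stripped element text, or None when the element is missing or blank."""
    if elem is None or elem.text is None:
        return None
    return elem.text.strip() or None


def parse_message_defs(xml_text: str) -> Dict[int, MessageDef]:
    """Build a message-number -> definition table.

    Entries without a parsable value, a <name>, a <wparam> or an <lparam> are
    skipped rather than guessed: an incomplete definition must never produce
    a wrong cast of untrusted message parameters.
    """
    table: Dict[int, MessageDef] = {}
    for msg in ET.fromstring(xml_text).iter("message"):
        try:
            value = int(msg.attrib["value"], 16)
        except (KeyError, ValueError):
            continue
        name = _text(msg.find("name"))
        wparam, lparam = msg.find("wparam"), msg.find("lparam")
        if name is None or wparam is None or lparam is None:
            continue
        table[value] = MessageDef(
            value=value,
            name=name,
            wparam_type=wparam.attrib.get("value", ""),
            wparam_name=_text(wparam.find("wname")),
            lparam_type=lparam.attrib.get("value", ""),
            lparam_name=_text(lparam.find("lname")),
            return_info=_text(msg.find("return/returninfo")),
        )
    return table


def resolve_lparam_type(table: Dict[int, MessageDef], msg: int) -> Optional[str]:
    """Type to cast LPARAM to for `msg`, or None when the message is not in
    the database (the equivalent of CastTo() returning null)."""
    entry = table.get(msg)
    return entry.lparam_type if entry else None


def describe_call(table: Dict[int, MessageDef], msg: int, wparam: int, lparam: int) -> str:
    """Label one SendMessage-style call the way the console would display it."""
    entry = table.get(msg)
    if entry is None:
        return f"WM 0x{msg:04X}: wParam=0x{wparam:X} lParam=0x{lparam:X} (not in database)"
    wname = entry.wparam_name or "wParam"
    lname = entry.lparam_name or "lParam"
    return (f"{entry.name}: {wname}=({entry.wparam_type}) {wparam}, "
            f"{lname}=({entry.lparam_type}) 0x{lparam:X}")
```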

COM Interception

Now Deviare COM Spy is part of the Deviare package, so you can get it by downloading Deviare. I’m not very happy with the application and I would like to make big changes in this area.

Deviare Services

Deviare is a very specific tool and it can take a special effort to get acquainted with its mechanism. We have a team of professionals that can help, so just ask.

  • Examples of interception code
  • Parameter retrieval and modification
  • Ad-hoc interception techniques for complex problems
  • COM interception (with or without the interface)
  • Interception of undocumented APIs
  • 64-bit interception
  • Debug server with interception techniques
  • Server monitoring
  • Server performance boost

More information at Deviare Services

Download

Request the package from the Deviare download section.

Nektra has released the new WLMailApi v1.0.2

2010 July 2nd | By Leo Pasut | Comments (0)

Under: .NET - C# - C++ - Java - PHP - WLMailApi - Windows Live - langs - programming - security - services

Nektra has released the new WLMailApi v1.0.2, which has many more features and functions and allows developers to create custom Windows Live Mail plug-ins.

Nektra Advanced Computing is glad to announce the release of the new WLMailApi version 1.0.2, a download of which you can request by clicking here. This new version is an update of the official WLMailApi RTM version, which was released over 6 months ago.

Creating addons or plugins for Windows Live Mail Desktop® demands a deep knowledge of its internal behavior, since it does not have any public Application Programming Interface.

Windows Live Mail is the desktop email client promoted by Microsoft for Windows XP®, Windows Vista® and Windows 7® as part of the Windows Live Essentials free software.

Contact us to ask any commercial question or use our forum for technical inquiries. For information about pricing or special demos please call 1-(310)237-6506.

The changes for this version are:

* Fixed: a memory leak when moving or deleting many messages left the wlmail.exe process running after closing it
* Fixed: WLMail crashed when it had an IMAP account
* Fixed: getting a Toolbar object during the WLMailApiEvents::OnFolderSelectionChange event froze WLMail
* Fixed the way WLMailApiAgent hooks the WLMail.exe process, to avoid WLMailApiLoader.dll being loaded in every process
* Implemented the WLMailApiEvents::OnNewMessageInOutbox event, which allows modifying and committing outgoing messages
* Implemented IWLMailApiEvents::OnSendButtonMsgWndClicked, which is triggered when a new message window is set to be sent
* Implemented MsgWnd::GetTo(), GetCc(), GetBcc(), GetSubject(), SetTo(), SetCc(), SetBcc() and SetSubject()
* Added the IMailAccountManager and IMailAccount interfaces to get the Default Account
* Implemented FolderManager::GetInboxFolder(), GetDraftFolder(), GetSentFolder(), GetJunkFolder() and GetDeletedFolder() for the Default Account
* Implemented the Folder::IsInbox(), IsDraft(), IsSent(), IsJunk() and IsDeleted() functions for the Default Account special folders
* Implemented the FolderManager::GetOutboxFolder() and Folder::IsOutbox() functions
* Added Unicode support to the main API functions:
  * IFolderManager::CreateFolder() and RenameFolder()
  * IFolder::GetName(), Rename(), CreateFolder() and CreateMessage()
  * IMessage::GetSubject(), GetAllBody(), GetBody(), GetBodyText(), GetBodyDisplayName(), GetFilename() and SaveAsFile()
  * IMessage: for the GetBodyProp() and SetBodyProp() functions, the message must already be encoded in Unicode

How to migrate NK2 Auto complete cache “suggested contacts” from Microsoft Outlook 2003 or 2007 to Microsoft Outlook 2010

2010 May 21st | By Leo Pasut | Comments (3)

Under: Auto Complete - C++ - Microsoft - Microsoft Exchange - Migration - NK2 - Office 2003 - Office 2007 - Office 2010 - Outlook 2003 - Outlook 2007 - Outlook 2010 - Windows Live - examples - opensource - opinion - products - programming - releases - services - suggested contacts - thunderbird

Note: You must exit Outlook 2003, 2007 or 2010 before starting the following procedure. The names will be included in AutoComplete when you restart Outlook.

1. On the computer (Office 2003 or 2007) with the saved AutoComplete names, go to “drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook”.
   Note: Depending on your operating system (Windows 7, Windows Vista, Windows XP or Windows 2000) or the folder options, the folder might be hidden. To view the files in this folder, do one of the following:
   Windows 7
     1. Click Start, and then click My Computer.
     2. On the Tools menu, click Folder Options.
     3. Click the View tab, and then, under Advanced settings, under Hidden files and folders, click Show hidden files and folders.
     4. Uncheck Hide extensions for known file types.
   Windows Vista
     1. Click Start, and then click My Computer.
     2. On the Tools menu, click Folder Options.
     3. Click the View tab, and then, under Advanced settings, under Hidden files and folders, click Show hidden files and folders.
     4. Uncheck Hide extensions for known file types.
   Microsoft Windows XP
     1. Click Start, and then click My Computer.
     2. On the Tools menu, click Folder Options.
     3. Click the View tab, and then, under Advanced settings, under Hidden files and folders, click Show hidden files and folders.
   Microsoft Windows 2000
     1. Double-click My Computer on your desktop.
     2. On the Tools menu, click Folder Options.
     3. Click the View tab, and then click Show hidden files and folders.
2. Right-click profile name.nk2, and then click Copy.
   Tip: You can copy the file to removable media, such as a USB key (pen drive) or a CD (DVD), and then copy the file to the correct location on the other computer. Or you can attach the file to an e-mail message and send the message to yourself. On the new computer, open the attachment, and then save it to the correct location.
   Note: You must exit Outlook before starting the following procedure. The names will be included in AutoComplete when you restart Outlook.
3. On the Office 2010 computer to which you want to migrate the AutoComplete feature, paste the NK2 file into drive:\%user name%\%appdata%\Microsoft\Outlook.
4. If prompted about replacing the existing file, click “Yes”.

Note that the .nk2 file must have the same name as your current Outlook 2010 profile. By default, the profile name is “Outlook”. To check the profile name, follow these steps:

1. Click Start, and then click Control Panel.
2. Double-click Mail.
3. In the Mail Setup dialog box, click Show Profiles.
4. Click Start, and then click Run.
5. In the Open box, type outlook.exe /importnk2, and then click OK. This will import the .nk2 file into the Outlook 2010 profile.

Nektra Advanced Computing is developing a tool that will automatically create a .NK2 file from Outlook Express (using OEAPI), Windows Mail (using OEAPI) and Windows Live Mail (using WLMAPI), and then export it to Outlook 2003, Outlook 2007 and Outlook 2010. We also offer a solution service from any legacy environment/platform to any new environment/platform. For information about pricing or demos, please call 1-(310)237-6506.

Nektra’s Windows Live Mail API interacts with all the Windows Live Mail storage folders; Windows Live Mail is part of the Microsoft Windows Live Essentials

2010 February 23rd | By Leo Pasut | Comments (0)

Under: .NET - C# - C++ - Java - PHP - WLMailApi - Windows Live - langs - products - programming - services - videos

Nektra Advanced Computing is glad to announce that we are always working on Windows Live Mail API improvements based on all your feedback. Now, in our Windows Live Mail API Trial, you are able to access the storage folders with read, write, delete, move, rename and clone capabilities. We are also able to append text and/or HTML code inside each cloned message. Here is a screenshot of the Message Bodies in our WLMailApi C# Demo, and below it a video showing more capabilities of our product.

[Screenshot: Microsoft Windows Live Mail API C# Demo Message Bodies]

Contact us to ask any commercial question or use our forum for technical inquiries.

Windows Live Mail Plugin API v1.0.1 Released

2010 January 7th | By Leo Pasut | Comments (2)

Under: .NET - C# - C++ - WLMailApi - Windows Live - extensions - products - programming - releases - services

Nektra has released the new WLMailApi v1.0.1, which allows developers to create custom Windows Live Mail plug-ins.

Nektra Advanced Computing is glad to announce the release of the new WLMailApi version 1.0.1, a download of which you can request by clicking here. This new version of WLMailApi has left the Beta stage and is now an official RTM version.

Creating addons or plugins for Windows Live Mail Desktop® demands a deep knowledge of its internal behavior. Its Application Programming Interface (API) is undocumented and there is no SDK available. Even the public interfaces IStoreNamespace and IStoreFolder, supported in both Outlook Express® and Windows Mail®, are not present in this new email client.

Windows 7® will not include Outlook Express or Windows Mail; its users will be forced to move to Windows Live Mail. Your product can be one of the first that plugs in!!!

Contact us to ask any commercial question or use our forum for technical inquiries.

This is the change log from previous version:

* Exiting from the system tray icon’s context menu crashed WLMail
* A stack overflow was produced when many database notifications were triggered
* There was a memory leak when handling database events
* C# DLL Demo solution made WLMail freeze after the evaluation expiration message when it was executed in Debug mode
* First events could get lost at startup before the first folder/message selection change event
* WLMailApi::GetCurrentMessageID() always returned -1 at startup until message selection was changed
* WLMailApi::GetCurrentMessageID() and NktWLMailApi::GetFirstSelectedMessageID() responses were not updated after current/selected message was deleted
* The WLMailApiEvents::OnDatabaseChange NKT_TR_INSERT_MESSAGE case was not triggered when messages were inserted in the Deleted Items folder
* Message.Delete(0) did not work when the message was in the Deleted Items folder
* WLMailApiEvents::OnCurrentMessageChanged event was not triggered if the current message was changed by selecting another message using “Ctrl + Click”
* When an unread message was selected in WLMail and was automatically marked as read, two WLMailApiEvents::OnDatabaseChange events (first NKT_TR_UNREAD_MESSAGE and then NKT_TR_READ_MESSAGE) were triggered instead of just one (NKT_TR_READ_MESSAGE)
* ToolbarButton::SetName and SetTooltip did not work if they were called after the button was created
* Message::SaveAsFile() output file was corrupt if Message::GetHeader() was previously called
* Improved and corrected C++ and C# DLL Demos
* The solutions of the package now require Visual Studio 2008

The Nektra staff wishes you all a happy new year!

Best regards,

Nektra’s WLMailApi Team

Windows Live Mail Plugin

2009 April 27th | By Pablo Yabo | Comments (0)

Under: Windows Live - services

Microsoft™ decided some time ago to include its free email client in its Live™ technologies. Many customers asked us to develop a library for Microsoft Live Mail™ with the same features our product OEAPI has.

We have done important research in this area and we are now offering Windows Live Mail Plugin API to develop plug-ins for this email client. The add-ins are able to create toolbars, interact with the storage, get the selected message and folder, etc. Most of the features that are present in OEAPI can be done in Windows Live Mail tm.

We are now offering WLMailApi, a library implementing functionality similar to what OEAPI provides for Outlook Express and Windows Mail. WLMail lacks any public interface; even the public interfaces IStoreNamespace and IStoreFolder were removed.

You can also contract Nektra to develop your plug-in; see our service page Windows Live Mail Plugin Development.

Customize Windows Live Mail GUI

Your product can:

  • Create a toolbar
  • Create buttons
  • Access the storage

This screenshot shows a sample anti-spam software that has a toolbar that is able to get message list information.

[Screenshot: Windows Live Mail anti-spam toolbar sample]

DirectSound Capture Using Deviare.

2009 February 24th | By Pablo Yabo | Comments (4)

Under: Deviare - Python - examples - opinion - products - programming - reverse engineer - services

Introduction

Today we are going to see how easy it can be to capture audio with Deviare: from players like Windows Media Player and instant messaging applications like Skype and Windows Live Messenger to any application using DirectSound, the wave output will get captured by us. Deviare is indeed a powerful framework, built to resolve the most complex tasks in the simplest way. With a few lines of Python, all our hooking is done and running. Today performance is extremely important, yet Deviare proves itself the best. It also allows you to take advantage of the full power of Python.

Research

Direct Sound Capturing

I must be honest, I’ve never used the DirectX API in my life, so I was a bit uncertain of how difficult this could be. I started by looking at the MSDN documentation on IDirectSound and IDirectSoundBuffer. The first goal was to find a safe place to read its sound buffers. I found out that IDirectSoundBuffer::Unlock could serve my intentions well. At this point, the user is telling DirectSound that he has finished writing his wave output and the locks may be released. So, if we step in between, we can safely read the buffer. The user is no longer writing to it, and DirectSound has not yet taken control of it. I tested it on many applications and it turned out to be the right choice. It works perfectly for WMP, Windows Live Messenger, and many others. No problems showed up until I ran into Skype…

Monitoring Skype Conversations

This might be the way many applications handle their sound output, but Skype was the first application I saw doing it and I named the case after it. Later, I found a few articles describing it in detail. So, to my surprise, I was not seeing any data being written to the sound buffers after the unlock was called. How the hell is it writing its wave, and how am I supposed to read it?! It kept me thinking for a while, until I noticed an interesting and constant call to IDirectSoundBuffer::GetCurrentPosition. Then I realized that this writing method depends on constant reading of the play and write buffer pointers. That’s because DirectSound, like most stream-based implementations, works with a circular buffer. Capturing its wave output requires that we keep track of changes in the write pointer. Once we know it has moved forward in the buffer, we can read its steps. Since here we don’t know how much the user has actually written to it, we must know the full size and location of the buffer. Unless we want to read garbage, but I’m sure that’s not the case ;).

Implementation

Deviare Python wrappers

Before we get our hands dirty, let me introduce you to something new in Deviare: Python wrappers. As you already know, Deviare is exposed through a series of COM interfaces. To save ourselves from the work of writing a whole new set of bindings, we used the well-known project PyWin32. It’s very friendly to use directly, as you may see in py_deviare_objects.py, just not enough for me. So I built these wrappers on top of it and made them as transparent as possible. You’ll find the use of the interface very similar to the way it’s done in our C# examples, and in compliance with the Python way of life, of course.

Wave Tools

I wrote these tools to help me write down the captured wave data. This may be obvious to people working on audio projects, but I cannot believe there is no native support in Windows to read and write WAV files! Yes, there is native support to write RICH content, but come on! Luckily for me, I found a small sample C++ class inside the DirectX SDK. This was good enough for me to write my own in Python. As you may see, my WaveFile class only supports the write operation, though adding a read member should be easy enough for you :). I have also added a lock to it, to ensure our data does not get corrupted by operations from multiple threads. You may use it safely. The structures used were defined exactly as found in the DirectSound and WinMM headers. Some of them are used by DirectX to specify the format of the wave content.
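Added example (not the WaveFile class from the post's sources): a RIFF/WAVE PCM writer with the same lock-protected write, plus the read side the post leaves as an exercise, so the header can be checked. Field names follow WAVEFORMATEX from the WinMM headers; the output stream is assumed to be any seekable binary file object (an open file or io.BytesIO).

```python
"""Minimal RIFF/WAVE PCM writer (lock-protected) and header reader."""
import io
import struct
import threading
from dataclasses import dataclass
from typing import Iterable, Tuple

# WAVEFORMATEX as laid out in the WinMM headers (little-endian):
#   WORD wFormatTag; WORD nChannels; DWORD nSamplesPerSec;
#   DWORD nAvgBytesPerSec; WORD nBlockAlign; WORD wBitsPerSample; (WORD cbSize)
WAVE_FORMAT_PCM = 1
_FMT_CHUNK = struct.Struct("<HHIIHH")   # PCM 'fmt ' body: 16 bytes, cbSize omitted
_HEADER_LEN = 44                        # RIFF(12) + fmt chunk(24) + data header(8)


@dataclass(frozen=True)
class WaveFormat:
    channels: int
    samples_per_sec: int
    bits_per_sample: int

    @property
    def block_align(self) -> int:          # nBlockAlign = nChannels * wBitsPerSample / 8
        return self.channels * self.bits_per_sample // 8

    @property
    def avg_bytes_per_sec(self) -> int:    # nAvgBytesPerSec = nSamplesPerSec * nBlockAlign
        return self.samples_per_sec * self.block_align


class WaveFile:
    """Writes a RIFF/WAVE container.  The RIFF and data sizes are unknown until
    close(), so placeholders are written first and patched at the end."""

    def __init__(self, stream, fmt: WaveFormat) -> None:
        self._stream = stream
        self._fmt = fmt
        self._lock = threading.Lock()      # several hook threads may call write()
        self._data_bytes = 0
        self._write_header(0)

    def _write_header(self, data_bytes: int) -> None:
        s = self._stream
        s.seek(0)
        s.write(b"RIFF")
        s.write(struct.pack("<I", 36 + data_bytes))     # total file size minus 8
        s.write(b"WAVE")
        s.write(b"fmt ")
        s.write(struct.pack("<I", _FMT_CHUNK.size))
        s.write(_FMT_CHUNK.pack(WAVE_FORMAT_PCM, self._fmt.channels,
                                self._fmt.samples_per_sec, self._fmt.avg_bytes_per_sec,
                                self._fmt.block_align, self._fmt.bits_per_sample))
        s.write(b"data")
        s.write(struct.pack("<I", data_bytes))

    def write(self, pcm: bytes) -> int:
        """Append raw PCM; returns the total data bytes written so far."""
        with self._lock:
            self._stream.seek(0, io.SEEK_END)
            self._stream.write(pcm)
            self._data_bytes += len(pcm)
            return self._data_bytes

    def close(self) -> int:
        """Patch the size fields; returns the final data byte count."""
        with self._lock:
            self._write_header(self._data_bytes)
            self._stream.seek(0, io.SEEK_END)
            return self._data_bytes


def write_wave_to_bytes(fmt: WaveFormat, chunks: Iterable[bytes]) -> bytes:
    """Write PCM `chunks` into an in-memory WAV file and return its bytes."""
    buf = io.BytesIO()
    wf = WaveFile(buf, fmt)
    for chunk in chunks:
        wf.write(chunk)
    wf.close()
    return buf.getvalue()


def read_wave_header(blob: bytes) -> Tuple[WaveFormat, int]:
    """Parse a header written by WaveFile; returns (format, data_bytes).
    Raises ValueError on anything malformed or inconsistent."""
    if len(blob) < _HEADER_LEN or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    if blob[12:16] != b"fmt " or struct.unpack("<I", blob[16:20])[0] < _FMT_CHUNK.size:
        raise ValueError("unexpected fmt chunk")
    tag, ch, rate, avg, align, bits = _FMT_CHUNK.unpack(blob[20:36])
    if tag != WAVE_FORMAT_PCM:
        raise ValueError(f"unsupported format tag {tag}")
    fmt = WaveFormat(ch, rate, bits)
    if (avg, align) != (fmt.avg_bytes_per_sec, fmt.block_align):
        raise ValueError("inconsistent fmt fields")
    if blob[36:40] != b"data":
        raise ValueError("data chunk not where this writer puts it")
    (data_bytes,) = struct.unpack("<I", blob[40:44])
    if data_bytes > len(blob) - _HEADER_LEN:
        raise ValueError("data chunk size exceeds file")
    return fmt, data_bytes
```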

COM Type Libraries

By default, DirectX installations do not register their type libraries. Since we need that information so Deviare can hook them, I created my own definitions with the interfaces we are interested in. To prevent any collision with previous installations, I used a different GUID. There is a Python script that takes care of its registration, and it is automatically run on demand by our example. Again, the definitions are exactly as found in the DirectX SDK.

Virtual Table Finder

To obtain the virtual tables for the interfaces, we basically have two options. Either we wait for their instantiation by the target process, or we find them ourselves. The first option is known to work for sure, yet we delay our installation until these events arise. This may also put us in a race and we may not capture all the output. The second one allows us to hook our targets immediately. Yet, in this case, we depend on the library (dsound.dll) being loaded in the address space of our target. I have placed both options in our example. If the current one is not working for you, uncomment the other in py_deviare_directsound.py.

Hooking Direct Sound

The first thing we need is to know every time a sound buffer is created. For that we are going to intercept calls to IDirectSound::CreateSoundBuffer. If the call succeeds, we look up the table location inside the returned instance. From there we are going to hook four members of IDirectSoundBuffer: Initialize, SetFormat, Unlock and GetCurrentPosition. The first two are used to obtain the wave format that the user is writing to the buffer. We also need to watch the details of the call that creates the sound buffer, in case the format is specified there.

The Unlock member, as our research told us, is used in most applications to notify DirectX that the buffer is written and ready to be played. So we read the buffer pointers and size, and use Deviare’s memory interface to copy all the content. We need to be careful and check that the call actually succeeded. Only then can we save the wave data; otherwise we must discard our buffers.

With applications that keep track of the play and write cursors, we are going to monitor their calls to GetCurrentPosition. As explained earlier, with this method I need to know the full size of the buffer and its location, so I save it from the first call to Unlock. Then I virtually divide my buffer into N segments and fill it with the wave data as the write cursor moves forward in the buffer. Once my buffer contains enough data, I write it down to the wave file. To prevent false positives in the creation of sound buffers, I delay the creation of my file until I have real data stored.

In case we are monitoring the creation of IDirectSound in the target process, we also need to hook DirectSoundCreate and DirectSoundCreate8 from dsound.dll. There we can obtain the virtual table for IDirectSound and follow our quest.
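The cursor-tracking method from the Research section and the GetCurrentPosition path above, as an added example that is not part of the post's sources: the DirectSound secondary buffer is modelled as a bytearray and the cursor values stand in for what GetCurrentPosition reports. The simulation also shows the failure mode the Optimizations section warns about: poll too slowly and a whole lap of the circular buffer is lost without the cursor revealing it.

```python
"""Reconstruct a stream from a DirectSound-style circular buffer by tracking
the write cursor reported by GetCurrentPosition."""


class RingBufferCapture:
    """Accumulates the bytes written between successive write-cursor readings.

    `buffer` is the whole secondary buffer (we need its size and location, as
    the post notes) and `start_cursor` is the write cursor when tracking
    begins.  Only the region between the previous and the current cursor is
    treated as new data; wrap-around at the end of the buffer is handled.
    """

    def __init__(self, buffer: bytearray, start_cursor: int) -> None:
        self.buffer = buffer
        self.size = len(buffer)
        self.last_cursor = start_cursor % self.size
        self.captured = bytearray()

    def on_cursor(self, write_cursor: int) -> bytes:
        """Call on every GetCurrentPosition; returns the newly written bytes.

        If the application wrote a whole lap (or more) between two calls the
        cursor alone cannot reveal it: an equal cursor looks like 'no data'
        and a larger one yields a partial, wrong slice.  That is why the post
        insists the hook must return as fast as possible.
        """
        write_cursor %= self.size
        if write_cursor == self.last_cursor:
            return b""                               # cursor did not move
        if write_cursor > self.last_cursor:
            chunk = bytes(self.buffer[self.last_cursor:write_cursor])
        else:                                        # cursor wrapped past the end
            chunk = bytes(self.buffer[self.last_cursor:]) + bytes(self.buffer[:write_cursor])
        self.last_cursor = write_cursor
        self.captured += chunk
        return chunk


class RingBufferWriter:
    """Stand-in for the application side: writes into the circular buffer and
    advances the write cursor like a streaming player does."""

    def __init__(self, buffer: bytearray) -> None:
        self.buffer = buffer
        self.size = len(buffer)
        self.cursor = 0

    def write(self, data: bytes) -> int:
        """Write `data` at the cursor, wrapping; returns the new cursor."""
        for b in data:
            self.buffer[self.cursor] = b
            self.cursor = (self.cursor + 1) % self.size
        return self.cursor


def simulate(stream: bytes, buffer_size: int, chunk: int, poll_every: int) -> bytes:
    """Push `stream` through a circular buffer `chunk` bytes at a time, polling
    the write cursor after every `poll_every` writes.  The result equals
    `stream` only while chunk * poll_every stays below buffer_size."""
    buf = bytearray(buffer_size)
    writer = RingBufferWriter(buf)
    capture = RingBufferCapture(buf, start_cursor=0)
    for n, offset in enumerate(range(0, len(stream), chunk), start=1):
        cursor = writer.write(stream[offset:offset + chunk])
        if n % poll_every == 0:
            capture.on_cursor(cursor)
    capture.on_cursor(writer.cursor)                 # final flush after the stream ends
    return bytes(capture.captured)
```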

Running Sound Capture


Easy Steps

Execute the run_me.py located among the deployed files, and you’ll be prompted with a window to type the complete name of the process you want to start monitoring, for example Skype.exe. Once the program starts capturing, the wave files will be written in the same folder. Once you are done, click OK on the dialog box to stop recording. Now you can open the generated .wav files and listen to the capture. Do not open them before closing the example, as the data may not be readable by then.

Registration

The first execution of our example will automatically register its interfaces and data types. It will also generate a file named .deviare_types_registered to prevent registration on the following executions. You can safely remove the file at any time you want the registration to run again.

What’s Next

Optimizations

At any point of our handling, performance is essential. Any delay is highly punished in the sound output. So we must be careful about any operation we do inside the function call. This example tries to cache enough data before doing a write operation to disk. In case you need to improve its performance, you should read the data and release the call as soon as possible. Then, in a different thread or in a non-punitive call, flush the data to the wave file.

Wave API hooking

This example could very easily be adapted to capture wave data from applications using the WinMM API. Most browsers, Flash and Google Talk use it to produce their sound output.

Hook DirectSoundCapture And Listen To Full Conversations

You should have noticed, when capturing from Skype, that your own voice is not heard. That’s because the application is not echoing its capture from the microphone. To get that too, it is necessary to hook IDirectSoundCaptureBuffer and proceed the same way to read its buffer.

Inspect More COM Interfaces

If you want to discover a lot more about the internals of DirectSound, then Deviare will be very valuable for you. Inspecting COM objects is very easy indeed. Simply define one of their interfaces (if it is not already registered in the system) and hook them the simple way. If you are wondering what other interfaces may be useful for you, try our Deviare COM Console to discover them. It comes with source code, and you are free to adapt it to your needs! And that’s all folks, hope you find it useful, enjoy!


Monitoring Outlook COM Objects with Deviare

2008 December 1st | By Pablo Yabo | Comments (0)

Under: C# - Deviare - programming - reverse engineer - services

We all remember when OLE Automation came out. We were all impressed by how simple it was to implement a few COM interfaces, place a toolbar and interact with the Office package. Soon the competition began to show who could create the best and most creative add-on. How many times did you wonder how other plug-ins “did that”? What if now you could even know how Outlook, or any Office application, operates? Well, my friend, take a closer look…

This Deviare example is implemented as an Outlook Add-on. We have used C# .Net, but you can use any language that supports Component Object Model.

We are using two threads to avoid freezing the application. The first one is the standard thread where Outlook reports its events to us. The second is our worker thread, where we create an output window to print our messages and a Deviare Event Proxy to process function calls.


From the events Outlook provides us to work with we are only interested in OnStartupComplete. Here we know that Outlook is done with all its initialization and we can start hooking its interfaces. As a regular plug-in we ask for the Outlook Application, Active Explorer, CommandBars and create a CommandBarButton. We are going to intercept all of them and see how their members are used.


Notice that to obtain the interface we don’t use the class implementation, but the underlying interface definition. That’s why, when calling HookInterface, we pass the Type of Outlook._Application and not Outlook.Application. The second one is the .Net wrapper, and the first one is the OLE interface.

To intercept these objects, Deviare needs some information. The necessary elements are the COM object interface (that is, its virtual table), which members we are interested in (specified by index), and the name of the interface. Identifying the interface by name lets Deviare find all the information it needs during the call, so you can handle its parameters the same way we did with any function hook. To gather all this, the .Net Framework provides us with marshaling facilities (System.Runtime.InteropServices.Marshal), which makes our lives pretty easy ;).

And that’s all. We print our calls and see our results.

Cheers, and happy coding!

Nektra’s hook engine for Windows.

2008 July 15th | By Pablo Yabo | Comments (2)

Under: C# - C++ - Deviare - examples - products - programming - reverse engineer - services

Today we are releasing Trappola, our hook engine, under the LGPL license. It has been part of Deviare since its very beginning, and we think it has reached a maturity level that any developer can appreciate.

There are several libraries that provide some of the functionality we offer here. But most of them are theoretical examples, or very custom ones that do not adapt well to every situation. In contrast, we designed it to suit most situations and to solve the most common mistakes, such as those seen in multithreaded environments.

Inside the library, you’ll find a small yet powerful example. Let’s take a look at it:

The example’s goal is to deny access to a complete folder tree (My Documents) and hide any executable file from the dialog. Two kernel32 functions will be intercepted: FindFirstFileW and FindNextFileW.

For our first task, we hook FindFirstFileW. From here we block any access attempt to our folder or any child in it.


This hook is handled before the actual call is made. So, when we set the last error to access denied and ask our hook to skip the call, the kernel function is never reached, and the caller is prevented from enumerating it. Also, we are returning an invalid handle, as defined by the documentation.

To hide executable extensions from the user, we will hook FindNextFileW. A program calls this function to navigate the files in a folder. What we do here is intercept calls just before they return to the caller. There we see if the file found is of any interest to us.

As shown, if we need to skip this entry, we simply call the function again. This way, the result remains unknown to the caller. To cleanly return the next item, we make sure that the return value and last error reach the caller.

Please remember that this is an open source project. Feel free to add any changes you see fit. We’ll keep on using it in our products, so don’t hesitate to send us any bug report or feature request. We’ll try our best to add them.

Now go download the library and try it yourself ;). Or take a major step and get Deviare.

GoogleToolbar PageRank requests

2008 June 17th | By Pablo Yabo | Comments (2)

Under: SpyStudio - examples - products - programming - reverse engineer - security - services

Using our API hooker SpyStudio, I wrote a script to intercept HTTP requests made through the wininet.dll API from a specific module of a process. The script keeps request information (server and URL) to display in subsequent calls and lets you filter requests to a specific server. Its name is httpReport.py and it can be found in the SpyStudio v1.0.1 distribution.

httpReport walks the stack in each call to the wininet.dll functions to see which module called the hooked function, filtering out all modules except the specified one. This feature, together with server name filtering, allows fine-grained interception.

To use the script, keep only one instance of iexplore.exe running (the script will only hook the first instance if there are more than one) and type these lines in the SpyStudio Python console:

    import httpReport
    httpReport.startIe('toolbarqueries', ['googletoolbar2.dll'])

The script will display queries done to a server that contains the string ‘toolbarqueries’ coming from module ‘googletoolbar2.dll’.

For example, if the TechCrunch page is entered in the address bar, we get a wininet.dll!InternetConnectA call to the ‘toolbarqueries.google.co.uk’ server and then a GET request to this URL:

/search?client=navclient-auto&googleip=O;64.233.169.147;266&iqrn=ZjbD&orig=0PnmJ&ie=UTF-8&oe=UTF-8&features=Rank:&q=info:http%3a%2f%2fwww%2etechcrunch%2ecom%2f&ch=751153802320

Some parameters need more research to be understood, but about others we can say something:

googleip: indicates Google server used for the query

ie: iexplore encoding?

oe: maybe Outlook Express encoding? Only a bad guess

features: what we are asking to the server (here ‘Rank’)

q: encoded url (http%3a%2f%2fwww%2etechcrunch%2ecom%2f = http://www.techcrunch.com/)

ch: it looks like a function of the URL, to prevent other clients from making the same requests

Then wininet.dll!InternetReadFile returns the HTTP response (to see it, enable the option ‘Show Params on Return’ in Preferences):

‘Rank_1:1:8\n’

which indicates that the page being visited has PageRank 8.
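Decoding the two strings quoted above, as an added example that is not part of httpReport.py or SpyStudio: the GET path sent to the toolbarqueries server and the Rank reply. The parser extracts only the parameters the post discusses and splits the query on & alone, since the googleip value carries ; inside it; the meaning given to ch follows the post's own guess.

```python
"""Decode the GoogleToolbar PageRank request path and the Rank reply."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed copies of the request path and reply quoted in the post.
SAMPLE_PATH = ("/search?client=navclient-auto&googleip=O;64.233.169.147;266"
               "&iqrn=ZjbD&orig=0PnmJ&ie=UTF-8&oe=UTF-8&features=Rank:"
               "&q=info:http%3a%2f%2fwww%2etechcrunch%2ecom%2f&ch=751153802320")
SAMPLE_REPLY = "Rank_1:1:8\n"


@dataclass
class ToolbarQuery:
    client: str
    google_ip: Optional[str]             # middle field of googleip=O;<ip>;<n>
    features: List[str] = field(default_factory=list)   # e.g. ["Rank"]
    target_url: Optional[str] = None     # the page being visited, from q=info:<url>
    checksum: Optional[str] = None       # the 'ch' parameter (a function of the URL, per the post)


def _split_query(query: str) -> Dict[str, str]:
    """Split on '&' only and percent-decode; the first occurrence of a key wins.
    urllib's parse_qs is avoided because older versions also split on ';',
    which would break the googleip value."""
    out: Dict[str, str] = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            out.setdefault(unquote(key), unquote(value))
    return out


def parse_toolbar_request(path: str) -> ToolbarQuery:
    """Extract the fields the post discusses from the GET path.  Unknown
    parameters are ignored; a missing or non-'info:' q gives target_url=None."""
    params = _split_query(urlsplit(path).query)

    google_ip = None
    gip_parts = params.get("googleip", "").split(";")
    if len(gip_parts) == 3:
        google_ip = gip_parts[1]

    features = [f for f in params.get("features", "").split(":") if f]

    target = None
    q = params.get("q")
    if q is not None and q.startswith("info:"):
        target = q[len("info:"):]

    return ToolbarQuery(client=params.get("client", ""), google_ip=google_ip,
                        features=features, target_url=target, checksum=params.get("ch"))


def parse_rank_reply(body: str) -> Optional[int]:
    """'Rank_1:1:8' -> 8.  Returns None for any reply not of that shape."""
    parts = body.strip().split(":")
    if len(parts) != 3 or not parts[0].startswith("Rank_"):
        return None
    try:
        return int(parts[2])
    except ValueError:
        return None


def pages_reported(calls: Iterable[Tuple[str, str]], server_filter: str = "toolbarqueries") -> List[str]:
    """Given (server, path) pairs as httpReport logs them, list the URLs the
    toolbar reported to Google, i.e. the browsing history that leaves the host."""
    reported = []
    for server, path in calls:
        if server_filter not in server:
            continue
        query = parse_toolbar_request(path)
        if "Rank" in query.features and query.target_url:
            reported.append(query.target_url)
    return reported
```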

This process is repeated for every page you visit, so Google can collect all the pages browsed by all the users of GoogleToolbar. That’s why it may be considered spyware.