Tag Archives: com

How to Identify Virtual Table Functions with the VTBL IDA Pro Plugin

VTBL is an IDA script that identifies all the virtual tables found in any module of a native process. A virtual table can belong to a COM class or to a C++ class. Unlike other tools, ours does not depend on a specific compiler to locate a virtual table, which makes it a useful tool for reverse engineers.

The script works on all IDA versions. To use it, you must:

  1. Use IDA to disassemble the module you want to analyze.
  2. Load the “VTBL.IDC” script from File -> Script File or by using the Alt+F7 shortcut.
  3. VTBL.EXE will be executed.
  4. Select the process you want to analyze.
  5. Enable suspension of the process if you want to intercept the process from the beginning.
  6. Select the module you want to analyze. It must be the same module you disassembled in step one.
  7. Once the analysis is over, select a virtual table to obtain its cross references. The tool displays the number of functions the virtual table contains.
  8. Hook the selected virtual table.
  9. Close the VTBL.EXE dialog.
  10. Both the disassembled code and the IDA output window will display all processed cross references.

We tried the tool out on Notepad++.exe (see the video below). We used open source software so we could compare the results with the original source code.

We ran Notepad++.exe, selected the Notepad++.exe module and waited until all the virtual tables had been analyzed. The tool displays a list of virtual tables in the format VTBL_X1_X2_X3, where X1 is the index, X2 the start address and X3 the function count. We hooked the virtual table with “CD” in the index field.

After the process we closed VTBL.EXE and analyzed the results in IDA Pro.
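A compiler-independent way of locating virtual tables, as an added example in C++ (this is not the VTBL script's own code), run over a constructed 64-bit module image instead of a live process. A table is taken to be a run of consecutive pointers into the executable range; adjacent tables are split where code references a slot directly (a constructor storing the vptr references the first slot of a table, never its middle), and each result is labelled in the VTBL_index_start_count form the tool prints. The addresses, the code_refs set and the hexadecimal index are assumptions made for the example; inside IDA the same inputs come from the segment list and the data cross-references.

```cpp
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// A 64-bit module as it sits in memory: an executable range and one data
// section already split into pointer-sized words. For a real image these
// fields would be filled from the section headers (assumed layout here).
struct Module {
    uint64_t code_begin, code_end;    // [code_begin, code_end) = executable bytes
    uint64_t data_begin;              // virtual address of data[0]
    std::vector<uint64_t> data;       // the data section, one word per entry
    std::set<uint64_t> code_refs;     // data addresses that code references directly
};

struct VTable {
    uint64_t address;   // address of the first slot
    size_t   count;     // number of function pointers
};

static bool points_to_code(const Module& m, uint64_t v) {
    return v >= m.code_begin && v < m.code_end;
}

static uint64_t word_addr(const Module& m, size_t i) {
    return m.data_begin + i * sizeof(uint64_t);
}

// Heuristic: a virtual table is a run of consecutive pointers into executable
// code. A run is cut where code holds a direct reference to a slot, because
// back-to-back tables are common and only a table's first slot is referenced
// (by the vptr store in a constructor). Nothing here depends on the compiler.
std::vector<VTable> find_vtables(const Module& m, size_t min_entries) {
    std::vector<VTable> out;
    const size_t n = m.data.size();
    size_t i = 0;
    while (i < n) {
        if (!points_to_code(m, m.data[i])) { ++i; continue; }
        size_t j = i + 1;
        while (j < n && points_to_code(m, m.data[j]) &&
               m.code_refs.count(word_addr(m, j)) == 0)
            ++j;
        if (j - i >= min_entries)
            out.push_back({word_addr(m, i), j - i});
        i = j;
    }
    return out;
}

// Label in the VTBL_<index>_<start>_<count> form; hexadecimal index and
// address are an assumption made for this example.
std::string vtable_label(size_t index, const VTable& v) {
    char buf[64];
    std::snprintf(buf, sizeof buf, "VTBL_%zX_%llX_%zu",
                  index, static_cast<unsigned long long>(v.address), v.count);
    return buf;
}

// Constructed sample image (not a real module): three tables, one of them
// immediately following another, plus a lone code pointer that is not a table.
Module sample_module() {
    Module m;
    m.code_begin = 0x140001000; m.code_end = 0x140010000;
    m.data_begin = 0x140020000;
    m.data = {
        0x0,                                                  // padding
        0x140001010, 0x140001020, 0x140001030,                // table A: 3 slots (IUnknown-sized)
        0x140002000, 0x140002010, 0x140002020, 0x140002030,   // table B: 4 slots, adjacent to A
        0x140020000,                                          // pointer into data ends the run
        0x140001100,                                          // lone code pointer: not a table
        0x0,
        0x140003000, 0x140003008,                             // table C: 2 slots
        0x4141414141414141,                                   // non-pointer data
    };
    m.code_refs = { 0x140020008, 0x140020020, 0x140020058 };  // vptr stores seen in code
    return m;
}

int main() {
    Module m = sample_module();
    std::vector<VTable> tables = find_vtables(m, 2);
    for (size_t i = 0; i < tables.size(); ++i)
        std::printf("%s\n", vtable_label(i, tables[i]).c_str());
    return 0;
}
```

Without the cross-reference split, tables A and B above would be reported as one seven-entry table, which is the usual failure of a pure "run of code pointers" scan. The remaining false positives are plain function-pointer arrays (dispatch tables, callbacks); checking that the first slot is stored into an object's first word by some constructor is the natural next filter.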

Prerequisites

  1. Deviare Hooking Engine
  2. Compile the VTBL_Code\Helper\Helperhelper.vcproj
  3. Open the Visual Studio 2010 project
  4. Change the Form1.cs DLL imports to point to the helper.dll and DeviareCOM.dll
  5. Compile the project
  6. Open VTBL.idc and modify the full paths of DeviareTest.exe and CrossRef.dat

Source Code

VTBL is available as vtbl-ida-pro-plugin.

Related Services

  1. Reverse Engineering
  2. Interception and Filter Drivers Services

If you like this article, you might also like:

  1. Instrumenting Direct3D Applications to Capture Video and Calculate FPS
  2. Injecting a DLL in a Modern UI Metro Application
  3. SQL Server Interception and SQL Injection Attack Prevention
  4. Reverse Engineering and The Cloud

WLMailAPI Works With Windows Live Mail 2012 and Windows 8 Released on September of 2012

Nektra announces the release of a new version of WLMailApi, the most used SDK for developing plugins for Windows Live Mail 2009, 2011 and 2012.

What’s new


  •     Works with all versions that Microsoft supports
  •     Works with Windows Live Mail 2012
  •     Works with Windows 8 (all builds)
  •     Improved Performance

Request a trial version here! License: some changes were introduced to the WLMailApi license. It is now necessary to purchase a license for each developer who will use the library or for each product that will be developed with it, whichever number is greater. Contact us with any commercial question, or use the technical inquiries page for technical ones.

Thanks,
Leo Pasut
Business Development

Windows Live Mail API Version 3.0.1 (with Windows 8 and Contacts support)

Nektra announces the release of a new version of WLMailApi, the most used SDK for developing plugins for the Windows Live Mail desktop email client.

  • Windows 8 Support
  • Full Contacts Support
  • Online (IMAP) Folder support

Request a trial version here! http://www.nektra.com/products/wlmailapi-windows-live-mail-api-plugin/request-trial License: some changes were introduced to the WLMailApi license. It is now necessary to purchase a license for each developer who will use the library or for each product that will be developed with it, whichever number is greater. For more details visit the license page. http://www.nektra.com/products/wlmailapi-windows-live-mail-api-plugin/license Contact us with any commercial question, or use the technical inquiries page for technical ones. http://www.nektra.com/contact

Change Log:

Fixes

  • Fixed issue in which the function IToolbarButton::IsEnabled would always return true.
  • Fixed issue in which account information would be lost when committing a message.
  • Fixed issue in which WLM would sometimes crash on startup.
  • Fixed issue in which WLM would hang or crash when the main window or the Find dialog were closed during a search process.
  • Fixed issue in which WLM would hang if the last window closed was a compose window and a draft was saved.
  • Fixed issue in which WLM would crash if the last window closed was a compose window and a draft was saved.
  • Fixed issue in which emails moved automatically by WLM did not trigger OnNewMessageInFolder events.
  • Fixed issue in which the split button’s OnClick event would be triggered when one of its subbuttons was clicked.
  • Fixed issue in which WLM v15.4.3508.1109 would not close if the last window closed was a compose window.
  • Fixed issue in which WLM would crash if WLMailApi was compiled using C++ optimizations in Visual Studio 2005.
  • Fixed issue in which the Find dialog would randomly fail finding messages by content.
  • Fixed issue in which WLM would crash when its main window is closed with a search in progress.
  • Fixed issue in which WLM would randomly crash while interacting with the Find dialog.
  • Fixed issue in which WLM would crash or wlmail.exe process would not end when the last WLM window closed is a compose window.
  • Fixed issue in which WLM would show an unknown error when deleting more than 7000 emails from the Deleted items folder.
  • Fixed issue in which WLM would hang when trying to delete a message in the Outbox folder during an OnNewMessageInOutbox event.
  • Fixed issue in which FolderManager::OnNewMessage event would not be triggered when a message is moved by a WLM rule to a folder created by the user.
  • Fixed issue in which the Send and Receive window would get unresponsive when receiving messages.
  • Fixed issue in which WLM would crash if closed while receiving more than 5000 emails at once.
  • Fixed issue in which a deadlock would occur when ALL plugins listed in the registry fail to load.
  • Fixed issue in which IMessage::Send() function would send emails from an invalid account.
  • Fixed NktWLMailStore::IMessage::DeleteBody and NktWLMailStore::IMessage::InsertBody functions.
  • Fixed issue in which undesired characters would appear in plain text emails after sending, receiving and moving operations.
  • Fixed issue in which the UI would be unresponsive when moving big amounts of emails between folders.
  • Fixed issue in which WLM 2009 would freeze after using the “Find” function.
  • Fixed issue in which ribbons would randomly appear as a black bar when launching WLM 2011.
  • Fixed issue in which WLM 2009 would crash when a “Compose” window is opened.
  • Fixed issue in which WLMApi would not work if WLM was closed and quickly reopened.
  • Fixed issue in which emails were received twice if WLM was closed quickly after the receiving procedure.
  • Fixed issue in which duplicated “new message in outbox” notifications were fired to client plugins.
  • Fixed issue where WLM crashed after removing an API object instance (e.g: TMAS Disable toolbar crashing).
  • Fixed issue in which WLM showed emails that were not accessible.
  • Fixed issue in which UI showed inconsistent data (unread email counts).
  • Fixed issue in which WLM would receive an unexpected OnNewMessage event on startup.
  • Fixed issue in which having an outer process would freeze the UI.
  • Fixed issue in which OnNewMessage event would not be received in “Sent Items” folder.
  • Fixed GetState and SetState malfunction concerning UNREAD flag.
  • Fixed SaveBodyToFile function.
  • Fixed bug in which the Send/Receive button would not work if the Outbox folder is not empty.
  • Fixed TMessage::GetState, TMessage::SetState for states NKT_MSG_UNREAD, NKT_MSG_SUBMITTED, NKT_MSG_UNSENT, NKT_MSG_RECEIVED, NKT_MSG_REPLIED, NKT_MSG_FORWARDED, NKT_MSG_FLAGGED
  • Fixed issue in which WLM would crash when using the “Reply to Sender” function in Inbox
  • Fixed issue in which the Outbox folder would be inaccessible after using the “Reply To Sender” function.
  • Fixed issue in which UI would sometimes hang when calling Commit() on a message.
  • Fixed issue in which UI would lockup when receiving emails and processing them on new message event.
  • Fixed issue in which FolderSelectionChange event would not be fired in some contexts.
  • Fixed issue in which UI would hang when using Search function or opening other folders (e.g: RSS).
  • Fixed issue in which WLM would sometimes crash when opening folders.
  • Fixed object cleanup at WLM window close.
  • Fixed issue in which WLM would crash on close.

Added API functions

  • TMsgWnd
    • Close
    • SendDraft
  • IMessage
    • SetAccount
    • SaveToStream
    • LoadFromStream
    • AddAttachmentFromStream
    • SetSubject
    • SaveDraft
    • GetFirstBodyHeader
    • GetNextBodyHeader
    • GetAccount
    • SendAs
    • GetFilename
  • IMsgWnd
    • SetTo
    • SetCc
    • SetBcc
    • SetSubject
  • IWLMailApi
    • GetLastSelectedMailFolderID
  • IToolbarButton
    • SetName
    • GetName
    • SetImageNormal

Added API events

  • IFolderManagerEvents
    • OnFolderCreated
  • IFolderManager
    • OnFolderDeleted
    • OnFolderMoved
  • IWLMailApi
    • OnMessageDownloadStarted
    • OnMessageDownloadFinished

Added features

  • Contacts API.
  • ComposeMail ribbon customization.
  • Support for Toggle buttons.
  • Contact support (except contact removal)
  • Builds on VS2005.

Demos

  • New demo button icons.
  • Fixed, reorganized and improved C# demo buttons.

Performance

  • Improved ribbon buttons response time.
  • Improved “Send & Receive” procedure speed.
  • Improved performance when receiving and processing emails.


Windows Live Mail 2011 API

With our API you will be able to do amazing things, and now we offer the opportunity to purchase the source code at a fraction of the cost. We guarantee that we are the owners of this source code and have years of experience in this industry. We offer integration with Windows Live Mail 2011, including ribbon customization (adding new tabs, individual buttons and button groups); access to the Windows Live Mail 2011 message store, as well as account data, folders and email messages; interaction with the user, including change notifications on folder selection, folder creation and removal, and new message selection; and integration with the compose email window, with sophisticated ribbon customization and access to text fields and the body editor. You can use all of these features and many more via the outer process feature or by coding DLL plug-ins.

See more

Best Regards,

Business Development

Windows Live Mail API Version 2.0 (with Windows Live Mail 2011 and 2009 support)

Nektra announces the release of a new version of WLMailApi, the most used SDK for developing plugins for the Windows Live Mail desktop email client.

[Screenshot: new Windows Live Mail 2011 toolbar created with WLMailApi]

Main features included in this version:

  • Create toolbars and buttons.
  • Create toolbars and buttons in message windows (Compose / Reply / Forward / Message detail).
  • Access and modify folders and messages.
  • Events notifying the selected folder and message(s).
  • Event notifying changes in local folders.
  • Demo application and dll plugin developed in C# with source code.


Best Regards,

Business Development

Monitoring Outlook COM Objects with Deviare

We all remember when OLE Automation came out. We were all impressed by how simple it was to implement a few COM interfaces, place a toolbar and interact with the Office package. Soon the competition began to show who could create the best and most creative add-on. How many times did you wonder how other plug-ins “did that”? What if you could now even know how Outlook, or any Office application, operates? Well, my friend, take a closer look…

This Deviare example is implemented as an Outlook add-on. We have used C# on .NET, but you can use any language that supports the Component Object Model.

We are using two threads to avoid freezing the application. The first one is the standard thread on which Outlook reports its events to us. The second is our worker thread, where we create an output window to print our messages and a Deviare event proxy to process the function calls.


Of the events Outlook provides, we are only interested in OnStartupComplete: at that point Outlook has finished all its initialization and we can start hooking its interfaces. As a regular plug-in would, we ask for the Outlook Application, the Active Explorer and the CommandBars, and create a CommandBarButton. We are going to intercept all of them and see how their members are used.


Notice that to obtain the interface we don't use the class implementation but the underlying interface definition. That's why, when calling HookInterface, we pass the Type of Outlook._Application and not Outlook.Application: the second is the .NET wrapper for the coclass, and the first is the COM interface itself.

To intercept these objects Deviare needs some information: the COM object's interface (that is, its virtual table), which members we are interested in (specified by index), and the name of the interface. Identifying the interface by name lets Deviare find all the information it needs during the call, so you can handle its parameters the same way we did with any function hook. To gather all this, the .NET Framework provides marshaling facilities (System.Runtime.InteropServices.Marshal), which makes our lives pretty easy ;).
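The mechanism described above, a COM interface being a virtual table whose members are picked by slot index, as an added example in C++. This is not Nektra's Deviare code: it uses a stand-in interface with IUnknown's three slots followed by a Navigate2 slot (mirroring the shape of a real COM interface without COM), and a hook that intercepts slot 3 on one object by copying its vtable and redirecting the object's vptr. The interface, the implementing class and the URL strings are constructed for the example; the calling-convention assumption (`this` passed as the first argument, as in the Itanium and MSVC x64 ABIs) is noted in the code.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// A COM interface is a pointer to a virtual table whose first three slots are
// always IUnknown's, so a member's slot index is fixed by the interface
// definition, not by the class implementing it. Stand-in, not real COM.
struct IUnknownLike {
    virtual long QueryInterface(const void* iid, void** out) = 0;  // slot 0
    virtual unsigned long AddRef() = 0;                            // slot 1
    virtual unsigned long Release() = 0;                           // slot 2
};

struct IBrowserLike : IUnknownLike {
    virtual long Navigate2(const char* url) = 0;                   // slot 3
};

enum : size_t { SLOT_NAVIGATE2 = 3, SLOT_COUNT = 4 };

class WebBrowserImpl : public IBrowserLike {
public:
    std::vector<std::string> visited;   // what the real member actually did
    long QueryInterface(const void*, void** out) override { *out = this; return 0; }
    unsigned long AddRef() override { return ++refs_; }
    unsigned long Release() override { return --refs_; }
    long Navigate2(const char* url) override { visited.emplace_back(url); return 0; }
private:
    unsigned long refs_ = 1;
};

// Hooks one object's interface by slot index: copy its vtable, patch the copy
// and point the object's vptr at the copy. The shared, normally read-only
// table is untouched, so no page-protection change is needed; the price is
// that only this instance is intercepted, and the copy omits the RTTI words
// that sit before the table, so typeid/dynamic_cast on the hooked object
// would misbehave.
class VtableHook {
public:
    VtableHook(void* object, size_t slot_count)
        : object_(object), copy_(slot_count) {
        std::memcpy(&original_, object_, sizeof original_);  // vptr is the object's first word
        std::memcpy(copy_.data(), original_, slot_count * sizeof(std::uintptr_t));
    }
    // Replace `slot` with `detour`; returns the original slot so the detour can forward.
    std::uintptr_t install(size_t slot, std::uintptr_t detour) {
        std::uintptr_t orig = copy_[slot];
        copy_[slot] = detour;
        std::uintptr_t* vptr = copy_.data();
        std::memcpy(object_, &vptr, sizeof vptr);
        return orig;
    }
    void remove() { std::memcpy(object_, &original_, sizeof original_); }
private:
    void* object_;
    std::uintptr_t* original_ = nullptr;
    std::vector<std::uintptr_t> copy_;
};

// The detour has the member's signature with `this` as an explicit first
// argument, which is how the Itanium (GCC/Clang) and MSVC x64 ABIs pass it
// (assumption of this example; 32-bit MSVC __thiscall needs another prototype).
using Navigate2Fn = long (*)(IBrowserLike* self, const char* url);
static Navigate2Fn g_orig_navigate2 = nullptr;
static std::vector<std::string> g_intercepted;

static long hook_navigate2(IBrowserLike* self, const char* url) {
    g_intercepted.emplace_back(url);      // "call before": record the argument
    return g_orig_navigate2(self, url);   // then let the real member run
}

struct DemoResult {
    std::vector<std::string> intercepted;  // seen by the hook
    std::vector<std::string> visited;      // reached the real Navigate2
};

DemoResult demo() {
    g_intercepted.clear();
    WebBrowserImpl browser;
    // A volatile pointer keeps the optimizer from devirtualizing the calls
    // below; for a real COM object the compiler never knows the dynamic type.
    IBrowserLike* volatile iface = &browser;

    VtableHook hook(iface, SLOT_COUNT);
    g_orig_navigate2 = reinterpret_cast<Navigate2Fn>(
        hook.install(SLOT_NAVIGATE2, reinterpret_cast<std::uintptr_t>(&hook_navigate2)));

    iface->Navigate2("http://ads.example/banner");   // intercepted, then forwarded
    iface->Navigate2("http://example.com/");         // intercepted, then forwarded
    hook.remove();
    iface->Navigate2("http://not.seen/");            // original table again

    return {g_intercepted, browser.visited};
}

int main() {
    DemoResult r = demo();
    for (const std::string& u : r.intercepted)
        std::printf("Navigate2(%s)\n", u.c_str());
    return 0;
}
```

Deviare patches the shared table instead, so every instance is intercepted; on Windows that means changing the protection of the vtable's page first. Either way the slot index is what identifies the member, which is why "hook every member except IDispatch" simply means skipping the first slots of the interface.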


And that's all. We print our calls and see the results in the output window.

Cheers, and happy coding!

Deviare COM Spy Console is out!

Today we released a console for monitoring and spying on applications that use Microsoft's Component Object Model. This technology is used in many professional applications, and now you can watch them in action too!

Deviare's latest addition is the ability to intercept COM interfaces. Using this capability, plus heuristics to discover the interfaces, the console lets you see which interfaces an application uses and how the calls are made.

Here is an example monitoring Windows Live Messenger:

As you can see, we found the instantiation of IWebBrowser2. Since we did not know yet what we wanted to see, we hooked every member except those of IDispatch (not necessary here). The console then printed calls to Navigate2 (among others), and we could see where the little browser at the bottom of Messenger was getting its adverts from.

The console is open source, so feel free to contribute. This first release contains only one method for discovering the creation of interfaces, but many others could be added. Go chase them ;).

Download Deviare COM Spy Console

Deviare hook component released

We have released the first version of Deviare. A free trial is available for download. Deviare is a component for ‘easy hooking’ of Windows DLLs. You no longer need to be an expert to intercept operating system functions, because you use a COM object that abstracts away many of the complexities. To show its power, look at the following C# (.NET) code snippet:

// _mgr (the Deviare manager object) and hook are fields of the form, declared elsewhere.
// Locate the target process, the module and the exported function to intercept.
DeviareTools.IProcesses procs = _mgr.get_Processes(0);
DeviareTools.IProcess proc = procs.get_Item("msnmsgr.exe");
DeviareTools.IPEModuleInfo mod = proc.Modules.get_ModuleByName("ws2_32.dll");
DeviareTools.IExportedFunction fnc = mod.Functions.get_ItemByName("send");

// Create the hook, attach it to the process and ask to be called before the real send().
hook = _mgr.CreateHook(fnc);
hook.Attach(proc);
hook.OnFunctionCalled += new Deviare.DHookEvents_OnFunctionCalledEventHandler(hook_OnFunctionCalled);
hook.Properties = (int)DeviareCommonLib.HookFlags._call_before;
hook.Hook();

void hook_OnFunctionCalled(DeviareTools.Process proc, DeviareParams.ICallInfo callInfo, Deviare.IRemoteCall rCall)
{
    // send(SOCKET s, const char *buf, int len, int flags): skip the first
    // parameter (the socket) and read the second one, the buffer being sent.
    DeviareParams.IParams pms = callInfo.Params;
    DeviareParams.IEnumParams enm = pms.Enumerator;
    DeviareParams.IParam pm = enm.First;
    pm = enm.Next;
    object[] args = new object[1];
    string msg = "Transmission -> ";
    msg += pm.Value;
    msg += "\r\n";
    args[0] = msg;
    // The callback does not run on the UI thread, so marshal the text to the control.
    txtOutput.Invoke(new AppendHandler(Append), args);
}

With this simple code you hook the send function in the WinSock DLL for the Messenger process, and our own function hook_OnFunctionCalled is called before the ‘real’ send. The code can be written in any COM-friendly programming language, such as C++, C#, VB, Java, Python, Perl or Ruby. API hook examples are available in C++, C# and VB. Many applications can now be built on Deviare technology, such as Spy Studio, a free tool to monitor the Windows API.