64-bit Microsoft Office Applications Do Not Like Stack Walking

Our Office plugin development team was researching some problems with Office and they found this problem.

Our SpyStudio tool intercepts application system calls and retrieves the called functions by inspecting the call-stack.

We were unable to access stack information in the last few 64-bit releases of Microsoft Office products. When we use SpyStudio to intercept an Office installation or most Office applications like Word or Excel, they start normally, but eventually exit silently.

Our initial research showed the culprit to be the Office Software Protection Platform, which would make sense, as it is supposed to hide an application’s safety mechanisms.

However, the Office Software Protection Platform did not keep us from intercepting the 32-bit version of Microsoft Office, so we decided to investigate further.

The .pdata Section

How does the 64-bit operating system do a stack walk when an exception occurs, and how can a debugger know who called a function?

Microsoft added new metadata information  which is stored on a special section named “.pdata” in the PE file format specification. When an application is compiled, the compiler stores information related to the prolog of each function. If a function handles exceptions, the compiler also stores data about actions that must happen when the unwind operation is executed.

The operating system and the debugger use a series of RUNTIME_FUNCTION structures to retrieve a variety of information about each function, like how much stack space is reserved for each function usage, which callbacks must be called in an unwind operation, and where assembly registers are stored.

If you want to do your own stack walking, you can start from the current program counter (the RIP register in x64) and look for the RUNTIME_FUNCTION that belongs to it. Then process the UNWIND_INFO items to determine stack usage, and lastly, retrieve the location of the return address of the parent function.

Fortunately, there are some new APIs which makes the job easier. They are RtlLookupFunctionEntry and RtlVirtualUnwind. A stack walking code sample:

VOID StackTrace64(VOID)
    CONTEXT Context;
    UNWIND_HISTORY_TABLE UnwindHistoryTable;
    PRUNTIME_FUNCTION RuntimeFunction;
    PVOID HandlerData;
    ULONG64 EstablisherFrame, ImageBase;

    DbgPrint("StackTrace64: Executing stack trace...\n");
    // First, we'll get the caller's context.
    // Initialize the (optional) unwind history table.
    RtlZeroMemory(&UnwindHistoryTable, sizeof(UNWIND_HISTORY_TABLE));
    UnwindHistoryTable.Unwind = TRUE;
    // This unwind loop intentionally skips the first call frame, as it shall
    // correspond to the call to StackTrace64, which we aren't interested in.
    for (ULONG Frame = 0; ; Frame++)
        // Try to look up unwind metadata for the current function.
        RuntimeFunction = RtlLookupFunctionEntry(Context.Rip, &ImageBase,
        RtlZeroMemory(&NvContext, sizeof(KNONVOLATILE_CONTEXT_POINTERS));
        if (!RuntimeFunction)
            // If we don't have a RUNTIME_FUNCTION, then we've encountered
            // a leaf function.  Adjust the stack approprately.
            Context.Rip  = (ULONG64)(*(PULONG64)Context.Rsp);
            Context.Rsp += 8;
            // Otherwise, we call upon RtlVirtualUnwind to execute the unwind
            // for us.
            RtlVirtualUnwind(UNW_FLAG_NHANDLER, ImageBase, Context.Rip,
                             RuntimeFunction, &Context, &HandlerData,
                             &EstablisherFrame, &NvContext);

        // If we reach an RIP of zero, this means that we've walked off the
        // end of the call stack and are done.

        if (!Context.Rip)
        // Display the context
        DbgPrint("FRAME %02x: Rip=%p Rsp=%p Rbp=%p\n", Frame, Context.Rip,
                 Context.Rsp, Context.Rsp);

Source: Programming against the x64 exception handling support, part 7

Because the .pdata section is created when the application is compiled, if the program generates dynamic code, like the .NET JIT profiler does, it should also create the corresponding RUNTIME_FUNCTION metadata and inform the operating system of the new dynamic code.

The RtlInstallFunctionTableCallback API adds an entry in an internal processes table maintained by NtDll.dll that helps RtlLookupFunctionEntry and RtlVirtualUnwind find information on how to walk the stack when your dynamically generated code is in the middle of the function calls chain.

Microsoft Office Installer and Applications

So what explains the silent exit of an Office application like Word?

At first we thought that some kind of intentional data corruption was happening in the internal table. It seemed like some kind of anti-debugging technique to keep reverse engineers from seeing the product activation mechanism.

After some trial and error we noticed that RtlInstallFunctionTableCallback was installing a callback to a suspicious routine. Surprisingly, that routine calls TerminateProcess API! When our stack walker function wanted to know the chain of calls, RtlLookupFunctionEntry indirectly called that routine and the program terminated silently.

Could the guys at Microsoft have decided to use this strange method to protect their code? The annoying callback function was added and removed frequently during many operations.

The solution was to add a simple hook to the RtlInstallFunctionTableCallback API to keep it from being added. Now the issue is resolved and the fixed versions of Deviare “Hooking for the Masses” and SpyStudio will be available soon.


The support of our Outlook plugin development team, custom development software programmers and data loss prevention development was essential for this article. Thank you!

If you liked this article, you might also like:

Case Study: How Nektra Improved Desktop Virtualization for Symantec Corporation


Large companies are continually faced with new technologies and shorter technology cycles which render their trusted applications obsolete. Migrating an application from one technology to another is expensive and the timeframe required to carry it out is prohibitive for most companies. In 2010, Nektra developed software which allows old technologies such as Internet Explorer 6 to run on Windows 7. Symantec uses it in their Endpoint Virtualization Suite, but it can be used to virtualize many other applications as well.

The Challenges

Symantec Vision 2010 conference was approaching and Symantec was eager to implement IE6 virtualization in Windows 7, a feature already offered by some competitors. Symantec workspace virtualization also has to support many other technologies that are part of the IE6’s ecosystem: Java, Adobe Flash, and Acrobat Reader, and their updates.

Desktop virtualization products work successfully with the majority of applications but some applications require above-average application packaging skills and a few require tailored solutions.


Nektra’s Application Packaging Services Team used its SpyStudio and Deviare Interception technologies to virtualize IE6. SpyStudio pinpointed the gaps left by Symantec Workspace Virtualization, while Deviare filled in these gaps enabling IE6 to run in Windows 7. Brian Madden celebrates this new functionality in his blog and includes a video demo.

Nektra also provided third level escalation support, support for updated browser plugins, and fixes for the IE6 virtualization.

More recently, Nektra successfully tackled the issues related to virtualizing Microsoft Office with volume licensing for all versions of Windows up to 8.1.


  1. Adding a key feature to a product that leveraged Symantec’s position in the virtualization market
  2. Delivery in time for Symantec Vision 2010 conference
  3. The 3rd level escalation support service was able to handle all requests successfully

If you liked this article, you might also like:

  1. Nektra and VMware are Collaborating to Simplify Application Virtualization Packaging

Nektra and VMware are Collaborating to Simplify Application Virtualization Packaging

Nektra’s SpyStudio provides tools allowing for application harvesting and simplified packaging for the VMware ThinApp offering

Nektra’s Application Packaging Services and VMware, Inc. have been collaborating to significantly improve the process of creating and troubleshooting VMware ThinApp application virtualization packages with the SpyStudio application. The video below shows the SpyStudio new ability to harvest applications directly from the operating system to create VMware ThinApp packages even for applications where customers no longer have the installer media. The new SpyStudio release can be downloaded free from http://www.nektra.com/products/spystudio-api-monitor/download/. A fully featured version requires a license.

As companies embrace application virtualization, packaging and troubleshooting in some cases has proven difficult and resource intensive. SpyStudio offers a means to quickly compare application operations to help pinpoint and solve challenging packaging tasks.

The application virtualization market will continue to grow in the next years. Hence, it is critical to be able to make the virtualization process less error prone. Leveraging SpyStudio, a unique and advanced tool will prove to be an essential part of the growth of application virtualization and successful customer implementations.

If you liked this article, you might also like:

  1. Case Study: Nektra Escalation Support for Symantec Workspace Virtualization (SWV)


Abort Microsoft SQL Server Dangerous Queries

A customer asked to develop a solution to prevent data leaks of their databases.

Hernan has added a new feature to the code offered in our article SQL Server Interception and SQL Injection Attack Prevention. Now it is possible to cancel queries as well as watch them. The code sample uses the Deviare Interception Engine’s call-skipping feature to abort the execution of the CSQLSource::Execute function. The code distribution includes a customized Deviare database for adding the definition of CSQLSource::Execute function parameters. To use this feature you must invoke the application with the “-a” switch in the command line.

We also improved console debugging output and fixed errors that came up when exiting sqlservr.exe. If the developer has a Deviare license, it can be added as a license.txt file in the application directory to disable the splash window.

If you liked this article, you might also like:

  1. Capturing Unencrypted HTTPS Requests and Responses (As Seen at BlackHat USA 2013)
  2. Recording Direct3D Video Games and Calculating Frames per Second
  3. Controlling the Speed of YouTube Videos


  1. Open Web Application Security Project


This article was researched and developed by our Data Loss Prevention Solution Development team and custom development software engineers.

Outlook Plugin to Send Large Files via Google Drive

You can download our free Outlook Add-In for Google Drive to sample our Outlook managed file transfer services. Several issues arise when sending large files with Outlook: there is a data overhead for each binary attachments sent via SMTP, Microsoft Exchange limits the size of attachments, and servers often have e-mail quotas. In Integrating Dropbox with Microsoft Outlook we provide a free Outlook add-in to send large files via DropBox. Google Drive is cheaper than DropBox: to send virtual machine images or large media files you need 200gb of storage. On DropBox this costs $ 19.99 per month while on Google Drive it costs $ 9.99. Microsoft SkyDrive is in the same price range as Google Drive.

[nggallery id=4]


  • Persist your Google Drive credentials in Outlook
  • Browse your Google Drive files
  • Share files from Google Drive with email recipients
  • Automatically send links to the files you want to share and the corresponding invitations if the files are not public


  1. Install Outlook Drive
  2. Open Outlook
  3. Open a Compose Window
  4. In the “Insert” tab, you will find a new button named “Google Drive Link”. Click it.
  5. A window with two lists will be displayed. The left list is the root directory of your Google Drive account. Select the files you want to share with the email’s recipients and add them to the list on the right either by double clicking files or by using the right mouse button. The files shown in the list on the right will be persisted until the email is sent or the compose window is closed.
  6. Send the email. The recipients will receive links to the files and an invitation email from Google Drive to share any files that were not public.


The add-on was developed by Guillermo Ares, part of Outlook Plugin Development. Also, he was helped by Windows Software Development and Data Loss Prevention Solution Development team.

If you liked this article, you might also like:

Using Deviare to Create a Temporary Zero Day Patch

Zero day vulnerabilities put organizations at the mercy of vendors. These vulnerabilities are like a ticking bomb: you do not know when someone will exploit them. Writing your own patch for closed source applications is, in most cases, a complex mission that can take even longer than the vendor solution. When you use legacy software which has outlived vendor support you must write your own patch or set up preventive measures. Even if you are using supported software, you can use Deviare to protect yourself from some known 0-day vulnerabilities to 0-day attacks until the vendor patch is available. Below is a code sample which uses Deviare to address CVE-2010-3971. Deviare makes hooking extremely easy, requiring only the most rudimentary programming skills. Deviare is binary instrumentation for the masses!

CVE-2010-3971 is a vulnerability in the CSharedStyleSheet::Notify function in the CSS parser in mshtml.dll. It uses memory after it is freed. We use Deviare to intercept the exploit before the attack is made effective and can achieve a denial of service or execution of arbitrary code.

The CSharedStyleSheet::Notify function manipulates an array of CStyleSheet objects. The function receives a flag as a parameter. If this flag passed is one, it calls CStyleSheet::Notify. The exploit must embed the value of the flag to call this particular function.

Our code hooks the CStyleSheet::Notify function, which is not normally called by Internet Explorer, in all iexplorer.exe processes, to detect the presence of an exploit. We use Metasploit to simulate the attack with the ms11_003_ie_css_import exploit and check our detection method. If an exploit is detected, a message box appears and IE is suspended to prevent damage.
Below is a video showing the attack and defense in action:


The code is available on github.


  1. Download Deviare and register it for 32-bit or 64-bit
  2. To enable the Deviare engine to use debugging symbols, the following library files are required: symsrv.dll which can be obtained in the Debugging Tools for Windows package and msdiaXX.dll which is part of the DIA SDK, available in Microsoft Visual Studio installation folder, under DIA SDK/bin directory. The Recommended Debugging Tools for Windows version is 6.12.2633 or higher. Tested DIA SDK versions are 9.0 (msdia90.dll), 10.0 (msdia100.dll) and 11.0 (msdia110.dll).
  3. You must copy those 32 and/or 64-bit DLLs to the dllx86 and dllx64 folders in the “bin” directory of the project, depending on which platforms you want to target.
  4. The project platform should match the Internet Explorer platform for the interception to succeed.
  5. Compile the solution
  6. The project will load and cache the symbols in the directory D:\PDB


Douglas from Nektra researched and developed the code. He was helped by Data Loss Prevention Solution DevelopmentWindows driver development and Windows Software Development teams.

Further Reading

  1. When A DoS Isn’t A DoS
  2. Windows XP SP3 and Office 2003 support ends April 8, 2014

If you liked this article, you might also like:

Capturing Unencrypted HTTPS Requests and Responses (As Seen at BlackHat Arsenal)

Today Manuel Fernandez is presenting HookME at Black Hat USA Arsenal 2013. HookME is software designed for intercepting communications which uses the Nektra Deviare Engine for binary instrumentation. HookME can intercept unencrypted HTTPS web traffic.

Many different proxy servers are used to intercept HTTP traffic. Fiddler is the most popular one for generic purposes. Burp Proxy is the leader for security testing. The issue with intercepting HTTPS traffic is that the proxy application acts as the man in the middle for HTTPS requests and the certificates being presented to the client are not the real ones. For example, intercepting network traffic to Amazon leads to a warning in the browser because the certificate being presented is unsigned. Another issue is that it is time consuming to set up the keys and certificates needed to configure the proxy.

Instead of using a proxy developing a windows driver, you can intercept the EncryptMessage function in the Secure32.dll before it is encrypted as HookME does:

[singlepic id=14 w=320 h=240 float=]

You can also intercept the WinINet.dll before data is encrypted in the HTTPS request, and after data is decrypted in the HTTPS response. This way, no change is made to any certificate and no man in the middle attack is simulated. These concepts are a starting point for more sophisticated web security, debugging tools, and support for Firefox and Chrome browsers. You can start by intercepting synchronous functions in WinINet.DLL such as InternetOpen, HttpOpenRequest, HttpSendRequest, HttpAddRequestHeaders, InternetReadFile, InternetWriteFile, and their “Ex” functions counterpart.

We also used this technique to monitor network traffic developing Data Loss Prevention Solutions.

If you liked this article, you might also like:

Related Nektra Products


These article and code would not have been possible without the support of our Windows driver development team and custom development software engineers.

Related Third Party Products

Further Reading

  1. Sniffing the Unsniffable

Instrumenting Direct3D Applications to Capture Video and Calculate FPS

What is your computer’s maximum render quality, resolution, and frames per second for Battlefield 3? Hard core gamers are eager to show off their expensive, tuned setup at its full potential. Overclocked processors and computers cooled with liquid hydrogen are lovely parts of the gaming folklore. The source code below instruments Direct3D 9 applications to calculate frames per second and capture video. It produces an AVI container using the video codec of your choice. It is also possible to capture game screenshots in the 32-bit BMP format by pressing “delete”. The shortcuts for starting and stopping video recording are “F11” and “F12”.

[nggallery id=2]

The code we have provided starts the target process in suspended mode, and hooks the Direct3DCreate9 entry point in the d3d9.dll.

Once we catch a Direct3DCreate9 call, we can use the returned IDirect3D9 pointer to index the VTable. Since the call occurred in the target process address space, we cannot use the pointer directly in our host application; however, we can use Deviare’s functions to read the hooked process memory (starting with the IDirect3D9 pointer) to get the method addresses. This is a very interesting and useful technique which avoids sending address data from the intercepted process to the host processes [1].

We use the object’s VTable address to get the address of the CreateDevice method and hook the device creation with INktSpyMgr::CreateHookForAddress and INktSpyMgr::AddCustomHandler. Note that the resulting events INktSpyMgr will trigger both local hook handlers in the SpyMgr host process, and remote hook handlers in the intercepted process. The local handler creates hooks for IDirect3DDevice9::EndScene, IDirect3DDevice9::Reset, IDirect3DDevice9::Present, and IDirect3DDevice9::Release using the remote VTable indexing technique. The remote handler initializes the FPS display, keyboard hook, font, and sprite resources for the console.

All hooking is done from the Deviare host executable. The plugin that resides in the target process address space does not create additional Deviare hooks. Once all needed IDirect3DDevice9 methods are successfully hooked, we can focus on implementing video capture and FPS display.

In order to implement video capture and FPS display we must define the behavior of the pre-call and post-call handlers for the Present, EndScene, and Reset methods.

In the pre-call to Present, we peek at the first item in the keyboard command queue to check for user actions. If it is the “take screenshot” command, we read the current display device backbuffer and save it to disk. If the first item is the “start recording” command, we create and setup the AVI Video file and it’s streams. If it is the “stop recording” command, we simply close the AVI file if it was recording frames. If video recording has been enabled, we add a frame to the current AVI file and update the frame per second statistics. The number of frames recorded depends on the specified frame rate (the default is 15).

In the pre-call to EndScene, if the device is not currently in a reset state, we update the console and frame counter text in the display. If it was not changed, it is simply redrawn with the current string buffer.

Pre-call handling of device Reset occurs when windows are resized, video mode changes, or fullscreen mode is entered or exited. If video is being recorded we stop recording since we do not handle multiple resolution streams in our code. Next, we release our font and sprite resources, and our backing display surface. During post-call Reset function handling, we also check for video recording. Additionally, we recreate the surface, sprite and font resources that we released in the Reset pre-call stage.

Possible Improvements

This code can be improved to include instrumentation of DirectX 11 as well as OpenGL applications and games. The technique would be similar. DirectX 10/11 applications use DXGI low-level interfaces to swap back and front buffers and there are no “lost devices”, so instead of hooking EndScene, Present, and Reset, we would hook DXGI library function calls. This approach would be easier than instrumenting DirectX9, since display device handling is simplified.

Audio Capture: Windows Vista and later systems direct all DirectX audio streams through the native AudioSession APIs. The easiest way to capture audio is through the documented loopback audio device. The limitation is that all system audio is captured, not only audio from our desired application.

If audio isolation is required, hooking the IAudioRenderClient interface should copy audio buffer data into user application memory. Audio data could then be transferred to the audio stream in the AVI file.

The key problem of audio capturing is resampling. If the sample rate and bit depth of the AVI stream and audio buffer do not match, the audio must be resampled. Writing a good resampler is not trivial task. Our Audio Recorder SDK provides a basic and fast resampling code.

Some Data Loss Prevention Solutions customers asked us to implement text recognition inside the videos. This could be a new article in the future.


The AVRecorderTool code is available on github.


  1. Deviare Instrumentation Engine
  2. Copy Deviare32.db, Deviare64.db, DeviareCOM.dll, DeviareCom64.dll, DvAgent.dll, and DvAgent64.dll to AVRecorderTool\dll


Sebastian Wain contributed with the writing of the introduction.

The support of our Windows driver development team, custom development software programmers and data loss prevention development was very important to write the article. Thank you!


  1. The Intercepting Direct3D COM Objects and Making Game Walls Invisible article used IPC to send the remote IDirect3D interface address to the host application’s SpyMgr.

Related Products

  1. Deviare Hooking Engine
  2. Deviare In-Process
  3. SpyStudio
  4. Audio Recorder API

If you liked this article, you might also like:

  1. Injecting a DLL in a Modern UI Metro Application
  2. Intercepting Direct3D COM Objects and Making Game Walls Invisible
  3. How to Identify Virtual Table Functions with the VTBL IDA Pro Plugin
  4. Controlling the Speed of YouTube, Flash, HTML5, and Desktop Videos with Deviare Hooks
  5. Logging Printer Activity

Intercepting Direct3D COM Objects and Making Game Walls Invisible

Using Deviare to Cheat on Games

This simple Deviare code allows you to to see through game walls. We intercept Direct3D objects and select wireframe mode so the walls are transparent. This code injects a DLL to create an object based on the IDirect3D9 interface and hook the address of the CreateDevice COM method from the virtual table. The hooked CreateDevice COM method receives an object with IDirect3DDevice9 interface, which is used to set the wireframe mode by calling pDeviceInterface->SetRenderState(D3DRS_FILLMODE, D3DFILL_WIREFRAME). The pDeviceInterface->SetRenderState(D3DRS_FILLMODE, D3DFILL_SOLID) call reverts to the solid mode. You can switch between the wireframe and the solid modes by using the INSERT and DELETE keys.

Deviare can be used to develop a lot of other game tools. Some ideas to try yourself are:

  • Hooking the random function in the Minesweeper to return zero and solve the game with just one click
  • Retrieving the 3D models from games which encrypt them
  • Implementing an Aimbot

It would be a dangerous thing for the gamer community if streamed online games such as OnLive succeeded. You cannot reverse engineer the cloud. Game cheating has a long early history, it would be bad to cut it. Gamers have been cheating on video games since their invention. It would be a shame to stop the fun.


  1. Deviare interception engine


Code sample written by Douglas from Nektra Windows driver development. He was helped by Data Loss Prevention Solution Development and Windows Software Development teams.

If you like this article, you might also like:

  1. Instrumenting Direct3D Applications to Capture Video and Calculate FPS
  2. Controlling the Speed of YouTube, Flash, HTML5, and Desktop Videos with Deviare Hooks
  3. Automating Google’s Doodles: 4.9 Second Record on Hurdles
  4. SQL Server Interception and SQL Injection Attack Prevention

SQL Server Interception and SQL Injection Attack Prevention

Note: we updated the code on August 23, 2013. The new code includes an “abort” feature, discussed in the article Instrumenting Microsoft SQL Server to Abort Dangerous Queries.

Our Deviare hooking engine can be used to hook into Microsoft SQL Server 2012 RTM (11.00.2100.60) and 2014 CTP1 queries at the application level. Tools like WireShark use a different approach since they intercept SQL Server traffic at the network level. The key benefits of intercepting queries at the application level are:

  • Since the query is a string you do not need to understand a protocol to retrieve it
  • As the query is received on a single point, you do not have to handle a variety of communication channels between the client and the server
  • It is possible to change the flow of the application and modify or cancel a query

The sample code below dynamically loads SQL Server public debugging symbols and hooks the CSQLSource::Execute function.

In 2013, the most critical security risk is injection. Our code can be used to develop your own monitoring and mitigation tool. With a lot of zero day bugs around it is not possible to depend only on vendors and their hotfixes. The problem is even worse for closed source applications. For example, Microsoft is ending support for Windows XP on April 8, 2014. How can your organization deal with that? The three main options are:

  1. Migrating to a newer operating system
  2. Paying for extra support
  3. Using tools like Deviare to quickly implement custom security sandboxes and security mitigation tools.


The code is available on github.


  1. Download Deviare and register it for 32-bit or 64-bit
  2. To enable the Deviare engine to use debugging symbols, the following library files are required: symsrv.dll which can be obtained in the Debugging Tools for Windows package and msdiaXX.dll which is part of the DIA SDK, available in Microsoft Visual Studio installation folder, under DIA SDK/bin directory. The Recommended Debugging Tools for Windows version is 6.12.2633 or higher. Tested DIA SDK versions are 9.0 (msdia90.dll), 10.0 (msdia100.dll) and 11.0 (msdia110.dll).
  3. You must copy those 32 and/or 64-bit DLLs to the dllx86 and dllx64 folders in the root directory of the project, depending on which platforms you want to target.
  4. SQL Server SQLSERVR.EXE service platform should match the project architecture for the interception to succeed.


  1. Compile the solution
  2. Make sure sqlservr.exe service is running
  3. Copy all database files from the project’s DB folder into the binary output folder. See below for information about user-defined databases.
  4. Run SQLSvrIntercept.exe from the commandline with Administrator rights. It will load and cache the symbols under c:\symbols and then displays “Ready.”.

Development Notes

If the application will be deployed to a Microsoft Windows environment which does not have Visual Studio 2012, make sure that the runtime C++ dependencies are available. If they are missing:

  1. To deploy the Debug compilation you can copy the library from %ProgramFiles%\Microsoft Visual Studio 11.0\VC\redist\Debug_NonRedist\x64\Microsoft.VC110.DebugCRT to the System32 directory in the destination computer.
  2. To deploy the Release compilation you can copy the %ProgramFiles%\Microsoft Visual Studio 11.0\VC\redist\x64\Microsoft.VC110.CRT to the System32 directory in the destination computer, or install the Visual Studio 2012 Redistributables from http://www.microsoft.com/en-us/download/details.aspx?id=30679

Generating User Defined Databases

Deviare offers many advanced features such as counting, inspecting and dereferencing function parameters, getting parameter types, and intercepted function skip. A database containing the function signature is required for those features to work with a specific function.

The default Deviare databases are enough for most standard operating system libraries.
However, in case you need to intercept a function that is not present in the default databases, Deviare provides a tool to generate user defined databases. This tool is located in the Deviare-DbGenerator distribution. It should be fed with a C header file containing the function and type definitions to add.

A simple example (along with our own CSQLSource::Execute signature definition) is included in the DB folder for this project. The database files were generated from the sample BASE.H file.

Note that databases are not required for basic interception: you can intercept an anonymous function by specifying its address. However databases are required for query blocking, which uses the Deviare’s call-skipping feature.


Nektra’s Hernan Di Pietro wrote the SQL Server interception tool. After researching a bit without finding the correct function to hook he asked on Reverse Engineering Q&A where Brendan Dolan-Gavitt kindly pointed him to the correct function, allowing him to complete the project.

He was helped by Windows driver developmentData Loss Prevention Solution Development and Windows Software Development teams.


  1. Some of Microsoft’s product versions do not have public debugging symbols, which are required in order to use the SQL Server interception tool
  2. Not tested on SQL Server 2005 or SQL Server 2008

See Also

  1. Injecting a DLL in a Modern UI Metro Application
  2. Logging Printer Activity
  3. How to Identify Virtual Table Functions with the VTBL IDA Pro Plugin

Further Reading

  1. SQLProb: A Proxy-based Architecture towards Preventing SQL Injection Attacks