nektra / Deviare2
Deviare API Hook
Home Page: http://www.nektra.com/products/deviare-api-hook-windows/
License: Other
I'd like to hook all calls to some API function independent from what program makes them. Getting the information about calling program would be nice too.
Can Deviare be used for that? It looks like it is possible but I cannot find an example of such usage. Are there any?
It's a new sphere for me, I'd like to ask a question before I dive in.
Hello.
I have a small request: could somebody show or explain how to correctly assemble a complete example from the Quickstart? There are pieces of code with explanations there, but it is not said where and what to add.
Thanks in advance for the help.
Deviare documentation does not work.
https://www.nektra.com/products/deviare-api-hook-windows/doc-v2/index.html
Left panel is always empty.
The main panel only has a link for the QuickStart and nothing else.
Hi,
While using your api to hook some functions in notepad++, I noticed some calls to CreateRemoteThread whenever I use the notepad's open file button. I do not understand why notepad would call this function, and in fact, rohitab's "ApiMonitor" does not see these calls. I fear these calls could be the result of interference from the hooking procedure itself, while performing process injection. Many other windows applications are also triggering the hook where I would not expect them to. Could you please look into this? Steps to reproduce:
1. Use CSharpConsole to hook CreateRemoteThread in notepad++
2. Try to open a file in notepad++
Optionally: I recall these steps working with Windows' 32-bit notepad.exe as well.
A document describing the purpose of each sample and the components each one uses from Deviare2 is missing.
This should partially address issues and non-issues found in the samples like in #26.
I'm new to hooking and I am looking to start with Deviare, but the API page is down.
https://www.nektra.com/products/deviare-api-hook-windows/doc-v2/
Have the docs been moved to another page?
Thanks
I'm trying to run a sample but the Nektra.Deviare2.dll is not included. How can I achieve this?
I'm playing around with CSharpConsole from the precompiled Deviare 2.8.0 release under a Windows 10 64-bit VM, and while CSharpConsole64.exe can hook a 64-bit process like notepad.exe with no problem, CSharpConsole.exe crashes target 32-bit processes like notepad++.exe, devenv.exe, etc. Is 32-bit hooking supported under Windows 10?
Faulting application name: notepad++.exe, version: 6.9.2.0, time stamp: 0x573b9c9e
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00d90030
Faulting process id: 0x10fc
Faulting application start time: 0x01d21359b0a69664
Faulting application path: C:\Program Files (x86)\Notepad++\notepad++.exe
Faulting module path: unknown
Report Id: c34e8c31-c38b-402c-834c-3df70f833943
Faulting package full name:
Faulting package-relative application ID:
App crash after hooking and then removing the hook again.
The program has crashed.
After tracing it, I found the crash point:
HookEngine.cpp#L806
CNktAutoFastMutex cLock(this) // crash point
Deviare2\Source\Engine\SpyMgr\Asm\Injector_x86.inl is absent until the x86 version is built, and thus the x64 build fails (because it includes it unconditionally).
Hello everyone!
I'm trying to hook some functions of the spoolsv.exe process, for instance the YSetJob and YGetJob functions (both undocumented). So far I'm able to get the calls, but when I try to get the params through:
INktParamsEnum paramsEnum = hookCallInfo.Params();
nothing is returned.
I believe that I have to insert these functions into Nektra's database; still, I don't even know where to begin, and actually I'm not entirely sure if this is the real problem here.
Please, help!
Using C# and Visual Studio 2013 in this one.
hRes = lpIntObj->GetObj()->GetFunctions(&cDbObjsEnum);
"lpIntObj" was overridden by the local variable definition (#L87) but was not reassigned, resulting in it always being null.
I used SpyStudio to hook Sublime and found that the function CreateFile is what I need.
Now I changed this example https://github.com/nektra/Deviare2/tree/master/Samples/Python/DenyAccessToTXT (replaced notepad.exe with sublime_text.exe, and StartNotepadAndHook), but OnFunctionCalled is not called. How do I solve it?
Thanks.
Always possible I'm doing something wrong, but I'm getting fatal errors when trying to rebuild the DB.
I wanted access to the d3d9.dll!SetRenderState function. As near as I can tell, that function is missing from the DB that ships with 2.8.3. If I use the DbFunctions call, I do not find that function in the returned list.
NktDbObjectsEnum funcs = spyMgr.DbFunctions(theball.PlatformBits);
for (int i = 0; i < funcs.Count; i++)
{
    NktDbObject funcObj = funcs.GetAt(i);
    Console.WriteLine(i + ": " + funcObj.Name);
    ...
Trying to limit the function list to just the d3d9.dll module, I get an AccessViolation exception when I try to fetch the functions for that module. Not sure if this is related, but it seemed odd.
INktDbModulesEnum modules = spyMgr.DbModules(theball.PlatformBits);
NktDbModule d3d9 = modules.GetByName("d3d9.dll");      // <<< works
NktDbObjectsEnum functions = d3d9.DbFunctions();       // <<< crash
for (int i = 0; i < functions.Count; i++)
{
    NktDbObject funcObj = functions.GetAt(i);
    Console.WriteLine(i + ": " + funcObj.Name + " " + funcObj.Declaration);
}
Searching the entire function list for a partial name match of "SetRender" did not show any results, which makes me think it is missing.
Then took a look at rebuilding the DB with current header files. As near as I can tell, this is not currently possible.
The documentation suggests using a zip file that is not available, but seems to be clearly related to the other tools in the Database folder. Running the build32.bat full and build64.bat full generated the expected preprocessed*.h files.
However, running the DbBuilder/build_32.bat against those files gives 60 or so errors.
c:\Users\bo3b\Documents\Code\Deviare2\Database\HeaderBuilder\Full\output\preprocessed32W.h:148788: error: wrong number of arguments specified for 'deprecated' attribute
This error appears to happen because the gcc compiler used for building the DB is old, and does not support parameters for the 'deprecated' attribute. For example:
typedef struct __declspec(deprecated("Use ""ADDRINFOEX2W"" instead or define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings")) addrinfoex2A
It's not the double quotes, it's the entire string parameter it does not like.
There are a handful of other errors as well.
Not sure this is helpful, but thought I'd report it as not working with Visual Studio 2013, and SDK 8.1 headers. As noted, I cannot be certain I setup or built this all correctly.
Hello, excuse me for troubling you, but I am a beginner in programming and I have only just begun to study hooking.
Question: I managed to compile the libraries and examples, but when starting the "CSharp\COMHookingBasis" example nothing happens: the console appears and immediately exits, although "Console.WriteLine("Press ESCAPE key to quit...");" should appear in any case.
Please help me understand.
I would like to point out that identifiers like "_NKT_DV_ENGINEDATABASE_H" and "_DBGENERATOR_H" do not fit the expected naming convention of the C++ language standard.
Would you like to adjust your selection for unique names?
This has killed me at least twice now, and I really am expecting LoadCustomDLL to return an error. I check and handle all errors, but LoadCustomDLL will report success, even if the dll path name is invalid.
In particular, if the pathname is invalid, LoadCustomDLL will return the int/hresult=0. And I'll crash later at NktHook.Hook.
If my pathname is valid, then LoadCustomDLL will return int/hresult=1, which is a little weird, but still matches the SUCCESS style macros. Still, it really ought to be 0, this is not a 'test for functionality' type call. The documentation does not indicate it would ever return '1'.
This is a fairly serious problem, because debugging this took me a couple of days. This crash because of a bad path is quite obscure, and would be dramatically better if LoadCustomDLL would return an error.
Here is the stack crawl when it crashes.
> 00000001() Unknown
[Frames below may be incorrect and/or missing]
DvAgent.dll!TNktArrayList<CNktDvParam *,128,TNktArrayListItemRemove_Release<CNktDvParam *> >::RemoveAllElements() Line 330 C++
DvAgent.dll!CNktDvHookEngine::Hook(CNktDvHookEngine::tagHOOKINFO * aHookInfo=0x8007007e, unsigned long nCount=1, int bIsInternal=0) Line 494 C++
DvAgent.dll!CDvAgentMgr::OnEngMsg_AddHook(tagNKT_DV_TMSG_ADDHOOK * lpMsg=0xffe16054, CNktDvTransportBigData * lpConnBigData=0xffe300e0) Line 2522 C++
DvAgent.dll!CDvAgentMgr::TAC_OnEngineMessage(CNktDvTransportAgent * lpTransport=0x77ad4060, tagNKT_DV_TMSG_COMMON * lpMsg=0xffe16054, unsigned long nMsgSize=1084, CNktDvTransportBigData * lpConnBigData=0xffe300e0) Line 699 C++
DvAgent.dll!CNktDvTransportAgent::WorkerThreadProc(unsigned long nIndex=5) Line 564 C++
DvAgent.dll!TNktClassWorkerThread<CNktDvTransportAgent>::ThreadProc() Line 169 C++
DvAgent.dll!thread_start<unsigned int (__stdcall*)(void *)>(void * const parameter=0xffe0418c) Line 115 C++
kernel32.dll!@BaseThreadInitThunk@12() Unknown
ntdll.dll!___RtlUserThreadStart@8() Unknown
ntdll.dll!__RtlUserThreadStart@8() Unknown
Here is my simplified C# code that demonstrates the problem:
_spyMgr = new NktSpyMgr();
hresult = _spyMgr.Initialize();
if (hresult != 0)
    throw new Exception("Deviare initialization error.");
#if DEBUG
_spyMgr.SettingOverride("SpyMgrDebugLevelMask", 0xCF8);
#endif
{
    // Launch the game, but suspended, so we can hook our first call and be certain to catch it.
    _gameProcess = _spyMgr.CreateProcess(game, true, out continueevent);
    if (_gameProcess == null)
        throw new Exception("Game launch failed.");

    // Load the NativePlugin for the C++ side. The NativePlugin must be in this app folder.
    // The Agent supports the use of Deviare in the CustomDLL, but does not respond to hooks.
    _spyMgr.LoadAgent(_gameProcess);
    int result = _spyMgr.LoadCustomDll(_gameProcess, _nativeDLLName, true, true); // *** trouble
    if (result < 0)
        throw new Exception("Could not load NativePlugin DLL.");

    // Hook the primary DX9 creation call of Direct3DCreate9, which is a direct export of
    // the d3d9 DLL. All DX9 games must call this interface, or the Direct3DCreate9Ex.
    // We set this to flgOnlyPreCall, because we want to always create the IDirect3D9Ex object.
    NktHook d3dHook = _spyMgr.CreateHook("D3D9.DLL!Direct3DCreate9", (int)eNktHookFlags.flgOnlyPreCall);
    if (d3dHook == null)
        throw new Exception("Failed to hook D3D9.DLL!Direct3DCreate9");

    // Make sure the CustomHandler in the NativePlugin at OnFunctionCall gets called when this
    // object is created. At that point, the native code will take over.
    d3dHook.AddCustomHandler(_nativeDLLName, 0, "");

    // Finally attach and activate the hook in the still suspended game process.
    d3dHook.Attach(_gameProcess, true);
    d3dHook.Hook(true); // *** Will crash here.

    // Ready to go. Let the game startup. When it calls Direct3DCreate9, we'll be
    // called in the NativePlugin::OnFunctionCall
    _spyMgr.ResumeProcess(_gameProcess, continueevent);
}
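A pre-flight check for the LoadCustomDll problem described above, added here as an example and not code from the Deviare2 project or from the reporter: before handing a custom DLL path to LoadCustomDll, confirm that the file exists and that the Machine field of its PE header matches the bitness of the target process, since the report above is that LoadCustomDll returns success for a bad path and only fails later at NktHook.Hook, and a DLL of the wrong bitness cannot be loaded into the target either. The function names (pe_machine, pe_bits, check_custom_dll, build_pe_stub, verify_stub_on_disk), the minimal PE header built for the self-test and the placeholder file name NativePlugin.dll are all assumptions of this example.

```python
import os
import struct
import tempfile

# IMAGE_FILE_HEADER.Machine values (from winnt.h).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
_BITS = {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}


class PeCheckError(ValueError):
    """Raised instead of silently 'succeeding' on a bad custom DLL."""


def pe_machine(data: bytes) -> int:
    """Return the Machine field of a PE image given (at least) its headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PeCheckError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PeCheckError("PE signature not found")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def pe_bits(data: bytes) -> int:
    """32 or 64 for the image, PeCheckError for anything else."""
    machine = pe_machine(data)
    try:
        return _BITS[machine]
    except KeyError:
        raise PeCheckError("unsupported Machine 0x%04X" % machine) from None


def check_custom_dll(path: str, target_bits: int) -> str:
    """Validate the DLL before LoadCustomDll; returns the path on success."""
    if not os.path.isfile(path):
        raise PeCheckError("custom DLL not found: %s" % path)
    with open(path, "rb") as f:
        headers = f.read(4096)          # DOS + PE headers live in the first page
    bits = pe_bits(headers)
    if bits != target_bits:
        raise PeCheckError("%s is %d-bit but the target process is %d-bit"
                           % (path, bits, target_bits))
    return path


def build_pe_stub(machine: int) -> bytes:
    """Constructed minimal PE header (test fixture only, not a loadable DLL)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> PE signature
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)     # IMAGE_FILE_HEADER.Machine
    return bytes(hdr)


def verify_stub_on_disk(machine: int, target_bits: int) -> bool:
    """Write a stub header to a temp dir and run the check; True if accepted."""
    with tempfile.TemporaryDirectory() as d:
        stub = os.path.join(d, "NativePlugin.dll")   # placeholder name
        with open(stub, "wb") as f:
            f.write(build_pe_stub(machine))
        try:
            check_custom_dll(stub, target_bits)
            return True
        except PeCheckError:
            return False


if __name__ == "__main__":
    # Matching bitness is accepted; mismatch and a missing file are refused
    # up front instead of surfacing as a crash inside NktHook.Hook.
    print("32-bit stub into 32-bit target:", verify_stub_on_disk(IMAGE_FILE_MACHINE_I386, 32))
    print("32-bit stub into 64-bit target:", verify_stub_on_disk(IMAGE_FILE_MACHINE_I386, 64))
    try:
        check_custom_dll(r"C:\nonexistent\NativePlugin.dll", 64)
    except PeCheckError as e:
        print("refused:", e)
```

Run the check on the same path string you pass to LoadCustomDll (the full path, not the bare file name), so that a typo or a missing build output is caught before the process is resumed.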
Hi,
I have found this source
http://whiteboard.nektra.com/deviare-v-2-0/quickstart_v-2-0
but it seems not to work, probably because I am missing something.
I need to monitor each file access of a specific process, and this source seems to do it in theory.
Do you know where I can download the complete project source code for this?
Thank you!
Hello all,
Is there a C sample?
Regards,
Hi,
NktHook hook = _spyMgr.CreateHook("Fastprox.dll!CWbemObject::Get", (int)( eNktHookFlags.flgOnlyPreCall));
is not working.
NktHook hook = _spyMgr.CreateHook("Fastprox.dll!?Get@CWbemObject@@UAGJPBGJPAUtagVARIANT@@PAJ2@Z", (int)( eNktHookFlags.flgOnlyPreCall));
does not work either.
How else can I do it?
Thanks
Hello,
I just need to know: I want to print all the API calls (e.g. CreateFileW, QueryInformation, CloseFile, ReadFile etc.) (not only DLLs) of a hooked process. Can I do that, and what method/function should I use? I am working in C# with Deviare2.
Thanks.
Hello Mauro,
Do you know of any Deviare-InProc example code that also writes the "NktProcessMemory" parameters?
I am trying to intercept process calls and then redirect file and registry requests to another drive location (on a network).
Is this possible to do with Deviare-InProc?
Hi all!
I have run into a problem while using Deviare2 and am looking for someone who could explain the observed behavior.
Let's consider the following scheme of a project:
The problem I ran into is that after several calls to the hook handlers inside the .NET library (2), some of the hooks in this library (2) (sometimes all of them) will not trigger anymore, despite the corresponding WinAPI being called.
I have inspected the case a bit and found that the part of the Deviare2 code that is injected into the application (3) is working OK and triggers the transport sending a message to the client (the CDvAgentMgr::OnUserHook code works well).
The client successfully receives that message and tries to call the handler inside spymgr.cpp CNktSpyMgrEngineImpl::OnHookCalled.
In the successful case the call to the handler will be inside lpHookImpl->Fire_OnFunctionCalled(cIHook, cIProc, cIHookCallInfo);
Next, hookevents.h Fire_OnFunctionCalled is triggered and tries to enumerate connections, but it seems that all connections are dead in the error case.
I have prepared a sample project based on the COM sample to demonstrate the problem; it could be downloaded here
It works very similarly to the COM sample: it runs notepad.exe, one should click File->Save the first time, the hooks from the dll will be triggered (a lot of times maybe), then close the dialog and click File->Save a second time, and some of the hooks from the dll will not be triggered (WinAPI calls to the hooked functions will go through normally).
Am I doing something completely wrong by design, or is this a bug? What could cause such strange behavior?
UPD: Save dialog (not Open) should be used to reproduce the issue with sample.
In CSharpConsole64 under a Windows 10 64-bit VM, after hooking sqlservr.exe (SQL Server 2016) with multiple kernel32 functions (specifically GetLocalTime and GetSystemTimeAsFileTime, the latter being frequently called), it crashes SQL Server after about 10 seconds of logging the events, with a few GetLocalTime and a few dozen GetSystemTimeAsFileTime calls. Is it related to #16? The exception code seems different.
Faulting application name: sqlservr.exe, version: 2015.130.1601.5, time stamp: 0x5724ae45
Faulting module name: ntdll.dll, version: 10.0.14393.103, time stamp: 0x57b7e207
Exception code: 0xc00000fd
Fault offset: 0x0000000000039633
Faulting process id: 0xb3c
Faulting application start time: 0x01d213f220cda4c6
Faulting application path: C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 18c975dd-9023-44c4-a4f8-ce7858986dd7
Faulting package full name:
Faulting package-relative application ID:
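The two Windows Error Reporting records on this page (the notepad++ one in the 32-bit crash issue above and the sqlservr.exe one here) carry what a first triage needs. The parser below is an added example, not code from the Deviare2 project or from the reporters: it pulls the fields out, names the exception code (NTSTATUS values from ntstatus.h) and flags a report whose faulting module is "unknown", which WER writes when the faulting instruction pointer was not inside any loaded image, one thing a hook trampoline living in allocated memory would produce. The two report texts are copied from the issues above and embedded as fixtures; the function names are mine.

```python
import re

# NTSTATUS exception codes (ntstatus.h) seen in crash reports on this page.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Copied from the two issues above (constructed fixtures for the example).
NOTEPAD_REPORT = """\
Faulting application name: notepad++.exe, version: 6.9.2.0, time stamp: 0x573b9c9e
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00d90030
Faulting process id: 0x10fc
Faulting application path: C:\\Program Files (x86)\\Notepad++\\notepad++.exe
Faulting module path: unknown
"""

SQLSERVR_REPORT = """\
Faulting application name: sqlservr.exe, version: 2015.130.1601.5, time stamp: 0x5724ae45
Faulting module name: ntdll.dll, version: 10.0.14393.103, time stamp: 0x57b7e207
Exception code: 0xc00000fd
Fault offset: 0x0000000000039633
Faulting process id: 0xb3c
Faulting application path: C:\\Program Files\\Microsoft SQL Server\\MSSQL13.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe
Faulting module path: C:\\Windows\\SYSTEM32\\ntdll.dll
"""

# 'Key: value'; the key runs up to the first colon, the value may contain more.
_FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_wer_report(text):
    """Split a 'Faulting application ...' event body into {field: value}."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def _first(value):
    # 'notepad++.exe, version: 6.9.2.0, ...' -> 'notepad++.exe'
    return value.split(",", 1)[0].strip()


def classify_wer_report(text):
    """Structured triage record for one WER event."""
    f = parse_wer_report(text)
    code = int(f.get("Exception code", "0"), 16)
    module = _first(f.get("Faulting module name", ""))
    return {
        "process": _first(f.get("Faulting application name", "")),
        "pid": int(f.get("Faulting process id", "0"), 16),
        "exception": NTSTATUS_NAMES.get(code, "0x%08X" % code),
        "module": module,
        "offset": int(f.get("Fault offset", "0"), 16),
        # WER writes 'unknown' when the faulting IP is not inside any loaded
        # image: code running from allocated memory, e.g. a hook trampoline.
        "ip_outside_image": module.lower() == "unknown",
    }


def triage(text):
    """One-line verdict suitable for a bug report title."""
    r = classify_wer_report(text)
    if r["ip_outside_image"]:
        where = "outside any loaded module"
    else:
        where = "%s+0x%x" % (r["module"], r["offset"])
    return "%s (pid %d): %s at %s" % (r["process"], r["pid"], r["exception"], where)


if __name__ == "__main__":
    for report in (NOTEPAD_REPORT, SQLSERVR_REPORT):
        print(triage(report))
```

The two verdicts differ in kind: the notepad++ fault is an access violation executing outside every loaded module, which points at the injected code itself, while the sqlservr.exe fault is a stack overflow inside ntdll.dll, the signature of unbounded recursion such as a hooked function re-entering its own hook.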
I experienced random exceptions "Collection was modified; enumeration operation may not execute" thrown in RefreshJobsExecutionOrderForNextUpdate(). It happens because the execution decrement is not protected by the _jobsLock. Adding the _jobsLock fixes it.
lock (_jobsLock)
{
    _jobs.Where(j => j.ExecutionOrder > 1).ForEach(j => j.ExecutionOrder--);
}
hi,
Today I observed winword.exe hanging at startup (after showing the splash screen, "Not responding") while opening a file.
OS: windows 10 64-bit v1709 (Build 16299.309)
Office version: office 2016
I was able to take the hang dump. please find the link below.
https://drive.google.com/open?id=1Ng1omYZcRowatnPCNcVZhgCJviYZUFgz
Please let me know, if you need additional information.
When I wanted to hook WriteFile using a C# dummy writer, I found it hooked WriteFile twice for a single StreamWriter WriteLine call. I tried to use API Monitor to hook the dummy writer, and I found API Monitor only hooks once for every write call.
http://stackoverflow.com/questions/40634008/deviare2-hook-writefile-api-twice-for-only-one-write
I corrected it.
../Deviare2-master/Database/HeaderBuilder/build32.bat Line:20
rem CALL "%VS140COMNTOOLS%....\VC\vcvarsall.bat" x86
CALL "%VS140COMNTOOLS%....\VC\vcvarsall.bat" x86 8.1
With that I can get these right:
preprocessed32W.h
compile32.log
preprocessed64W.h
compile64.log
But when I used "../Deviare2-master/Database/DbBuilder/build_db32.bat", an error occurred.
DbGenerator32.log
I hope I can get help.
Hi,
OS version : windows 7/windows 8.1
Office version : Office 2013
When testing the latest deviare 2.8.3 with the Microsoft Word application, Sophos Endpoint Security and Control (v10.6) detects a buffer overflow and stops the Word document from opening (the Word application just hangs at the splash screen).
I used CSharpConsole64.exe to hook to winword.exe
Please let me know if you need more information.
Hi there,
I am new to Windows programming. I finally got all the source code compiled. When I ran CSharpConsole(64) in ../Deviar2/bin, it crashed. I could run it via VS2015. Then I tried to run it with the COM samples via "regsvr32 XXX". They failed too. I tried to run CSharpConsole(64) again with VS2015. It crashed too. I found RunningProcesses() returns NULL. What can I do to work around this error? Many thanks!
I got a message about upgrading the runtime: after the upgrade, when I hit the compile button, many errors pop up like "cmd.exe failed" and so on.
I tried running the "build.bat" but it says it didn't find Visual Studio 2012.
Could you update this project for use with Visual Studio 2015, or at least update the build script or add a 2015-specific one?
Thanks
Sorry to bug you here again. This is probably answered on the old forums, but I'm stuck.
I'm getting a crash at launch while using Deviare2:
First-chance exception at 0x004F2B75 in limbo.exe: 0xC0000005: Access violation reading location 0x00000000.
win32u.dll!_NtUserCallOneParam@8() Unknown
limbo.exe!0044fd9a() Unknown
[Frames below may be incorrect and/or missing, no symbols loaded for limbo.exe]
limbo.exe!004457ac() Unknown
uxtheme.dll!ClassicSystemParametersInfoA() Unknown
uxtheme.dll!_InternalSystemParametersInfo() Unknown
uxtheme.dll!ThemeSystemParametersInfoA() Unknown
user32.dll!__EndUserApiHook@0() Unknown
limbo.exe!00478878() Unknown
limbo.exe!00739980() Unknown
ntdll.dll!_NtClose@4() Unknown
KernelBase.dll!CloseHandle() Unknown
kernel32.dll!@BaseThreadInitThunk@12() Unknown
ntdll.dll!__RtlUserThreadStart() Unknown
ntdll.dll!__RtlUserThreadStart@8() Unknown
The game is Limbo, running from the GoG version, which means there is no DRM or other foolishness.
I trimmed the C# code down to a minimal example, which is just the launch itself, no DLL load, and it still crashes. This also crashes when run as Admin. All Deviare 2.8.3 DLLs are in the app launch folder, and the DLLs are regsvr32 active.
_spyMgr = new NktSpyMgr();
hresult = _spyMgr.Initialize();
if (hresult != 0)
    throw new Exception("Deviare initialization error.");

// Launch the game, but suspended, so we can hook our first call and be certain to catch it.
_gameProcess = _spyMgr.CreateProcess(@"G:\Games\limbo\limbo.exe", true, out continueevent);
if (_gameProcess == null)
    throw new Exception("Game launch failed.");

_spyMgr.ResumeProcess(_gameProcess, continueevent);
Bit of a loss here, any suggestions?
I have downloaded and compiled Deviare from source.
Windows 7 x64 SP1
Python 2.7.9 Stackless 32bit
pywin32 220
When running the following code, not all process creation/destruction notifications show. There are specific processes that I am looking for that happen very quickly, and some of them are getting passed by. I have tested this in many different ways, but in this example I am using threading.Event() to stall the process creation. It seems to be the "sweet spot": 0.728 seconds, with 4 creation and 4 destruction notifications out of 10 processes created and destroyed.
Please excuse the code; this is for testing purposes and wasn't meant to be pretty.
import os
import win32com.client
import ctypes
import sys
import threading

# Register the Deviare COM server that sits next to this script.
dllPath = os.path.join(os.path.split(__file__)[0], 'DeviareCOM.dll')
dll = ctypes.windll[dllPath]
dll.DllRegisterServer()


class ProcessEvents:
    # Event sink for NktSpyMgr process notifications.
    def OnProcessStarted(self, pyPID):
        process = win32com.client.Dispatch(pyPID)
        name = process.Name.split('.')[0]
        pid = process.Id
        user = process.UserName
        print 'OnProcessStarted:', name, pid, user

    def OnProcessTerminated(self, pyPID):
        process = win32com.client.Dispatch(pyPID)
        name = process.Name.split('.')[0]
        pid = process.Id
        user = process.UserName
        print 'OnProcessTerminated:', name, pid, user


win32com.client.pythoncom.CoInitialize()
processManager = win32com.client.DispatchWithEvents("DeviareCOM.NktSpyMgr", ProcessEvents)
processManager.Initialize()
hook = processManager.CreateHook("kernel32.dll!CreateProcess", 0)
hook.Hook(True)

event = threading.Event()
event.set()


def run():
    # Wait until the main thread clears the event, then spawn 10 short-lived processes.
    while event.isSet():
        pass
    for i in range(10):
        os.system("cmd /c echo Test")
        event.wait(0.0728)


threading.Thread(target=run).start()
MessageBox = ctypes.windll.user32.MessageBoxW
event.clear()
MessageBox(None, "", "", 0)
I am not sure if this is normal behavior; please advise.
When I build and run the COMHookingBasis C# sample in Visual Studio 2013, I never hit the breakpoint on OnDllGetClassObjectCalled.
I hit other breakpoints, so the connection to debugger is correct.
This along with other tests makes me think that the
hookDllGetClassObj.OnFunctionCalled += OnDllGetClassObjectCalled;
is not functional. I tested on both Win7 and Win10, neither work. No errors are reported.
Adding a handler to the SpyMgr itself seems to work, but hook specific call handlers do not get called.
I have an application that consists of a windows service that is hooking the windows print spooler process.
I'm having a problem, sometimes, for some reason, the spooler restarts, and the hook is lost.
What is the best way of monitoring if the hook is active in the hooked process and to hook this process as soon as it starts?
Hi,
When I try to open a Word document from a network drive, two Word processes are opened with one window (UI), where the document is opened in "Protected View". Even if I don't click on the "Enable Editing" button, two processes are still opened.
Now, if I use CSharpConsole64.exe to hook winword.exe, it is not able to hook and returns an error. Please find the attached screenshot.
It is able to hook only one winword.exe (hook is active) and not the other winword.exe (it is in the inactive list and has stError).
OS: Windows 10 1703 (15063.483) (the Anniversary Update also has the same issue).
deviare version: 2.8.3
Office version: Office 2016 64-bit
Hi, I can build Samples\C\Test.sln, but the result seems incorrect.
To understand Deviare, I use CTest to test. My command parameters are: CTest.exe exec notepad -log=CTest.log. And the log contains:
..
CNktDvEngine::CreateHook (user32.dll!GetWindowTextW) => 00000000
CNktDvEngine::CreateHook (ntdll.dll!NtRaiseException) => 00000000
CNktDvEngine::CreateHook (ntdll.dll!NtRaiseHardError) => 00000000
CNktDvEngine::CreateHook (ntdll.dll!RtlUnhandledExceptionFilter2) => 00000000
CNktDvProcess::Create => 00000000
CNktDvHooksEnumerator::AddProcess => 00000000
1112011859: Hook state change [18624]: comdlg32.dll!ChooseColorA -> Activating
1112011859: Agent load [18624]: hRes=0x8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseColorA -> Error: 8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseColorW -> Activating
1112011875: Agent load [18624]: hRes=0x8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseColorW -> Error: 8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseFontA -> Activating
1112011875: Agent load [18624]: hRes=0x8A320003
1112011875: New process [18624]: C:\Windows\SysWOW64\notepad.exe
1112011890: Hook state change [18624]: comdlg32.dll!ChooseFontA -> Error: 8A320003
1112011890: Hook state change [18624]: comdlg32.dll!ChooseFontW -> Activating
1112011890: Agent load [18624]: hRes=0x8A320003
1112011890: Hook state change [18624]: comdlg32.dll!ChooseFontW -> Error: 8A320003
1112011890: Hook state change [18624]: comdlg32.dll!FindTextA -> Activating
1112011890: Agent load [18624]: hRes=0x8A320003
...
1112028203: Hook state change [18624]: shell32.dll!ExtractIconExA -> Removing
1112028203: Hook state change [18624]: wininet.dll!SetUrlCacheGroupAttributeA -> Removing
1112028203: Hook state change [18624]: shell32.dll!SHCreateDirectoryExW -> Removing
...
Initialization, parsing HookAPI and hooking all seem to work, but the log file only contains these. Other SpyMgr events are not hit? Like OnFunctionCalled/OnLoadLibraryCall. And how can I get the meaning of these error codes? My ultimate purpose is tracing internet traffic, so I need to inspect network-related APIs and record the payloads sent/received.
Please tell me what's wrong with it. Thanks!
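A way to read a CTest log like the one above mechanically, added here as an example rather than anything shipped with Deviare2 or posted by the reporter: group the "Hook state change" and "Agent load" lines per PID and check whether every hook error carries the same HRESULT as a failed agent load. When it does, the per-hook errors are a consequence of the agent not loading into the target, and since the hooks are installed by that in-process agent, no OnFunctionCalled can fire for that process no matter how many hooks were requested. The log excerpt is taken from the post above and embedded as a fixture; the regexes and function names are mine, and the code does not try to decode what 0x8A320003 itself means.

```python
import re
from collections import defaultdict

# Excerpt of the CTest log from the post above (fixture for the example).
SAMPLE_LOG = """\
1112011859: Hook state change [18624]: comdlg32.dll!ChooseColorA -> Activating
1112011859: Agent load [18624]: hRes=0x8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseColorA -> Error: 8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseColorW -> Activating
1112011875: Agent load [18624]: hRes=0x8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseColorW -> Error: 8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseFontA -> Activating
1112011875: Agent load [18624]: hRes=0x8A320003
1112011875: New process [18624]: C:\\Windows\\SysWOW64\\notepad.exe
1112011890: Hook state change [18624]: comdlg32.dll!ChooseFontA -> Error: 8A320003
1112011890: Hook state change [18624]: comdlg32.dll!ChooseFontW -> Activating
1112011890: Agent load [18624]: hRes=0x8A320003
1112011890: Hook state change [18624]: comdlg32.dll!ChooseFontW -> Error: 8A320003
1112011890: Hook state change [18624]: comdlg32.dll!FindTextA -> Activating
1112011890: Agent load [18624]: hRes=0x8A320003
1112028203: Hook state change [18624]: shell32.dll!ExtractIconExA -> Removing
1112028203: Hook state change [18624]: wininet.dll!SetUrlCacheGroupAttributeA -> Removing
1112028203: Hook state change [18624]: shell32.dll!SHCreateDirectoryExW -> Removing
"""

# '<ts>: Hook state change [<pid>]: <module!func> -> <State>[: <hres>]'
_STATE = re.compile(r"^(\d+): Hook state change \[(\d+)\]: (\S+) -> (\w+)(?:: ([0-9A-Fa-f]+))?$")
# '<ts>: Agent load [<pid>]: hRes=0x<hres>'
_AGENT = re.compile(r"^(\d+): Agent load \[(\d+)\]: hRes=0x([0-9A-Fa-f]+)$")


def _new_record():
    return {"agent_hres": set(), "errors": {}, "activating": set(), "removed": set()}


def summarize_log(lines):
    """Per-PID view of hook lifecycle and agent-load results."""
    per_pid = defaultdict(_new_record)
    for line in lines:
        m = _AGENT.match(line)
        if m:
            per_pid[int(m.group(2))]["agent_hres"].add(int(m.group(3), 16))
            continue
        m = _STATE.match(line)
        if not m:
            continue                      # 'New process' and other line kinds
        rec = per_pid[int(m.group(2))]
        func, state, hres = m.group(3), m.group(4), m.group(5)
        if state == "Activating":
            rec["activating"].add(func)
        elif state == "Error":
            rec["errors"][func] = int(hres, 16)
        elif state == "Removing":
            rec["removed"].add(func)
    return dict(per_pid)


def diagnose(rec):
    """Separate 'the agent never loaded' from genuine per-hook failures."""
    failed_loads = {h for h in rec["agent_hres"] if h & 0x80000000}   # HRESULT severity bit
    hook_errors = set(rec["errors"].values())
    if failed_loads and hook_errors and hook_errors <= failed_loads:
        return ("agent load failed (hRes=0x%08X); %d hook errors are a consequence, "
                "hooks are installed by the in-process agent so no handler will fire"
                % (next(iter(failed_loads)), len(rec["errors"])))
    if hook_errors:
        return "%d hooks failed independently of agent load" % len(rec["errors"])
    return "no hook errors"


if __name__ == "__main__":
    for pid, rec in summarize_log(SAMPLE_LOG.splitlines()).items():
        print(pid, diagnose(rec))
```

Point the script at the full CTest.log; the first "Agent load" line with a failing hRes for a PID is the line to report, not the hundreds of per-hook errors that follow it.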
I saw from the headers that #include <NCryptprotect.h> is missing, while #include <ncrypt.h> is present. I would like to hook all the functions of NCrypt.dll. Is it possible to add them? Can I easily do that by generating a custom db?
Downloaded Deviare2-master, updated C++ tools, tried to compile DvEngine.sln.
Error: .text section not found File:CUSTOMBUILD Project:SpyMgrLib
A quick check of the file reveals no obvious deficiencies.
Any ideas?
When trying to send comments on Deviare at https://www.nektra.com/contact.html
405 Not Allowed
nginx/1.14.0 (Ubuntu)
Hi,
Currently I am trying run the code sample named "COMHookingBasis" under CSharp environment but I got this error as mentioned below:
Error CS0246: The type or namespace name 'Nektra' could not be found (are you missing a using directive or an assembly reference?)
Could you please help me solving this matter.
Thank you in advance.
Team,
I followed all the steps in this page http://whiteboard.nektra.com/deviare-v-2-0/quickstart_v-2-0.
And when I run the sample applications,
NktProcessesEnum enumProcess = spyMgr.Processes();
the above statement is returning the NULL value for enumProcess. Please suggest the right solution to proceed further. Let me know if you need any other information.
Thanks.
I have Windows 10 version 1607 (Build 14393) and am using deviare 2.7.6, recompiled with the "BuildOriginalNtCalls" function commented out due to issue #16.
Now when testing in the AutoCAD application, it is giving a stack overflow exception in TlsSetValue inside Initialize().
I have uploaded the crash dump to Dropbox.
Please let me know if you need more information.
The latest commit as of right now (802333b) references an external which doesn't exist (https://github.com/nektra/Deviare-InProc/tree/cda4718ef04a0bd009c5d6d41d82cf7a307d3186)
Need: Identify all the applications that are opened, and kill some if needed.
While i am trying to hook explorer.exe, BitDefender(Advanced threat defense) blocks it.
Is there a way to skip this?