Deviare Api Hook Windows

Changes on v2.7.5

Released in August  21, 2015

• Fixed compatibility issue with Windows 10
• Removed call to SetThreadName because causing issues when Deviare is used while debugging a C#/Xaml application

Changes on v2.7.4

Released in April 7, 2015

• Deviare is now open source under dual license GPL or Commercial.
• Fixed an api not found bug in CallCustomApi when the call succeeded.
• Fixed NktProcessMemory read when reading quad words.

Changes on v2.7.3

Released in October 16, 2014

• More documentation added.
• Fixed some api hook code generation.
• Checked Deviare against Windows 10 preview with success.
• Stack walk stops when the instruction pointer becomes invalid.
• Removed SendCustomMessage from INktHookCallInfoPlugin. Plugins should use the one from INktHookInfo.
• Removed CoInitialize(Ex) calls from all threads and switched to the implicit MTA apartment type.

Changes on v2.7.2

Released in early October 2014

• More documentation added.
• Now Deviare fully supports IE8 with or without custom plugins.

Changes on v2.7.1

Released in July 2014

• Fixed hooked process unloading hang when using C# plugins.

Known Issues

• C# plugins may not work if RegisterClass is hooked because CoInitialize(Ex) calls RegisterClass on STA and, at this
  point, COM initialization in not complete yet.
• Plugins may not work in IE8 unless executed with elevated privileges because of COM security model used by the app.

Changes on v2.7

Released in June 2014

• Added ApiMapSet v4 handling.
• Changed api’s in hooking engine’s threads suspender with ntdll counterparts.
• Fixed issue with x64 version of Microsoft Office products and installer.
• Added ntdll stubs creation from original code in order to bypass some third party hooks.
• Added ‘DisableStackWalk’ hook flag to disable stack info retrieval when a hooked function is called.
• Changed some opcode generator in jmp/call code relocator.
• Added CreateProcessWithToken.

Changes on v2.6.9

Released in February 2014

• Fixed some x64 opcode generator in code relocator.
• Fixed an infinite loop when agent is unloading.
• Added more compatibility patches when hooking ThinApp’ed applications.
• Added INktSpyMgr::UnloadAgent to force agent unloading in a hooked application.
• Fixed plugin detaching when unhooking a hook being in use.
• Added exception check to stack unwinding.

Changes on v2.6.7

Released in November 2013

• BREAKING CHANGE: INktSpyMgr::CreateProcess(WithLogon) will set continueEvent to NULL instead of 0 if ‘suspended’ parameter is FALSE or an error occurs.
• BREAKING CHANGE: OnLoadLibraryCall/OnFreeLibraryCall/OnCustomMessage events sends the direct VARIANT value instead of sending a ByRef/Variant that points to another variant. (Should not affect C# project because its ‘object’ handling).
• Fixed memory & handle leaks in some functions using the internal process handles manager.
• Fixed messages being sent between server/client before connection tasks were completed.
• Updated to latest SQLite version.
• Added configurable agent load timeout (default is 10 seconds).

Changes on v2.6.6

Released in September 2013

• Fixed batch hooking being splitted if a dll was loaded in the middle of the hooking process.
• Fixed loading of minimal databases with no modules associations included on them.
• Added OnCustomMessage event for handling custom messages.
• Fixed race hang when hooked process exits and a C# plugin was used.
• Fixed PDB scanning memory leak due to a mistake in DIA SDK documentation.
• Fixed custom handler loading in case function is not available in database.
• Fixed COM interface method retrieval.
• Fixed debug output reporting deadlock.
• When hooked process calls ExitProcess, agent tries to shutdown gracefully.
• Fixed module cache update when a library is loaded a datafile.
• Added more opcodes to the code relocator.
• Fixed handling when exception functions are hooked and some exception is raised inside another hooked function.
• Fixed race condition bigpacket handling and dispatch based on source thread id.
• Fixed LoadLibrary/FreeLibrary event raise that can cause deadlocks if loader lock was active.
• Added manual module/exports cache invalidation.
• Plugin threads can be ignored from global hooks.
• Added methods to INktHookCallInfo and INktHookCallInfoPlugin to store/retrieve custom data between Pre & Post calls.
• Fixed and updated trampoline’s opcodes generation.
• Fixed sign-extension issue when passing pointers from 32-bit applications to 64-bit manager.

Changes on v2.6.5

Released in March 2013

• Now hooks can target only 32 or 64-bit processes if the corresponding hook flags are specified.
• Added a new interface INktPdbFunctionSymbol to retrieve function address from pdb’s symbols.
• Changed INktSpyMgr::CreateHookForAddress method to mantain concistency with other hook creation methods.
• Now plugins can send a custom message to the server when processing a function call.
• Added optional GetFunctionCallbackName method to plugins in order to reroute OnFunctionCall callback to different methods.
• Fixed big packet message handling that caused overflows on certain situations.
• Fixed memory leak on COM objects not being fully released when internal counterpart object is released.
• INktParamsEnum now returns dummy params on invalid index.
• Fixed: INktParam returns TRUE in IsNullPointer if dummy param.
• Agent loader code fixed when needed api’s cannot be found on target process.
• Fixed race condition in modules and exported functions enumeration from multiple threads.
• Fixed deadlock in INktSpyMgr final release while processing an event.
• Fixed agent attach into ThinApp virtualized applications.
• Fixed attached COM event handler retrieval after another handler is removed.

Changes on v2.6.4

Released in January 2013

• Minor changes in internal data when child processes are created from a hooked one.
• Added code to better handling of hooks of terminated processes.
• Added free threading marshaller to all objects to minimize thread context switches and speedup calls.
• Changed interface pointer marshalling system to avoid unusual deadlocks.
• Fixed a deadlock while adding custom parameters inside a plugin.
• Fixed a bug that causes the same C# plugin to be instatiated more than once in some situations.

Changes on v2.6.3

Released in December 2012

• Changed COM event firing implementation replacing ATL::IConnectionPointImpl to avoid rare deadlocks from appearing in STA threads.
• Fixed deadlock on connection being shutdown because of an error.
• Major change: stErrorNotEnoughMemory and stErrorNotFound redefined.
• DeviareCOM & DeviareCOM64 manifest files are now embedded into dlls.
• If LoadLibrary/FreeLibrary ared called while hooking is in progress, notifications will be sent asynchronously to avoid deadlocks.
• Fixed an issue when a library is loaded/unloaded into the hooked process while a connection is being established.
• Fixed CreateProcess injection code to allow .NET processes to be hooked upon startup.

Changes on v2.6.2

Released in November 2012

• Fixed issue while unhooking when the hooked function is being called from another thread.
• Fixed parameter value read/write in agent side.
• Added module enumerator cache to improve performance.
• Fixed hook removal state change being informed more than once in some situation.
• Improved module export cache handling and memory consumption.
• Fixed activation context not being activated in OnLoad custom plugin event.
• COM interface code redesigned to avoid circular references in internal objects.
• Fixed issue in which event callbacks attached to INktHook and INktProcess were not being fired.
• Added more functionallity INktHookCallInfoPlugin events.
• Fixed issues with INktParam’s inside plugin execution.
• Plugin system redesigned to provide more information to the user.
• Added activation context management to agent module to enable RegFree COM usage in plugins.
• Fixed 32-bit -> 64-bit createprocess autohook bugs.
• Fixed other autohook bugs.
• Fixed INktHookEnum not adding/removing the AutoHook flag to each hook.
• Fixed minor issue in native custom plugins.
• Applied free thread marshalling to custom plugins to avoid invocations problems while inside
  a SendMessage (RPC_E_CANTCALLOUT_ININPUTSYNCCALL).
• Fixed integer parsing in C sample.
• Added GetFileNameFromHandle to the INktTools interface. Remember INktTools may throw exceptions.
• Now, in custom handlers, the “64” suffix is added/removed from the dll filename if hooks are
  propagated from x64 processes to x86 and viceversa.
• Also, if a relative path is specified in custom handler dll, it will use agent dll path as the base.

Changes on v2.5.0

Released in October 2012

• Improved message dispatcher (beta). Event delivery should be faster mainly in async ones.
• New hook flags. Now you can specify if a hook/custom handler is called when the loader lock is active.
• Fixed a race condition caused by GetModuleFileName returning ERROR_INVALID_HANDLE if the module is being unloaded.
• Fixed a bug on exported function enumerator causing a later access fault.
• IEnumVARIANT code rewritten.
• Code that links com objects and internal ones was rewritten to avoid some race conditions and circular references.
• INktSpy.ProcessHandle and INktProcess.Handle both returns duplicated handles that must be closed in order to mantain consistency between the two functions.
• Fixed an issue with target process’ modules enumeration while the process is still initializing.
• Fixed an issue when agent is loaded while target process is initializing.
• Fixed a deadlock when SpyMgr process is shutting down.
• Added more checks in api unhooking to prevent crashes when agent is about to be unloaded.
• Added support for Windows 2000.
• Fixed other minor bugs.

Changes on v2.1.0

Released in August 2012

• Fixed process handle manager auto-referencing.
• Module enumerator now lists dll’s loaded as datafile too.
• Changed product license manager.
• Fixed some param-checking bugs in Read/Write methods of ProcessMemory interface.
• Added interfaces that gives more process information.
• Added full api namespace support (BETA).
• Added multi-database merger application.
• Batch hooking and unhooking can be done with INktHooksEnumerator. This should be faster than individual hook/unhook.
• Dynamic link libraries loaded as datafile now are listed in the modules enumerator.
• Minor fixes applied.

Changes on v2.0.7

Released in August 2012

• Fixed issue when process handle is requested with a desired access of zero.
• Fixed fpu crash when a hooked function is called and fpu stack is not empty.
• Added initial namespace support to database.
• Changed internal “insertion point” algorithm.
• Added initial multi-hook-at-once support.
• Added registry key entry to optionally display debug output [HKLM\\Software\\Nektra\\Deviare2 => DebugLevelMask (REG_DWORD)].

Changes on v2.0.6

Released in June 2012

• VB demo which demonstrates Deviare events handling.
• VB and Python demo which demonstrates how to deny a process access to files through Deviare.
• Fixed COM event firing when the current thread is inside a STA apartment model.
• Fixed an issue when a function call is skipped by calling SkipCall method.
• Added “For Each” enumeration for languages like C#, VB and VBScript.

Changes on v2.0.5

Released in June 2012

• Feature: C# Console: Improved modules display method. Now UI keeps responsive while loading process modules.
• Fixed: C# Console: Selected process no longer changes when moved from one category to another after applying a hook.
• Fixed: C# Console: unhandled exception would occur when selecting a process after applying a hook.
• Fixed: C# Console: Other small fixes.

Changes on v2.0.4

Released in June 2012

• Feature: VBA and VBScript support.
• Feature: HookByAddress can now be associate to a function.
• Feature: Documentation added to the project (still beta).
• Feature: Database management code completely rewritten. Now it will load faster and consumes less memory.
• Feature: Database contains almost all functions of the Platform SDK.
• Fixed: Issues related to COM STA apartments used in vbscript.
• Fixed: an issue in routine that checks that no code is running inside agent while agent is being unloaded.
• Feature: Process’ modules and threads scanning completely rewritten to avoid using the unstable toolhelp library.
• Fixed: Issue when a function is hooked more than once.
• Fixed: Message ordering transmitted between the engine and the agent.
• Feature: Added more special cases when building x64 hook trampoline.
• Fixed: Miscellaneous deadlock related issues.
• Feature: Added full support for hooking x32 processes using the x64 engine.

Changes on v2.0

Released in May 2012

• Feature: Complete new version of the Agent. It was re-coded to work on 64 bits environments.
• Feature: IPC changed to improve performance and to be able to intercept services, processes owned by other users and Internet Explorer running in Protected Mode.
• Feature: Complete x64 support.
• Feature: Use of Free COM to run without installation (and Administrative privileges).
• Feature: x32 interception from a x64 process.
• Feature: Interception of functions that are not in the database. You can intercept them but you cannot get / set parameter values.
• Feature: Return Value is in the database now.
• Feature: Deferred hook: If you want to intercept a module that is not loaded it will be hooked when it loads.

Changes on v1.1

Released in October 2011

• Fixed: Runs in W7 64 bits.
• Fixed: It doesn’t require administrative privileges.
• Fixed: Lots of performance improvements.
• Fixed: DeviareCSharpExample performance improvement.
• Fixed: Lots of functions and types added to the database.

Changes on v1.0.1

Released in August 24th 2010

• Feature: ReportProcessCreation has a new option _create_process_hook_calling_process that report processes created from the calling process. Useful to debug application where you can set up the hooks and then execute a process to apply them.
• Feature: New console written in CSharp similar to C++ Console.
• Fix: When a typelib wasn’t find in the registry, the DeviareDB was generating a exception.
• Fix: IStackTrace was dead-locking when a module from the attached modules was unloaded.
• Fix: When shutting down with lock attached, an assertion was triggered if the application didn’t wait until all the hooks were removed.
• Fix: more basic types added to the variant map, some types like short unsigned int were treated as SAFEARRAY.
• Fix: on shutdown a dead-lock could occur when an event was in process when calling Shutdown.
• Fix: Array types were not working at all.
• Fix: Enumeration types didn’t work, now they are treated as UINT.
• Fix: IMemory VirtualQueryEx size parameter was wrong and could generate a exception in the last VirtualProtectEx when restoring privileges.
• Feature: type’s cache to make important speed improvements.

Changes on v0.9.4b

Released in May 2009

• Fix: Database Editor: fix improper offset set in parameters
• Fix: error handling calling convention in API Hooks
• CreateSpyMgr API no longer calls CoCreateInstance. This allows use of Deviare.dll w/o registration

Changes on v0.9.3b

Released in February 2009

• Fix: duplicated IIDs
• Fix: deadlock on process creation
• Added Python example and wrappers

Changes on v0.9.2b

Released in December 2008

• Fix: error handling WORD parameters that caused crash in functions like InternetConect, HttpOpenRequest, and others form wininet.dll.

Changes on v0.9.1b

Released in December 2008

• Added the source code of the Deviare COM Console.
• Added a sample add-in (with code) for hooking Outlook objects.
• Added a property to try & install hooks immediately.
• Deviare COM Objects are now registered as Free Apartment

Changes on 0.9.0b

Released in November 2008

• Deviare is now a proper COM Library. It must be registered, and Classes can be created by traditional Component instantiation methods such as CreateObject & CocreateInstance.
• Removed TLBs and .NET bindings. Languages like C#, VB and Python can use automated wrappers for COM Objects.
• Hooks may now be installed immediately during the call of a function, allowing the use of contextual values.
• Added method to list attached processes from any hook.
• Fix: missing reports from process creations.
• Fix: .NET deadlock due to garbage collection.
• Minor fixes and performance improved in multithreaded environments.
• IStackTrace interface lets you inspect the stack trace in a call.
• New COM support:
  • Added experimental COM support. Intercept and monitor COM Components (see DeviareComConsole).
  • Added Interface and Events to monitor certain process activities (IMonitor).

Changes on 0.8.3b

Released in June 2008

• New IStackTrace interface lets you inspect the stack trace in a call.
• New function IParam.CastTo lets you modify the way a parameter is interpreted.
• Fix: leaks in the GetLogonSID and other functions.
• Corrected the C++ Deviare Console project which had wrong import paths.
• The C++ Deviare Console now shows the parameters’ names in the output.
• The C++ Deviare Console now identifies GUIDs from COM objects (IIDs, CLSIDs, etc.) on parameters and adds their name in the output.

Changes on 0.8.2b

Released in February 2008

• General fixes and overall performance improved.
• New IProcess->RawMemory function: Lets you read and write the memory of any process.
• New modules in database: inet functions and some ntdll functions.
• Editor included in the package: You can now add DLLs and functions to the type database, and hook any function.

Changes on 0.8.1b

Released in December 2007

• Many general and stability fixes.
• Performance greatly improved.
• Fixed: callInfo.ReturnValue function.

v0.7.0b

Released in July 2007

• Code Interception Library released.
• Deviare API allows to hook many processes from your application without having to use Inter-process communication (IPC) code.
• It can be used in COM, C++, VB and .NET.