Skip links

Deviare Api Hook Windows

Deviare is a powerful Code Interception Library, with a very simple interface that lets you hook many processes on your own application without any IPC coding. It can be used in any COM supporting languages as C++, VB and .NET.

Contact Us Github Download

Deviare Api Hook Overview

Deviare is a professional open source hooking engine for instrumenting arbitrary Win32 functions, COM objects, and functions which symbols are located in program databases (PDBs). It can intercept unmanaged code in 32-bit and 64-bit applications. It is implemented as a COM component, so it can be integrated with all the programming languages which support COM, such as C/C++, VB, C#, Delphi, and Python.

Several Fortune 500 companies are using Deviare technology for application virtualization, packaging, and troubleshooting, and for computer security. Computer science researchers are also using Deviare to conduct malware and reverse engineering studies. Our blog articles contain a vast quantity of code samples to get you started easily.

Deviare offers a unique “programmer friendly API” which resolves the complexities associated with binary instrumentation so that even software engineers without expertise in the field can use it. Deviare takes care of code injection, parameter marshalling, and inter-process communication. We created Deviare API in 2007 and continually improve it. Intercepting applications is a complex task. We test multiple application environments to ensure that the end user has a trouble-free experience. Deviare also has a focus on performance handling thousands of hooks with little footprint.

Code instrumentation is used in several other areas like: tracing and debugging, sandboxing and browser security, malware analysis, video conference recording, and gaming.

Download Deviare now!   Deviare Source Code Deviare Docs Deviare Blog Articles


Deviare is licensed under a commercial and open source license (GNU General Public License version 3). 

Commercial licensing

The commercial License is the correct license to use for the development of proprietary and/or commercial software with Deviare, where you do not want to release your product’s source code.

Featured Deviare Articles

  1. SQL Server Interception and SQL Injection Attack Prevention
  2. Instrumenting Direct3D Applications to Capture Video and Calculate FPS
  3. How to Identify Virtual Table Functions with the VTBL IDA Pro Plugin
  4. Benchmarking ThinApp Vs. SWV
  5. Benchmarking App-V Vs. SWV
  6. Application Virtualization Troubleshooting with SpyStudio and Deviare
  7. Improving Deviare Hooking Performance with Custom Hooks

Additional Resources

  1. Quick start guide
  2. Visit Nektra’s new Reddit
  3. Deviare Wiki
  4. Deviare design overview

If you are interested in Deviare, you might also be interested in:

  1. SpyStudio 2.0
  2. Interception and Filter Drivers services
  3. Audio Recorder API
  4. Deviare In-Process (ala Microsoft Detours but much cheaper)

Case Studies

  1. How Nektra Improved Desktop Virtualization for Symantec Corporation
  2. Nektra and VMware are Collaborating to Simplify Application Virtualization Packaging


    1. BlackHat 2013: HookME by Manuel Fernandez
    2. Academic Papers mentioning Deviare

Deviare’s Features

Currently supported operating systems are:

  • Microsoft Windows XP
  • Microsoft Windows Vista
  • Microsoft Windows 7
  • Microsoft Windows 8
  • Microsoft Windows 10
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 R2
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2016

Both 32-bit and 64-bit platforms are supported.

With Deviare you can:

  • List processes and modules.
  • List exported functions of modules.
  • Keep process and module lists updated.
  • Hook applications by just writing handlers in your own application space, using any programming language that supports COM (e.g.: C++, VB, VBA, VBScript, C#, VB.NET, Python, etc.).
  • Hook applications on startup.
  • Hook all user applications.
  • Hook any Win32 / Win64 documented and most of undocumented functions
  • Hook any arbitrary function exported by a dll or knowing the address. To get the parameters value you should add it to the function database.
  • Hook x64 and x32 applications.
  • Hook .NET functions.
  • Defer a hook: If you want to intercept a module that is not loaded it will be hooked when it loads.
  • Read and modify parameters both before and after the hooked function is called.
  • Expand structure and array types and navigate all their fields.
  • Skip the call of a previous function and set the return value.
  • Use C# Hook Console which covers most of the features.

Deviare Design

With Deviare you can program a hook handler in your own process to get called when any API function is called in the remote process in this way:

Deviare API Hook Design

Deviare supports COM technology to let you write hook handlers in any high-level language like VB, VB.NET, C#, Python, Delphi, etc.

If you need many hooks and you need extreme performance you can implement your hooks inside the remote process in this way:

Deviare API Hook with Custom Hooks Design

Deviare API Hook Design

Changes on v2.7.5

Released in August  21, 2015

  • Fixed compatibility issue with Windows 10
  • Removed call to SetThreadName because causing issues when Deviare is used while debugging a C#/Xaml application

Changes on v2.7.4

Released in April 7, 2015

Changes on v2.7.3

Released in October 16, 2014

  • More documentation added.
  • Fixed some api hook code generation.
  • Checked Deviare against Windows 10 preview with success.
  • Stack walk stops when the instruction pointer becomes invalid.
  • Removed SendCustomMessage from INktHookCallInfoPlugin. Plugins should use the one from INktHookInfo.
  • Removed CoInitialize(Ex) calls from all threads and switched to the implicit MTA apartment type.

Changes on v2.7.2

Released in early October 2014

  • More documentation added.
  • Now Deviare fully supports IE8 with or without custom plugins.

Changes on v2.7.1

Released in July 2014

  • Fixed hooked process unloading hang when using C# plugins.

Known Issues

  • C# plugins may not work if RegisterClass is hooked because CoInitialize(Ex) calls RegisterClass on STA and, at this
    point, COM initialization in not complete yet.
  • Plugins may not work in IE8 unless executed with elevated privileges because of COM security model used by the app.

Changes on v2.7

Released in June 2014

  • Added ApiMapSet v4 handling.
  • Changed api’s in hooking engine’s threads suspender with ntdll counterparts.
  • Fixed issue with x64 version of Microsoft Office products and installer.
  • Added ntdll stubs creation from original code in order to bypass some third party hooks.
  • Added ‘DisableStackWalk’ hook flag to disable stack info retrieval when a hooked function is called.
  • Changed some opcode generator in jmp/call code relocator.
  • Added CreateProcessWithToken.

Changes on v2.6.9

Released in February 2014

  • Fixed some x64 opcode generator in code relocator.
  • Fixed an infinite loop when agent is unloading.
  • Added more compatibility patches when hooking ThinApp’ed applications.
  • Added INktSpyMgr::UnloadAgent to force agent unloading in a hooked application.
  • Fixed plugin detaching when unhooking a hook being in use.
  • Added exception check to stack unwinding.

Changes on v2.6.7

Released in November 2013

  • BREAKING CHANGE: INktSpyMgr::CreateProcess(WithLogon) will set continueEvent to NULL instead of 0 if ‘suspended’ parameter is FALSE or an error occurs.
  • BREAKING CHANGE: OnLoadLibraryCall/OnFreeLibraryCall/OnCustomMessage events sends the direct VARIANT value instead of sending a ByRef/Variant that points to another variant. (Should not affect C# project because its ‘object’ handling).
  • Fixed memory & handle leaks in some functions using the internal process handles manager.
  • Fixed messages being sent between server/client before connection tasks were completed.
  • Updated to latest SQLite version.
  • Added configurable agent load timeout (default is 10 seconds).

Changes on v2.6.6

Released in September 2013

  • Fixed batch hooking being splitted if a dll was loaded in the middle of the hooking process.
  • Fixed loading of minimal databases with no modules associations included on them.
  • Added OnCustomMessage event for handling custom messages.
  • Fixed race hang when hooked process exits and a C# plugin was used.
  • Fixed PDB scanning memory leak due to a mistake in DIA SDK documentation.
  • Fixed custom handler loading in case function is not available in database.
  • Fixed COM interface method retrieval.
  • Fixed debug output reporting deadlock.
  • When hooked process calls ExitProcess, agent tries to shutdown gracefully.
  • Fixed module cache update when a library is loaded a datafile.
  • Added more opcodes to the code relocator.
  • Fixed handling when exception functions are hooked and some exception is raised inside another hooked function.
  • Fixed race condition bigpacket handling and dispatch based on source thread id.
  • Fixed LoadLibrary/FreeLibrary event raise that can cause deadlocks if loader lock was active.
  • Added manual module/exports cache invalidation.
  • Plugin threads can be ignored from global hooks.
  • Added methods to INktHookCallInfo and INktHookCallInfoPlugin to store/retrieve custom data between Pre & Post calls.
  • Fixed and updated trampoline’s opcodes generation.
  • Fixed sign-extension issue when passing pointers from 32-bit applications to 64-bit manager.

Changes on v2.6.5

Released in March 2013

  • Now hooks can target only 32 or 64-bit processes if the corresponding hook flags are specified.
  • Added a new interface INktPdbFunctionSymbol to retrieve function address from pdb’s symbols.
  • Changed INktSpyMgr::CreateHookForAddress method to mantain concistency with other hook creation methods.
  • Now plugins can send a custom message to the server when processing a function call.
  • Added optional GetFunctionCallbackName method to plugins in order to reroute OnFunctionCall callback to different methods.
  • Fixed big packet message handling that caused overflows on certain situations.
  • Fixed memory leak on COM objects not being fully released when internal counterpart object is released.
  • INktParamsEnum now returns dummy params on invalid index.
  • Fixed: INktParam returns TRUE in IsNullPointer if dummy param.
  • Agent loader code fixed when needed api’s cannot be found on target process.
  • Fixed race condition in modules and exported functions enumeration from multiple threads.
  • Fixed deadlock in INktSpyMgr final release while processing an event.
  • Fixed agent attach into ThinApp virtualized applications.
  • Fixed attached COM event handler retrieval after another handler is removed.

Changes on v2.6.4

Released in January 2013

  • Minor changes in internal data when child processes are created from a hooked one.
  • Added code to better handling of hooks of terminated processes.
  • Added free threading marshaller to all objects to minimize thread context switches and speedup calls.
  • Changed interface pointer marshalling system to avoid unusual deadlocks.
  • Fixed a deadlock while adding custom parameters inside a plugin.
  • Fixed a bug that causes the same C# plugin to be instatiated more than once in some situations.

Changes on v2.6.3

Released in December 2012

  • Changed COM event firing implementation replacing ATL::IConnectionPointImpl to avoid rare deadlocks from appearing in STA threads.
  • Fixed deadlock on connection being shutdown because of an error.
  • Major change: stErrorNotEnoughMemory and stErrorNotFound redefined.
  • DeviareCOM & DeviareCOM64 manifest files are now embedded into dlls.
  • If LoadLibrary/FreeLibrary ared called while hooking is in progress, notifications will be sent asynchronously to avoid deadlocks.
  • Fixed an issue when a library is loaded/unloaded into the hooked process while a connection is being established.
  • Fixed CreateProcess injection code to allow .NET processes to be hooked upon startup.

Changes on v2.6.2

Released in November 2012

  • Fixed issue while unhooking when the hooked function is being called from another thread.
  • Fixed parameter value read/write in agent side.
  • Added module enumerator cache to improve performance.
  • Fixed hook removal state change being informed more than once in some situation.
  • Improved module export cache handling and memory consumption.
  • Fixed activation context not being activated in OnLoad custom plugin event.
  • COM interface code redesigned to avoid circular references in internal objects.
  • Fixed issue in which event callbacks attached to INktHook and INktProcess were not being fired.
  • Added more functionallity INktHookCallInfoPlugin events.
  • Fixed issues with INktParam’s inside plugin execution.
  • Plugin system redesigned to provide more information to the user.
  • Added activation context management to agent module to enable RegFree COM usage in plugins.
  • Fixed 32-bit -> 64-bit createprocess autohook bugs.
  • Fixed other autohook bugs.
  • Fixed INktHookEnum not adding/removing the AutoHook flag to each hook.
  • Fixed minor issue in native custom plugins.
  • Applied free thread marshalling to custom plugins to avoid invocations problems while inside
  • Fixed integer parsing in C sample.
  • Added GetFileNameFromHandle to the INktTools interface. Remember INktTools may throw exceptions.
  • Now, in custom handlers, the “64” suffix is added/removed from the dll filename if hooks are
    propagated from x64 processes to x86 and viceversa.
  • Also, if a relative path is specified in custom handler dll, it will use agent dll path as the base.

Changes on v2.5.0

Released in October 2012

  • Improved message dispatcher (beta). Event delivery should be faster mainly in async ones.
  • New hook flags. Now you can specify if a hook/custom handler is called when the loader lock is active.
  • Fixed a race condition caused by GetModuleFileName returning ERROR_INVALID_HANDLE if the module is being unloaded.
  • Fixed a bug on exported function enumerator causing a later access fault.
  • IEnumVARIANT code rewritten.
  • Code that links com objects and internal ones was rewritten to avoid some race conditions and circular references.
  • INktSpy.ProcessHandle and INktProcess.Handle both returns duplicated handles that must be closed in order to mantain consistency between the two functions.
  • Fixed an issue with target process’ modules enumeration while the process is still initializing.
  • Fixed an issue when agent is loaded while target process is initializing.
  • Fixed a deadlock when SpyMgr process is shutting down.
  • Added more checks in api unhooking to prevent crashes when agent is about to be unloaded.
  • Added support for Windows 2000.
  • Fixed other minor bugs.

Changes on v2.1.0

Released in August 2012

  • Fixed process handle manager auto-referencing.
  • Module enumerator now lists dll’s loaded as datafile too.
  • Changed product license manager.
  • Fixed some param-checking bugs in Read/Write methods of ProcessMemory interface.
  • Added interfaces that gives more process information.
  • Added full api namespace support (BETA).
  • Added multi-database merger application.
  • Batch hooking and unhooking can be done with INktHooksEnumerator. This should be faster than individual hook/unhook.
  • Dynamic link libraries loaded as datafile now are listed in the modules enumerator.
  • Minor fixes applied.

Changes on v2.0.7

Released in August 2012

  • Fixed issue when process handle is requested with a desired access of zero.
  • Fixed fpu crash when a hooked function is called and fpu stack is not empty.
  • Added initial namespace support to database.
  • Changed internal “insertion point” algorithm.
  • Added initial multi-hook-at-once support.
  • Added registry key entry to optionally display debug output [HKLM\\Software\\Nektra\\Deviare2 => DebugLevelMask (REG_DWORD)].

Changes on v2.0.6

Released in June 2012

  • VB demo which demonstrates Deviare events handling.
  • VB and Python demo which demonstrates how to deny a process access to files through Deviare.
  • Fixed COM event firing when the current thread is inside a STA apartment model.
  • Fixed an issue when a function call is skipped by calling SkipCall method.
  • Added “For Each” enumeration for languages like C#, VB and VBScript.

Changes on v2.0.5

Released in June 2012

  • Feature: C# Console: Improved modules display method. Now UI keeps responsive while loading process modules.
  • Fixed: C# Console: Selected process no longer changes when moved from one category to another after applying a hook.
  • Fixed: C# Console: unhandled exception would occur when selecting a process after applying a hook.
  • Fixed: C# Console: Other small fixes.

Changes on v2.0.4

Released in June 2012

  • Feature: VBA and VBScript support.
  • Feature: HookByAddress can now be associate to a function.
  • Feature: Documentation added to the project (still beta).
  • Feature: Database management code completely rewritten. Now it will load faster and consumes less memory.
  • Feature: Database contains almost all functions of the Platform SDK.
  • Fixed: Issues related to COM STA apartments used in vbscript.
  • Fixed: an issue in routine that checks that no code is running inside agent while agent is being unloaded.
  • Feature: Process’ modules and threads scanning completely rewritten to avoid using the unstable toolhelp library.
  • Fixed: Issue when a function is hooked more than once.
  • Fixed: Message ordering transmitted between the engine and the agent.
  • Feature: Added more special cases when building x64 hook trampoline.
  • Fixed: Miscellaneous deadlock related issues.
  • Feature: Added full support for hooking x32 processes using the x64 engine.

Changes on v2.0

Released in May 2012

  • Feature: Complete new version of the Agent. It was re-coded to work on 64 bits environments.
  • Feature: IPC changed to improve performance and to be able to intercept services, processes owned by other users and Internet Explorer running in Protected Mode.
  • Feature: Complete x64 support.
  • Feature: Use of Free COM to run without installation (and Administrative privileges).
  • Feature: x32 interception from a x64 process.
  • Feature: Interception of functions that are not in the database. You can intercept them but you cannot get / set parameter values.
  • Feature: Return Value is in the database now.
  • Feature: Deferred hook: If you want to intercept a module that is not loaded it will be hooked when it loads.

Changes on v1.1

Released in October 2011

  • Fixed: Runs in W7 64 bits.
  • Fixed: It doesn’t require administrative privileges.
  • Fixed: Lots of performance improvements.
  • Fixed: DeviareCSharpExample performance improvement.
  • Fixed: Lots of functions and types added to the database.

Changes on v1.0.1

Released in August 24th 2010

  • Feature: ReportProcessCreation has a new option _create_process_hook_calling_process that report processes created from the calling process. Useful to debug application where you can set up the hooks and then execute a process to apply them.
  • Feature: New console written in CSharp similar to C++ Console.
  • Fix: When a typelib wasn’t find in the registry, the DeviareDB was generating a exception.
  • Fix: IStackTrace was dead-locking when a module from the attached modules was unloaded.
  • Fix: When shutting down with lock attached, an assertion was triggered if the application didn’t wait until all the hooks were removed.
  • Fix: more basic types added to the variant map, some types like short unsigned int were treated as SAFEARRAY.
  • Fix: on shutdown a dead-lock could occur when an event was in process when calling Shutdown.
  • Fix: Array types were not working at all.
  • Fix: Enumeration types didn’t work, now they are treated as UINT.
  • Fix: IMemory VirtualQueryEx size parameter was wrong and could generate a exception in the last VirtualProtectEx when restoring privileges.
  • Feature: type’s cache to make important speed improvements.

Changes on v0.9.4b

Released in May 2009

  • Fix: Database Editor: fix improper offset set in parameters
  • Fix: error handling calling convention in API Hooks
  • CreateSpyMgr API no longer calls CoCreateInstance. This allows use of Deviare.dll w/o registration

Changes on v0.9.3b

Released in February 2009

  • Fix: duplicated IIDs
  • Fix: deadlock on process creation
  • Added Python example and wrappers

Changes on v0.9.2b

Released in December 2008

  • Fix: error handling WORD parameters that caused crash in functions like InternetConect, HttpOpenRequest, and others form wininet.dll.

Changes on v0.9.1b

Released in December 2008

  • Added the source code of the Deviare COM Console.
  • Added a sample add-in (with code) for hooking Outlook objects.
  • Added a property to try & install hooks immediately.
  • Deviare COM Objects are now registered as Free Apartment

Changes on 0.9.0b

Released in November 2008

  • Deviare is now a proper COM Library. It must be registered, and Classes can be created by traditional Component instantiation methods such as CreateObject & CocreateInstance.
  • Removed TLBs and .NET bindings. Languages like C#, VB and Python can use automated wrappers for COM Objects.
  • Hooks may now be installed immediately during the call of a function, allowing the use of contextual values.
  • Added method to list attached processes from any hook.
  • Fix: missing reports from process creations.
  • Fix: .NET deadlock due to garbage collection.
  • Minor fixes and performance improved in multithreaded environments.
  • IStackTrace interface lets you inspect the stack trace in a call.
  • New COM support:
    • Added experimental COM support. Intercept and monitor COM Components (see DeviareComConsole).
    • Added Interface and Events to monitor certain process activities (IMonitor).

Changes on 0.8.3b

Released in June 2008

  • New IStackTrace interface lets you inspect the stack trace in a call.
  • New function IParam.CastTo lets you modify the way a parameter is interpreted.
  • Fix: leaks in the GetLogonSID and other functions.
  • Corrected the C++ Deviare Console project which had wrong import paths.
  • The C++ Deviare Console now shows the parameters’ names in the output.
  • The C++ Deviare Console now identifies GUIDs from COM objects (IIDs, CLSIDs, etc.) on parameters and adds their name in the output.

Changes on 0.8.2b

Released in February 2008

  • General fixes and overall performance improved.
  • New IProcess->RawMemory function: Lets you read and write the memory of any process.
  • New modules in database: inet functions and some ntdll functions.
  • Editor included in the package: You can now add DLLs and functions to the type database, and hook any function.

Changes on 0.8.1b

Released in December 2007

  • Many general and stability fixes.
  • Performance greatly improved.
  • Fixed: callInfo.ReturnValue function.


Released in July 2007

  • Code Interception Library released.
  • Deviare API allows to hook many processes from your application without having to use Inter-process communication (IPC) code.
  • It can be used in COM, C++, VB and .NET.

Download Deviare API Hook

Deviare API Hook Support

Basic support is given through Nektra’s Support forum, where you can:

You can get Premium Support to if you need a more dedicated support. Read this table for more details.


Deviare Hooking Engine Pricing and Deviare In-Process (Microsoft Detours Replacement) *

  Free Commercial Commercial with Premium Support
Forum Support      
License GPL v3 You can use Deviare and Deviare In-Process, and modify its source code and keep your product code closed
Updates   1 Year
Response Time Depends on the demand 48 hours less than 24 hours (workdays)
Preventing anti-virus false positives      
Help your team with email support and limited chat      
Help your team with requests that aren’t related strictly to the API      
Registry and File System Async Handlers Example      
Professional Services
Price (per developer per product) Free Ask Ask

* Buying a Deviare Commercial license let you use Deviare and Deviare In-Process in one product and keep your code closed.

Deviare Applications

Deviare is useful for:

  • Application virtualization
  • Legacy integration
  • Antivirus systems
  • Antiphishing systems
  • Administrative tools
  • Reverse engineering
  • Auditing software
  • Real time monitoring
  • Security software
  • Parental Control software
  • Employee monitoring
  • Data Loss Prevention Solutions
  • Sandbox software
  • Audio Recording for VoIP (e.g: Skype) and Podcasts

Business Critical Support

Senior-Level Engineers working with your team

  • Extend your Engineer team with Nektra support experts who know the best solution for each API interception task
  • Analize the impact of your hook handlers or filter driver in the performance of your customer’s system.
  • Let us test your software for you. We can also help you to write test cases and identify common conflicts with you software.
  • Reach our Dev Team faster – your support requests bypass Level One Support and are assigned directly to a senior level engineer.
  • Incorporate our Dev team in your release cycle – our engineers can be inserted in your release workflow.
  • Influence our product plans – you can work with us to decide next features of our product.


The Deviare Business Critical Support Option is offered as a supplement to forum basic support. For each supported customer, this service provides personalized reactive and proactive support services with software development teams.

The Business Critical Support Option provides you with the personalized, proactive customer support you require to improve your software quality and reduce development time.

We can write the whole software or the complex parts for you. Please, read our Interception and Filter Drivers services for more information

Join the 300+ companies trusting Nektra

us air force
cornell university
apache milagro
trend micro

Latest Articles

This website uses cookies to improve your web experience.