Deviare's Changelog

Changes on v2.7.5

Released in August  21, 2015

  • Fixed compatibility issue with Windows 10
  • Removed call to SetThreadName because causing issues when Deviare is used while debugging a C#/Xaml application

Changes on v2.7.4

Released in April 7, 2015

Changes on v2.7.3

Released in October 16, 2014

  • More documentation added.
  • Fixed some api hook code generation.
  • Checked Deviare against Windows 10 preview with success.
  • Stack walk stops when the instruction pointer becomes invalid.
  • Removed SendCustomMessage from INktHookCallInfoPlugin. Plugins should use the one from INktHookInfo.
  • Removed CoInitialize(Ex) calls from all threads and switched to the implicit MTA apartment type.

Changes on v2.7.2

Released in early October 2014

  • More documentation added.
  • Now Deviare fully supports IE8 with or without custom plugins.

Changes on v2.7.1

Released in July 2014

  • Fixed hooked process unloading hang when using C# plugins.

Known Issues

  • C# plugins may not work if RegisterClass is hooked because CoInitialize(Ex) calls RegisterClass on STA and, at this
    point, COM initialization in not complete yet.
  • Plugins may not work in IE8 unless executed with elevated privileges because of COM security model used by the app.

Changes on v2.7

Released in June 2014

  • Added ApiMapSet v4 handling.
  • Changed api's in hooking engine's threads suspender with ntdll counterparts.
  • Fixed issue with x64 version of Microsoft Office products and installer.
  • Added ntdll stubs creation from original code in order to bypass some third party hooks.
  • Added 'DisableStackWalk' hook flag to disable stack info retrieval when a hooked function is called.
  • Changed some opcode generator in jmp/call code relocator.
  • Added CreateProcessWithToken.

Changes on v2.6.9

Released in February 2014

  • Fixed some x64 opcode generator in code relocator.
  • Fixed an infinite loop when agent is unloading.
  • Added more compatibility patches when hooking ThinApp'ed applications.
  • Added INktSpyMgr::UnloadAgent to force agent unloading in a hooked application.
  • Fixed plugin detaching when unhooking a hook being in use.
  • Added exception check to stack unwinding.

Changes on v2.6.7

Released in November 2013

  • BREAKING CHANGE: INktSpyMgr::CreateProcess(WithLogon) will set continueEvent to NULL instead of 0 if 'suspended' parameter is FALSE or an error occurs.
  • BREAKING CHANGE: OnLoadLibraryCall/OnFreeLibraryCall/OnCustomMessage events sends the direct VARIANT value instead of sending a ByRef/Variant that points to another variant. (Should not affect C# project because its 'object' handling).
  • Fixed memory & handle leaks in some functions using the internal process handles manager.
  • Fixed messages being sent between server/client before connection tasks were completed.
  • Updated to latest SQLite version.
  • Added configurable agent load timeout (default is 10 seconds).

Changes on v2.6.6

Released in September 2013

  • Fixed batch hooking being splitted if a dll was loaded in the middle of the hooking process.
  • Fixed loading of minimal databases with no modules associations included on them.
  • Added OnCustomMessage event for handling custom messages.
  • Fixed race hang when hooked process exits and a C# plugin was used.
  • Fixed PDB scanning memory leak due to a mistake in DIA SDK documentation.
  • Fixed custom handler loading in case function is not available in database.
  • Fixed COM interface method retrieval.
  • Fixed debug output reporting deadlock.
  • When hooked process calls ExitProcess, agent tries to shutdown gracefully.
  • Fixed module cache update when a library is loaded a datafile.
  • Added more opcodes to the code relocator.
  • Fixed handling when exception functions are hooked and some exception is raised inside another hooked function.
  • Fixed race condition bigpacket handling and dispatch based on source thread id.
  • Fixed LoadLibrary/FreeLibrary event raise that can cause deadlocks if loader lock was active.
  • Added manual module/exports cache invalidation.
  • Plugin threads can be ignored from global hooks.
  • Added methods to INktHookCallInfo and INktHookCallInfoPlugin to store/retrieve custom data between Pre & Post calls.
  • Fixed and updated trampoline's opcodes generation.
  • Fixed sign-extension issue when passing pointers from 32-bit applications to 64-bit manager.

Changes on v2.6.5

Released in March 2013

  • Now hooks can target only 32 or 64-bit processes if the corresponding hook flags are specified.
  • Added a new interface INktPdbFunctionSymbol to retrieve function address from pdb's symbols.
  • Changed INktSpyMgr::CreateHookForAddress method to mantain concistency with other hook creation methods.
  • Now plugins can send a custom message to the server when processing a function call.
  • Added optional GetFunctionCallbackName method to plugins in order to reroute OnFunctionCall callback to different methods.
  • Fixed big packet message handling that caused overflows on certain situations.
  • Fixed memory leak on COM objects not being fully released when internal counterpart object is released.
  • INktParamsEnum now returns dummy params on invalid index.
  • Fixed: INktParam returns TRUE in IsNullPointer if dummy param.
  • Agent loader code fixed when needed api's cannot be found on target process.
  • Fixed race condition in modules and exported functions enumeration from multiple threads.
  • Fixed deadlock in INktSpyMgr final release while processing an event.
  • Fixed agent attach into ThinApp virtualized applications.
  • Fixed attached COM event handler retrieval after another handler is removed.


Changes on v2.6.4

Released in January 2013

  • Minor changes in internal data when child processes are created from a hooked one.
  • Added code to better handling of hooks of terminated processes.
  • Added free threading marshaller to all objects to minimize thread context switches and speedup calls.
  • Changed interface pointer marshalling system to avoid unusual deadlocks.
  • Fixed a deadlock while adding custom parameters inside a plugin.
  • Fixed a bug that causes the same C# plugin to be instatiated more than once in some situations.

Changes on v2.6.3

Released in December 2012

  • Changed COM event firing implementation replacing ATL::IConnectionPointImpl to avoid rare deadlocks from appearing in STA threads.
  • Fixed deadlock on connection being shutdown because of an error.
  • Major change: stErrorNotEnoughMemory and stErrorNotFound redefined.
  • DeviareCOM & DeviareCOM64 manifest files are now embedded into dlls.
  • If LoadLibrary/FreeLibrary ared called while hooking is in progress, notifications will be sent asynchronously to avoid deadlocks.
  • Fixed an issue when a library is loaded/unloaded into the hooked process while a connection is being established.
  • Fixed CreateProcess injection code to allow .NET processes to be hooked upon startup.


Changes on v2.6.2

Released in November 2012

  • Fixed issue while unhooking when the hooked function is being called from another thread.
  • Fixed parameter value read/write in agent side.
  • Added module enumerator cache to improve performance.
  • Fixed hook removal state change being informed more than once in some situation.
  • Improved module export cache handling and memory consumption.
  • Fixed activation context not being activated in OnLoad custom plugin event.
  • COM interface code redesigned to avoid circular references in internal objects.
  • Fixed issue in which event callbacks attached to INktHook and INktProcess were not being fired.
  • Added more functionallity INktHookCallInfoPlugin events.
  • Fixed issues with INktParam's inside plugin execution.
  • Plugin system redesigned to provide more information to the user.
  • Added activation context management to agent module to enable RegFree COM usage in plugins.
  • Fixed 32-bit -> 64-bit createprocess autohook bugs.
  • Fixed other autohook bugs.
  • Fixed INktHookEnum not adding/removing the AutoHook flag to each hook.
  • Fixed minor issue in native custom plugins.
  • Applied free thread marshalling to custom plugins to avoid invocations problems while inside
  • Fixed integer parsing in C sample.
  • Added GetFileNameFromHandle to the INktTools interface. Remember INktTools may throw exceptions.
  • Now, in custom handlers, the "64" suffix is added/removed from the dll filename if hooks are
    propagated from x64 processes to x86 and viceversa.
  • Also, if a relative path is specified in custom handler dll, it will use agent dll path as the base.


Changes on v2.5.0

Released in October 2012

  • Improved message dispatcher (beta). Event delivery should be faster mainly in async ones.
  • New hook flags. Now you can specify if a hook/custom handler is called when the loader lock is active.
  • Fixed a race condition caused by GetModuleFileName returning ERROR_INVALID_HANDLE if the module is being unloaded.
  • Fixed a bug on exported function enumerator causing a later access fault.
  • IEnumVARIANT code rewritten.
  • Code that links com objects and internal ones was rewritten to avoid some race conditions and circular references.
  • INktSpy.ProcessHandle and INktProcess.Handle both returns duplicated handles that must be closed in order to mantain consistency between the two functions.
  • Fixed an issue with target process' modules enumeration while the process is still initializing.
  • Fixed an issue when agent is loaded while target process is initializing.
  • Fixed a deadlock when SpyMgr process is shutting down.
  • Added more checks in api unhooking to prevent crashes when agent is about to be unloaded.
  • Added support for Windows 2000.
  • Fixed other minor bugs.

Changes on v2.1.0

Released in August 2012

  • Fixed process handle manager auto-referencing.
  • Module enumerator now lists dll's loaded as datafile too.
  • Changed product license manager.
  • Fixed some param-checking bugs in Read/Write methods of ProcessMemory interface.
  • Added interfaces that gives more process information.
  • Added full api namespace support (BETA).
  • Added multi-database merger application.
  • Batch hooking and unhooking can be done with INktHooksEnumerator. This should be faster than individual hook/unhook.
  • Dynamic link libraries loaded as datafile now are listed in the modules enumerator.
  • Minor fixes applied.

Changes on v2.0.7

Released in August 2012

  • Fixed issue when process handle is requested with a desired access of zero.
  • Fixed fpu crash when a hooked function is called and fpu stack is not empty.
  • Added initial namespace support to database.
  • Changed internal "insertion point" algorithm.
  • Added initial multi-hook-at-once support.
  • Added registry key entry to optionally display debug output [HKLM\\Software\\Nektra\\Deviare2 => DebugLevelMask (REG_DWORD)].

Changes on v2.0.6

Released in June 2012

  • VB demo which demonstrates Deviare events handling.
  • VB and Python demo which demonstrates how to deny a process access to files through Deviare.
  • Fixed COM event firing when the current thread is inside a STA apartment model.
  • Fixed an issue when a function call is skipped by calling SkipCall method.
  • Added "For Each" enumeration for languages like C#, VB and VBScript.

Changes on v2.0.5

Released in June 2012

  • Feature: C# Console: Improved modules display method. Now UI keeps responsive while loading process modules.
  • Fixed: C# Console: Selected process no longer changes when moved from one category to another after applying a hook.
  • Fixed: C# Console: unhandled exception would occur when selecting a process after applying a hook.
  • Fixed: C# Console: Other small fixes.

Changes on v2.0.4

Released in June 2012

  • Feature: VBA and VBScript support.
  • Feature: HookByAddress can now be associate to a function.
  • Feature: Documentation added to the project (still beta).
  • Feature: Database management code completely rewritten. Now it will load faster and consumes less memory.
  • Feature: Database contains almost all functions of the Platform SDK.
  • Fixed: Issues related to COM STA apartments used in vbscript.
  • Fixed: an issue in routine that checks that no code is running inside agent while agent is being unloaded.
  • Feature: Process' modules and threads scanning completely rewritten to avoid using the unstable toolhelp library.
  • Fixed: Issue when a function is hooked more than once.
  • Fixed: Message ordering transmitted between the engine and the agent.
  • Feature: Added more special cases when building x64 hook trampoline.
  • Fixed: Miscellaneous deadlock related issues.
  • Feature: Added full support for hooking x32 processes using the x64 engine.

Changes on v2.0

Released in May 2012

  • Feature: Complete new version of the Agent. It was re-coded to work on 64 bits environments.
  • Feature: IPC changed to improve performance and to be able to intercept services, processes owned by other users and Internet Explorer running in Protected Mode.
  • Feature: Complete x64 support.
  • Feature: Use of Free COM to run without installation (and Administrative privileges).
  • Feature: x32 interception from a x64 process.
  • Feature: Interception of functions that are not in the database. You can intercept them but you cannot get / set parameter values.
  • Feature: Return Value is in the database now.
  • Feature: Deferred hook: If you want to intercept a module that is not loaded it will be hooked when it loads.

Changes on v1.1

Released in October 2011

  • Fixed: Runs in W7 64 bits.
  • Fixed: It doesn't require administrative privileges.
  • Fixed: Lots of performance improvements.
  • Fixed: DeviareCSharpExample performance improvement.
  • Fixed: Lots of functions and types added to the database.

Changes on v1.0.1

Released in August 24th 2010

  • Feature: ReportProcessCreation has a new option _create_process_hook_calling_process that report processes created from the calling process. Useful to debug application where you can set up the hooks and then execute a process to apply them.
  • Feature: New console written in CSharp similar to C++ Console.
  • Fix: When a typelib wasn't find in the registry, the DeviareDB was generating a exception.
  • Fix: IStackTrace was dead-locking when a module from the attached modules was unloaded.
  • Fix: When shutting down with lock attached, an assertion was triggered if the application didn't wait until all the hooks were removed.
  • Fix: more basic types added to the variant map, some types like short unsigned int were treated as SAFEARRAY.
  • Fix: on shutdown a dead-lock could occur when an event was in process when calling Shutdown.
  • Fix: Array types were not working at all.
  • Fix: Enumeration types didn't work, now they are treated as UINT.
  • Fix: IMemory VirtualQueryEx size parameter was wrong and could generate a exception in the last VirtualProtectEx when restoring privileges.
  • Feature: type's cache to make important speed improvements.

Changes on v0.9.4b

Released in May 2009

  • Fix: Database Editor: fix improper offset set in parameters
  • Fix: error handling calling convention in API Hooks
  • CreateSpyMgr API no longer calls CoCreateInstance. This allows use of Deviare.dll w/o registration

Changes on v0.9.3b

Released in February 2009

  • Fix: duplicated IIDs
  • Fix: deadlock on process creation
  • Added Python example and wrappers

Changes on v0.9.2b

Released in December 2008

  • Fix: error handling WORD parameters that caused crash in functions like InternetConect, HttpOpenRequest, and others form wininet.dll.

Changes on v0.9.1b

Released in December 2008

  • Added the source code of the Deviare COM Console.
  • Added a sample add-in (with code) for hooking Outlook objects.
  • Added a property to try & install hooks immediately.
  • Deviare COM Objects are now registered as Free Apartment

Changes on 0.9.0b

Released in November 2008

  • Deviare is now a proper COM Library. It must be registered, and Classes can be created by traditional Component instantiation methods such as CreateObject & CocreateInstance.
  • Removed TLBs and .NET bindings. Languages like C#, VB and Python can use automated wrappers for COM Objects.
  • Hooks may now be installed immediately during the call of a function, allowing the use of contextual values.
  • Added method to list attached processes from any hook.
  • Fix: missing reports from process creations.
  • Fix: .NET deadlock due to garbage collection.
  • Minor fixes and performance improved in multithreaded environments.
  • IStackTrace interface lets you inspect the stack trace in a call.
  • New COM support:
    • Added experimental COM support. Intercept and monitor COM Components (see DeviareComConsole).
    • Added Interface and Events to monitor certain process activities (IMonitor).

Changes on 0.8.3b

Released in June 2008

  • New IStackTrace interface lets you inspect the stack trace in a call.
  • New function IParam.CastTo lets you modify the way a parameter is interpreted.
  • Fix: leaks in the GetLogonSID and other functions.
  • Corrected the C++ Deviare Console project which had wrong import paths.
  • The C++ Deviare Console now shows the parameters' names in the output.
  • The C++ Deviare Console now identifies GUIDs from COM objects (IIDs, CLSIDs, etc.) on parameters and adds their name in the output.

Changes on 0.8.2b

Released in February 2008

  • General fixes and overall performance improved.
  • New IProcess->RawMemory function: Lets you read and write the memory of any process.
  • New modules in database: inet functions and some ntdll functions.
  • Editor included in the package: You can now add DLLs and functions to the type database, and hook any function.

Changes on 0.8.1b

Released in December 2007

  • Many general and stability fixes.
  • Performance greatly improved.
  • Fixed: callInfo.ReturnValue function.


Released in July 2007

  • Code Interception Library released.
  • Deviare API allows to hook many processes from your application without having to use Inter-process communication (IPC) code.
  • It can be used in COM, C++, VB and .NET.