
deviare2's Introduction

Deviare is a professional hooking engine for instrumenting arbitrary Win32 functions, COM objects, and functions whose symbols are located in program databases (PDBs). It can intercept unmanaged code in 32-bit and 64-bit applications. It is implemented as a COM component, so it can be integrated with all the programming languages which support COM, such as C/C++, VB, C#, Delphi, and Python.

Several Fortune 500 companies are using Deviare technology for application virtualization, packaging, and troubleshooting, and for computer security. Computer science researchers are also using Deviare to conduct malware and reverse engineering studies. Our blog articles contain a vast quantity of code samples to get you started easily.

Deviare offers a unique, programmer-friendly API that hides the complexities of binary instrumentation, so that even software engineers without expertise in the field can use it. Deviare takes care of code injection, parameter marshalling, and inter-process communication. We created the Deviare API in 2007 and continually improve it. Intercepting applications is a complex task, so we test multiple application environments to ensure that the end user has a trouble-free experience. Deviare also focuses on performance, handling thousands of hooks with a small footprint.

Code instrumentation is also used in several other areas, such as tracing and debugging, sandboxing and browser security, malware analysis, video conference recording, and gaming.
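A minimal end-to-end use of the COM API from C#, added here as an illustration; it is not one of the repository's samples. It launches a target suspended, hooks kernel32.dll!CreateFileW with a pre-call-only hook, logs the file name and access mask of every call, and then resumes the target. It assumes DeviareCOM.dll (or DeviareCOM64.dll) is registered and the Nektra.Deviare2 interop assembly is referenced; the notepad.exe path is a placeholder. The member names that do not appear on this page (INktParam.ReadString, INktParam.LongVal, NktHook.Unhook) are taken from the DeviareCOM type library as I recall it and should be checked against your interop version.

```csharp
using System;
using Nektra.Deviare2;

// Added example, not a Deviare sample. Assumptions are listed in the lead-in.
class CreateFileHookQuickstart
{
    const int GenericWrite = 0x40000000;   // GENERIC_WRITE bit of dwDesiredAccess

    static void Main()
    {
        var spyMgr = new NktSpyMgr();
        int hr = spyMgr.Initialize();
        if (hr != 0)
            throw new Exception("Deviare initialization error: 0x" + hr.ToString("X8"));

        // Launch suspended so the hook is installed before the target's first CreateFileW.
        object continueEvent;
        NktProcess target = spyMgr.CreateProcess(@"C:\Windows\System32\notepad.exe", true, out continueEvent);
        if (target == null)
            throw new Exception("Target launch failed.");

        // Pre-call only: we want the arguments, not the returned handle.
        NktHook hook = spyMgr.CreateHook("kernel32.dll!CreateFileW", (int)eNktHookFlags.flgOnlyPreCall);
        if (hook == null)
            throw new Exception("CreateHook failed (is kernel32.dll in the Deviare database?)");
        hook.OnFunctionCalled += OnCreateFileW;
        hook.Attach(target, true);
        hook.Hook(true);

        spyMgr.ResumeProcess(target, continueEvent);
        Console.WriteLine("Hooked PID " + target.Id + ". Press ESCAPE to quit...");
        while (Console.ReadKey(true).Key != ConsoleKey.Escape) { }

        hook.Unhook(true);   // assumed name, see lead-in; CSharpConsole exposes this as "Remove All Hooks"
    }

    // Same delegate shape as the COMHookingBasis sample's OnDllGetClassObjectCalled handler.
    static void OnCreateFileW(NktHook hook, NktProcess proc, NktHookCallInfo callInfo)
    {
        INktParamsEnum pars = callInfo.Params();
        // CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, ...)
        INktParam fileName = pars.GetAt(0);
        INktParam access = pars.GetAt(1);

        // The string is copied out of the hooked process's memory: treat it as untrusted
        // input and never pass it unescaped to a shell, a log format string or a query.
        string path = fileName.ReadString();
        int desiredAccess = access.LongVal;
        string mode = (desiredAccess & GenericWrite) != 0 ? "WRITE" : "read";

        // This runs on a Deviare callback thread while the target's call is paused; keep it short.
        Console.WriteLine("[" + proc.Id + "] CreateFileW " + mode + " " + path);
    }
}
```

Build it as an x86 executable to hook 32-bit targets and as x64 for 64-bit ones, matching the CSharpConsole/CSharpConsole64 split in the samples.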

Download the latest binaries and source code from here.


MINIMUM REQUIREMENTS

The Deviare runtime runs on any computer with Microsoft Windows XP or a later OS installed.

To compile Deviare and/or build samples you need:

  • Visual Studio 2017.
  • .NET Framework 4.
  • Windows SDK 8 with all .NET Framework components installed.

NOTE: The database (.db) files you'll find in the BIN folder are NOT generated when building Deviare, but Deviare needs them to work. If you create new databases, don't forget to move them to the BIN folder. To create them you must first build the corresponding tools included in the solution. Refer to these instructions for further details.


BEFORE BUILDING

Since Deviare depends directly on Deviare-InProc, it is included as a submodule in this repository. To clone this repository, run git clone --recursive. If you already cloned without the --recursive option, you can complete the repository initialization with git submodule update --init --recursive.

We recommend always executing git submodule update --init --recursive after pulling from this repository. This ensures the Deviare-InProc submodule is up to date with the HEAD of the Deviare2 branch.

If you downloaded the zipped source package from Github instead, you need to satisfy this dependency manually. To do so, place the contents of Deviare-InProc inside Externals/DeviareInProc.


BUILDING DEVIARE

To build Deviare you can either execute the build script (build.bat) in a VS2017 command prompt or open the solution and build it from within Visual Studio. When doing the latter, make sure to build for both the x86 and x64 target platforms.


BUG REPORTS

If you experience something you think might be a bug in Deviare, please report it in the GitHub repository or write to us through our contact page.

Describe what you did, what happened, what kind of computer you have, which operating system you're using and anything else you think might be relevant.


LICENSING INFORMATION

This library is dual-licensed: a commercial license suitable for closed-source projects, and a GPL license that can be used in open-source software.

Depending on your needs, you must choose one of them and follow its policies. Details of the policies and agreements for each license type are available in the LICENSE.COMMERCIAL and LICENSE.GPL files.

For further information please refer to our licensing options or contact Nektra here.

This library uses a portion of the UDis86 project, authored, copyrighted and maintained by Vivek Thampi. UDis86 is licensed under the terms of the BSD License. For any questions regarding UDis86, contact the author at vivek[at]sig9[dot]com.

deviare2's People

Contributors

bzzzil, mxmauro, nelsonjchen, scnale


deviare2's Issues

C Sample

Hello all,

Is there a C sample?

Regards,

Injector_x86.asm does not assemble

Downloaded Deviare2-master, updated C++ tools, tried to compile DvEngine.sln.

Error: .text section not found File:CUSTOMBUILD Project:SpyMgrLib

A quick check of the file reveals no obvious deficiencies.

Any ideas?

appcrash on "Remove All Hooks" with CSharpConsole

The app crashes after a hook is placed and then removed again.

  1. Select any process and select kernel32.dll!CreateFile (maybe any function).
  2. Click "Remove All Hooks".
  3. Let the program call it.

The program has crashed.

After I tried to track it, I found that
HookEngine.cpp#L806
CNktAutoFastMutex cLock(this) // crash point

Missing namespace in sample named "COMHookingBasis" under CSharp environment.

Currently I am trying to run the code sample named "COMHookingBasis" under the C# environment, but I got the error mentioned below:

Error CS0246: The type or namespace name 'Nektra' could not be found (are you missing a using directive or an assembly reference?)

Could you please help me solve this matter.

Thank you in advance.

CSharpConsole(64) crashed on Windows Server R2 x64

hi here,
I am new to Windows programming. I finally got all the source code compiled. When I ran CSharpConsole(64) from ../Deviar2/bin, it crashed. I could run it by VS2015. Then I tried to run it with the COM samples via "regsvr32 XXX". They failed too. I tried to run CSharpConsole(64) again with VS2015. It crashed as well. I found RunningProcesses() returns NULL. What can I do to get around this error? Many thanks!

Hooking process creation/destruction not capturing all processes

I have downloaded and compiled Deviare from source.
Windows 7 x64 SP1
Python 2.7.9 Stackless 32bit
pywin32 220

When running the following code, not all process creation/destruction notifications show. There are specific processes that I am looking for that happen very quickly, and some of them are getting passed by. I have tested this in many different ways, but in this example I am using threading.Event() to stall the process creation. 0.728 seconds seems to be the "sweet spot", with 4 creation and 4 destruction notifications out of 10 processes created and destroyed.

Please excuse the code; this is for testing purposes and wasn't meant to be pretty.

import os
import win32com.client
import ctypes
import sys
import threading

dllPath = os.path.join(os.path.split(__file__)[0], 'DeviareCOM.dll')
dll = ctypes.windll[dllPath]
dll.DllRegisterServer()


class ProcessEvents:

    def OnProcessStarted(self, pyPID):
        process = win32com.client.Dispatch(pyPID)

        name = process.Name.split('.')[0]
        pid = process.Id
        user = process.UserName

        print 'OnProcessStarted:', name, pid, user

    def OnProcessTerminated(self, pyPID):
        process = win32com.client.Dispatch(pyPID)
        name = process.Name.split('.')[0]
        pid = process.Id
        user = process.UserName

        print 'OnProcessTerminated:', name, pid, user

win32com.client.pythoncom.CoInitialize()

processManager = win32com.client.DispatchWithEvents("DeviareCOM.NktSpyMgr", ProcessEvents)
processManager.Initialize()

hook = processManager.CreateHook("kernel32.dll!CreateProcess", 0)
hook.Hook(True)

event = threading.Event()
event.set()


def run():
    while event.isSet():
        pass

    for i in range(10):
        os.system("cmd /c echo Test")
    event.wait(0.0728)


threading.Thread(target=run).start()

MessageBox = ctypes.windll.user32.MessageBoxW
event.clear()
MessageBox(None, "", "", 0)

I am not sure if this is normal behavior; please advise.

Stack overflow exception in dvAgent64.dll

I have Windows 10 version 1607 (Build 14393) and am using Deviare 2.7.6, recompiled with the "BuildOriginalNtCalls" function commented out due to issue #16.

Now when testing in the AutoCAD application, it gives a stack overflow exception in TlsSetValue inside Initialize().

I have uploaded a crash dump to Dropbox.

Please let me know if you need more information.

_spyMgr.CreateProcess crashes at launch

Sorry to bug you here again. This is probably answered on the old forums, but I'm stuck.

I'm getting a crash at launch while using Deviare2:

First-chance exception at 0x004F2B75 in limbo.exe: 0xC0000005: Access violation reading location 0x00000000.

win32u.dll!_NtUserCallOneParam@8() Unknown
limbo.exe!0044fd9a() Unknown
[Frames below may be incorrect and/or missing, no symbols loaded for limbo.exe]
limbo.exe!004457ac() Unknown
uxtheme.dll!ClassicSystemParametersInfoA() Unknown
uxtheme.dll!_InternalSystemParametersInfo() Unknown
uxtheme.dll!ThemeSystemParametersInfoA() Unknown
user32.dll!__EndUserApiHook@0() Unknown
limbo.exe!00478878() Unknown
limbo.exe!00739980() Unknown
ntdll.dll!_NtClose@4() Unknown
KernelBase.dll!CloseHandle() Unknown
kernel32.dll!@BaseThreadInitThunk@12() Unknown
ntdll.dll!__RtlUserThreadStart() Unknown
ntdll.dll!__RtlUserThreadStart@8() Unknown

The game is Limbo, running from the GoG version, which means there is no DRM or other foolishness.

I trimmed the C# code down to a minimal example, which is just the launch itself, no DLL load, and it still crashes. This also crashes when run as Admin. All Deviare 2.8.3 DLLs are in the app launch folder, and the DLLs are regsvr32 active.

            _spyMgr = new NktSpyMgr();
            hresult = _spyMgr.Initialize();
            if (hresult != 0)
                throw new Exception("Deviare initialization error.");

            // Launch the game, but suspended, so we can hook our first call and be certain to catch it.
            _gameProcess = _spyMgr.CreateProcess(@"G:\Games\limbo\limbo.exe", true, out continueevent);
            if (_gameProcess == null)
                throw new Exception("Game launch failed.");

            _spyMgr.ResumeProcess(_gameProcess, continueevent);

Bit of a loss here, any suggestions?

Placing hooks from .net dll cause hook connection to die

Hi all!
I have run into a problem while using Deviare2 and am looking for someone who could explain the observed behavior.

Let's consider the following scheme of a project:

  1. The .exe C# application (1), which creates the NktSpyMgr object and places some hooks.
  2. The .dll C# .NET library (2), running in the process of application (1), which receives the NktSpyMgr object from it and also places some hooks through it.
  3. Some 3rd-party .exe application (3) we are hooking through NktSpyMgr.

The problem I met is that after several calls to the hook handlers inside the .NET library (2), some of the hooks in this library (2) (sometimes all of them) will not trigger anymore, despite the corresponding WinAPI being called.

I have inspected the case a bit and found that the part of the Deviare2 code that is injected into application (3) is working OK and triggers the transport sending a message to the client (the CDvAgentMgr::OnUserHook code works well).
The client successfully receives that message and tries to call the handler inside spymgr.cpp CNktSpyMgrEngineImpl::OnHookCalled.

In the successful case the call to the handler will be inside lpHookImpl->Fire_OnFunctionCalled(cIHook, cIProc, cIHookCallInfo);

Next, hookevents.h Fire_OnFunctionCalled is triggered, and it tries to enumerate connections, but it seems that all connections are dead in the error case.

I have prepared a sample project based on the COM sample to demonstrate the problem; it can be downloaded here.
It works much like the COM sample: it runs notepad.exe; one should click File->Save the first time, and the hooks from the DLL will be triggered (a lot of times, maybe); then close the dialog and click File->Save a second time, and some of the hooks from the DLL will not be triggered (WinAPI calls to the hooked functions will go normally).

Am I doing something completely wrong by design, or is this a bug? What could cause such strange behavior?

UPD: Save dialog (not Open) should be used to reproduce the issue with sample.

Unexpected CreateRemoteThread calls (Possible bug)

Hi,
While using your API to hook some functions in notepad++, I noticed some calls to CreateRemoteThread whenever I use notepad++'s Open File button. I do not understand why notepad would call this function, and in fact rohitab's "ApiMonitor" does not see these calls. I fear these calls could be the result of interference from the hooking procedure itself, while performing process injection. Many other Windows applications are also triggering the hook where I would not expect them to. Could you please look into this? Steps to reproduce:
1:Use CSharpConsole to hook CreateRemoteThread in notepad++
2:Try to open a file in notepad++
Optionally I recall these steps working with windows' notepad.exe 32bit.

logging/printing all api calls of a hooked process

Hello,

I just need to know: I want to print all the API calls (e.g. CreateFileW, QueryInformation, CloseFile, ReadFile, etc.) (not only DLLs) of a hooked process. Can I do that, and what method/function should I use? I am working in C# with Deviare2.

Thanks.

AppCrash on hooking 32 bit process on Windows 10 64 bit with CSharpConsole

I'm playing around with CSharpConsole from the precompiled Deviare 2.8.0 release under a Windows 10 64-bit VM, and while CSharpConsole64.exe can hook 64-bit processes like notepad.exe with no problem, CSharpConsole.exe crashes target 32-bit processes like notepad++.exe, devenv.exe, etc. Is 32-bit hooking supported under Windows 10?

Faulting application name: notepad++.exe, version: 6.9.2.0, time stamp: 0x573b9c9e
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00d90030
Faulting process id: 0x10fc
Faulting application start time: 0x01d21359b0a69664
Faulting application path: C:\Program Files (x86)\Notepad++\notepad++.exe
Faulting module path: unknown
Report Id: c34e8c31-c38b-402c-834c-3df70f833943
Faulting package full name: 
Faulting package-relative application ID: 

Crash at NktHook.Hook if LoadCustomDLL cannot find DLL

This has killed me at least twice now, and I really am expecting LoadCustomDLL to return an error. I check and handle all errors, but LoadCustomDLL will report success, even if the dll path name is invalid.

In particular, if the pathname is invalid, LoadCustomDLL will return the int/hresult=0. And I'll crash later at NktHook.Hook.

If my pathname is valid, then LoadCustomDLL will return int/hresult=1, which is a little weird, but still matches the SUCCESS style macros. Still, it really ought to be 0, this is not a 'test for functionality' type call. The documentation does not indicate it would ever return '1'.

This is a fairly serious problem, because debugging it took me a couple of days. This crash because of a bad path is quite obscure, and it would be dramatically better if LoadCustomDLL returned an error.


Here is the stack crawl when it crashes.

00000001()  Unknown
[Frames below may be incorrect and/or missing]
DvAgent.dll!TNktArrayList<CNktDvParam *,128,TNktArrayListItemRemove_Release<CNktDvParam *> >::RemoveAllElements() Line 330  C++
DvAgent.dll!CNktDvHookEngine::Hook(CNktDvHookEngine::tagHOOKINFO * aHookInfo=0x8007007e, unsigned long nCount=1, int bIsInternal=0) Line 494  C++
DvAgent.dll!CDvAgentMgr::OnEngMsg_AddHook(tagNKT_DV_TMSG_ADDHOOK * lpMsg=0xffe16054, CNktDvTransportBigData * lpConnBigData=0xffe300e0) Line 2522  C++
DvAgent.dll!CDvAgentMgr::TAC_OnEngineMessage(CNktDvTransportAgent * lpTransport=0x77ad4060, tagNKT_DV_TMSG_COMMON * lpMsg=0xffe16054, unsigned long nMsgSize=1084, CNktDvTransportBigData * lpConnBigData=0xffe300e0) Line 699  C++
DvAgent.dll!CNktDvTransportAgent::WorkerThreadProc(unsigned long nIndex=5) Line 564  C++
DvAgent.dll!TNktClassWorkerThread<CNktDvTransportAgent>::ThreadProc() Line 169  C++
DvAgent.dll!thread_start<unsigned int (__stdcall*)(void *)>(void * const parameter=0xffe0418c) Line 115  C++
kernel32.dll!@BaseThreadInitThunk@12()  Unknown
ntdll.dll!___RtlUserThreadStart@8()  Unknown
ntdll.dll!__RtlUserThreadStart@8()  Unknown

Here is my simplified C# code that demonstrates the problem:

        _spyMgr = new NktSpyMgr();
        hresult = _spyMgr.Initialize();
        if (hresult != 0)
            throw new Exception("Deviare initialization error.");
#if DEBUG
        _spyMgr.SettingOverride("SpyMgrDebugLevelMask", 0xCF8);
#endif


        {
            // Launch the game, but suspended, so we can hook our first call and be certain to catch it.

            _gameProcess = _spyMgr.CreateProcess(game, true, out continueevent);
            if (_gameProcess == null)
                throw new Exception("Game launch failed.");

            // Load the NativePlugin for the C++ side.  The NativePlugin must be in this app folder.
            // The Agent supports the use of Deviare in the CustomDLL, but does not respond to hooks.

            _spyMgr.LoadAgent(_gameProcess);
            int result = _spyMgr.LoadCustomDll(_gameProcess, _nativeDLLName, true, true);  // *** trouble
            if (result < 0)
                throw new Exception("Could not load NativePlugin DLL.");

            // Hook the primary DX9 creation call of Direct3DCreate9, which is a direct export of 
            // the d3d9 DLL.  All DX9 games must call this interface, or the Direct3DCreate9Ex.
            // We set this to flgOnlyPreCall, because we want to always create the IDirect3D9Ex object.

            NktHook d3dHook = _spyMgr.CreateHook("D3D9.DLL!Direct3DCreate9", (int)eNktHookFlags.flgOnlyPreCall);
            if (d3dHook == null)
                throw new Exception("Failed to hook D3D9.DLL!Direct3DCreate9");

            // Make sure the CustomHandler in the NativePlugin at OnFunctionCall gets called when this 
            // object is created. At that point, the native code will take over.

            d3dHook.AddCustomHandler(_nativeDLLName, 0, "");

            // Finally attach and activate the hook in the still suspended game process.

            d3dHook.Attach(_gameProcess, true);
            d3dHook.Hook(true);  // *** Will crash here.


            // Ready to go.  Let the game startup.  When it calls Direct3DCreate9, we'll be
            // called in the NativePlugin::OnFunctionCall

            _spyMgr.ResumeProcess(_gameProcess, continueevent);
        }
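A guard for the failure mode described in this report, added as an illustration and not part of the project: validate the custom DLL before LoadCustomDll sees it, since a missing file is reported as success (0) and the failure only surfaces later in NktHook.Hook. The helper requires an absolute, existing path, reads the PE file header to confirm the DLL's bitness matches the target's NktProcess.PlatformBits (a 32-bit DLL cannot load into a 64-bit process), and then treats only a negative HRESULT from LoadCustomDll as failure, accepting both 0 (S_OK) and 1 (S_FALSE). It assumes an initialized NktSpyMgr and a target on which LoadAgent has already been called, as in the code above.

```csharp
using System;
using System.IO;
using Nektra.Deviare2;

// Added example, not the project's own code. Validates a custom DLL before
// asking the Deviare agent to load it into the target process.
static class CustomDllLoader
{
    const ushort ImageFileMachineI386  = 0x014c;   // IMAGE_FILE_MACHINE_I386
    const ushort ImageFileMachineAmd64 = 0x8664;   // IMAGE_FILE_MACHINE_AMD64

    // Returns 32 or 64 from the PE file header, or throws if the file is not a PE image.
    public static int PeBitness(string path)
    {
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
        using (var br = new BinaryReader(fs))
        {
            if (br.ReadUInt16() != 0x5A4D)                // "MZ"
                throw new BadImageFormatException("Not a DOS/PE image: " + path);
            fs.Seek(0x3C, SeekOrigin.Begin);
            int peOffset = br.ReadInt32();                 // IMAGE_DOS_HEADER.e_lfanew
            fs.Seek(peOffset, SeekOrigin.Begin);
            if (br.ReadUInt32() != 0x00004550)             // "PE\0\0"
                throw new BadImageFormatException("Missing PE signature: " + path);
            ushort machine = br.ReadUInt16();              // IMAGE_FILE_HEADER.Machine
            switch (machine)
            {
                case ImageFileMachineI386:  return 32;
                case ImageFileMachineAmd64: return 64;
                default:
                    throw new BadImageFormatException("Unsupported machine type 0x" + machine.ToString("X4"));
            }
        }
    }

    public static void LoadChecked(NktSpyMgr spyMgr, NktProcess proc, string dllPath)
    {
        // The agent resolves the path inside the target, so hand it an absolute path
        // and make sure it exists on this side first: LoadCustomDll itself will not tell you.
        string fullPath = Path.GetFullPath(dllPath);
        if (!File.Exists(fullPath))
            throw new FileNotFoundException("Custom DLL not found", fullPath);

        // A 32-bit DLL cannot be loaded into a 64-bit process and vice versa.
        int dllBits = PeBitness(fullPath);
        if (dllBits != proc.PlatformBits)
            throw new BadImageFormatException(string.Format(
                "{0} is {1}-bit but PID {2} is {3}-bit", fullPath, dllBits, proc.Id, proc.PlatformBits));

        // HRESULT convention: S_OK (0) and S_FALSE (1) are both success; failures are negative.
        int hr = spyMgr.LoadCustomDll(proc, fullPath, true, true);
        if (hr < 0)
            throw new Exception(string.Format("LoadCustomDll failed: 0x{0:X8}", hr));
    }
}
```

Call CustomDllLoader.LoadChecked(_spyMgr, _gameProcess, _nativeDLLName) in place of the bare LoadCustomDll call marked "trouble" above; the bad-path case then fails at the call site with a FileNotFoundException instead of inside NktHook.Hook.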

How to Hook a process as soon as it starts and check if the hook is active.

I have an application that consists of a windows service that is hooking the windows print spooler process.
I'm having a problem, sometimes, for some reason, the spooler restarts, and the hook is lost.
What is the best way of monitoring if the hook is active in the hooked process and to hook this process as soon as it starts?
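One way to approach the question above, added here as an illustration and not part of the repository: a small keeper class that attaches the hook to every running instance of the target executable, re-attaches when the spy manager reports a new instance starting (which covers a spooler restart), and records the per-process hook state from the state-change event so a watchdog can ask whether the hook is really active rather than assuming it survived. The target and function names are placeholders. OnHookStateChanged, Processes(), NktHook.FunctionName and the eNktHookState.stActive/stError values are taken from the DeviareCOM type library as I recall it (the page only shows stError and the "Hook state change" log lines) and should be checked against your interop assembly.

```csharp
using System;
using System.Collections.Generic;
using Nektra.Deviare2;

// Added example, not a Deviare sample. Keeps one hook attached across restarts
// of every process whose image name matches the target.
class HookKeeper
{
    readonly NktSpyMgr _spyMgr;
    readonly NktHook _hook;
    readonly string _targetExe;
    readonly object _lock = new object();
    readonly Dictionary<int, eNktHookState> _stateByPid = new Dictionary<int, eNktHookState>();

    public HookKeeper(string targetExe, string function)
    {
        _targetExe = targetExe;
        _spyMgr = new NktSpyMgr();
        if (_spyMgr.Initialize() != 0)
            throw new Exception("Deviare initialization error.");

        _hook = _spyMgr.CreateHook(function, (int)eNktHookFlags.flgOnlyPreCall);
        if (_hook == null)
            throw new Exception("CreateHook failed for " + function);
        _hook.OnFunctionCalled += OnCalled;

        // Process lifetime and hook state notifications come from the spy manager.
        _spyMgr.OnProcessStarted += OnProcessStarted;
        _spyMgr.OnProcessTerminated += OnProcessTerminated;
        _spyMgr.OnHookStateChanged += OnHookStateChanged;

        // Attach to instances that are already running, then install the hook.
        var running = _spyMgr.Processes();
        for (int i = 0; i < running.Count; i++)
        {
            NktProcess p = running.GetAt(i);
            if (IsTarget(p))
                _hook.Attach(p, true);
        }
        _hook.Hook(true);
    }

    bool IsTarget(NktProcess p)
    {
        return string.Equals(p.Name, _targetExe, StringComparison.OrdinalIgnoreCase);
    }

    void OnProcessStarted(NktProcess p)
    {
        // The service restarted (or a second instance appeared): attach the existing hook to it.
        if (IsTarget(p))
            _hook.Attach(p, true);
    }

    void OnProcessTerminated(NktProcess p)
    {
        lock (_lock) _stateByPid.Remove(p.Id);
    }

    void OnHookStateChanged(NktHook hook, NktProcess p, eNktHookState newState, eNktHookState oldState)
    {
        lock (_lock) _stateByPid[p.Id] = newState;
        if (newState == eNktHookState.stError)
            Console.WriteLine("Hook failed in PID " + p.Id + "; check the agent-load HRESULT in the Deviare log.");
    }

    void OnCalled(NktHook hook, NktProcess p, NktHookCallInfo callInfo)
    {
        Console.WriteLine(hook.FunctionName + " called in PID " + p.Id);
    }

    // What a watchdog thread should poll instead of assuming the hook outlived a restart.
    public bool IsActive(int pid)
    {
        lock (_lock)
        {
            eNktHookState s;
            return _stateByPid.TryGetValue(pid, out s) && s == eNktHookState.stActive;
        }
    }
}
```

For the spooler case this would be new HookKeeper("spoolsv.exe", "winspool.drv!OpenPrinterW") or whichever function the service actually needs; a process that reaches stError stays in the inactive list, so IsActive returning false for a live PID is the signal to log the error and retry the Attach.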

In case of start of an example nothing occurs.

Hello, excuse me for troubling you, but I am a beginner in programming and I have only begun to study hooking.

Question: I succeeded in compiling the libraries and examples, but when starting the "CSharp\COMHookingBasis" example nothing happens: the console appears and finishes at once, although Console.WriteLine("Press ESCAPE key to quit..."); should appear whatever the outcome.
Please help me understand.

DbGenerator: compilation failed

I saw from the headers that #include <NCryptprotect.h> is missing, while #include <ncrypt.h> is present. I would like to hook all the functions of NCrypt.dll. Is it possible to add them? Can I easily do that by generating a custom db?

AppCrash on hooking SQL Server 64 bit with CSharpConsole64 and multiple hooks

In CSharpConsole64 under Windows 10 64 bit VM after hooking sqlservr.exe (SQL Server 2016) with multiple kernel32 functions (specifically GetLocalTime and GetSystemTimeAsFileTime, latter being frequently called) it crashes the SQL Server after about 10 seconds of logging the events with few GetLocalTime and few dozen GetSystemTimeAsFileTime. Is it related to #16? The exception code seems different.

Faulting application name: sqlservr.exe, version: 2015.130.1601.5, time stamp: 0x5724ae45
Faulting module name: ntdll.dll, version: 10.0.14393.103, time stamp: 0x57b7e207
Exception code: 0xc00000fd
Fault offset: 0x0000000000039633
Faulting process id: 0xb3c
Faulting application start time: 0x01d213f220cda4c6
Faulting application path: C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 18c975dd-9023-44c4-a4f8-ce7858986dd7
Faulting package full name: 
Faulting package-relative application ID: 

Deviare DB cannot be rebuilt

Always possible I'm doing something wrong, but I'm getting fatal errors when trying to rebuild the DB.

I wanted access to the d3d9.dll!SetRenderState function. As near as I can tell, that function is missing from the DB that ships with 2.8.3. If I use the DbFunctions call, I do not find that function in the returned list.

        NktDbObjectsEnum funcs = spyMgr.DbFunctions(theball.PlatformBits);
        for (int i = 0; i < funcs.Count; i++)
        {
            NktDbObject funcObj = funcs.GetAt(i);
            Console.WriteLine(i + ": " + funcObj.Name);
         ...

Trying to limit the function list to just the d3d9.dll module, I get an AccessViolation exception when I try to fetch the functions for that module. Not sure if this is related, but it seemed odd.

        INktDbModulesEnum modules = spyMgr.DbModules(theball.PlatformBits);
        NktDbModule d3d9 = modules.GetByName("d3d9.dll");   <<< works
        NktDbObjectsEnum functions = d3d9.DbFunctions();     <<< crash
        for (int i = 0; i < functions.Count; i++)
        {
            NktDbObject funcObj = functions.GetAt(i);
            Console.WriteLine(i + ": " + funcObj.Name + "  " + funcObj.Declaration);
        }

Searching the entire function list for a partial name match of "SetRender" did not show any results, which makes me think it is missing.


Then took a look at rebuilding the DB with current header files. As near as I can tell, this is not currently possible.

The documentation suggests using a zip file that is not available, but seems to be clearly related to the other tools in the Database folder. Running the build32.bat full and build64.bat full generated the expected preprocessed*.h files.

However, running the DbBuilder/build_32.bat against those files gives 60 or so errors.

c:\Users\bo3b\Documents\Code\Deviare2\Database\HeaderBuilder\Full\output\preprocessed32W.h:148788: error: wrong number of arguments specified for 'deprecated' attribute

This error appears to happen because the gcc compiler used for building the DB is old, and does not support parameters for the 'deprecated' attribute. For example:

typedef struct __declspec(deprecated("Use ""ADDRINFOEX2W"" instead or define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings")) addrinfoex2A

It's not the double quotes, it's the entire string parameter it does not like.


There are a handful of other errors as well.

Not sure this is helpful, but thought I'd report it as not working with Visual Studio 2013, and SDK 8.1 headers. As noted, I cannot be certain I setup or built this all correctly.

how to hook fastprox.dll?

hi
NktHook hook = _spyMgr.CreateHook("Fastprox.dll!CWbemObject::Get", (int)(eNktHookFlags.flgOnlyPreCall)); does not work
NktHook hook = _spyMgr.CreateHook("Fastprox.dll!?Get@CWbemObject@@UAGJPBGJPAUtagVARIANT@@PAJ2@Z", (int)(eNktHookFlags.flgOnlyPreCall)); does not work either
How else can it be done?
thanks

Hooking undocumented functions and adding new functions into nektra's database

Hello everyone!

I'm trying to hook some functions of the spoolsv.exe process, for instance the YSetJob and YGetJob functions (both undocumented). So far I'm able to get the calls, but when I try to get the params through:
INktParamsEnum paramsEnum = hookCallInfo.Params();
nothing is returned.
I believe that I have to insert these functions into Nektra's database; still, I don't even know where to begin, and actually I'm not entirely sure if this is the real problem here.

Please, help!
Using C# and Visual Studio 2013 in this one.

Buffer overflow being detected by Sophos Anti-virus

Hi,

OS version : windows 7/windows 8.1
Office version : Office 2013
When testing the latest Deviare 2.8.3 with the Microsoft Word application, Sophos Endpoint Security and Control (v10.6) detects a buffer overflow and stops the Word document from opening (the Word application just hangs at the splash screen).

I used CSharpConsole64.exe to hook to winword.exe

Please let me know if you need more information.

CTest sample didn't work well

Hi, I can build Samples\C\Test.sln, but the result doesn't seem correct.

To understand Deviare, I use CTest to test. My command parameters are:

CTest.exe exec notepad -log=CTest.log, and the log contains:

..
CNktDvEngine::CreateHook (user32.dll!GetWindowTextW) => 00000000
CNktDvEngine::CreateHook (ntdll.dll!NtRaiseException) => 00000000
CNktDvEngine::CreateHook (ntdll.dll!NtRaiseHardError) => 00000000
CNktDvEngine::CreateHook (ntdll.dll!RtlUnhandledExceptionFilter2) => 00000000
CNktDvProcess::Create => 00000000
CNktDvHooksEnumerator::AddProcess => 00000000
1112011859: Hook state change [18624]: comdlg32.dll!ChooseColorA -> Activating
1112011859: Agent load [18624]: hRes=0x8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseColorA -> Error: 8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseColorW -> Activating
1112011875: Agent load [18624]: hRes=0x8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseColorW -> Error: 8A320003
1112011875: Hook state change [18624]: comdlg32.dll!ChooseFontA -> Activating
1112011875: Agent load [18624]: hRes=0x8A320003
1112011875: New process [18624]: C:\Windows\SysWOW64\notepad.exe
1112011890: Hook state change [18624]: comdlg32.dll!ChooseFontA -> Error: 8A320003
1112011890: Hook state change [18624]: comdlg32.dll!ChooseFontW -> Activating
1112011890: Agent load [18624]: hRes=0x8A320003
1112011890: Hook state change [18624]: comdlg32.dll!ChooseFontW -> Error: 8A320003
1112011890: Hook state change [18624]: comdlg32.dll!FindTextA -> Activating
1112011890: Agent load [18624]: hRes=0x8A320003
...
1112028203: Hook state change [18624]: shell32.dll!ExtractIconExA -> Removing
1112028203: Hook state change [18624]: wininet.dll!SetUrlCacheGroupAttributeA -> Removing
1112028203: Hook state change [18624]: shell32.dll!SHCreateDirectoryExW -> Removing
...

Initialization/parsing HookAPI/hooking all seem to work, but the log file only contains:

  1. CreateHook success
  2. Hook state change success
  3. New process created
  4. Agent loaded

Other SpyMgr events are not hit, like OnFunctionCalled/OnLoadLibraryCall? And how can I get the meaning of these error codes? My ultimate purpose is tracing internet traffic, so I need to inspect network-related APIs and record the payloads sent/received.

Please tell me what's wrong with it. Thx!

CSharpConsole RefreshJobsExecutionOrderForNextUpdate() missing jobs lock

I experienced random exceptions "Collection was modified; enumeration operation may not execute" thrown in RefreshJobsExecutionOrderForNextUpdate(). It happens because the execution-order decrement is not protected by _jobsLock. Adding the _jobsLock fixes it.

        lock (_jobsLock)
        {
            _jobs.Where(j => j.ExecutionOrder > 1).ForEach(j => j.ExecutionOrder--);
        }

Quickstart

Hello.
I have a small request: could somebody show or explain how to correctly assemble a complete example from the Quickstart? There are pieces of code with explanations there, but it is not said where and what to add.
Thank you for the help in advance.

Question about Deviare-InProc

Hello Mauro,

Do you know of any Deviare-InProc example code that also writes the "NktProcessMemory" parameters?

I am trying to intercept process calls and then redirect file and registry requests to another drive location (on a network).

Is this possible to do with Deviare-InProc?

Antivirus blocks hooking

Need: Identify all the applications that are opened, and kill some if needed.

While I am trying to hook explorer.exe, BitDefender (Advanced Threat Defense) blocks it.
Is there a way to skip this?

Not able to hook to protected process

Hi,

When I open a Word document from a network drive, two Word processes are opened with one window (UI), where the document is opened in "Protected View". If I don't click the "Enable Editing" button, two processes are still opened.

Now, if I use CSharpConsole64.exe to hook winword.exe, it is not able to hook and returns some error. Please find the attached screenshot.

It is able to hook only one winword.exe (the hook is active) and not the other winword.exe (in the inactive list and with stError).

OS: Windows 10 1703 (15063.483) (the Anniversary Update also has the same issue).
Deviare version: 2.8.3
Office version: Office 2016 64-bit

Please let me know if you need more information.

COMHookingBasis sample difficult to get running

When I build and run the COMHookingBasis C# sample in Visual Studio 2013, I never hit the breakpoint on OnDllGetClassObjectCalled.

I hit other breakpoints, so the connection to debugger is correct.

This along with other tests makes me think that the

            hookDllGetClassObj.OnFunctionCalled += OnDllGetClassObjectCalled;

is not functional. I tested on both Win7 and Win10, neither work. No errors are reported.


Adding a handler to the SpyMgr itself seems to work, but hook specific call handlers do not get called.

May I hook calls without tying to specific program?

I'd like to hook all calls to some API function independent from what program makes them. Getting the information about calling program would be nice too.

Can Deviare be used for that? It looks like it is possible but I cannot find an example of such usage. Are there any?

It's a new sphere for me, I'd like to ask a question before I dive in.

How do I compile from source with Visual Studio 2015 ?

I got a message about upgrading the runtime; after the upgrade, when I hit the compile button, many errors pop up, like "cmd.exe failed" and so on.

I tried running the "build.bat" but it says it didn't find visual studio 2012.

Could you update this project for use with visual studio 2015 or at least update the build script or add a 2015-specific one?

Thanks
