This quick start shows the basic capabilities for intercepting system calls with Deviare from a C# program. Requirements are: a suitable C# compiler/editor (Visual Studio or SharpDevelop) and Deviare 2.0.
Projects should build without problems in Visual Studio 2015 with Update 1 or later.
Project Setup (Free COM)
We'll use Deviare with C#. Open a Visual Studio session and create a new C# Windows Forms project. Name it as 'DeviareTest'.
With the project successfully set up, select the solution platform (x64 or x86), disable "Visual Studio hosting process" and enable "Create application without a manifest". Finally, build the project and copy the following files to the output (Release or Debug) directory:
For a 32-bit build, rename DeviareTest32.exe.manifest to DeviareTest.exe.manifest.
For a 64-bit build, rename DeviareTest64.exe.manifest to DeviareTest.exe.manifest.
Then select "Add Reference" => "Browse" and include "Nektra.Deviare2.dll".
Our task will be to hook CreateFileW calls. We'll use a well-known application, NOTEPAD.EXE, as the target for our example.
Modify thread model
Prior to calling any Deviare library methods, we need to initialize the NktSpyMgr class. This can be done in the Form constructor:
Get our target process
Then we can look up a hard-coded target process such as notepad:
In the Form load event handler, we create a new hook object by passing the function to be intercepted, in module!function format, to the _spyMgr.CreateHook function.
Note that our handler will be called *before* the execution of the hooked function begins. Another option is flgOnlyPostCall, which calls our handler when the hooked function terminates (right after it returns), making it possible to inspect return values. Using neither flag generates events for both pre-call and post-call interception.
When this function is executed in the context of the target process, we want to catch it in our event handler. To define this handler we can do the following:
We need to call Hook() to enable the interception mechanism for this particular hook.
We specify the processes we want to attach to. _process was returned from the GetProcess function above and, in our example, represents the notepad process.
Finally, we use the OnFunctionCalled event to process the call. In this case, we will inspect CreateFileW information:
Now let's see how we can implement a simple reporting routine for every CreateFileW call.
As an example, we want to report the CreateFileW function parameters for each interception. Its prototype is:
We can easily traverse those parameters using the hookCallInfo.Params() enumerator:
With this code, we get an output like:
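The whole procedure above, collected into one Windows Forms class as an added example (not code taken from the page or from Nektra's samples). NktSpyMgr, CreateHook, Hook(), OnFunctionCalled, GetProcess and Params() are named on the page; Initialize(), Processes(), Attach(), eNktHookFlags.flgOnlyPreCall, the DNktSpyMgrEvents_OnFunctionCalledEventHandler delegate and the INktParam members (ReadString, Name, LongVal) are assumed from the Deviare 2 API, and the form name Form1 is assumed:

```csharp
using System;
using System.Windows.Forms;
using Nektra.Deviare2; // reference to Nektra.Deviare2.dll, added as described above
public partial class Form1 : Form
{
    private NktSpyMgr _spyMgr;
    private NktProcess _process;

    public Form1()
    {
        InitializeComponent();
        // Initialize the spy manager before any other Deviare call.
        _spyMgr = new NktSpyMgr();
        _spyMgr.Initialize();
        // Every intercepted call is delivered to this handler (delegate type assumed from the API).
        _spyMgr.OnFunctionCalled += new DNktSpyMgrEvents_OnFunctionCalledEventHandler(OnFunctionCalled);
    }

    // Find a running process by image name; returns null when it is not running.
    private NktProcess GetProcess(string processName)
    {
        NktProcessesEnum procs = _spyMgr.Processes();
        for (NktProcess p = procs.First(); p != null; p = procs.Next())
        {
            // Skip processes whose bitness this build cannot hook (an x86 host cannot hook x64 targets).
            if (p.Name.Equals(processName, StringComparison.OrdinalIgnoreCase)
                && p.PlatformBits > 0 && p.PlatformBits <= IntPtr.Size * 8)
                return p;
        }
        return null;
    }

    private void Form1_Load(object sender, EventArgs e)
    {
        _process = GetProcess("notepad.exe");
        if (_process == null) { MessageBox.Show("notepad.exe is not running"); return; }
        // flgOnlyPreCall: the handler runs before CreateFileW executes, so its arguments are still intact.
        NktHook hook = _spyMgr.CreateHook("kernel32.dll!CreateFileW", (int)eNktHookFlags.flgOnlyPreCall);
        hook.Attach(_process, true); // attach the hook to the notepad process
        hook.Hook(true);             // enable interception for this hook
    }

    // Report each CreateFileW call: the first parameter is lpFileName (a wide-string pointer), the rest are scalars.
    private void OnFunctionCalled(NktHook hook, NktProcess process, NktHookCallInfo hookCallInfo)
    {
        INktParamsEnum paramsEnum = hookCallInfo.Params();
        INktParam param = paramsEnum.First();
        string line = "CreateFileW(\"" + param.ReadString() + "\"";
        for (param = paramsEnum.Next(); param != null; param = paramsEnum.Next())
            line += ", " + param.Name + "=0x" + param.LongVal.ToString("X");
        Console.WriteLine(line + ")");
    }
}
```

Wire Form1_Load to the form's Load event in the designer; with notepad running, each file it opens is reported as one line on the console.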
Feel free to investigate and modify the available C++/C# Deviare samples, and to consult the API documentation provided.