Intercepting COM Objects with CoGetInterceptor

Wednesday, February 28, 2018

A while back I wrote about COM interception with CoTreatAsClass. The idea there is to redirect a CLSID to another CLSID implemented by the interceptor. This has the advantage of automatic redirection in cases where a different implementation is desired. However, it makes it difficult to just wrap the original class because its creation becomes masked as well, and so CoTreatAsClass needs to be called again, removing the redirection just enough time to create the original object. This creates an inherent race condition, where new instances could be created in between and the interception "missed". The COM infrastructure includes other...
tags: , , , ,
no comments

ProcMon vs. ProcMonX

Wednesday, January 17, 2018

The (now classic) Process Monitor tool from Sysinternals allows watching important activities on a system: process and thread creation/termination, image loading/unloading, file system operations and registry operations (and some profiling events). This tool helped me many times in diagnosing issues or just understanding what's going on in a particular scenario. Yesterday I released the first preview of a tool called Process Monitor X (ProcMonX), as a possible alternative to ProcMon. ProcMonX provides information on similar activities to ProcMon, but adds many more events, such as networking, ALPC and memory. In fact, the number of possible events is staggering, since there...
no comments

Driver Introspection with DriverMon

Saturday, November 18, 2017

In the past few weeks I've been working in my non-existent spare time on DriverMon - a driver monitoring tool for Windows. The tool is far from complete, but it's already quite useful. In this post I'll describe how to use it and some of the challenges of building such a tool. Initially I wanted to be able to track every I/O Request Packet (IRP) targeted to monitored devices. The term "devices" here is important, as the Windows I/O system is device-centric rather than driver-centric. That is, requests are delivered to devices, not drivers. A device can be thought of...
no comments

Integrating COM IPC into Existing Executables

Friday, October 6, 2017

A few days ago at work, a requirement arouse to create some form of inter-process communication (IPC) between two cooperating processes where the source code for the executables themselves already existed, so such mechanism should integrate into the existing code as easily as possible, while providing bi-directional communication. Several options were brought up, including pipes and sockets. The processes are services and have no UI, so Window messages were not an option. Other ideas included shared memory with notifications using kernel event objects... and then I suggested COM. There was a brief silence and then people started murmuring things like "COM...
tags: , , ,
no comments

Hooking COM Classes

Monday, August 7, 2017

There are some common scenarios that benefit from the ability to hook operations. The canonical example is hooking Windows API functions for debugging purposes, or for malware detection. In this scenario, some DLL is injected into a target process and then hooks relevant functions. There are several ways to do that, but that is not the focus of this post; the interested reader can search the web for more information. In the Component Object Model (COM) world, things are not so easy. Since COM is object based, it's not generally possible to get the address of a COM interface method,...
tags: , , , ,
no comments

Packaging Apps into Single Files

Tuesday, May 9, 2017

One of the hallmarks of easy-to-use tools is simple installation, preferably no installation at all. The classic example is the Sysinternals tools. Each tool is a single executable, self contained, and can be run from anywhere, including network shares and web locations. These tools have no dependencies (except for built-in Windows DLLs), or so it seems. One canonical example is Process Explorer that hides within it two binaries. The first is a kernel driver, used to extract information from the system that cannot be done from user mode (such as reading values of kernel variables), and the other is a 64...
tags: , , , ,
no comments

Sharing Code between Windows, WinRT and Windows Phone

Monday, December 16, 2013

In recent times, I often find myself developing for more than one “Windows” platform – typically Windows Phone and Windows 8 Store and sometimes Windows (WPF) as well. In this post, I’d like to share some of the tools and techniques I’ve been using to ease code sharing. Portable Class Libraries (PCLs) PCLs came out in Visual Studio 2012 and provide an easy way to create a single project that can be referenced by multiple project types. When you create a PCL, you get the following dialog: This dialog allows you to select multiple targeted platforms (at...

Using KeyedCollection<> instead of a Dictionary<>

Wednesday, October 23, 2013

The System.Collections.Generic.Dictionary<TKey, TValue> class is one of the most useful of all .NET collections. It maps a key to a value, and allows for fast retrieval based on the key, as it’s implemented as a hash table, calling GetHashCode on the key object to get to a specific “bucket”, and then looks up the actual value (with Object.Equals or a specific IEqualityComparer<Tkey>.Equals).One feature that Dictionary<> doesn’t support is the ability to access items by integer index. That is, insertion order is not maintained. For most cases, this may be ok, but some cases require fast search and index based...
one comment

Extreme DevCon 2013

Monday, July 15, 2013

Next week, John Bryce Training, along with some of its partners, set up a two day conference named Extreme Dev Con 2013, on the 22nd and 23rd of July in Hertzliya (Israel). The conference consists mainly of full one-day seminars, several happening at the same time (naturally).I will be presenting a full day seminar, titled something like “.NET deep dive for performance”. The rough topics are listed in the above link, but basically I will cover various topics that somehow relate to that elusive thing called “performance”. From process and AppDomains, through the garbage collector and friends, threads and...

Build 2013 Summary

Saturday, June 29, 2013

The Microsoft Build 2013 conference is now over, so it’s time for some summaries and impressions. All the following is my personal thoughts from my viewpoint, and may not reflect the way things actually are. Last caveat – some of the information is based on the sessions I attended. Naturally, I couldn’t attend most sessions, and I may not even remember all info given in the session I attended. Still…The conference was 3 days in length. With about 14 sessions going on at the same time slot, this is too short a conference; 4 days would have been better....