Deviare2 is a professional API hook library for MS Windows. It's easy to use and powerful. But when I wanted to hook WriteFile using a C# dummy writer, I found it hooked WriteFile twice. I tried using API Monitor to hook the dummy writer, and I found that API Monitor hooks just once for every write call. That's strange!
Hook code:

    spyMgr = new NktSpyMgr();
    // Poll until the target process is running.
    NktProcess _process = GetProcess("DummyWriter.exe");
    while (_process == null)
    {
        Console.WriteLine("wait for process start...");
        System.Threading.Thread.Sleep(10);
        _process = GetProcess("DummyWriter.exe");
    }
    // Create a hook on kernel32!WriteFile with the flgOnlyPreCall flag.
    hookDllGetClassObj = spyMgr.CreateHook("kernel32.dll!WriteFile", (int)(eNktHookFlags.flgOnlyPreCall));
    hookDllGetClassObj.Attach(_process, true);
    hookDllGetClassObj.Hook(true);
    // Handler invoked for each notification from the hooked function.
    hookDllGetClassObj.OnFunctionCalled += OnDllGetClassObjectCalled;
Dummy writer:

    string key = "";
    Task.Factory.StartNew(() => {
        int index = 1;
        // Append one line every 500 ms until the user presses Enter.
        while (key == "")
        {
            using (StreamWriter sw = new StreamWriter("d:\\dummy.txt", true))
            {
                string str = string.Format("{0}:oh gotcha!", index);
                Console.WriteLine(str);   // echo to the console
                sw.WriteLine(str);        // append to the file
                index++;
            }
            Thread.Sleep(500);
        }
    });
    key = Console.ReadLine();
The APIs are not hooked twice but the callback is called two times. One before the original API is called and then after.
You must check the NktHookCallInfo parameter and see if you are in the pre or postCall so you can do modifications to parameters and result.

BTW: Deviare InProc is the engine that does a more classic hooking style.
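
A handler that performs the check described in the answer, shown as an added example (not code from the question or the answer). It logs the call phase together with the WriteFile handle and byte count, so notifications can be told apart by phase, thread and target handle. The class name `WriteFileLogger` is hypothetical, and the code assumes the Deviare2 COM interop assembly (`Nektra.Deviare2`) is referenced.

```csharp
// Added example: not code from the question or the answer.
// Assumes a reference to the Deviare2 COM interop assembly (Nektra.Deviare2).
using System;
using Nektra.Deviare2;

static class WriteFileLogger   // hypothetical helper class
{
    // Same signature as the handler attached to hook.OnFunctionCalled.
    public static void OnWriteFileCalled(NktHook hook, NktProcess process,
                                         NktHookCallInfo callInfo)
    {
        INktParamsEnum pms = callInfo.Params();

        if (callInfo.IsPreCall)
        {
            // Before the original API runs.
            // BOOL WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, ...)
            Console.WriteLine("pre  pid={0} tid={1} hFile={2} bytes={3}",
                process.Id, callInfo.ThreadId,
                pms.GetAt(0).PointerVal,   // hFile
                pms.GetAt(2).ULongVal);    // nNumberOfBytesToWrite
        }
        else
        {
            // After the original API has returned: the BOOL result is available.
            Console.WriteLine("post pid={0} tid={1} hFile={2} result={3}",
                process.Id, callInfo.ThreadId,
                pms.GetAt(0).PointerVal,
                callInfo.Result().LongVal);
        }
    }
}
```

Attach it in place of the question's handler with `hookDllGetClassObj.OnFunctionCalled += WriteFileLogger.OnWriteFileCalled;`.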