Hooking COM object methods.

princezna · Post by **princezna** » Thu Mar 01, 2012 1:54 pm

I'm trying to hook methods of COM object instances created by CoCreateInstance.

I had little success so far. The hook doesn't seem to fire at all in 32bit applications and crash with access violation in 64bit applications.

I'm probably retrieving the method address or using HookCode incorrectly.

This is the code for Show method of FileOpenDialog interface:

Code: Select all

HRESULT __stdcall FileOpenDialogShowCallback(LPVOID This, HWND hwndOwner)
{
	return (E_ACCESSDENIED);
	return (
		FileOpenDialogShowNext(This, hwndOwner)
	);
}

#define GETINTERFACEMETHOD(pInterface, uIndex) ((PVOID) ((DWORD *) *((DWORD * ) (pInterface)))[uIndex])

HRESULT
CoCreateInstanceCallback(REFCLSID  rclsid,
                         LPUNKNOWN pUnkOuter,
                         DWORD dwClsContext,
                         REFIID riid,
                         LPVOID *ppv)
{
	HRESULT ret;

	ret = CoCreateInstanceNext(rclsid, pUnkOuter, dwClsContext, riid, ppv);
	if (ret == S_OK && rclsid == CLSID_FileOpenDialog) {
		LPVOID funcPointer = (LPVOID) (((LPVOID *) (*ppv)) + 3);
		HookCode(funcPointer /* GETINTERFACEMETHOD((*ppv), 3) */, FileOpenDialogShowCallback,
			(PVOID *) &FileOpenDialogShowNext);
	}

	return (ret);
}

BOOL WINAPI
DllMain(HANDLE hModule, DWORD fdwReason, LPVOID lpReserved)
{
	if (fdwReason == DLL_PROCESS_ATTACH) {
		InitializeMadCHook();
		HookAPI("Ole32.dll", "CoCreateInstance",
				CoCreateInstanceCallback, (PVOID *) &CoCreateInstanceNext);
	} else if (fdwReason == DLL_PROCESS_DETACH) {
		FinalizeMadCHook();
	}

	return (TRUE);
}

princezna · Post by **princezna** » Thu Mar 01, 2012 1:55 pm

Anyone has any experience with hooking COM object methods? Code sample?

Post by **madshi** » Thu Mar 01, 2012 4:44 pm

Maybe this one helps?

Code: Select all

PVOID GetInterfaceMethod(PVOID intf, DWORD methodIndex)
{
  return *(PVOID*)(*(ULONG_PTR*)intf + methodIndex * sizeof(PVOID));
}

princezna · Post by **princezna** » Fri Mar 02, 2012 9:38 am

Thanks, madshi.

Unfortunately still no luck.

This is what happens when I try to display the file open dialog by clicking Open in the File menu of a 64bit version of notepad:
http://img515.imageshack.us/img515/8650 ... leopen.png

Which might actually be the correct behavior when returning E_ACCESSSDENIED in the IFileOpenDialog->Show callback, but...

This is what happens when I try the same thing with a 32bit version of notepad:
http://img824.imageshack.us/img824/6573 ... leopen.png

The dialog is unfortunately in czech, so here's the translation:

Instruction at the address of 0x002f27f0 is pointing to the memory address of 0x002f27f0. Cannot execute operation on memory: written.

Clicking OK button will exit the program.

Subsequently this error pops up when I try to run most 32bit applications like iexplore, chrome, total commander, ...

All of this is happening on the same system running win7 64bit. No other hooking facility except for madCodeHook is running afaik.

Any ideas what might be the cause or what I'm doing wrong? I've been trying to solve this for days... :-/

Post by **madshi** » Fri Mar 02, 2012 10:00 am

I've just noticed your "CoCreateInstanceCallback" is missing a WINAPI.

princezna · Post by **princezna** » Fri Mar 02, 2012 11:21 am

What a stupid mistake! Works great now.

Thanks!

Post by **madshi** » Fri Mar 02, 2012 11:39 am

The simplest bugs are often hardest to find...

madshi.net

Hooking COM object methods.

Hooking COM object methods.

Re: Hooking COM object methods.

Re: Hooking COM object methods.

Re: Hooking COM object methods.

Re: Hooking COM object methods.

Re: Hooking COM object methods.

Re: Hooking COM object methods.