Problem in hooked mshtml native method

ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Problem in hooked mshtml native method

Post by ameetmalekar »

Hi,

We are trying to hook a C++ member function (non-exported) with the following prototype from MSHTML.dll, using HookCode.

HRESULT CHtmTagStm::WriteTag(DWORD,wchar_t*,ULONG,BOOL);

Hook functions we have tried are:

Code:

HRESULT WINAPI PQR(void*,DWORD,wchar_t*,ULONG,BOOL); // 5 parameters

HRESULT __fastcall PQR(void* ,void*,DWORD,wchar_t*,ULONG,BOOL); // 6 parameters

The function gets hooked successfully, 'BUT' after 1 or 2 iterations it throws an ACCESS VIOLATION error, i.e. C0000005.

Source code of the function:

Code:

HRESULT __fastcall PQR(void* r1,void* r2,DWORD x1,wchar_t* x2,ULONG x3,BOOL x4)
{
	FILE* fp = fopen("","ab+"); // file name left as posted
	if (fp)
	{
		fprintf(fp,"\r\n%ls",x2); // x2 is a wide string, so %ls rather than %s
		fclose(fp);
	}
	// "UnHookCode" here is the next-hook pointer filled in by HookCode; its result is returned to the caller
	return UnHookCode(r1,r2,x1,x2,x3,x4);
}

The hooked pointer is correct, as we get the expected data in the wchar_t* buffer.

How should we determine what's wrong in the above code?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem in hooked mshtml native method

Post by madshi »

It doesn't make much sense to me that you're mixing WINAPI and __fastcall. You need to use the correct calling convention for both. I'd guess it's likely to be __thiscall?
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Problem in hooked mshtml native method

Post by ameetmalekar »

We are not mixing them. We have tried different calling convention types one after another.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Problem in hooked mshtml native method

Post by iconic »

@Ameet,

What happens if you don't call UnHookCode in the callback? Have you also commented out the file open/print/close calls? What API are you actually hooking?

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem in hooked mshtml native method

Post by madshi »

And have you tried __thiscall? You should look at the disassembly of the function you want to hook to figure out which parameters and calling convention that function really has.
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Problem in hooked mshtml native method

Post by ameetmalekar »

Hi,

When we try to compile the hook function with __thiscall, we get the following error:

error C3865: '__thiscall' : can only be used on native member functions

After going through the disassembly, we have found that the calling convention of the target function is the C++ member-function one, i.e. __thiscall.

The function cleans the stack when it returns, as follows:

retn 10h

10h = 16

Therefore, no. of parameters = 4, as pointers are 32-bit aligned on a 32-bit system.

@iconic --> If we don't call Unhook, it does not call the original system method, so the browser displays a blank page. Yes, we tried hooking without logs.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem in hooked mshtml native method

Post by madshi »

You will probably have to create a little dummy class so that the calling convention is used correctly. You will run into a compiler problem that way, though. There's a trick in MSVC++ to make it compile. I figured this out just a while ago for one of my own projects. Something like this:

Code:

// step 1 - define a global method variable and assign the method you want to hook:
static DWORD (__thiscall CYourDummyObject::* SomeMethodVar)(DWORD) = &CYourDummyObject::SomeMethod;

// step 2 - convert to simple PVOID:
PVOID SomeMethodAddr = (PVOID) (void*&) SomeMethodVar;
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Problem in hooked mshtml native method

Post by ameetmalekar »

Hi,

As per your suggestion to hook the class member function, we wrote the accompanying code below.
The output of this code is:
1) Function is hooked.
2) Hooked function is called ONLY once.
3) ON UnHook Application crashes.

Please help identify the problem in the code below.

Code:

class CDummyClass
{
public:
	CDummyClass()
	{
	}

	static HRESULT (__thiscall *WriteTag_Unhook)(DWORD x1,DWORD x2,DWORD x3,DWORD x4);

	HRESULT __thiscall WriteTag_M(DWORD x1,DWORD x2,DWORD x3,DWORD x4)
	{
		writeLog(L"WriteTag_M");//----------------------------------------> Logged ONCE
		return WriteTag_Unhook(x1,x2,x3,x4);//----------------------------> Crash ???????? Can't Figure out Why.....
	}

	~CDummyClass()
	{
	}
};

HRESULT (__thiscall* CDummyClass::WriteTag_Unhook)(DWORD x1,DWORD x2,DWORD x3,DWORD x4) =NULL;


static HRESULT (__thiscall CDummyClass::* WriteTagVar)(DWORD,DWORD,DWORD,DWORD) = &CDummyClass::WriteTag_M;
PVOID WriteTagAddr = (PVOID) (void*&) WriteTagVar;

//HookCode line
HookCode((PVOID)addr_WriteTag,WriteTagAddr,(PVOID*)&CDummyClass::WriteTag_Unhook);

//UnhookCode line
UnhookCode((PVOID*)&CDummyClass::WriteTag_Unhook);
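Editor's added example, not code from this thread, from madCodeHook or from MSHTML. It puts madshi's two-step trick from his earlier post (a static pointer-to-member, then the `(void*&)` cast to get a raw code address) into a compilable file, and it shows the forwarding pointer declared as a pointer-to-member of the dummy class, so that `(this->*WriteTag_Next)(...)` hands the target's `this` on to the original. Note that the posted code above calls `WriteTag_Unhook(x1,x2,x3,x4)` through a plain function pointer with only the four DWORDs, while a `__thiscall` target also expects `this`. `CTagStream` is a constructed stand-in for `CHtmTagStm`, `CDummyHook`, `RunDemo` and the sample tags are assumptions, and HookCode's code patching is simulated with pointer swaps so the file runs anywhere (on MSVC x86 the `THISCALL` macro expands to `__thiscall`).

```cpp
// Added example: dummy-class hook that forwards `this` to the original, plus the
// (void*&) pointer-to-member trick. Stand-alone; no Windows headers required.
#include <cstdio>
#include <cstring>
#include <cwchar>
#include <string>
#include <vector>

#ifdef _MSC_VER
#define THISCALL __thiscall   // x86 MSVC: `this` in ECX, callee pops the arguments
#else
#define THISCALL              // GCC/Clang: default member-function convention
#endif

typedef long HRESULT;         // minimal stand-ins so this builds without <windows.h>
typedef unsigned long DWORD;

// Constructed stand-in for the target class; only WriteTag matters here.
class CTagStream {
public:
    std::vector<std::wstring> written;
    HRESULT THISCALL WriteTag(DWORD /*x1*/, const wchar_t* tag, DWORD len, int /*x4*/) {
        written.push_back(std::wstring(tag, len));   // the "original" behaviour
        return 0;
    }
};

// Dummy class for the hook. It has no data members: inside WriteTag_Hook, `this`
// is really the target object's pointer, which the hook only passes along.
class CDummyHook {
public:
    typedef HRESULT (THISCALL CDummyHook::*NextFn)(DWORD, const wchar_t*, DWORD, int);

    // A pointer-to-member of this class, not a free function pointer, so that the
    // call below forwards `this` together with the four arguments.
    static NextFn WriteTag_Next;
    static std::vector<std::wstring> observed;   // what the hook logged

    HRESULT THISCALL WriteTag_Hook(DWORD x1, const wchar_t* tag, DWORD len, int x4) {
        observed.push_back(std::wstring(tag, len));
        return (this->*WriteTag_Next)(x1, tag, len, x4);   // same `this`, same 4 args
    }
};
CDummyHook::NextFn CDummyHook::WriteTag_Next = nullptr;
std::vector<std::wstring> CDummyHook::observed;

// madshi's step 2: the language has no pointer-to-member -> void* conversion, but
// reinterpreting the storage yields the code address of a non-virtual member.
template <class PM> void* RawAddress(PM pm) { return (void*&)pm; }

// Reverse direction. Zero-initialising first matters on GCC/Clang, where a
// pointer-to-member carries a second "this adjustment" word that must stay 0.
template <class PM> PM MemberFromAddress(void* addr) {
    PM pm = nullptr;
    std::memcpy(&pm, &addr, sizeof addr);
    return pm;
}

// Pushes two tags through the hook and returns how many reached the original
// with the same text the hook observed (expected: 2).
int RunDemo() {
    CDummyHook::observed.clear();
    CTagStream stream;

    // What HookCode does with real code patching, expressed as pointer swaps: the
    // target's entry becomes the hook, and the hook learns where the original is.
    typedef HRESULT (THISCALL CTagStream::*TargetFn)(DWORD, const wchar_t*, DWORD, int);
    void* originalAddr = RawAddress<TargetFn>(&CTagStream::WriteTag);
    void* hookAddr     = RawAddress<CDummyHook::NextFn>(&CDummyHook::WriteTag_Hook);
    CDummyHook::WriteTag_Next = MemberFromAddress<CDummyHook::NextFn>(originalAddr);
    TargetFn hooked           = MemberFromAddress<TargetFn>(hookAddr);

    const wchar_t* tags[] = { L"<html>", L"<body>" };   // constructed sample input
    for (const wchar_t* t : tags)
        (stream.*hooked)(0, t, (DWORD)std::wcslen(t), 1);

    int intact = 0;
    for (size_t i = 0; i < stream.written.size() && i < CDummyHook::observed.size(); ++i)
        if (stream.written[i] == CDummyHook::observed[i]) ++intact;
    return intact;
}

int main() {
    std::printf("%d tag(s) passed through the hook to the original\n", RunDemo());
    return 0;
}
```

The forwarding pointer is the part to compare with the posted code: because `WriteTag_Next` is a member of `CDummyHook`, the compiler emits the `this`-passing sequence of the member-function convention on every platform, which is what the `retn 10h` target in the thread is built to receive.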
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem in hooked mshtml native method

Post by madshi »

Not sure why you name it "unhook", that's not really what it is. The name is confusing, see also Iconic's post where he thought you'd actually unhook. What you're really doing is not unhooking at all, instead you're trying to call the next hook or the original code. Anyway, this is just naming, so it's not really all that important...

I'm not sure why the crash occurs. Are you sure that you got the number of parameters and the calling convention right? You might want to look at the asm code in the debugger and step through it instruction by instruction to understand what's going on. FWIW, when you call "WriteTag_Unhook", madCodeHook adds some special code for safe unhooking etc. That might be confusing when stepping through the code in the debugger. For easier debugging you may want to use the flag "NO_SAFE_UNHOOKING". But don't forget to remove the flag again when you're done.