MCH 3.1.10 and shell32!CFileOperation::SetOperationFlags

Postby EaSy » Tue Sep 22, 2015 11:08 am

Hi,
we have a new problem with hooking shell32!CFileOperation::SetOperationFlags on W8 and higher, x64 version, using the new MCH 3.1.10. The problem is that the hooked orig function returns E_INVALIDARG instead of S_OK. The only difference from the previous version is the bugfix "(2) fixed: some conflicts with other hook libraries (x64)". Are you able to fix this, or do you need more info? Thx.

PP
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: MCH 3.1.10 and shell32!CFileOperation::SetOperationFlags

Postby madshi » Tue Sep 22, 2015 2:52 pm

That's quite surprising, to be honest. Is this only with x64, or does it happen with x86, too? Could you provide a disasm of the to-be-hooked function before and after it's hooked? And maybe also a disasm of the trampoline, if that's not too much effort. That would be a great help - thank you!
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH 3.1.10 and shell32!CFileOperation::SetOperationFlags

Postby EaSy » Wed Sep 23, 2015 8:17 am

orig
0:087> uf shell32!CFileOperation::SetOperationFlags
SHELL32!CFileOperation::SetOperationFlags:
00007ffc`dfcf8dc8 f6c203          test    dl,3
00007ffc`dfcf8dcb 0f85ec9e2f00    jne     SHELL32!CFileOperation::SetOperationFlags+0xe (00007ffc`dfff2cbd)

SHELL32!CFileOperation::SetOperationFlags+0x5:
00007ffc`dfcf8dd1 4883c1f0        add     rcx,0FFFFFFFFFFFFFFF0h
00007ffc`dfcf8dd5 eb09            jmp     SHELL32!CFileOperation::SetOperationFlagsWithoutValidation (00007ffc`dfcf8de0)

SHELL32!CFileOperation::SetOperationFlagsWithoutValidation:
00007ffc`dfcf8de0 899158030000    mov     dword ptr [rcx+358h],edx
00007ffc`dfcf8de6 89514c          mov     dword ptr [rcx+4Ch],edx
00007ffc`dfcf8de9 f6c240          test    dl,40h
00007ffc`dfcf8dec 0f85d19e2f00    jne     SHELL32!CFileOperation::SetOperationFlagsWithoutValidation+0x11 (00007ffc`dfff2cc3)

SHELL32!CFileOperation::SetOperationFlagsWithoutValidation+0xe:
00007ffc`dfcf8df2 33c0            xor     eax,eax
00007ffc`dfcf8df4 c3              ret

SHELL32!CFileOperation::SetOperationFlags+0xe:
00007ffc`dfff2cbd b857000780      mov     eax,80070057h
00007ffc`dfff2cc2 c3              ret

SHELL32!CFileOperation::SetOperationFlagsWithoutValidation+0x11:
00007ffc`dfff2cc3 81ca00000820    or      edx,20080000h
00007ffc`dfff2cc9 89514c          mov     dword ptr [rcx+4Ch],edx
00007ffc`dfff2ccc e92161d0ff      jmp     SHELL32!CFileOperation::SetOperationFlagsWithoutValidation+0xe (00007ffc`dfcf8df2)


3.1.9
0:038> uf 00007ffc`e1ed0000
SHELL32!CFileOperation::SetOperationFlags+0x5:
00007ffc`dfcf8dd1 4883c1f0        add     rcx,0FFFFFFFFFFFFFFF0h
00007ffc`dfcf8dd5 eb09            jmp     SHELL32!CFileOperation::SetOperationFlagsWithoutValidation (00007ffc`dfcf8de0)

SHELL32!CFileOperation::SetOperationFlagsWithoutValidation:
00007ffc`dfcf8de0 899158030000    mov     dword ptr [rcx+358h],edx
00007ffc`dfcf8de6 89514c          mov     dword ptr [rcx+4Ch],edx
00007ffc`dfcf8de9 f6c240          test    dl,40h
00007ffc`dfcf8dec 0f85d19e2f00    jne     SHELL32!CFileOperation::SetOperationFlagsWithoutValidation+0x11 (00007ffc`dfff2cc3)

SHELL32!CFileOperation::SetOperationFlagsWithoutValidation+0xe:
00007ffc`dfcf8df2 33c0            xor     eax,eax
00007ffc`dfcf8df4 c3              ret

SHELL32!CFileOperation::SetOperationFlags+0xe:
00007ffc`dfff2cbd b857000780      mov     eax,80070057h
00007ffc`dfff2cc2 c3              ret

SHELL32!CFileOperation::SetOperationFlagsWithoutValidation+0x11:
00007ffc`dfff2cc3 81ca00000820    or      edx,20080000h
00007ffc`dfff2cc9 89514c          mov     dword ptr [rcx+4Ch],edx
00007ffc`dfff2ccc e92161d0ff      jmp     SHELL32!CFileOperation::SetOperationFlagsWithoutValidation+0xe (00007ffc`dfcf8df2)

00007ffc`e1ed0000 ff2500000000    jmp     qword ptr [00007ffc`e1ed0006]

00007ffc`e1ee0000 f6c203          test    dl,3
00007ffc`e1ee0003 0f85b42c11fe    jne     SHELL32!CFileOperation::SetOperationFlags+0xe (00007ffc`dfff2cbd)

00007ffc`e1ee0009 e9c38de1fd      jmp     SHELL32!CFileOperation::SetOperationFlags+0x5 (00007ffc`dfcf8dd1)


3.1.10
0:108> uf 00007ffc`e1ee0000
00007ffc`e1ee0000 ff2500000000    jmp     qword ptr [00007ffc`e1ee0006]

00007ffc`e1ef0000 f6c203          test    dl,3
00007ffc`e1ef0003 50              push    rax
00007ffc`e1ef0004 48b8bd2cffdffc7f0000 mov rax,offset SHELL32!CFileOperation::SetOperationFlags+0xe (00007ffc`dfff2cbd)
00007ffc`e1ef000e 48870424        xchg    rax,qword ptr [rsp]
00007ffc`e1ef0012 c3              ret


The 3.1.10 version seems to be broken.
Last edited by EaSy on Wed Sep 23, 2015 8:41 am, edited 1 time in total.
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: MCH 3.1.10 and shell32!CFileOperation::SetOperationFlags

Postby madshi » Wed Sep 23, 2015 8:35 am

Oh, I see, thanks. The new code obviously didn't check if it's a conditional (e.g. jne) or unconditional (jmp) jump, and treated both the same. I'm sorry about that. Will fix it urgently and release a new build.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm
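Added example (Python, not madCodeHook's code and not madshi's fix) that reproduces the bug described above on the bytes from the disassembly. The copied prologue is `test dl,3 ; jne rel32`. It is assumed here that the hook library always rewrites a rel32 jump as the absolute `push rax / mov rax,imm64 / xchg rax,[rsp] / ret` stub that the 3.1.10 trampoline shows; the broken variant drops the condition, so `jne` becomes an unconditional jump and every call lands on the `mov eax,80070057h` (E_INVALIDARG) path. The corrected variant is one common way to relocate a conditional jump: emit the inverted short jcc over the stub. The addresses and the tiny interpreter are only there to check where control ends up; nothing executes real shell32 code.

```python
import struct

# Bytes from the thread's "orig" disassembly: the first two instructions of
# SHELL32!CFileOperation::SetOperationFlags that the hook overwrites.
ORIG_ADDR = 0x00007FFCDFCF8DC8
PROLOGUE = bytes.fromhex("f6c203"         # test dl,3
                         "0f85ec9e2f00")  # jne rel32 -> +0xe (returns E_INVALIDARG)


def abs_jmp(target):
    """push rax ; mov rax, imm64 ; xchg rax,[rsp] ; ret -- the position
    independent absolute jump the 3.1.10 trampoline uses."""
    return (b"\x50" + b"\x48\xb8" + struct.pack("<Q", target)
            + b"\x48\x87\x04\x24" + b"\xc3")


def relocate(prologue, orig_addr, fixed=True):
    """Copy `prologue` into a trampoline, rewriting each rel32 jcc as an
    absolute jump stub.  With fixed=False the condition is dropped, which is
    the 3.1.10 behaviour shown in the thread (assumed reconstruction)."""
    out = bytearray()
    i = 0
    while i < len(prologue):
        op = prologue[i]
        if op == 0xF6 and prologue[i + 1] == 0xC2:            # test dl, imm8
            out += prologue[i:i + 3]
            i += 3
        elif op == 0x0F and 0x80 <= prologue[i + 1] <= 0x8F:  # jcc rel32
            cc = prologue[i + 1] & 0x0F
            rel = struct.unpack_from("<i", prologue, i + 2)[0]
            target = orig_addr + i + 6 + rel                  # rel is from next insn
            i += 6
            stub = abs_jmp(target)
            if fixed:
                # j<!cc> rel8 over the stub: flipping the low bit of the
                # condition code inverts it, so the absolute jump is skipped
                # exactly when the original jcc would have fallen through.
                out += bytes([0x70 | (cc ^ 1), len(stub)]) + stub
            else:
                out += stub   # BUG: the jump is now unconditional
        else:
            raise NotImplementedError(f"opcode {op:#04x} at {i}")
    # Tail: continue with the first original instruction that was not copied.
    out += abs_jmp(orig_addr + len(prologue))
    return bytes(out)


def execute(code, dl):
    """Minimal interpreter for the instructions a trampoline built here can
    contain.  Returns the address control leaves to, for a given DL (low byte
    of the dwOperationFlags argument in RDX)."""
    ip, zf = 0, False
    while True:
        op = code[ip]
        if op == 0xF6 and code[ip + 1] == 0xC2:               # test dl, imm8
            zf = (dl & code[ip + 2]) == 0
            ip += 3
        elif 0x70 <= op <= 0x7F:                              # jcc rel8
            cc = op & 0x0F
            taken = {0x4: zf, 0x5: not zf}[cc]                # je / jne only
            ip += 2 + (struct.unpack_from("<b", code, ip + 1)[0] if taken else 0)
        elif op == 0x50 and code[ip + 1:ip + 3] == b"\x48\xb8":  # abs_jmp stub
            return struct.unpack_from("<Q", code, ip + 3)[0]
        else:
            raise NotImplementedError(f"opcode {op:#04x} at {ip}")


E_INVALIDARG_PATH = 0x00007FFCDFFF2CBD       # +0xe: mov eax,80070057h ; ret
CONTINUE_PATH = ORIG_ADDR + len(PROLOGUE)    # 0x7ffcdfcf8dd1: add rcx,-10h ...

if __name__ == "__main__":
    good = relocate(PROLOGUE, ORIG_ADDR, fixed=True)
    bad = relocate(PROLOGUE, ORIG_ADDR, fixed=False)
    for flags in (0, 1):
        print(f"flags={flags}: fixed -> {execute(good, flags):#x}, "
              f"3.1.10 -> {execute(bad, flags):#x}")
```

With valid flags (DL & 3 == 0) the fixed trampoline continues at the original function, while the unconditional variant always reaches the E_INVALIDARG return, which is exactly the symptom reported in the first post. The first 19 bytes of the broken variant are the bytes WinDbg shows for the 3.1.10 trampoline.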

Re: MCH 3.1.10 and shell32!CFileOperation::SetOperationFlags

Postby EaSy » Wed Sep 23, 2015 8:40 am

thx
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: MCH 3.1.10 and shell32!CFileOperation::SetOperationFlags

Postby madshi » Fri Oct 09, 2015 1:22 pm

Should be fixed in this build:

http://madshi.net/madCollectionBeta.exe (installer 2.7.12.2)

Can you confirm?
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH 3.1.10 and shell32!CFileOperation::SetOperationFlags

Postby EaSy » Mon Oct 12, 2015 11:54 am

It is working.
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm
