hookcode fails in powerpoint for mch3.1.xx

c++ / delphi package - dll injection and api hooking

Postby wali » Tue Oct 11, 2016 9:29 am

Environment: Win7 & Win10, Office 2010 & Office 2013 & Office 2016
mch 3.1.11 & mch 3.1.12 & mch 3.1.13
Steps:
1. Register our add-in, see "NLOfficePEP.dll" in the attached document.
2. hookcode after hookapi when doing the drag and drop action, see "HookAPI.cpp" in the attached document.
3. First drag text: succeeded.
   Then drag slides: failed.
4. Close PowerPoint, first drag slides: succeeded.
   Then drag text: failed.

Following WinDbg assembly debugging, I found that the first injection always succeeded and the second injection failed.
What is critical is that HookCode always returns TRUE.
Attachments
NLOfficePEP3.7z (21.48 KiB): before uncompressing, please rename to NLOfficePEP.7z.003
NLOfficePEP2.7z (256 KiB): before uncompressing, please rename to NLOfficePEP.7z.002
NLOfficePEP1.7z (256 KiB): before uncompressing, please rename to NLOfficePEP.7z.001
wali
 
Posts: 23
Joined: Tue Oct 11, 2016 7:05 am

Re: hookcode fails in powerpoint for mch3.1.xx

Postby wali » Thu Oct 13, 2016 4:12 am

Here is one additional tip: the demo works normally for mch 3.0.
wali

Re: hookcode fails in powerpoint for mch3.1.xx

Postby madshi » Thu Oct 13, 2016 9:14 am

Neither RAR nor 7zip seem to be able to extract the attached 7z files. Maybe my 7zip installation is outdated, but I don't really want to update it at this point. Maybe you can use simple zip format?

What do you mean by "injection" succeeded or failed? Do you mean DLL injection? That doesn't really make a lot of sense to me.

Do you have any more information about the "failed" situation? What does "failed" mean exactly? Does your PC explode in that moment? Does the OS bluescreen? Or how do you decide when things "failed" or "succeeded"?
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: hookcode fails in powerpoint for mch3.1.xx

Postby wali » Thu Oct 13, 2016 10:05 am

1. I changed the 7z file names because uploading was denied for invalid file type. Before extracting the 7z files, you should just rename them back, such as NLOfficePEP.7z.001.
Anyway, the attachments are simple rar files.
2. When talking about "injection failed", I mean the assembly instruction 'jmp' has not been inserted.
3. No OS bluescreen, no PC explosion, just no "jmp" instruction in the expected assembly code.
And "HookCode" returns True.

Thanks!
Attachments
NLOfficePEP.part02.rar (197.77 KiB)
NLOfficePEP.part01.rar (256 KiB)
wali

Re: hookcode fails in powerpoint for mch3.1.xx

Postby wali » Mon Oct 17, 2016 1:24 am

Any progress? Thank you.
wali

Re: hookcode fails in powerpoint for mch3.1.xx

Postby wali » Tue Oct 25, 2016 1:33 am

It is an urgent problem for the company products of NEXTLAB.
Would you please pay more attention to this bug, and give a quick reply?
Thank you!
wali

Re: hookcode fails in powerpoint for mch3.1.xx

Postby madshi » Tue Oct 25, 2016 8:09 am

I'm sorry for the late reply. This is high on my to do list, I think I should get to it this week.
madshi

Re: hookcode fails in powerpoint for mch3.1.xx

Postby madshi » Thu Oct 27, 2016 2:38 pm

I've tried to reproduce the issue you reported.

I'm having trouble getting "DoDragDrop" to be called at all when trying to drag slides in PowerPoint 2010 x64 on my Windows 8.1 x64 PC. The API gets called fine when dragging text, but not at all when dragging slides, it seems. That's different from your report. Even if I restart PowerPoint and then directly drag slides (without having dragged text first), "DoDragDrop" doesn't seem to be called at all.

Maybe I'm dragging slides in the wrong way? How do you do that? I just simply start with an empty project, then I copy the one and only slide, so I have 2 slides. Then I drag the first slide to the 2nd, so they swap their order. Do you use a different way of slide dragging?

FWIW, your code has one problem that I can see: You're repeatedly calling HookCode(), using the same "NextQueryContinueDrag" function variable, without properly unhooking the old hook before. That's not correct usage. Please try inserting the following code before your HookCode() call. Maybe that already "fixes" the issue?

Code:
   if (NextQueryContinueDrag != NULL)
   {
      UnhookCode((PVOID*)&NextQueryContinueDrag);
      NextQueryContinueDrag = NULL;
   }
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm
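
The unhook-before-rehook rule from the post above, as an added example that is not madshi's code and not madCodeHook's implementation. SimHookCode and SimUnhookCode are hypothetical stand-ins that model the behaviour reported in this thread (a next-hook variable that still owns a hook is refused while success is still reported), and the prologue bytes are constructed.

```cpp
#include <cstdint>
#include <map>

struct Live { uint8_t* code; uint8_t saved; };
static std::map<void**, Live> g_live;           // live hooks, keyed by next-hook variable
const uint8_t kJmp = 0xE9;                      // x86 "jmp rel32" opcode

// Stand-in (assumption): refuses a next-hook variable that is still in use,
// patches nothing in that case, yet reports success, as observed in the thread.
bool SimHookCode(uint8_t* code, void** next) {
    if (g_live.count(next)) return true;        // silently blocked
    g_live[next] = Live{code, code[0]};
    code[0] = kJmp;                             // model the inserted jmp
    *next = code;                               // non-null token for the trampoline
    return true;
}

bool SimUnhookCode(void** next) {
    auto it = g_live.find(next);
    if (it == g_live.end()) return false;
    it->second.code[0] = it->second.saved;      // restore the original byte
    g_live.erase(it);
    return true;
}

// Release any earlier hook bound to *next, install the new one, then confirm
// the patch by reading the target back instead of trusting the return value.
bool HookVerified(uint8_t* code, void** next, bool unhookFirst) {
    if (unhookFirst && *next != nullptr) {
        SimUnhookCode(next);
        *next = nullptr;
    }
    bool reported = SimHookCode(code, next);
    return reported && code[0] == kJmp;
}

// Two drag sources sharing one next-hook variable.
// Result: bit0 = first target still patched, bit1 = second hook verified.
int RunScenario(bool unhookFirst) {
    uint8_t textDrag[4]  = {0x48, 0x89, 0x5C, 0x24};   // constructed bytes
    uint8_t slideDrag[4] = {0x40, 0x53, 0x48, 0x83};   // constructed bytes
    void* next = nullptr;
    HookVerified(textDrag, &next, unhookFirst);
    bool second = HookVerified(slideDrag, &next, unhookFirst);
    int result = (textDrag[0] == kJmp ? 1 : 0) | (second ? 2 : 0);
    SimUnhookCode(&next);                       // leave no state behind
    return result;
}

int main() { return (RunScenario(false) == 1 && RunScenario(true) == 2) ? 0 : 1; }
```

Without the unhook step the scenario returns 1 (only the first target carries the jmp); with it the scenario returns 2 (the first target is restored and the second is patched).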

Re: hookcode fails in powerpoint for mch3.1.xx

Postby wali » Fri Oct 28, 2016 4:02 am

You are correct, the repeated call is the reason.
I am curious why mch 3.0 works fine.
wali

Re: hookcode fails in powerpoint for mch3.1.xx

Postby madshi » Fri Oct 28, 2016 9:21 am

So the problem is solved?

At some point I think I added a check to detect if the same hook callback function is used repeatedly and to block that. Probably 3.0 doesn't have that check yet.
madshi

Re: hookcode fails in powerpoint for mch3.1.xx

Postby wali » Fri Oct 28, 2016 9:55 am

Yes, it is solved.
Thanks.
wali

