i have question error code 0x770002

c++ / delphi package - dll injection and api hooking

i have question error code 0x770002

Postby kimjw0820 » Wed Nov 30, 2016 9:54 am

Hello madshi,

I am trying to hook methods such as CoCreateInstance from Ole32.dll
but office 2016 32bit word, excel, ppt HookAPI fail.

error code : 0x770002

test : win10 64bit / office 32bit
3PC test..

office 2013 CoCreateInstance hook success.
office 2016 another api hook success.
another process hook success.

Thanks. :)
kimjw0820
 
Posts: 30
Joined: Fri Sep 11, 2015 1:54 am

Re: i have question error code 0x770002

Postby madshi » Thu Dec 15, 2016 10:11 am

This error code means "code not interceptable", which means that madCodeHook has the opinion that trying to hook that API would result in stability issues.

Are you calling HookAPI with any special flags? How does your HookAPI call look like exactly?
madshi
Site Admin
 
Posts: 10232
Joined: Sun Mar 21, 2004 5:25 pm

Re: i have question error code 0x770002

Postby kimjw0820 » Mon Dec 19, 2016 8:06 am

not special flags..
i calling function to HookAPI("ole32.dll", "CoCreateInstance", reinterpret_cast<void *>(new_function), reinterpret_cast<void **>(&original_function)) ...

only ms-office 2016 fail..
kimjw0820
 
Posts: 30
Joined: Fri Sep 11, 2015 1:54 am

Re: i have question error code 0x770002

Postby madshi » Fri Jan 06, 2017 6:02 pm

Sorry for the late reply.

Unfortunately I only have an Office 2010 license, so I'm not sure how I can test Office 2016. Any ideas? Maybe you could create a test VM for me, so that I could reproduce the problem on my PC? You could email me the VM download URL, and of course I would delete the VM after testing is done.

You're saying the problem occurs with Office 32bit. Have you tested Office 64bit? Does the problem occur there, too? (I'm not sure if Office even exists in a 64bit version.)

Which exact madCodeHook build are you using?
madshi
Site Admin
 
Posts: 10232
Joined: Sun Mar 21, 2004 5:25 pm

Re: i have question error code 0x770002

Postby kimjw0820 » Tue Jan 10, 2017 1:57 am

hello madshi,
you posible try office 365 for free?
try 1-month free (https://products.office.com/en-us/try)

using version 3.1.12 - 2016-12-07 download

Thanks :)
kimjw0820
 
Posts: 30
Joined: Fri Sep 11, 2015 1:54 am

Re: i have question error code 0x770002

Postby madshi » Tue Jan 10, 2017 8:26 am

Does the problem occur with that version, too?
madshi
Site Admin
 
Posts: 10232
Joined: Sun Mar 21, 2004 5:25 pm

Re: i have question error code 0x770002

Postby kimjw0820 » Thu Jan 12, 2017 12:50 am

yes, office 365 == office 2016
kimjw0820
 
Posts: 30
Joined: Fri Sep 11, 2015 1:54 am

Re: i have question error code 0x770002

Postby kimjw0820 » Wed Apr 26, 2017 5:57 am

hello..??
kimjw0820
 
Posts: 30
Joined: Fri Sep 11, 2015 1:54 am

Re: i have question error code 0x770002

Postby madshi » Wed Apr 26, 2017 10:54 pm

Sorry for failing to follow-up on this one.

Recently I had another customer report a similar problem, and he told me that upgrading to the latest madCodeHook build solved the issue for him. Could you try the latest build?

http://madshi.net/madCollection.exe
madshi
Site Admin
 
Posts: 10232
Joined: Sun Mar 21, 2004 5:25 pm

Re: i have question error code 0x770002

Postby kimjw0820 » Fri Apr 28, 2017 3:02 am

hello,
madchook 3.x, 4.x Still failing...
date 3.29~3.30 build lib office 2016 CoCreateInstance hook fail..
kimjw0820
 
Posts: 30
Joined: Fri Sep 11, 2015 1:54 am

Re: i have question error code 0x770002

Postby ankur_singh » Wed Jan 08, 2020 3:29 pm

Hello Madshi,

I am facing same issue in office 365 on using HookAPI (error code : 0x770002). If I use HookCode hook is getting Installed successfully and working for maximum calls but for File Save Dialogue my callbackFunc is not getting called. Same code is working properly on office 2016 msi.

Thanks
ankur_singh
 
Posts: 4
Joined: Wed Jan 08, 2020 1:40 pm

Re: i have question error code 0x770002

Postby madshi » Wed Jan 08, 2020 3:38 pm

I'm not sure I understand the HookCode vs HookAPI distinction. Can you clarify?
madshi
Site Admin
 
Posts: 10232
Joined: Sun Mar 21, 2004 5:25 pm

Re: i have question error code 0x770002

Postby ankur_singh » Wed Jan 08, 2020 6:42 pm

I tried to hook CoCreateInstance from Ole32.dll by calling HookApi but it failed with error ->
Failed to install hook. NTSTATUS: 0x770002 Description: ole32.dll@CoCreateInstance
. This only happens on machine with MS office 365. Hook is successful on machine with office 2016 / 2013.

I also tried to hook same method (CoCreateInstance ) by calling HookCode, I didn't got any error even on Office 365 machine. Only weird thing which I noticed is that, CoCreateInstance hook is working for all COM interfaces expect IFileDialogue.

Both method ( HookCode and HookApi ) is causing some problem while hooking CoCreateInstance method of ole32.dll. Please suggest me how to solve these issues.
Thanks :D
ankur_singh
 
Posts: 4
Joined: Wed Jan 08, 2020 1:40 pm

Re: i have question error code 0x770002

Postby iconic » Wed Jan 08, 2020 8:01 pm

Hello,

What you're saying is... Hooking CoCreateInstance() only fails with MS Office 365 and only when using HookAPI(), HookCode() succeeds though?
Is this correct or incorrect in its entirety?
CoCreateInstance hook is working for all COM interfaces expect IFileDialogue.

What this suggests is that HookCode() did correctly install the hook and all
interfaces can be accessed except for IFileDialog. But, how do you even know
that an instance of IFileDialog is even being instantiated? What if it's now
a newer dialog derived from a different base class or perhaps some custom interface altogether?
How are you checking for IFileDialog, CLSID, IID, both?

It may never even be instantiated. Also, Office 365 might even be calling the different API CoCreateInstanceEx()
The fact that it works with other interfaces tells me the hook is working fine (meaning HookCode() installed it fine, that is)

Now, what is strange is how HookAPI() is not succeeding yet HookCode() is hooking correctly. HookAPI() needs to translate the
API and module name into the correct function pointer and then the behavior becomes very similar to
HookCode()'s internal functionality. We may have to investigate that with Office 365. What do your HookAPI() flags look like?
Are you supplying the parameter with any flags?

Also, if you read above in this same thread, 0x770002 is actually not a real NTSTATUS issued from Windows.
It's a custom error code set when madDisasm determines that that code's structure isn't suitable for stable
hooking. Hence the custom meaning of the error "Code is not Interceptable". But, it is, so we'll need to look
at this most likely. Madshi may have more to say about this though so I don't want to jump to conclusions yet.

--Iconic
iconic
Site Admin
 
Posts: 960
Joined: Wed Jun 08, 2005 5:08 am

Re: i have question error code 0x770002

Postby ankur_singh » Thu Jan 09, 2020 10:24 am

But, how do you even know that an instance of IFileDialog is even being instantiated?


I am using API monitor tool ( http://www.rohitab.com/apimonitor ) to trap the calls of CoCreateInstance. I am getting CoCreateInstance for IFIleDialogue in office 365. One thing which I also noticed is that hook only fails when CoCreateInstance is called from mso.dll of office 365.
ankur_singh
 
Posts: 4
Joined: Wed Jan 08, 2020 1:40 pm

Next

Return to madCodeHook

Who is online

Users browsing this forum: No registered users and 16 guests