Hello,
What you're saying is... Hooking CoCreateInstance() only fails with MS Office 365 and only when using HookAPI(), HookCode() succeeds though?
Is this correct or incorrect in its entirety?
CoCreateInstance hook is working for all COM interfaces expect IFileDialogue.
What this suggests is that HookCode() did correctly install the hook and all
interfaces can be accessed except for IFileDialog. But, how do you even know
that an instance of IFileDialog is even being instantiated? What if it's now
a newer dialog derived from a different base class or perhaps some custom interface altogether?
How are you checking for IFileDialog, CLSID, IID, both?
It may never even be instantiated. Also, Office 365 might even be calling the different API CoCreateInstance
Ex()
The fact that it works with other interfaces tells me the hook is working fine (meaning HookCode() installed it fine, that is)
Now, what is strange is how HookAPI() is not succeeding yet HookCode() is hooking correctly. HookAPI() needs to translate the
API and module name into the correct function pointer and then the behavior becomes very similar to
HookCode()'s internal functionality. We may have to investigate that with Office 365. What do your HookAPI() flags look like?
Are you supplying the parameter with any flags?
Also, if you read above in this same thread, 0x770002 is actually not a real NTSTATUS issued from Windows.
It's a custom error code set when madDisasm determines that that code's structure isn't suitable for stable
hooking. Hence the custom meaning of the error "Code is not Interceptable". But, it is, so we'll need to look
at this most likely. Madshi may have more to say about this though so I don't want to jump to conclusions yet.
--Iconic
