code not interceptable

c++ / delphi package - dll injection and api hooking
dhkim
Posts: 2
Joined: Thu Aug 17, 2023 4:10 am

code not interceptable

Post by dhkim »

Hi,
I have a question.
I'm using madCodeHook 4.2.1.
I'm trying to hook (using HookCode on a COM interface) PhotosApp.exe in Windows 11.
An error occurs on a specific interface and the error code is 0x770002.
I know that this error code means "code not interceptable".
But other processes have no problem.
How can I solve this problem? Is there an example solution?
iconic
Site Admin
Posts: 1068
Joined: Wed Jun 08, 2005 5:08 am

Re: code not interceptable

Post by iconic »

What API are you hooking in PhotosApp.exe on Windows 11 and is your project code in Delphi or c/c++? The main 2 or 3 things I can think of off the top of my head are the code design does not allow for disassembly that allows for this, it might be prone to a crash or too short, and the 2nd thing I can think of is the code page needed for the trampoline jump area could not be allocated near the original API address. Another possibility, since PhotosApp is likely a sandboxed Metro UI app (now simply called a Store App), is that the process may have a process mitigation policy enforced for dynamic code generation/modification. So, that's all I can think of right now. If you use a free tool (and open source) like Process Hacker you can see which mitigations are set _per_ process. If you see that dynamic code policy is enforced then that's likely the reason. In Process Hacker you can open up the process' Property dialog and at the end of the dialog you'll see "Mitigation Policies". Here's what a random DLLHost.exe process showed me for example, PhotosApp might be just as strict with security (it is now incorporated with OneDrive):


DEP (permanent); ASLR (high entropy, force relocate); Dynamic code prohibited; Strict handle checks; Extension points disabled; CF Guard; Signatures restricted (Microsoft only); Non-system fonts disabled; Images restricted (remote images, low mandatory label images)

--Iconic
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Re: code not interceptable

Post by madshi »

FWIW, error code 0x770002 means that the madCodeHook disassembler has analyzed the code you wanted to hook, and found that it would be dangerous to hook that code. Meaning, hooking it would likely result in instability/crashes. The disassembler looks for things Iconic already mentioned, e.g. the code could be too short (less than 6 bytes long), or it could contain a jump/loop back into the first 6 bytes of the code. In such cases, madCodeHook refuses to install the hook, in order to protect you from crashing the target process.
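Added example, not part of madshi's post and not madCodeHook's own code: a simplified model of the two checks described above (code shorter than 6 bytes, or a branch back into the first 6 bytes). The decoder handles only a small constructed subset of 32-bit x86, and the names `check_interceptable`, `Verdict` and the sample byte arrays are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Verdict { Ok, TooShort, BranchIntoPatch, UnknownOpcode };

// Per the thread: the hook overwrites the first 6 bytes of the target.
const long kPatchLen = 6;

// Linear sweep up to the first `ret`. Decodes only a constructed subset of
// 32-bit x86 (illustrative assumption, nowhere near a full disassembler).
Verdict check_interceptable(const std::vector<uint8_t>& code) {
    const long n = static_cast<long>(code.size());
    long pos = 0;
    bool branch_into_patch = false, done = false;
    while (pos < n && !done) {
        const uint8_t op = code[pos];
        long len = 0, target = -1;
        if (op == 0x90 || (op >= 0x40 && op <= 0x5F)) {
            len = 1;                                   // nop, inc/dec/push/pop r32
        } else if (op == 0xC3) {
            len = 1; done = true;                      // ret ends the function
        } else if (op >= 0xB8 && op <= 0xBF) {
            len = 5;                                   // mov r32, imm32
        } else if (op == 0xEB || (op >= 0x70 && op <= 0x7F)) {
            len = 2;                                   // jmp rel8 / jcc rel8
            if (pos + 1 < n)
                target = pos + 2 + static_cast<int8_t>(code[pos + 1]);
        } else {
            return Verdict::UnknownOpcode;             // refuse rather than guess
        }
        if (pos + len > n) return Verdict::UnknownOpcode;  // truncated instruction
        // A branch landing inside the overwritten bytes would run the hook's
        // patch bytes instead of the original instructions.
        if (target >= 0 && target < kPatchLen) branch_into_patch = true;
        pos += len;
    }
    if (pos < kPatchLen) return Verdict::TooShort;
    return branch_into_patch ? Verdict::BranchIntoPatch : Verdict::Ok;
}

// Constructed samples (not taken from PhotosApp.exe or any real module).
const std::vector<uint8_t> kShort = {0x40, 0xC3};  // inc eax; ret
// mov ecx,5; dec ecx; jnz back to offset 5; ret
const std::vector<uint8_t> kLoop = {0xB9, 0x05, 0, 0, 0, 0x49, 0x75, 0xFD, 0xC3};
// push ebp; mov eax,1; dec ecx; jnz back to offset 6; pop ebp; ret
const std::vector<uint8_t> kSafe = {0x55, 0xB8, 1, 0, 0, 0, 0x49, 0x75, 0xFD, 0x5D, 0xC3};

int main() {
    std::printf("short=%d loop=%d safe=%d\n", static_cast<int>(check_interceptable(kShort)),
                static_cast<int>(check_interceptable(kLoop)), static_cast<int>(check_interceptable(kSafe)));
}
```

The loop sample is rejected only because its `mov` is 5 bytes long, which puts the loop head at offset 5; in the safe sample the extra `push ebp` moves the loop head to offset 6, just past the patched bytes.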
dhkim
Posts: 2
Joined: Thu Aug 17, 2023 4:10 am

Re: code not interceptable

Post by dhkim »

Thank you for the reply, iconic.
The "Mitigation Policies" for PhotosApp.exe look like this.
DEP (permanent); ASLR (high entropy, force relocate); Strict handle checks; Signatures restricted (Store only).
I don't think it is a dynamic code issue.

My project is C/C++, developed with Visual Studio 2019.
I'm trying to hook the IXpsDocumentPackageTarget interface.
The hooked methods are Release (method index 2), GetXpsOMPackageWriter (method index 3), GetXpsOMFactory (method index 4).
Hooking the Release and GetXpsOMFactory methods is no problem, but GetXpsOMPackageWriter is a problem.
iconic
Site Admin
Posts: 1068
Joined: Wed Jun 08, 2005 5:08 am

Re: code not interceptable

Post by iconic »

I've answered a similar question here a few years ago involving the same returned error code and it was also involving interface hooking. I recommended the OP replace the virtual method address directly in the vTable/VMT and it worked fine for him. Please see http://forum.madshi.net/viewtopic.php?f ... 002#p53287

--Iconic