Hi everyone,
In my research I want to hook (intercept) the method (virtual tables hook) "ExecQuery" of "IWbemServices" interface(COM objects)
and I use Application Verifier (note: important only for injection in this thread) to inject a dll in the beginning of a specific process.
We can assume that the above process is using com objects and will use "ExecQuery" method during its execution, ("CoCreateInstance" and "ConnectServer" too.).
I want the dll to hook "ExecQuery" after injection. (ofcourse I waited till ole32.dll and fastprox.dll were loaded).
From my knowledge I know I need to create a com instance, and use it to query "IWbemServices" interface.
After I get the interface I can hook the virtual table of it.
Code copy of the process to execute:
Code copy of DLL:
The COM functions used in MAIN(above process) are working.
I get an E_FAIL from
"hres2 = CoCreateInstance(
CLSID_WbemLocator,
0,
CLSCTX_INPROC_SERVER,
IID_IWbemLocator, (LPVOID *)&pLoc2);"
code in dll function.
and IWbemLocator and IWbemServices stay NULL.
any suggestions?
A working code sample will be good also.
In my research I want to hook (intercept) the method (virtual tables hook) "ExecQuery" of "IWbemServices" interface(COM objects)
and I use Application Verifier (note: important only for injection in this thread) to inject a dll in the beginning of a specific process.
We can assume that the above process is using com objects and will use "ExecQuery" method during its execution, ("CoCreateInstance" and "ConnectServer" too.).
I want the dll to hook "ExecQuery" after injection. (ofcourse I waited till ole32.dll and fastprox.dll were loaded).
From my knowledge I know I need to create a com instance, and use it to query "IWbemServices" interface.
After I get the interface I can hook the virtual table of it.
Code copy of the process to execute:
Code:
wchar_t comName[MAX_PATH]=L"test";
DWORD dComputer = MAX_PATH;
WCHAR temp[MAX_PATH];// = L"ProcessorNameString";
//LPSTARTUPINFOW stinfo=NULL;
char lzValue[255];
HKEY hKey;
LONG returnStatus;
DWORD dwType = REG_SZ;
DWORD dwSize = 255;
unsigned int i = 1000;
HRESULT hres;
IEnumWbemClassObject* pEnumerator;
IWbemServices *pSvc=NULL;
IWbemLocator *pLoc = NULL;
hres = CoInitializeEx(0, COINIT_MULTITHREADED);
hres = CoInitializeSecurity(
NULL,
-1, // COM authentication
NULL, // Authentication services
NULL, // Reserved
RPC_C_AUTHN_LEVEL_DEFAULT, // Default authentication
RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation
NULL, // Authentication info
EOAC_NONE, // Additional capabilities
NULL // Reserved
);
unsigned int te2 = GetLastError();
printf("%d\n",te2);
hres = CoCreateInstance(
CLSID_WbemLocator,
0,
CLSCTX_INPROC_SERVER,
IID_IWbemLocator, (LPVOID *)&pLoc);
te2 = GetLastError();
printf("%d\n", te2);
hres = pLoc->ConnectServer(
L"ROOT\\CIMV2", // Object path of WMI namespace
NULL, // User name. NULL = current user
NULL, // User password. NULL = current
0, // Locale. NULL indicates current
NULL, // Security flags.
0, // Authority (for example, Kerberos)
0, // Context object
&pSvc // pointer to IWbemServices proxy
);
te2 = GetLastError();
printf("%d\n", te2);
hres = pSvc->ExecQuery(L"WQL", L"SELECT * from Win32_Processor", WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &pEnumerator);Code copy of DLL:
Code:
BOOL WINAPI DllMain(
_In_ HINSTANCE hinstDLL,
_In_ DWORD fdwReason,
_In_ LPVOID lpvReserved
)
{
PRTL_VERIFIER_PROVIDER_DESCRIPTOR* pVPD = (PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)lpvReserved;
UNREFERENCED_PARAMETER(hinstDLL);
switch (fdwReason) {
case DLL_PROCESS_VERIFIER:
ucmRegisterProvider(); // new - getting callback of every loaded dll
*pVPD = &avrfDescriptor;
break;
}
if (t1 == 1) //wait till "fastprox.dll" is loaded...
{
InstallComInterfaceHooks(NULL);
}
return TRUE;
}
HRESULT InstallComInterfaceHooks(IUnknown* originalInterface)
{
HRESULT hres2;
IWbemLocator *pLoc2 = NULL;
hres2 = CoCreateInstance(
CLSID_WbemLocator,
0,
CLSCTX_INPROC_SERVER,
IID_IWbemLocator, (LPVOID *)&pLoc2);
IWbemServices *pSvc2 = NULL;
hres2 = pLoc2->ConnectServer(
BSTR(L"ROOT\\CIMV2"), // Object path of WMI namespace
NULL, // User name. NULL = current user
NULL, // User password. NULL = current
0, // Locale. NULL indicates current
NULL, // Security flags.
0, // Authority (for example, Kerberos)
0, // Context object
&pSvc2 // pointer to IWbemServices proxy
);
// Only single instance of a target object is supported in the sample
if (g_Context.get())
return E_FAIL;
// getting the interface of the object
//IUnknown *so;
IWbemServices *so = NULL;
//CoCreateInstance(CLSID_IWBEM)
//ATL::CComPtr<IWbemServices> so;
HRESULT hr = pSvc2->QueryInterface(IID_IWbemServices, (void**)&so);
if (FAILED(hr))
return hr; // we need this interface to be present
// remove protection from the vtable
DWORD dwOld = 0;
if (!::VirtualProtect(*(PVOID**)(originalInterface), sizeof(LONG_PTR), PAGE_EXECUTE_READWRITE, &dwOld))
return E_FAIL;
// hook interface methods
g_Context.reset(new Context);
HookMethod(originalInterface, (PVOID)Hook::ExecQuery, &g_Context->m_OriginalExecQuery, 20);
return S_OK;
}The COM functions used in MAIN(above process) are working.
I get an E_FAIL from
"hres2 = CoCreateInstance(
CLSID_WbemLocator,
0,
CLSCTX_INPROC_SERVER,
IID_IWbemLocator, (LPVOID *)&pLoc2);"
code in dll function.
and IWbemLocator and IWbemServices stay NULL.
any suggestions?
A working code sample will be good also.