0

I'm trying hook custom Credentential Provider UI, based on ICredentialProvider interface.

Using this guide(Vtable Patching) , i'm succesufly hook COM interface.

But trouble with hooking GetCredentenialAt method, i'm set vtable index equal to 10, and try relogin. LogonUI screen blinking on :Ctrl+Alt+Del Screen:.

my source code:

#include "stdafx.h"
#include "VtableHooks.h"
#include "credentialprovider.h"

namespace Hook
{
    STDMETHODIMP GetCredentialAt(IUnknown* This, DWORD dwIndex, ICredentialProviderCredential** ppcpc);
    STDMETHODIMP QueryInterface(IUnknown* This, REFIID riid, void **ppvObject);
}

struct Context
{
    Context(): m_Name("Hooked object"){}
    PVOID m_OriginalQueryInterface;
    PVOID m_OriginalGetCredentialAt;
    ATL::CComBSTR m_Name;
};
std::auto_ptr<Context> g_Context;
HRESULT HookMethod(IUnknown* original, PVOID proxyMethod, PVOID* originalMethod, DWORD vtableOffset)
{   PVOID* originalVtable = *(PVOID**)original;
    if (originalVtable[vtableOffset] == proxyMethod)
        return S_OK;
    *originalMethod = originalVtable[vtableOffset];
    originalVtable[vtableOffset] = proxyMethod;
    return S_OK;
}

HRESULT InstallComInterfaceHooks(IUnknown* originalInterface, REFIID riid)
{
    HRESULT hr = S_OK;
    if (riid == IID_ICredentialProvider)
    {       
        // Only single instance of a target object is supported in the sample
        if (g_Context.get())return E_FAIL;

        ATL::CComPtr<ICredentialProvider> so;
        HRESULT hr = originalInterface->QueryInterface(IID_ICredentialProvider, (void**)&so);
            if (FAILED(hr)) return hr; // we need this interface to be present

        // remove protection from the vtable
        DWORD dwOld = 0;
        if (!::VirtualProtect(*(PVOID**)(originalInterface), sizeof(LONG_PTR), PAGE_EXECUTE_READWRITE, &dwOld))
            return E_FAIL;

        // hook interface methods
        g_Context.reset(new Context);
        HookMethod(so, (PVOID)Hook::QueryInterface, &g_Context->m_OriginalQueryInterface, 0);
        HookMethod(so, (PVOID)Hook::GetCredentialAt, &g_Context->m_OriginalGetCredentialAt, 10);    
    }
    return hr;
}

typedef HRESULT (WINAPI *QueryInterface_T)(IUnknown* This, REFIID riid, void **ppvObject);
STDMETHODIMP Hook::QueryInterface(IUnknown* This, REFIID riid, void **ppvObject)
{
    QueryInterface_T qi = (QueryInterface_T)g_Context->m_OriginalQueryInterface;
    HRESULT hr = qi(This, riid, ppvObject);
    return hr;
}

typedef HRESULT(WINAPI *GetCredentialAt_T)(IUnknown* This, DWORD dwIndex, ICredentialProviderCredential** ppcpc);
STDMETHODIMP Hook::GetCredentialAt(IUnknown* This, DWORD dwIndex, ICredentialProviderCredential** ppcpc)
{   
    GetCredentialAt_T qi = (GetCredentialAt_T)g_Context->m_OriginalGetCredentialAt;
    HRESULT hr = qi(This, dwIndex, ppcpc);
    return hr;
}
r1se
  • 67
  • 1
  • 1
  • 6
  • I suspect from the error description that you've successfully hooked a vtable in your process, and then expect that to work system-wide. – MSalters Mar 18 '15 at 15:48
  • i dont have error for debugging because my program dont go to Hook::GetCredentialAt – r1se Mar 18 '15 at 16:27

1 Answers1

0

Using IDA, i'm showing load 3rd custom dll. This Dll break interface.

r1se
  • 67
  • 1
  • 1
  • 6