hook COM interface throw vTable

Question

I'm trying hook custom Credentential Provider UI, based on ICredentialProvider interface.

Using this guide(Vtable Patching) , i'm succesufly hook COM interface.

But trouble with hooking GetCredentenialAt method, i'm set vtable index equal to 10, and try relogin. LogonUI screen blinking on :Ctrl+Alt+Del Screen:.

my source code:

#include "stdafx.h"
#include "VtableHooks.h"
#include "credentialprovider.h"

namespace Hook
{
    STDMETHODIMP GetCredentialAt(IUnknown* This, DWORD dwIndex, ICredentialProviderCredential** ppcpc);
    STDMETHODIMP QueryInterface(IUnknown* This, REFIID riid, void **ppvObject);
}

struct Context
{
    Context(): m_Name("Hooked object"){}
    PVOID m_OriginalQueryInterface;
    PVOID m_OriginalGetCredentialAt;
    ATL::CComBSTR m_Name;
};
std::auto_ptr<Context> g_Context;
HRESULT HookMethod(IUnknown* original, PVOID proxyMethod, PVOID* originalMethod, DWORD vtableOffset)
{   PVOID* originalVtable = *(PVOID**)original;
    if (originalVtable[vtableOffset] == proxyMethod)
        return S_OK;
    *originalMethod = originalVtable[vtableOffset];
    originalVtable[vtableOffset] = proxyMethod;
    return S_OK;
}

HRESULT InstallComInterfaceHooks(IUnknown* originalInterface, REFIID riid)
{
    HRESULT hr = S_OK;
    if (riid == IID_ICredentialProvider)
    {       
        // Only single instance of a target object is supported in the sample
        if (g_Context.get())return E_FAIL;

        ATL::CComPtr<ICredentialProvider> so;
        HRESULT hr = originalInterface->QueryInterface(IID_ICredentialProvider, (void**)&so);
            if (FAILED(hr)) return hr; // we need this interface to be present

        // remove protection from the vtable
        DWORD dwOld = 0;
        if (!::VirtualProtect(*(PVOID**)(originalInterface), sizeof(LONG_PTR), PAGE_EXECUTE_READWRITE, &dwOld))
            return E_FAIL;

        // hook interface methods
        g_Context.reset(new Context);
        HookMethod(so, (PVOID)Hook::QueryInterface, &g_Context->m_OriginalQueryInterface, 0);
        HookMethod(so, (PVOID)Hook::GetCredentialAt, &g_Context->m_OriginalGetCredentialAt, 10);    
    }
    return hr;
}

typedef HRESULT (WINAPI *QueryInterface_T)(IUnknown* This, REFIID riid, void **ppvObject);
STDMETHODIMP Hook::QueryInterface(IUnknown* This, REFIID riid, void **ppvObject)
{
    QueryInterface_T qi = (QueryInterface_T)g_Context->m_OriginalQueryInterface;
    HRESULT hr = qi(This, riid, ppvObject);
    return hr;
}

typedef HRESULT(WINAPI *GetCredentialAt_T)(IUnknown* This, DWORD dwIndex, ICredentialProviderCredential** ppcpc);
STDMETHODIMP Hook::GetCredentialAt(IUnknown* This, DWORD dwIndex, ICredentialProviderCredential** ppcpc)
{   
    GetCredentialAt_T qi = (GetCredentialAt_T)g_Context->m_OriginalGetCredentialAt;
    HRESULT hr = qi(This, dwIndex, ppcpc);
    return hr;
}

Answer 1

Using IDA, i'm showing load 3rd custom dll. This Dll break interface.