Thursday, February 03, 2011

Intercepting calls to COM interfaces

Contents
1. Introduction
2. Some basic concepts of COM
3. Practical example
3.1. Approach #1: Proxy object
3.2. Approach #2: Vtable patching
4. Conclusions
5. References

Introduction

In this article I’m going to describe how to implement COM interface hooks. COM hooks have something in common with user-mode API hooks (both in goals and in methods), but there are also significant differences due to the features of COM technology. I’m going to show the two most commonly used approaches to the problem, emphasizing the advantages and disadvantages of each one. The code sample is simplified as much as possible so that we can concentrate on the most important parts of the problem.

Some basic concepts of COM

Before we start with intercepting calls to COM objects, I’d like to mention some underlying concepts of COM technology. If you know this stuff well, you can just skip this boring theory and move straight to the practical part.

All COM classes implement one or several interfaces, and every interface must derive from IUnknown, which is used for reference counting and for obtaining pointers to the other interfaces an object implements. Every interface has a globally unique interface identifier (IID). Clients call all methods of a COM object through interface pointers.

This makes COM components independent at the binary level: a COM server can be changed without its clients having to be recompiled (as long as the new version of the server still provides the same interfaces). It is even possible to replace a COM server with your own implementation.
[Figure: vtable.png]
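As an added illustration of the interface model described above (example code written for this page, not taken from the article or its Codeproject sample), here is a small portable imitation of COM with a hypothetical ICalc interface; the IID struct, the HRESULT values and both implementations are constructed stand-ins, not the Windows SDK definitions. The client is compiled against the interface only, so a second implementation, here a proxy that forwards to the original object and counts the calls, can be substituted without touching the client, which is exactly the substitutability the proxy-object approach relies on.

```cpp
#include <cstring>
// Constructed stand-ins for the COM types used below (real COM takes them from windows.h).
typedef long HRESULT; const HRESULT S_OK = 0, E_NOINTERFACE = static_cast<HRESULT>(0x80004002u);
struct IID { unsigned d1; unsigned short d2, d3; unsigned char d4[8]; };   // 16 bytes, no padding
static bool IsEqualIID(const IID& a, const IID& b) { return std::memcmp(&a, &b, sizeof(IID)) == 0; }
// Every interface derives from IUnknown, so the first three vtable slots are always these.
struct IUnknown {
    virtual HRESULT QueryInterface(const IID& iid, void** out) = 0;
    virtual unsigned long AddRef() = 0;
    virtual unsigned long Release() = 0;
};
struct ICalc : IUnknown { virtual int Add(int a, int b) = 0; };   // hypothetical interface
const IID IID_IUnknown = {0, 0, 0, {0xC0, 0, 0, 0, 0, 0, 0, 0x46}};                // placeholder IIDs,
const IID IID_ICalc    = {0x11111111, 0x2222, 0x3333, {4, 5, 6, 7, 8, 9, 10, 11}}; // not registered GUIDs
// IUnknown plumbing shared by the real server and the proxy: reference count plus IID lookup.
struct CalcBase : ICalc {
    unsigned long refs = 1;
    HRESULT QueryInterface(const IID& iid, void** out) override {
        bool ok = IsEqualIID(iid, IID_IUnknown) || IsEqualIID(iid, IID_ICalc);
        *out = ok ? static_cast<ICalc*>(this) : nullptr;
        if (ok) AddRef(); return ok ? S_OK : E_NOINTERFACE;
    }
    unsigned long AddRef() override { return ++refs; }
    unsigned long Release() override { unsigned long r = --refs; if (r == 0) delete this; return r; }
    virtual ~CalcBase() {}
};
struct Calc : CalcBase { int Add(int a, int b) override { return a + b; } };   // the "server"
// Replacement implementation (the article's proxy approach): holds the server's interface pointer,
// forwards every call and counts it on the way through. The client sees nothing but an ICalc*.
struct ProxyCalc : CalcBase {
    ICalc* inner; int seen = 0;
    explicit ProxyCalc(ICalc* i) : inner(i) { inner->AddRef(); }
    ~ProxyCalc() { inner->Release(); }
    int Add(int a, int b) override { ++seen; return inner->Add(a, b); }
};
// Client code: compiled against the interface only, unaware of which implementation it holds.
static int UseCalc(ICalc* c) {
    ICalc* q = nullptr;
    c->QueryInterface(IID_ICalc, reinterpret_cast<void**>(&q));
    int r = q->Add(2, 3) + q->Add(10, 20); q->Release(); return r;
}
// Wires client -> proxy -> server; returns the number of Add calls the proxy observed (2).
int ProxyDemo() {
    ICalc* server = new Calc();
    ProxyCalc* proxy = new ProxyCalc(server);
    int sum = UseCalc(proxy), seen = proxy->seen;   // client result unchanged: 35
    proxy->Release(); server->Release();            // both counts reach zero, both objects freed
    return sum == 35 ? seen : -1;
}
```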

Read more: Codeproject