Spying on COM Objects

Tags:

windows

com

hook

I've set myself a new task which involves "spying" on COM objects.

Even if you don't do COM, you're probably familiar with API hooking techniques where you can hook onto an imported function and execute your own code before calling the original. API hooking is somewhat complex but it quickly gets messy (too messy for production code IMO) if you try to hook onto COM Object Methods.

So, at the moment, to do "my job", I set an API hook for CoCreateInstance and I dispatch hand-written proxies for the interfaces that I am interested in. Now that's not a lot of interfaces but it's not the neatest of solutions either.

Is there a way to do this in a neater way, preferably without using API hooking?

On another note, this article seems to be great work http://www.ddj.com/windows/184416546?pgno=5 but the binary doesn't work anymore (I guess it was written around Win98 time). Does anyone know the internals of it and can point me in the right direction to making it work again?

Thanks

asked Oct 01 '09 by georgiosd
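The approach the question describes (hook CoCreateInstance, hand back a hand-written proxy for an interface you care about) can be sketched without Windows headers, because all that matters for interception is the COM vtable contract: QueryInterface/AddRef/Release first, then the interface's own methods. The block below is an added example, not code from the question or from any of the tools mentioned on this page; the `IGreeter` interface, the `Greeter` object, the integer IIDs and `SpiedCreateInstance` (standing in for the hooked CoCreateInstance) are all hypothetical stand-ins so that it compiles and runs on any platform. It shows the two things a spy proxy has to get right: ownership of the wrapped object through the reference count, and answering QueryInterface for itself rather than handing the caller the inner object (which would let every later call bypass the spy).

```cpp
// Added example: a hand-written delegating proxy ("spy") around a COM-style
// object. Portable stand-ins replace the Windows types; only the vtable
// layout (QueryInterface/AddRef/Release first) is modelled.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

using HRESULT = long;
using ULONG = unsigned long;
constexpr HRESULT S_OK = 0;
constexpr HRESULT E_NOINTERFACE = static_cast<HRESULT>(0x80004002L);
constexpr HRESULT E_POINTER = static_cast<HRESULT>(0x80004003L);
using IID = int;                    // assumption: small ints instead of GUIDs
constexpr IID IID_IUnknown = 0;
constexpr IID IID_IGreeter = 1;     // hypothetical interface id

struct IUnknown {
    virtual HRESULT QueryInterface(IID iid, void** out) = 0;
    virtual ULONG AddRef() = 0;
    virtual ULONG Release() = 0;
};

struct IGreeter : IUnknown {        // hypothetical interface under observation
    virtual HRESULT Greet(const char* name, int times) = 0;
};

// The "real" object the hooked CoCreateInstance would have produced.
class Greeter : public IGreeter {
    ULONG refs_ = 1;
public:
    HRESULT QueryInterface(IID iid, void** out) override {
        if (!out) return E_POINTER;
        if (iid == IID_IUnknown || iid == IID_IGreeter) {
            *out = static_cast<IGreeter*>(this); AddRef(); return S_OK;
        }
        *out = nullptr; return E_NOINTERFACE;
    }
    ULONG AddRef() override { return ++refs_; }
    ULONG Release() override { ULONG r = --refs_; if (r == 0) delete this; return r; }
    HRESULT Greet(const char* name, int times) override {
        std::printf("hello %s x%d\n", name, times); return S_OK;
    }
};

// Everything the spy observed, one entry per intercepted call.
std::vector<std::string> g_trace;

// Spy proxy: same vtable shape, logs each call, then forwards to the wrapped object.
class GreeterSpy : public IGreeter {
    IGreeter* inner_;
    ULONG refs_ = 1;
public:
    explicit GreeterSpy(IGreeter* inner) : inner_(inner) { inner_->AddRef(); }
    ~GreeterSpy() { inner_->Release(); }    // drop the spy's reference on the real object
    HRESULT QueryInterface(IID iid, void** out) override {
        g_trace.push_back("QueryInterface(" + std::to_string(iid) + ")");
        if (!out) return E_POINTER;
        // Caveat: answer for the spy itself. Returning inner_ here would hand the
        // caller an un-spied pointer and every later call would bypass the log.
        if (iid == IID_IUnknown || iid == IID_IGreeter) {
            *out = static_cast<IGreeter*>(this); AddRef(); return S_OK;
        }
        // A generic delegator would forward unknown IIDs to inner_ and wrap the
        // answer in a fresh spy; this hand-written proxy knows only IGreeter.
        *out = nullptr; return E_NOINTERFACE;
    }
    ULONG AddRef() override { return ++refs_; }
    ULONG Release() override { ULONG r = --refs_; if (r == 0) delete this; return r; }
    HRESULT Greet(const char* name, int times) override {
        HRESULT hr = inner_->Greet(name, times);
        g_trace.push_back("Greet(\"" + std::string(name) + "\", " +
                          std::to_string(times) + ") -> " + std::to_string(hr));
        return hr;
    }
};

// Stand-in for the hooked CoCreateInstance: build the real object, then return
// the spy in its place. The spy ends up as the sole owner of the real object.
HRESULT SpiedCreateInstance(IID iid, void** out) {
    Greeter* real = new Greeter();           // refcount 1, held by us
    GreeterSpy* spy = new GreeterSpy(real);  // spy takes its own reference (2)
    real->Release();                         // release ours; spy owns it (1)
    HRESULT hr = spy->QueryInterface(iid, out);
    spy->Release();                          // caller's QI reference keeps the spy alive
    return hr;
}

// Drive the path a client would take and report how many calls were logged.
std::size_t RunDemo() {
    g_trace.clear();
    IGreeter* g = nullptr;
    if (SpiedCreateInstance(IID_IGreeter, reinterpret_cast<void**>(&g)) != S_OK) return 0;
    g->Greet("world", 2);
    g->Greet("com", 1);
    g->Release();                            // frees the spy, which frees the real object
    return g_trace.size();
}
```

Swapping the spy for the real object at creation time is what the CoCreateInstance hook achieves; the same wrapper is also what a universal-delegator style tool generates on the fly from type information instead of by hand. In a real process, an out-of-proc or marshalled interface pointer would still leak past the spy if the inner QueryInterface were forwarded unwrapped, which is why the identity rule in the comment matters.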


2 Answers

I'd definitely recommend using Keith Brown's 'Universal Delegator' to do the low-level interception. The ComTrace tool mentioned by Kim Grasman uses it. It lets you wrap an arbitrary com object in a 'shell' that can do interception, logging, etc. The original articles (with code) describing the universal delegator are here and here.

If you want to spy on com objects in arbitrary processes (that you don't have the source for) then you'll also need to do code injection, using CreateRemoteThread() or something similar. There's an article here that might get you started if you've not done it before.

answered Sep 21 '22 by Andy Johnson


I don't have a definitive answer, but I know a guy who might :)

Jonas Blunck's tools are all about interception at different levels, his ComTrace is based on Keith Brown's technique, if I recall correctly, and sounds similar to what you're doing, except he parses type libraries and headers to keep track of interfaces dynamically.

We wrote Developer Playground together (I mostly did UI), it's based on API hooking, and I know Jonas said he wanted to rework ComTrace to use the same API hooking library, because it gave the best "resolution" for interception.

I don't know what you want to use this for, but I suggest you check out Jonas' tools and shoot him an e-mail - he might be able to prod you in the right direction.

answered Sep 20 '22 by Kim Gräsman