Hi, Is there an available tool which hooks the windows COM runtime? I want to be able to see all the instances which get created, view queries to their interfaces, method calls, etc.
Thanks!
A:
With in-proc COM servers there's almost nothing to hook - the consumer calls CoCreateInstance() or CoGetClassObject() and that's all it does. All the rest is done inside the COM object implementation. You might want to look at ATL sources to see how it usually works inside - for example when the consumer calls QueryInterface() the call directly goes to the corresponding object and the object itself is the only entity to observe the call.
This is not very fortunate but is a direct consequence of how in-proc COM servers are implemented. The developer can use Process Monitor to notice the registry accesses corresponding to ClassId->Dll mapping discovery and extensive tracing inside the COM object to see what's going on. ATL has a bunch of useful stuff (like COM_INTERFACE_ENTRY_FUNC_BLIND macro) to incorporate tracing.
sharptooth
2009-11-20 10:17:09
But isn't CoCreateInstance implemented by the standard COM runtime library? If it isn't statically linked into the server, we should be able to globally hook this function.And what about out of proc servers? All consumer calls to their methods get marshalled, so surely there is a way to intercept these calls?
Danra
2009-11-20 15:56:00
There're no easy ways I'm aware of. Certainly you can hook into the .dll file that implements CoCreateInstance() but it's not an elegant or easy solution.
sharptooth
2009-11-20 16:02:04
I feel it is perfectly elegant to hook into the COM library since this is what I want to do :)I just don't know of any tool which does this sort of hooking and presents the results nicely, spy++ style (except for handling COM objects and not windows).
Danra
2009-11-20 19:20:58
+2
A:
Check out http://www.nektra.com/products/com-spy-console, it's free.
Hernán
2009-11-21 07:34:36
Looks promising, it enumerates all the registered interfaces and displayed the methods supported by IDispatch. However, the actual hooking functionality didn't work for me, perhaps because I'm using windows 7 (did't work even when I ran the monitor as an admin).The listed version is 0.1, so it wouldn't be surprising if *some* functionalty is missing.Anyway, I'll try it soon on windows XP, hopes it works well there!
Danra
2009-11-21 08:08:18
Doesn't seem to work at all for me...Just lists the interfaces installed in the registry.
Danra
2009-11-23 08:44:20
+1
A:
to monitor the things you want you'll need to hook into system dlls and inject your blind delegators on interfaces queried. Needless to say how complex and error prone this task is, especially if consider that many implementors do not follow COM principles accurately. Though, some applications do that for their own purposes, without exposing this functionality.
If you really want to go this way - take a look at these:
- MS Detours will help you with DLL hooking (http://research.microsoft.com/en-us/projects/detours/)
- "House of COM" article on blind delegation (http://www.microsoft.com/msj/0399/com/com0399.aspx). Written by Don Box (or should I say "the world's greatest COM expert Don Box"? :-)
Andrey
2009-11-21 09:53:11
+2
A:
You could try Jonas Blunck's COMTrace -- I'm not sure if it works on Windows 7, but it's worth a try.
Kim Gräsman
2009-11-23 17:06:56
Great thing. The interface is not perfect, but the thing itself works.
sharptooth
2009-11-27 13:38:17