Hooking/Replacing AHK IUnknown methods(object, script-wide) crash

[Coco]

From this post:

Hook into the AutoHotkey implementation (for all Objects script-wide) by using NumGet to retrieve the QueryInterface implementation and NumPut to replace it.

I'm trying the above for AddRef but somehow it causes the script to crash. Not really sure if I'm doing it right. Here is my code, parts are commented:

Code: Select all

#NoEnv
SetBatchLines -1

obj := {}
; retrieve AHK's AddRef implementation
global native_addref := NumGet(NumGet(&obj) + A_PtrSize)

; These next lines test if it is indeed AddRef
instance := new Foo()
; call AddRef on 'instance'
MsgBox % "REF_COUNT: " . DllCall(native_addref, "Ptr", &instance)
; decrement ref count
MsgBox % "REF_COUNT: " . ObjRelease(&instance)
; release it, should call __Delete()
instance := ""

; here we try to replace AHK's AddRef with a custom AddRef
custom_addref := RegisterCallback("MyAddRef",, 1)
; THE NEXT LINE causes the script to crash
NumPut(custom_addref, NumGet(&obj) + A_PtrSize)
return

MyAddRef(obj_ptr)
{
    Critical
    MsgBox %A_ThisFunc%
    ; just cast it to AHK's native implemetation
    return DllCall(native_addref, "Ptr", obj_ptr)
}

class Foo
{
    __Delete()
    {
        MsgBox RELEASED ; for debugging
    }
}

[qwerty12]

Removing the write protection on the area written to works for me on x64 and x86 AutoHotkey:

Code: Select all

#NoEnv
SetBatchLines -1
 
obj := {}
; retrieve AHK's AddRef implementation
global native_addref := NumGet(NumGet(&obj) + A_PtrSize)
 
; These next lines test if it is indeed AddRef
instance := new Foo()
; call AddRef on 'instance'
MsgBox % "REF_COUNT: " . DllCall(native_addref, "Ptr", &instance)
; decrement ref count
MsgBox % "REF_COUNT: " . ObjRelease(&instance)
 
; here we try to replace AHK's AddRef with a custom AddRef
custom_addref := RegisterCallback("MyAddRef",, 1)
target := NumGet(&obj) + A_PtrSize
; THE NEXT LINE causes the script to crash
DllCall("VirtualProtect", "Ptr", target, "UInt", A_PtrSize, "UInt", PAGE_EXECUTE_READWRITE := 0x40, "UInt*", oldProtect)
NumPut(custom_addref, target+0)
DllCall("VirtualProtect", "Ptr", target, "UInt", A_PtrSize, "UInt", oldProtect, "UInt*", oldProtect)
DllCall("FlushInstructionCache", "Ptr", DllCall("GetCurrentProcess", "Ptr"), "Ptr", target, "UInt", A_PtrSize)
ObjAddRef(&instance)
return
 
MyAddRef(obj_ptr)
{
    Critical
    MsgBox %A_ThisFunc%
    ; just cast it to AHK's native implemetation
    return DllCall(native_addref, "Ptr", obj_ptr)
}
 
class Foo
{
    __Delete()
    {
        MsgBox RELEASED ; for debugging
    }
}

[trismarck]

This might be a stupid question, but will hooking into QueryInterface() and others trigger not just for that particular ahk object, but for all ahk objects? (and is that desired in this case)
//edit: looks like it will, ok

Hook into the AutoHotkey implementation (for all Objects script-wide) by using NumGet to retrieve the QueryInterface implementation and NumPut to replace it.

[Coco]

Removing the write protection on the area written to works for me on x64 and x86 AutoHotkey:

Thanks, that worked