i am trying to hook CopyItems function ,its working fine but when i am trying to call Real CopyItems Function in the Callback function it is getting crash , my code is as below, please help me.

 PVOID GetInterfaceMethod(PVOID intf, DWORD methodIndex)
 {
  return *(PVOID*)(*(DWORD*)intf + methodIndex * 4);
 }

typedef HRESULT (WINAPI  *CopyItemsNext)(IUnknown *punkItems,IShellItem *psiDestinationFolder);
CopyItemsNext Real_CopyItems = NULL;
CopyItemsNext Actual_CopyItems;


HRESULT WINAPI CopyItemsCallback(IUnknown *punkItems,IShellItem *psiDestinationFolder)
{

    MessageBoxW(NULL,L"CopyItems Function Called", L"HookedCopyItemS", MB_OK);
    return Real_CopyItems(punkItems, psiDestinationFolder);
}


HRESULT WINAPI CoCreateInstanceCallback(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, REFIID riid, LPVOID *ppv)
{
   const char *IFileOperation_GUID = "{3AD05575-8857-4850-9277-11B85BDB8E09}";
   char GUIDString[64];

   HRESULT HR = Real_CoCreateInstance(rclsid, pUnkOuter, dwClsContext, riid, ppv);

   sprintf_s(GUIDString,64, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}\0",
    rclsid.Data1, rclsid.Data2, rclsid.Data3,
    rclsid.Data4[0], rclsid.Data4[1],
    rclsid.Data4[2], rclsid.Data4[3],
    rclsid.Data4[4], rclsid.Data4[5],
    rclsid.Data4[6], rclsid.Data4[7]);

   if(strcmp(GUIDString, IFileOperation_GUID) == 0)
   {
       MessageBoxA(NULL, "IFileOperation_GUID Found", GUIDString, MB_OK);

       if(Real_CopyItems == NULL)
       {
        Actual_CopyItems = (CopyItemsNext)GetInterfaceMethod(*ppv, 17);
        MessageBoxA(NULL,"AFTER GetInterfaceMethod", "TEST", MB_OK);

        if (MH_CreateHook(Actual_CopyItems, &CopyItemsCallback, reinterpret_cast<void**>(&Real_CopyItems)) != MH_OK)
        {
            MessageBoxW(NULL, L"Failed CreateHook Real_CopyItem", L"Info!", MB_ICONWARNING|MB_OK);
        }
        if (MH_EnableHook(Actual_CopyItems) != MH_OK)
        {
            MessageBoxW(NULL, L"Failed EnableHook Real_CopyItem", L"Info!", MB_ICONWARNING|MB_OK);
        }
    }
}
return HR;
}

//DllMain Function 
BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
    if (MH_Initialize() != MH_OK)
    {
        MessageBoxW(NULL, L"Failed Initialize", L"Info!", MB_ICONWARNING|MB_OK);    
    }
    if (MH_CreateHook(&CoCreateInstance, &CoCreateInstanceCallback, reinterpret_cast<void**>(&Real_CoCreateInstance)) != MH_OK)
    {
        MessageBoxW(NULL,L"Failed MH_CreateHook CoCreateInstance",L"Info!",MB_ICONWARNING|MB_OK);
    }
    if (MH_EnableHook(&CoCreateInstance) != MH_OK)
    {
        MessageBoxW(NULL,L"Failed MH_EnableHook StartDocA",L"Info!",MB_ICONWARNING|MB_OK);
    }
    break;

case DLL_PROCESS_DETACH:
    if (MH_Uninitialize() != MH_OK)
    {               
    }
    if (MH_DisableHook(Actual_CopyItems) != MH_OK)
    {
    }
    if (MH_DisableHook(&CoCreateInstance) != MH_OK)
    {
    }

    break;
}
return TRUE;
}

In the above code inside the CopyItemsCallback function i am displaying Message box just to confirm weather the function is getting hook r not ,so i got that message box after that i am calling Real CopyItems Function but there it is getting crash so please check what is the problem with my code .

IFileOperation::CopyItems is a COM method, not a regular Win32 function, so you need to treat it differently than CoCreateInstance, which is a plain Win32 API.

When you call a COM method using C++ syntax, what you don't see is the "this" pointer (same as the interface pointer) being passed behind the scenes as a hidden parameter. But if you want to call a COM method using C-style code, you have to deal with this manually.

So your definition of the CopyItems function should instead look something like this:

typedef HRESULT (STDMETHODCALLTYPE *CopyItemsNext)(IFileOperation * pThis, IUnknown *punkItems, IShellItem *psiDestinationFolder);

...and when you call through to the 'real' one, you'll have to pass that pThis as the first parameter.

Note that this trick is specific to COM, you can't in general treat C++ methods this way. It just happens that COM was designed to be usable from plain C, so COM requires that the 'this' pointer is passed just as a normal parameter would be. (COM methods are marked with STDMETHODCALLTYPE which is what tells the compiler to treat them differently than methods without that.) However, for non-COM C++ classes, a compiler might do something else, such as passing the this pointer in a register.

--

By the way, note that the DWORD in your GetInterfaceMethod will only work on 32-bit windows; use DWORD_PTR if you want a type that is always the size of a pointer and which will then work with either 32-bit or 64-bit code.