Saturday, August 23, 2008

Reversing COM components

There are many free tools available that could prove helpful for analyzing COM components. My favorites are COMRaider and Jose Roca's TypeLib Browser.

Those tools are good for a first-pass analysis (like fuzzing or calling a specific method from a VBS script), but when it comes to having a look at the binary implementation itself, things get a little tougher...

There are some IDA Pro helpers (scripts and plugins) floating around, but given the complexity of COM and C++ reversing, it remains quite hard to tell where the code is through static analysis alone.

Then I stumbled upon this post (by WebSense) that gives a very easy way to locate all exported methods through the use of the #import directive in Visual Studio. Since they only give away screenshots, here is the full piece of code that will retrieve the RVA of the first 10 methods of the Flash plugin.

#include <windows.h>
#include <stdio.h>

// Note: this must be a CPP file to use the #import directive.
// #import generates C++ wrappers (IShockwaveFlash, __uuidof(...)) from the typelib.
#import "C:\\WINDOWS\\SYSTEM32\\Macromed\\Flash\\Flash9e.ocx" no_namespace

int main() {
    printf("Hello, world of COM!\n");

    CoInitialize(NULL);

    IShockwaveFlash *pShockwave = NULL;

    // Instantiate the control and ask for its default interface.
    HRESULT hr = CoCreateInstance(__uuidof(ShockwaveFlash),
                                  NULL,
                                  CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER,
                                  __uuidof(IShockwaveFlash),
                                  (void**)&pShockwave);

    if (SUCCEEDED(hr)) {
        // The first DWORD of any interface pointer is the address of its vtable;
        // each following DWORD in that table is a method address (32-bit build).
        DWORD dwVT = *(DWORD*)pShockwave;
        DWORD *p = (DWORD*)dwVT;

        // Use the ANSI entry point explicitly: the literal is narrow, so this
        // builds whether or not UNICODE is defined. RVA = VA - module base.
        DWORD dwBase = (DWORD)GetModuleHandleA("Flash9e.ocx");

        // Slots 1-3 are IUnknown (QueryInterface/AddRef/Release) and, since this
        // is a dual interface, slots 4-7 are IDispatch; Flash-specific methods start at 8.
        for (int i = 1; i < 11; i++) {
            printf("[%d] VA=%08x RVA=%08x\n", i, *p, *p - dwBase);
            p++;
        }

        pShockwave->Release();
    }

    CoUninitialize();
    return 0;
}


Sample output:

C:\>cl test.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 14.00.50727.762 for 80x86

Copyright (C) Microsoft Corporation. All rights reserved.

test.cpp
Microsoft (R) Incremental Linker Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.

/out:test.exe
test.obj

C:\>test.exe
Hello, world of COM!
[1] VA=300b4ec2 RVA=000b4ec2
[2] VA=300b38a4 RVA=000b38a4
[3] VA=300b38b1 RVA=000b38b1
[4] VA=300bd353 RVA=000bd353
[5] VA=300b78b7 RVA=000b78b7
[6] VA=300b7d33 RVA=000b7d33
[7] VA=300cbe5c RVA=000cbe5c
[8] VA=300c7c34 RVA=000c7c34
[9] VA=300c7c46 RVA=000c7c46
[10] VA=300c7b9d RVA=000c7b9d

Beware: the COM component will be instantiated by this code. Do not try this on malicious code unless you know what you are doing!
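The vtable walk in the code above does not depend on anything Flash-specific: the first word of any interface pointer is the vtable address, and every word after it is a method address. The following is an added example (not the post's code, and not part of any Microsoft or Adobe API) that reproduces the technique on a constructed stand-in hierarchy so it runs offline on any compiler. IFakeUnknown, IFakeFlash, FakeFlash, read_word, dump_vtable, slot_name and call_slot are all names invented here. It goes a little beyond the post in two ways: it labels each slot the way a reverser would annotate it in IDA (IUnknown first, IDispatch next for a dual interface, then the interface's own methods), and it calls a slot through the raw function pointer the way a C COM client does.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

// Constructed stand-in for a COM interface hierarchy (not the real
// IShockwaveFlash): IUnknown's three methods come first, then the
// interface-specific ones. Pure virtuals and no virtual destructor keep the
// vtable in exactly the slot order a COM client expects.
struct IFakeUnknown {
    virtual long QueryInterface(const void* riid, void** ppv) = 0;
    virtual unsigned long AddRef() = 0;
    virtual unsigned long Release() = 0;
};
struct IFakeFlash : IFakeUnknown {
    virtual long GetVersion() = 0;   // 0-based slot 3
    virtual long Play() = 0;         // 0-based slot 4
};
class FakeFlash : public IFakeFlash {
public:
    long QueryInterface(const void*, void** ppv) override { *ppv = this; AddRef(); return 0; }
    unsigned long AddRef() override { return ++refs_; }
    unsigned long Release() override { return --refs_; }
    long GetVersion() override { return 9; }
    long Play() override { return 1; }
    unsigned long refs() const { return refs_; }
private:
    unsigned long refs_ = 1;
};

struct Slot { int index; uintptr_t va; uintptr_t rva; };

// memcpy read of one pointer-sized word: same effect as the post's
// *(DWORD*)pShockwave, but well-defined and correct on 64-bit too.
static uintptr_t read_word(const void* p) {
    uintptr_t w;
    std::memcpy(&w, p, sizeof w);
    return w;
}

// Word 0 of the object is the vtable address; vtable[i] is method i's VA.
// RVA = VA - module base, which is what IDA shows for the loaded image.
std::vector<Slot> dump_vtable(const void* iface, uintptr_t module_base, int nslots) {
    const char* vtbl = reinterpret_cast<const char*>(read_word(iface));
    std::vector<Slot> out;
    for (int i = 0; i < nslots; ++i) {
        uintptr_t va = read_word(vtbl + i * sizeof(uintptr_t));
        out.push_back(Slot{i + 1, va, va - module_base});
    }
    return out;
}

// Label a 1-based slot: IUnknown owns 1-3 and, for a dual (IDispatch-derived)
// interface such as the Flash one, IDispatch owns 4-7. Only the slots after
// that point at the interface's own code.
std::string slot_name(int index, bool dual) {
    static const char* unk[] = {"QueryInterface", "AddRef", "Release"};
    static const char* disp[] = {"GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke"};
    if (index >= 1 && index <= 3) return unk[index - 1];
    if (dual && index >= 4 && index <= 7) return std::string("IDispatch::") + disp[index - 4];
    return "method#" + std::to_string(index - (dual ? 7 : 3));
}

// Invoke a 0-based slot the way a C COM client does (obj->lpVtbl->Method(obj)).
// Assumes `this` is passed as the first ordinary argument (Itanium ABI, MSVC x64);
// 32-bit MSVC uses thiscall and would need a __thiscall pointer type instead.
typedef long (*NoArgMethod)(void*);
long call_slot(void* iface, int slot) {
    const char* vtbl = reinterpret_cast<const char*>(read_word(iface));
    uintptr_t va = read_word(vtbl + slot * sizeof(uintptr_t));
    return reinterpret_cast<NoArgMethod>(va)(iface);
}

int main() {
    FakeFlash obj;
#ifdef _WIN32
    uintptr_t base = reinterpret_cast<uintptr_t>(GetModuleHandleA(NULL));
#else
    uintptr_t base = 0;  // no module handle here, so RVA == VA in the listing
#endif
    for (const Slot& s : dump_vtable(&obj, base, 5))
        std::printf("[%d] VA=%p RVA=%p  %s\n", s.index, (void*)s.va, (void*)s.rva,
                    slot_name(s.index, false).c_str());
    std::printf("slot 3 called through the vtable -> %ld\n", call_slot(&obj, 3));  // 9
    return 0;
}
```

On Windows the base passed to dump_vtable would be the value of GetModuleHandleA for the module that implements the object, exactly as in the post; on other platforms you would get it from the loader (for example dladdr) and the calling convention note on call_slot applies.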

3 comments:

Anonymous said...

Hiya, I'm really glad I've found this info. Today bloggers publish only about gossip and net stuff and this is actually frustrating. A good web site with interesting content, this is what I need. Thank you for making this web-site, and I will be visiting again. Do you do newsletters? I cannot find it.

newsoft said...

I am glad I could help :)

Sorry, I do not do any newsletter. But I tweet occasionally.

Anonymous said...

Greetings! Very helpful advice in this particular post! It is the little changes which will make the biggest changes. Many thanks for sharing!