
I'm quite new to COM object reversing (Windows platform). I'm trying to reverse Internet Explorer on Windows 8.1, where the child IE process communicates with the parent IE process via COM (due to Protected Mode).

This is an ASM snippet of a virtual function from ieframe.dll (part of the class CShellUIHelper) which is responsible for a COM operation (I have the MS public symbols).

CShellUIHelper::XX_XX{

..
..
    mov     eax, [ebp+var_2BC]
    lea     edx, [ebp+Filename]
    mov     edi, esp
    push    edx
    push    [ebp+var_2AC]
    mov     esi, [eax]
    push    ecx             ; _DWORD
    push    eax             ; _DWORD
    mov     esi, [esi+25Ch]
    mov     ecx, esi        ; _DWORD
    call    ds:___guard_check_icall_fptr
    call    esi             ; call {combase!ObjectStublessClient30+0x5c0

}

Here it's calling a COM interface method on the last line using the "call esi" instruction, which is actually "call esi+025ch". At runtime I've found it's actually calling combase!ObjectStublessClient30(x,x).

Here I want to find the interface method name it's calling via combase!ObjectStublessClient30().

To find the method name I'm following this Stack Exchange answer, which looks pretty similar.

https://reverseengineering.stackexchange.com/questions/2822/com-interface-methods

But the problem is, in this answer the interface name was known (IShellWindows), but in my case I don't know the interface name.

I'm stuck at this point. So my question is: what path should I follow to find out the interface name and method name?

Dev.K.

  • There isn't any reasonable way to reverse-engineer this. If you end up in combase.dll then you actually called into the proxy, it ensures that the COM call is made in a thread-safe way. You'll have to first know the exact interface that is getting used, then count off the methods implemented by that interface. If you don't know the interface then you know nothing. – Hans Passant Sep 13 '16 at 15:46
  • @HansPassant is there any approach, that I can follow to find out the interface ? – Dev.K. Sep 13 '16 at 16:40
  • You'll need a lot more reverse-engineering. You need to disassemble the CoCreateInstance() or the QueryInterface() call so you can identify the interface GUID. That it goes through a proxy doesn't exactly make this any easier. – Hans Passant Sep 13 '16 at 16:47

1 Answer


The fact that you've ended up in combase!ObjectStublessClient30 would seem to indicate that you've hit a proxy object, so you need to backtrack and figure out the type of the interface pointer you're dealing with.

To clarify [remember, backtracking!],

; 5. ... and in stack slot var_2BC now.
    mov     eax, [ebp+var_2BC]
    lea     edx, [ebp+Filename]
    mov     edi, esp
    push    edx
    push    [ebp+var_2AC]
; 4. ... which is the vtable for the interface pointer in eax now ...
    mov     esi, [eax]

    push    ecx             ; _DWORD
    push    eax             ; _DWORD
; 3. ... in the interface vtable that ESI points to now, ...
    mov     esi, [esi+25Ch] ; 2. You now, the method at offset 25Ch ...
; 1. ESI clearly contains a pointer to the [stubless stub] method now
    mov     ecx, esi        ; _DWORD
    call    ds:___guard_check_icall_fptr
    call    esi             ; call {combase!ObjectStublessClient30+0x5c0

The interface pointer is going to be of type IFoo *, where IFoo is the name of the interface. What you have to do is track the pointer back to someplace that tells you the type, whether in the form of the IID as with ->QueryInterface (always at offset 0 in any interface vtable, because they all ultimately inherit from IUnknown) or CoCreateInstance, or from C++ name mangling like if it's a parameter to a function/method that's given a name in the public symbols.

If you find such a name or IID, you can then try to either find it mentioned somewhere in the platform SDK include directory, or failing that in a COM type library in or near one of the relevant DLLs (if the latter, it would have extension .tlb); the best way I know to look at type libraries is with the OLE/COM Object Viewer oleview.exe that's hopefully in the bin dir of your platform SDK.

SamB