
OpenRCE Article Comments: Reverse Engineering Microsoft OLE

Article Abstract: For the experienced reverse-engineer, a basic analysis of what a particular piece of malware does can be a relatively quick and painless process. However, when it comes to malware that depends heavily on OLE (old terminology for COM) calls, the usual analysis speed comes to a grinding halt. This short article attempts to demystify the process of reversing OLE method calls.


Article Comments
smidgeonsoft Posted: Thursday, September 15 2005 08:00.05 CDT
Very nice writeup.

I offer the following to the analysis.  Since COM is a binary interface let us find the method without resorting to locating a header file, but use the binaries at hand.  Looking up GUID, 3050F5D2-98B5-11CF-BB82-00AA00BDCE0B in the system registry, we see that there is a typelib node containing 3050F1C5-98B5-11CF-BB82-00AA00BDCE0B.  Looking that value up in the registry gives us the location of the binary description, MSHTML.TLB, a typelib structured as a PE file.  Now, using my utility, PEBrowse Professional, we open up this file.  Expanding the "Resources" and under that the "'TYPELIB'" node we find a single node, "1".  Selecting it, we request an "image" which will now produce the ODL for the Microsoft HTML Object Library.  Perform a find on the original GUID, and you will be placed at the dispinterface for IHTMLInputElement.  Scroll down to "id(12)" and you will find the method "name".

anonymouse Posted: Thursday, September 15 2005 11:37.10 CDT
Since smidgeonsoft mentioned TLBs and such, I remember something.
Long back I was looking at a DLL and saw the MSFT header. Searching along to find what the heck it was, someone told me it was a cab file header (I then hexed a random cabinet file and it was not MSFT but MSCF), and along the way I landed on this program:
http://www.com.it-berater.org/typelib_browser.htm

It generates a lot of info from those type libs, including code prototypes, and even saves them as *.bas, neat and clean.

Like this:

' ****************************************************************************************
' [get_]name property
' Interface name = IHTMLInputElement
' Attributes = 20 [&H14] [Bindable] [DisplayBind]
' VTable offset = 48 [&H30]
' DispID = -2147418112 [&H80010000]
' ****************************************************************************************
DECLARE FUNCTION Proto_htmlfileIHTMLInputElement_get_name ( _
    BYVAL pthis AS DWORD PTR _                          ' %VT_DISPATCH <dispinterface>
  , BYREF p AS STRING _                                 ' *%VT_BSTR <DYNAMIC UNICODE STRING> [out]
    ) AS LONG                                           ' %VT_HRESULT <LONG>

FUNCTION htmlfileIHTMLInputElement_get_name ALIAS "htmlfileIHTMLInputElement_get_name" ( _
    BYVAL pthis AS DWORD PTR _                          ' %VT_DISPATCH <dispinterface>
  , BYREF p AS STRING _                                 ' *%VT_BSTR <DYNAMIC UNICODE STRING> [out]
    ) EXPORT AS LONG                                    ' %VT_HRESULT <LONG>

    IF ISFALSE pthis THEN htmlfile_HRESULT = %E_POINTER : EXIT FUNCTION
    CALL DWORD @@pthis[12] USING Proto_htmlfileIHTMLInputElement_get_name(pthis, p) TO htmlfile_HRESULT
    FUNCTION = htmlfile_HRESULT
    p = ACODE$(p)

END FUNCTION
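
As an added example, not code from either post nor from PEBrowse or the typelib browser, the script below does in Python the two mechanical parts of what smidgeonsoft and anonymouse describe: the registry walk from an interface IID to its typelib file (Interface -> TypeLib -> path), and the arithmetic that turns a vtable call offset such as `@@pthis[12]` / `VTable offset = 48` into a slot. The real registry is read only on Windows via the standard winreg module; elsewhere it runs against a constructed snapshot whose version number and file path are assumed, not taken from the page.

```python
import sys

IUNKNOWN_SLOTS = 3    # QueryInterface, AddRef, Release
IDISPATCH_SLOTS = 4   # GetTypeInfoCount, GetTypeInfo, GetIDsOfNames, Invoke

# Constructed snapshot of the keys the lookup walks. The two GUIDs are the ones
# named in the thread; "4.0" and the mshtml.tlb path are assumed sample values.
SAMPLE_REGISTRY = {
    r"Interface\{3050F5D2-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib": {
        "": "{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}", "Version": "4.0"},
    r"TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0\0\win32": {
        "": r"C:\Windows\System32\mshtml.tlb"},
}


class DictRegistry:
    """Stand-in for HKEY_CLASSES_ROOT backed by {key_path: {value_name: data}}."""
    def __init__(self, data):
        self.data = data

    def get(self, path, name=""):
        return self.data[path][name]


class WinRegistry:
    """Reads HKEY_CLASSES_ROOT through the standard-library winreg module (Windows only)."""
    def get(self, path, name=""):
        import winreg
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
            return winreg.QueryValueEx(key, name)[0]


def typelib_path_for_iid(reg, iid, arch="win32"):
    # Same keys a manual lookup visits: Interface\{iid}\TypeLib gives the typelib
    # GUID (default value) and Version; TypeLib\{guid}\<ver>\0\<arch> gives the file.
    iid = "{" + iid.strip("{}").upper() + "}"
    tlb_key = "\\".join(["Interface", iid, "TypeLib"])
    tlb_guid = reg.get(tlb_key)
    version = reg.get(tlb_key, "Version")
    path = reg.get("\\".join(["TypeLib", tlb_guid, version, "0", arch]))
    return tlb_guid, version, path


def vtable_slot(call_offset, ptr_size=4):
    # 'call [reg+off]' -> (zero-based slot, region). Region assumes a dual
    # interface: 3 IUnknown slots, 4 IDispatch slots, then the interface's own.
    if call_offset % ptr_size:
        raise ValueError("offset %#x is not pointer aligned" % call_offset)
    slot = call_offset // ptr_size
    region = ("IUnknown" if slot < IUNKNOWN_SLOTS else
              "IDispatch" if slot < IUNKNOWN_SLOTS + IDISPATCH_SLOTS else "interface")
    return slot, region


if __name__ == "__main__":
    reg = WinRegistry() if sys.platform == "win32" else DictRegistry(SAMPLE_REGISTRY)
    print(typelib_path_for_iid(reg, "3050F5D2-98B5-11CF-BB82-00AA00BDCE0B"))
    print(vtable_slot(0x30))  # the @@pthis[12] / offset 48 case from the listing
```

Once the .tlb path is known, the method listing itself is still taken from the typelib (PEBrowse's "image" of the TYPELIB resource, or the browser's *.bas dump), which is what maps slot 12 back to get_name.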



nikolatesla20 Posted: Wednesday, September 28 2005 09:26.52 CDT
Bout time someone focused on COM. It's not that hard

hoglund Posted: Monday, October 10 2005 01:13.27 CDT
Good article, thanks!

-Greg

droption Posted: Friday, June 23 2006 00:35.52 CDT
Perfect work
