OpenRCE Article Comments: Reverse Engineering Microsoft OLE

Article Abstract
For the experienced reverse engineer, a basic analysis of what a particular piece of malware does can be a relatively quick and painless process. However, when it comes to malware that depends heavily on OLE calls (OLE being the older name for what is now called COM), the usual analysis speed comes to a grinding halt. This short article attempts to demystify the process of reversing OLE method calls.

Article Comments
smidgeonsoft Posted: Thursday, September 15 2005 08:00.05 CDT
Very nice writeup.

I offer the following to the analysis. Since COM is a binary interface, let us find the method without resorting to locating a header file, but by using the binaries at hand. Looking up the GUID 3050F5D2-98B5-11CF-BB82-00AA00BDCE0B in the system registry, we see that there is a TypeLib node containing 3050F1C5-98B5-11CF-BB82-00AA00BDCE0B. Looking that value up in the registry gives us the location of the binary description, MSHTML.TLB, a typelib structured as a PE file. Now, using my utility, PEBrowse Professional, we open up this file. Expanding the "Resources" node and, under that, the "TYPELIB" node, we find a single node, "1". Selecting it, we request an "image", which will produce the ODL for the Microsoft HTML Object Library. Perform a find on the original GUID and you will be placed at the dispinterface for IHTMLInputElement. Scroll down to "id(12)" and you will find the method "name".

anonymouse Posted: Thursday, September 15 2005 11:37.10 CDT
Since smidgeonsoft mentioned TLBs and such, I remember something. Long back I was looking at a DLL and I saw the MSFT header. Searching along to find out what the heck it was, someone told me it was a CAB file header (now I hexed a random cabinet file and it was not MSFT but MSCF), and along the way I landed on this program:
http://www.com.it-berater.org/typelib_browser.htm

It generates a lot of info from those type libs, including code prototypes, and even saves them as *.bas, neat and clean.

Like this:

' ****************************************************************************************
' [get_]name property
' Interface name = IHTMLInputElement
' Attributes = 20 [&H14] [Bindable] [DisplayBind]
' VTable offset = 48 [&H30]
' DispID = -2147418112 [&H80010000]
' ****************************************************************************************
DECLARE FUNCTION Proto_htmlfileIHTMLInputElement_get_name ( _
    BYVAL pthis AS DWORD PTR _                          ' %VT_DISPATCH <dispinterface>
  , BYREF p AS STRING _                                 ' *%VT_BSTR <DYNAMIC UNICODE STRING> [out]
    ) AS LONG                                           ' %VT_HRESULT <LONG>

FUNCTION htmlfileIHTMLInputElement_get_name ALIAS "htmlfileIHTMLInputElement_get_name" ( _
    BYVAL pthis AS DWORD PTR _                          ' %VT_DISPATCH <dispinterface>
  , BYREF p AS STRING _                                 ' *%VT_BSTR <DYNAMIC UNICODE STRING> [out]
    ) EXPORT AS LONG                                    ' %VT_HRESULT <LONG>

    ' A NULL interface pointer is reported to the caller as E_POINTER in both the
    ' global and the return value, instead of falling through and returning 0 (S_OK).
    IF ISFALSE pthis THEN
        htmlfile_HRESULT = %E_POINTER
        FUNCTION = htmlfile_HRESULT
        EXIT FUNCTION
    END IF
    ' @pthis is the object's vtable pointer; entry 12 (byte offset 48 / 4) is get_name.
    CALL DWORD @@pthis[12] USING Proto_htmlfileIHTMLInputElement_get_name(pthis, p) TO htmlfile_HRESULT
    FUNCTION = htmlfile_HRESULT
    ' The [out] BSTR is UTF-16; convert it to an ANSI PowerBASIC string for the caller.
    p = ACODE$(p)

END FUNCTION
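
The "VTable offset = 48" in the generated prototype above and the "@@pthis[12]" slot it calls through are the same fact, and it is the fact a reverse engineer needs when the disassembly shows `call dword ptr [eax+30h]` on an IHTMLInputElement pointer: IUnknown contributes three slots, IDispatch four, and the dispinterface's own members follow with each property expanded to its put and get accessor in declaration order. The Python below is an added example for this comments page, not code from the article, from smidgeonsoft's PEBrowse walkthrough, or from the typelib browser. IUnknown and IDispatch are fixed by the COM ABI; the IHTMLInputElement member order (type, value, name) is assumed from the MSHTML IDL and deliberately truncated after `name`, the one member this page confirms (slot 12); the instruction strings are constructed inputs.

```python
"""Resolve a COM vtable call seen in a disassembly to the method it invokes.

Added example (not the article's or either commenter's code). Interface layouts
are constructed inline: IUnknown and IDispatch follow the COM ABI; for
IHTMLInputElement only the first three properties (type, value, name) are
listed, an order assumed from the MSHTML IDL, and the page itself only confirms
that get_name sits at slot 12 (vtable offset 48 on 32-bit).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Member kinds: "method" is one slot; "putget" is a [propput] slot followed by
# a [propget] slot; "put" / "get" are single-accessor properties.
Member = Tuple[str, str]


@dataclass
class Interface:
    name: str
    base: Optional[str]           # parent interface; None only for IUnknown
    members: List[Member]         # in declaration order


INTERFACES: Dict[str, Interface] = {
    "IUnknown": Interface("IUnknown", None, [
        ("method", "QueryInterface"), ("method", "AddRef"), ("method", "Release"),
    ]),
    "IDispatch": Interface("IDispatch", "IUnknown", [
        ("method", "GetTypeInfoCount"), ("method", "GetTypeInfo"),
        ("method", "GetIDsOfNames"), ("method", "Invoke"),
    ]),
    # Truncated on purpose: the real interface has many more members after `name`.
    "IHTMLInputElement": Interface("IHTMLInputElement", "IDispatch", [
        ("putget", "type"), ("putget", "value"), ("putget", "name"),
    ]),
}


def vtable_layout(iface_name: str, table: Dict[str, Interface] = INTERFACES) -> List[str]:
    """Flatten an interface's inheritance chain into ordered 'Iface::method' slots.

    A derived interface's members start right after the last slot of its base,
    and a property occupies one slot per accessor, put before get.
    """
    iface = table[iface_name]
    slots = vtable_layout(iface.base, table) if iface.base else []
    for kind, name in iface.members:
        if kind in ("put", "putget"):
            slots.append(f"{iface.name}::put_{name}")
        if kind in ("get", "putget"):
            slots.append(f"{iface.name}::get_{name}")
        if kind == "method":
            slots.append(f"{iface.name}::{name}")
    return slots


def resolve_vtable_call(iface_name: str, offset: int, ptr_size: int = 4) -> str:
    """Map a vtable byte offset (as in `call [eax+30h]`) to the method in that slot."""
    if offset < 0 or offset % ptr_size:
        raise ValueError(f"offset {offset:#x} is not a multiple of the pointer size {ptr_size}")
    slot = offset // ptr_size
    layout = vtable_layout(iface_name)
    if slot >= len(layout):
        raise IndexError(f"slot {slot} is past the {len(layout)} members known here for {iface_name}")
    return layout[slot]


# `[reg+disp]` with the displacement written as 30h, 0x30 or decimal 30; `[reg]` alone is slot 0.
_DISP = re.compile(r"\[\s*[a-z][a-z0-9]*\s*(?:\+\s*(0x[0-9a-f]+|[0-9a-f]+h|\d+))?\s*\]", re.I)


def offset_from_operand(insn: str) -> int:
    """Extract the vtable displacement from an indirect call's memory operand."""
    m = _DISP.search(insn)
    if not m:
        raise ValueError(f"no [register+displacement] operand in {insn!r}")
    tok = (m.group(1) or "0").lower()
    if tok.startswith("0x"):
        return int(tok, 16)
    if tok.endswith("h"):
        return int(tok[:-1], 16)
    return int(tok)


if __name__ == "__main__":
    # Constructed disassembly lines: the 32-bit and 64-bit forms of the same call.
    for insn, ptr in (("call dword ptr [eax+30h]", 4), ("call qword ptr [rax+60h]", 8)):
        off = offset_from_operand(insn)
        print(f"{insn:28} -> offset {off:#x}, slot {off // ptr}: "
              f"{resolve_vtable_call('IHTMLInputElement', off, ptr)}")
```

Extending the table to a full interface means transcribing the typelib's member list in declaration order, which is exactly what the ODL dump from PEBrowse or the typelib browser's *.bas output gives you; the slot arithmetic itself never changes, only the pointer size between 32-bit and 64-bit targets.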



nikolatesla20 Posted: Wednesday, September 28 2005 09:26.52 CDT
'Bout time someone focused on COM. It's not that hard.

hoglund Posted: Monday, October 10 2005 01:13.27 CDT
Good article, thanks!

-Greg

droption Posted: Friday, June 23 2006 00:35.52 CDT
Perfect work
