
OpenRCE Article Comments: Reverse Engineering Microsoft OLE

Article Abstract

For the experienced reverse-engineer, a basic analysis of what a particular piece of malware does can be a relatively quick and painless process. However, when it comes to malware that depends heavily on OLE (old terminology for COM) calls, the usual analysis speed comes to a grinding halt. This short article attempts to demystify the process of reversing OLE method calls.


Article Comments
smidgeonsoft Posted: Thursday, September 15 2005 08:00.05 CDT
Very nice writeup.

I offer the following to the analysis.  Since COM is a binary interface let us find the method without resorting to locating a header file, but use the binaries at hand.  Looking up GUID, 3050F5D2-98B5-11CF-BB82-00AA00BDCE0B in the system registry, we see that there is a typelib node containing 3050F1C5-98B5-11CF-BB82-00AA00BDCE0B.  Looking that value up in the registry gives us the location of the binary description, MSHTML.TLB, a typelib structured as a PE file.  Now, using my utility, PEBrowse Professional, we open up this file.  Expanding the "Resources" and under that the "'TYPELIB'" node we find a single node, "1".  Selecting it, we request an "image" which will now produce the ODL for the Microsoft HTML Object Library.  Perform a find on the original GUID, and you will be placed at the dispinterface for IHTMLInputElement.  Scroll down to "id(12)" and you will find the method "name".

anonymouse Posted: Thursday, September 15 2005 11:37.10 CDT
Since smidgeonsoft mentioned TLBs and such, I remember something. Long back I was looking at a DLL and saw the "MSFT" header. Searching along to find what the heck it was, someone told me it was a CAB file header (now I hexed a random cabinet file and it was not MSFT but MSCF), and along the way I landed on this program:
http://www.com.it-berater.org/typelib_browser.htm

It generates a lot of info from those type libs, including code prototypes, and even saves them as *.bas, neat and clean.

Like this:

' ****************************************************************************************
' [get_]name property
' Interface name = IHTMLInputElement
' Attributes = 20 [&H14] [Bindable] [DisplayBind]
' VTable offset = 48 [&H30]
' DispID = -2147418112 [&H80010000]
' ****************************************************************************************
' The generated wrapper relies on two things from the generator's common include:
' the %E_POINTER equate (from PowerBASIC's WIN32API.INC) and a global HRESULT.
#INCLUDE "WIN32API.INC"
GLOBAL htmlfile_HRESULT AS LONG

DECLARE FUNCTION Proto_htmlfileIHTMLInputElement_get_name ( _
    BYVAL pthis AS DWORD PTR _                          ' %VT_DISPATCH <dispinterface>
  , BYREF p AS STRING _                                 ' *%VT_BSTR <DYNAMIC UNICODE STRING> [out]
    ) AS LONG                                           ' %VT_HRESULT <LONG>

FUNCTION htmlfileIHTMLInputElement_get_name ALIAS "htmlfileIHTMLInputElement_get_name" ( _
    BYVAL pthis AS DWORD PTR _                          ' %VT_DISPATCH <dispinterface>
  , BYREF p AS STRING _                                 ' *%VT_BSTR <DYNAMIC UNICODE STRING> [out]
    ) EXPORT AS LONG                                    ' %VT_HRESULT <LONG>

    ' A NULL interface pointer would crash on the vtable dereference below.
    IF ISFALSE pthis THEN htmlfile_HRESULT = %E_POINTER : EXIT FUNCTION
    ' pthis -> object, @pthis -> its vtable, @@pthis[12] -> slot 12 (12 * 4 = 48 = &H30),
    ' which is get_name. this is passed explicitly as the first argument.
    CALL DWORD @@pthis[12] USING Proto_htmlfileIHTMLInputElement_get_name(pthis, p) TO htmlfile_HRESULT
    FUNCTION = htmlfile_HRESULT
    p = ACODE$(p)                                       ' returned BSTR is Unicode; convert to ANSI

END FUNCTION

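Both comments above boil down to the same lookup: an indirect call through a vtable slot (offset 48, slot 12) is resolved to the method name that the type library assigns to that slot. The following script is an added example, not code from the article or from either commenter. It assumes the standard dual-interface layout (3 IUnknown slots, then 4 IDispatch slots, then the interface's own methods) and lists only the first six IHTMLInputElement methods in their mshtml.idl declaration order, of which the page itself confirms just slot 12 = get_name; the disassembly listing is constructed.

```python
"""Resolve indirect COM vtable calls in x86 disassembly to method names.

Added example. The vtable layout assumed here is the standard dual-interface
one: IUnknown (3 slots) and IDispatch (4 slots) precede the interface's own
methods, which follow their declaration order (propput before propget).
"""
import re

PTR_SIZE = 4  # x86 vtables; use 8 for x64

IUNKNOWN = ["QueryInterface", "AddRef", "Release"]
IDISPATCH = ["GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke"]
# First own methods of IHTMLInputElement (assumed order from mshtml.idl);
# the page confirms only that slot 12 / offset 48 is get_name.
IHTMLINPUTELEMENT = ["put_type", "get_type", "put_value", "get_value",
                     "put_name", "get_name"]

def build_vtable(own_methods, base=IUNKNOWN + IDISPATCH, ptr_size=PTR_SIZE):
    """Map byte offset -> method name for a dual interface."""
    return {i * ptr_size: name for i, name in enumerate(base + own_methods)}

CALL_RE = re.compile(r"call\s+(?:dword|qword)?\s*(?:ptr)?\s*\[\s*\w+\s*\+\s*"
                     r"(0x[0-9a-f]+|[0-9a-f]+h|\d+)\s*\]", re.I)

def parse_offset(tok):
    """Accept 0x30, 30h and decimal displacement spellings."""
    tok = tok.lower()
    if tok.startswith("0x"):
        return int(tok, 16)
    if tok.endswith("h"):
        return int(tok[:-1], 16)
    return int(tok)

def resolve_calls(disasm, vtable):
    """Return (line, method-or-None) for every indirect call in the listing."""
    out = []
    for line in disasm.splitlines():
        m = CALL_RE.search(line)
        if m:
            out.append((line.strip(), vtable.get(parse_offset(m.group(1)))))
    return out

# Constructed listing resembling what a disassembler shows around such a call.
SAMPLE = """
mov     eax, [esi]          ; eax = vtable of the IHTMLInputElement object
push    edi                 ; BSTR* out parameter
push    esi                 ; this
call    dword ptr [eax+30h] ; slot 12
mov     ecx, [ebx]
call    dword ptr [ecx+8]   ; IUnknown slot
call    dword ptr [eax+0x18]
call    dword ptr [eax+200h]
"""

if __name__ == "__main__":
    for line, name in resolve_calls(SAMPLE, build_vtable(IHTMLINPUTELEMENT)):
        print(f"{line:45s} -> {name or 'beyond the listed vtable'}")
```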


nikolatesla20 Posted: Wednesday, September 28 2005 09:26.52 CDT
Bout time someone focused on COM. It's not that hard

hoglund Posted: Monday, October 10 2005 01:13.27 CDT
Good article, thanks!

-Greg

droption Posted: Friday, June 23 2006 00:35.52 CDT
Perfect work


