2

I've successfully reverse a DLL file which uses a COM interface and found the Class ID (CLSID) and Interface ID (IID). In Visual Studio debugging memory, it shows S_OK with CoCreateInstance() and all the function pointers of that COM interface. I saw this question but that uses IDA to reverse a DLL.

I've followed an article which shows finding methods definition using Visual Studio debug mode. I've both CLSID and IID from which I get the interface pointer.

So, my question is how can I find the (undocumented) function definitions? Is there any easy general guidelines to follow? It will be easy if someone show an procedure with Visual Studio, reversing with IDA is bit more complex.

Update: According to the answer I reverse the DLL in IDA but the assembly shows the

off_180002230 dq offset off_1800023D0 ; DATA XREF: .rdata:off_180002480↓o dq offset ILxssUserSession dq offset IUnknown_QueryInterface_Proxy dq offset IUnknown_AddRef_Proxy dq offset IUnknown_Release_Proxy dq offset ObjectStublessClient3 dq offset ObjectStublessClient4 dq offset ObjectStublessClient5 dq offset ObjectStublessClient6 dq offset ObjectStublessClient7 dq offset ObjectStublessClient8 dq offset ObjectStublessClient9 dq offset ObjectStublessClient10 dq offset ObjectStublessClient11 dq offset ObjectStublessClient12 dq offset ObjectStublessClient13 dq offset ObjectStublessClient14 unk_1800022B8 db 22h ; " ; DATA XREF: .rdata:0000000180002DE0↓o

How can I relate those offset to a real function pointer? The current DLL is a proxy stub DLL and the real function is implemented/defined in another DLL. I've also seen this question which shows to follow function pointers.

Improve this question
1
  • For those who want to disassemble a COM interface, load PDB file in IDA. This helps me to disassemble it. Also you may use simple structs within structs as a inherited class. Commented May 27, 2018 at 8:32

1 Answer 1

Reset to default
3

Well, in general you follow the code flow from DllGetClassObject and find the code which creates COM classes depending on clsid and iid. Due to COM methods are virtual methods of C++ class, you'll be able to find VTBL for each COM class, and from there determine how many methods it has. Then you reverse each method to understand how many arguments it has and which are the types of arguments.

Improve this answer
5
  • the only way is through disassembling. IDA may recognize the arguments count automatically, but the types of the arguments are up to you to reverse engineer. Also pay attention to the fact that COM methods pass the pointer to this as stack argument, not via ECX. I.e. first argument in COM methods is always this. Commented Apr 19, 2018 at 8:29
  • 1
    each pointer in vtable points to the function code, which you need to disasseble. One by one. Commented Apr 23, 2018 at 7:33
  • It depends on the class hierarchy. Yes the first 3 methods in ppv are always QueryInterface, AddRef and Release due to all COM classes are derived from IUnknown. If the class is derived from IDispatch (which is derived from IUnknown), then there's going to be GetTypeInfoCount, GetTypeInfo, GetIDsOfNames and Invoke. And after those, there will be own methods of the COM class. Commented May 24, 2018 at 10:29
  • Ia asked if the offsets are different in 32bit and 64bit. Commented May 24, 2018 at 12:22
  • Yep, these ppv items are pointers, so in 32bit code the offsets will be a multiple of 4, in x64 - multiple of 8. Ex 0, 4, 8 vs 0, 8, 0x10 etc. Commented May 24, 2018 at 14:31

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.