From Collaborative RCE Tool Library
COM Tools
| Tool name: | Class Informer |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | http://www.openrce.org/blog/view/1344/Class_Informer_IDA_plug-in | |||
| Current version: | 1.01 | |||
| Last updated: | April 2, 2009 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data. Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table") and make them read easier as an aid to reverse engineering. Creates a list window with found vftables for browsing. RTTI ("Run-Time Type Identification"): http://en.wikipedia.org/wiki/RTTI RTCI ("Run Time Class Information") the MFC forerunner to "RTTI": http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx ------------------------------------------------------------ See also screenshot example of vftable info set by plug-in below. | |||
| Also listed in: | IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | COMRaider |
| ||
|---|---|---|---|---|
| Author: | David Zimmer | |||
| Website: | http://labs.idefense.com/software/fuzzing.php#more_comraider | |||
| Current version: | ||||
| Last updated: | November 8, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | COMRaider is a tool designed to fuzz COM Object Interfaces. It can also extract information about them and their interfaces etc. Features include: * Capability to easily enumerate safe for scripting objects * Ability to scan for COM objects by path, filename, or guid * Integrated type library viewer * Integrated debugger to monitor exceptions, close windows,log api * External vbs script allows you to easily edit fuzzer permutations * Built in webserver to test exploits on the fly * Enumerate and view controls with killbit set * Distributed auditing mode to allow entire teams to work together * Ability to upload crash files to central server for group analysis * Automation tools allowing you to easily fuzz multiple libraries, individual classes, or specific functions. | |||
| Also listed in: | COM Debugging Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | COMView |
| ||
|---|---|---|---|---|
| Author: | japheth | |||
| Website: | http://www.japheth.de/COMView.html | |||
| Current version: | 2.98 | |||
| Last updated: | July 2007 | |||
| Direct D/L link: | http://www.japheth.de/Download/COMView.zip | |||
| License type: | Free | |||
| Description: | COMView is a tool for viewing and handling COM (Component Objects Model) things. It is intended to be used by programers, although it might also be useful for experienced end users. The following functions are included: * Shows COM related entries in the registry * Build in registry editor to modify these entries * Consistency check of COM related registry information * Shows type library information * Can generate ASM include files from type libraries * "Dispatch helper" ASM includes may be generated to simplify using IDispatch and events. * COM objects can be created and interfaces exposed are shown * OLE container is implemented allowing to view and test OLE/ActiveX controls * Object properties may be edited and methods be executed. * Object model exposed by an application/control may be walked. * May connect to source interfaces and display events Please note: to get benefits from using COMView it is expected to be familiar with COM basics, there is no tutorial included in COMView. | |||
| Also listed in: | COM Debugging Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | CoClassSyms |
| ||
|---|---|---|---|---|
| Author: | Matt Pietrek | |||
| Website: | http://www.microsoft.com/msj/0399/comtype/comtype.aspx | |||
| Current version: | 1.0 | |||
| Last updated: | March 1999 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | "CoClass" in the "CoClassSyms" name refers to the TKIND_COCLASS entries in the typelib from which the symbols are created. CoClassSyms is a command-line program that operates on executable files containing a type library. This can be an .OCX or some other DLL such as MSHTML.DLL (which is a core component of Microsoft Internet Explorer). The output from CoClassSyms is either a .MAP or .DBG file. The code included with this article only supports .MAP file generation. However, if you drop in the DLL from this month's Under the Hood column, CoClassSyms generates a .DBG file instead. In either case, the output file has the same root file name as the input executable. Thus, running CoClassSyms on MSHTML.DLL creates MSHTML.MAP or MSHTML.DBG. Regardless of whether you make a .MAP or .DBG file, you'll no doubt want to get the debugger to recognize and load the symbol information. If you generate a .DBG file, make sure it is in the same directory as the associated executable. In my experience, the Visual Studio 6.0 debugger automatically loads the .DBG file as needed. Using WinDBG, I had to explicitly load the .DBG file in the command window. I wasn't able to get Visual Studio 5.0 to load the .DBG file, but I couldn't determine the cause of the problem. If everything goes well and the debugger loads your generated .DBG file, you should be able to set breakpoints by name on the methods. (Hint: you may want to first generate a .MAP file to get an idea of the available method names.) Of course, since you likely don't have source code for the executable, you'll be in the assembly language view when the breakpoints hit. You should also see method names in the call stack. | |||
| Also listed in: | COM Debugging Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | GUID-Finder |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | http://www.openrce.org/repositories/users/Sirmabus | |||
| Current version: | 1.0b | |||
| Last updated: | January 17, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | A GUID/UUID finding/fixing IDA plug-in. The COM side of RE'ing (at least with "dead listing") can be pretty elusive. With this you can at least partially glean what interfaces and classes a target is using. This plug-in scans the IDB for class and interfaces GUIDs and creates the matching structure with label. IDA can find these on it's own, but it often misses them, so this can fill in the gap. Plus this plug-in allows you to easily add custom declarations, and is handy to do a general audit for such GUIDs. This is based Frank Boldewin's IDA Python script that you can find here: http://www.openrce.org/downloads/details/250/ClassAndInterfaceToNames or off his home page: http://www.reconstructer.org/code/ClassAndInterfaceToNames.zip It's a great utility, I found me self using it regularly. But I wanted one that wasn't dependant on IDA Python, and one that might be a bit faster. I've made some enhancements too (see below). Some interesting reading: http://en.wikipedia.org/wiki/Globally_Unique_Identifier http://en.wikipedia.org/wiki/UUID [How to run it] Just invoke it using your selected IDA hot-key, or from "Edit->Plugins". Normally you will want to keep the ""Skip code segments for speed"" check box checked, because it can make a big difference in the run time. With unchecked, code segments are also scanned. You'll want to scan the code to if the target is a Delphi, or others where data tends to be code/.text segment, or if you just want to be more thorough. It might take some time to scan everything depending on the size of the IDB your computer, etc.. When it's done, you should see a list of interfaces and classes in the IDA log window. If you want to go look at a particular entry to RE (to look at xrefs, etc.) just click on the line and IDA will jump to it. [How it works] 1. Loads in GUID/UUID defs for the two text files "Interfaces.txt" and "Classes.txt". A little enhancement here over Frank's format, you can have blank lines and have comments prefixed with '#' (first char, whole line only. Not a very forgiving parser). In the source is "DumpLib", a utility I created to parse LIB files (like "uuid.lib") to gather more GUIDs. As of this build, it's a collection of Frank's original UUIDs plus all the ones to be found in VS2005 libraries along with DirectX 9.1,. There could be more explicitly created in header (.h/.hpp) files but have yet to make a utility to parse them. If you want to add custom GUID defines (from 3rd party software, etc.), just edit these text files manually. 2. After it loads in the defs, the plug-in iterates through all segments in your currently open IDB. By default it will skip code/".text" segments, and import/export segments for speed. Usually you find GUIDs in the ".rdata", and ".data" segments. I originally intended to sort all the GUIDs by similarity and search with partial wild cards for speed. If you take a look at the GUID defs you will see that many GUIDs share common numbers that often differ only be the least significant digits ("Data4"). At least in theory, searching for groups wild cards should make searching faster. Maybe next version.. [Known problems/issues/limitations] 1. If a given GUID 16byte def just so happens to match something that is not really a GUID, the plug-in will try to convert it to one regardless (another reason not to run it over code sections). So far I have not found this to be much of issue, although it could be. Could add a confirm dialog for each to let the user decide. 2. Some GUID set operations will fail. This is usually because something is bad/wrong at the particular address; like a partial code def, or incorrect xref. The plug-in will display most of these errors in the IDA log window for manual correction. 3. TODO: Other GUID times like "DIID", "LIBID", "CATID", usefull? | |||
| Also listed in: | COM Debugging Tools, IDA Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | MetaPuck |
| ||
|---|---|---|---|---|
| Author: | y0da | |||
| Website: | http://y0da.cjb.net | |||
| Current version: | 1.0 | |||
| Last updated: | 2005 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | MetaPuck is a tool to spy the information, being hidden in the MetaData block inside the CLR (Common Language Runtime) Portable Executeable images of the .NET framework, and displays it in a well overlookable TreeView. It also parses .NET "typelibs". Included full source code. | |||
| Also listed in: | COM Debugging Tools, .NET Executable Editors | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | OLE RE Tools |
| ||
|---|---|---|---|---|
| Author: | Joe Stewart | |||
| Website: | http://www.openrce.org/articles/full_view/17 | |||
| Current version: | 1.0 | |||
| Last updated: | September 12, 2005 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Some utils to assist in reverse-engineering OLE applications. Use on Win32 may require addition of BINMODE. guidextract.pl - find and label OLE GUIDs in an executable guids.txt - list of GUIDs and interface names from my registry reg2guidlist.pl - make your own guids.list from a registry export file listmethods.pl - list interface methods and offsets in Vtbl | |||
| Also listed in: | COM Debugging Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | OLE/COM Object Viewer (OLEview) |
| ||
|---|---|---|---|---|
| Author: | Microsoft | |||
| Website: | http://www.microsoft.com/downloads/details.aspx?familyid=5233b70d-d9b2-4cb5-aeb6-45664be858b6 | |||
| Current version: | 1.00.0.1 | |||
| Last updated: | October 18, 2000 | |||
| Direct D/L link: | N/A | |||
| License type: | Free | |||
| Description: | Browses, configures, and tests Microsoft Component Object Model classes installed on a computer. | |||
| Also listed in: | COM Debugging Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | PEBrowse Professional |
| ||
|---|---|---|---|---|
| Author: | SmidgeonSoft | |||
| Website: | http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html | |||
| Current version: | 10.0.1 | |||
| Last updated: | July 12, 2009 | |||
| Direct D/L link: | http://www.smidgeonsoft.com/download/PEBrowse.zip | |||
| License type: | Free | |||
| Description: | PEBrowse Professional is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies produced according to the Portable Executable specifications published by Microsoft. For Microsoft Windows Vista, Windows XP, Windows 2000, and others. (We have received reports that the software also works on other OSes, including Wine (!) and Windows CE.) With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using PEBrowse. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu. While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as: * Module entry-point * Exports (if any) * Debug-symbols (if a valid PDB, i.e., program database file, is present) * Imported API references * Relocation addresses * Internal functions/subroutines * Any valid address inside of the module Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays. PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files. PEBrowse Professional also displays all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. It seamlessly handles mixed assemblies, i.e., those that contain both native and managed code. Finally, PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped. | |||
| Also listed in: | .NET Disassemblers, .NET Tools, Delphi Tools, Disassemblers, Exe Analyzers, Memory Dumpers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | TypeLib Browser |
| ||
|---|---|---|---|---|
| Author: | José Roca | |||
| Website: | http://www.com.it-berater.org/typelib_browser.htm | |||
| Current version: | 2.05 | |||
| Last updated: | July 18, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | The TypeLib Browser is a tool designed to let you to examine the contents of COM servers and ActiveX controls and to provide alternate ways to use them or to give workarounds to features still not available in the Power Basic compilers, such events sink. Besides letting you to inspect all the information available in the typelibs, it generates wrapper functions that use direct VTable calls. | |||
| Also listed in: | COM Debugging Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | WinApiOverride |
| ||
|---|---|---|---|---|
| Author: | Jacquelin POTIER | |||
| Website: | http://jacquelin.potier.free.fr/winapioverride32/ | |||
| Current version: | 5.1.11 | |||
| Last updated: | July 18, 2009 | |||
| Direct D/L link: | http://jacquelin.potier.free.fr/exe/winapioverride32_bin.zip | |||
| License type: | Free / Open Source (GPL v2) | |||
| Description: | WinAPIOverride32 is an advanced api monitoring software. You can monitor and/or override any function of a process. This can be done for API functions or executable internal functions. It tries to fill the gap between classical API monitoring softwares and debuggers. It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application. Main differences between other API monitoring softwares : - You can define filters on parameters or function result - You can define filters on dll to discard calls from windows system dll - You can hook functions inside the target process not only API - You can hook asm functions with parameters passed through registers - Double and float results are logged - Preserve registers, floating stack and LastError - You can easily override any API or any process internal function - You can break process before or/and after function call to change memory or registers - You can call functions which are inside the remote processes - Can hook COM OLE and ActiveX interfaces - All is is done like modules : you can log or override independently for any function | |||
| Also listed in: | .NET Tracers, API Monitoring Tools, COM Monitoring Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
Feed containing all updates and additions for this category.
Feed containing all updates and additions for this category, including sub-categories.
Subcategories
There are 2 subcategories to this category.
