Collaborative RCE Tool Library - COM Debugging Tools (including sub-categories)

Tool Added: OLE RE Tools

2008-03-27T09:41:43Z

Listed in categories: COM Debugging Tools

Most recent version:
1.0

Most recent release date:
September 12, 2005

Description:
Some utils to assist in reverse-engineering OLE applications.
Use on Win32 may require addition of BINMODE.

guidextract.pl - find and label OLE GUIDs in an executable
guids.txt - list of GUIDs and interface names from my registry
reg2guidlist.pl - make your own guids.list from a registry export file
listmethods.pl - list interface methods and offsets in Vtbl

Tool Added: TypeLib Browser

2008-03-27T09:34:55Z

Listed in categories: COM Debugging Tools

Most recent version:
2.05

Most recent release date:
July 18, 2006

Description:
The TypeLib Browser is a tool designed to let you to examine the contents of COM servers and ActiveX controls and to provide alternate ways to use them or to give workarounds to features still not available in the Power Basic compilers, such events sink.

Besides letting you to inspect all the information available in the typelibs, it generates wrapper functions that use direct VTable calls.

Tool Updated: GUID-Finder

2008-01-23T22:05:27Z

Listed in categories: COM Debugging Tools, IDA Extensions

Most recent version:
1.0b

Most recent release date:
January 17, 2008

Description:
A GUID/UUID finding/fixing IDA plug-in.

The COM side of RE'ing (at least with "dead listing") can be pretty elusive.
With this you can at least partially glean what interfaces and classes a target is
using.

This plug-in scans the IDB for class and interfaces GUIDs and creates the matching
structure with label. IDA can find these on it's own, but it often misses them, so
this can fill in the gap.
Plus this plug-in allows you to easily add custom declarations, and is handy to do
a general audit for such GUIDs.

This is based Frank Boldewin's IDA Python script that you can find here:
http://www.openrce.org/downloads/details/250/ClassAndInterfaceToNames
or off his home page:
http://www.reconstructer.org/code/ClassAndInterfaceToNames.zip

It's a great utility, I found me self using it regularly. But I wanted one that
wasn't dependant on IDA Python, and one that might be a bit faster.
I've made some enhancements too (see below).

Some interesting reading:
http://en.wikipedia.org/wiki/Globally_Unique_Identifier
http://en.wikipedia.org/wiki/UUID

[How to run it]
Just invoke it using your selected IDA hot-key, or from "Edit->Plugins".
Normally you will want to keep the ""Skip code segments for speed"" check box checked,
because it can make a big difference in the run time. With unchecked, code segments are
also scanned. You'll want to scan the code to if the target is a Delphi, or others where
data tends to be code/.text segment, or if you just want to be more thorough.

It might take some time to scan everything depending on the size of the IDB your computer,
etc..

When it's done, you should see a list of interfaces and classes in the IDA log window.
If you want to go look at a particular entry to RE (to look at xrefs, etc.) just click on
the line and IDA will jump to it.

[How it works]
1. Loads in GUID/UUID defs for the two text files "Interfaces.txt" and "Classes.txt".
A little enhancement here over Frank's format, you can have blank lines and have
comments prefixed with '#' (first char, whole line only. Not a very forgiving parser).

In the source is "DumpLib", a utility I created to parse LIB files (like "uuid.lib")
to gather more GUIDs. As of this build, it's a collection of Frank's original UUIDs
plus all the ones to be found in VS2005 libraries along with DirectX 9.1,.

There could be more explicitly created in header (.h/.hpp) files but have yet to make
a utility to parse them.

If you want to add custom GUID defines (from 3rd party software, etc.), just edit
these text files manually.

2. After it loads in the defs, the plug-in iterates through all segments in your currently
open IDB. By default it will skip code/".text" segments, and import/export segments for
speed. Usually you find GUIDs in the ".rdata", and ".data" segments.

I originally intended to sort all the GUIDs by similarity and search with partial wild
cards for speed. If you take a look at the GUID defs you will see that many GUIDs share
common numbers that often differ only be the least significant digits ("Data4").
At least in theory, searching for groups wild cards should make searching faster.
Maybe next version..

[Known problems/issues/limitations]
1. If a given GUID 16byte def just so happens to match something that is not really a GUID,
the plug-in will try to convert it to one regardless (another reason not to run it
over code sections). So far I have not found this to be much of issue, although it could
be. Could add a confirm dialog for each to let the user decide.

2. Some GUID set operations will fail. This is usually because something is bad/wrong at the
particular address; like a partial code def, or incorrect xref.
The plug-in will display most of these errors in the IDA log window for manual correction.

3. TODO: Other GUID times like "DIID", "LIBID", "CATID", usefull?

Tool Added: CoClassSyms

2008-01-13T21:04:01Z

Listed in categories: COM Debugging Tools

Most recent version:
1.0

Most recent release date:
March 1999

Description:
"CoClass" in the "CoClassSyms" name refers to the TKIND_COCLASS entries in the typelib from which the symbols are created. CoClassSyms is a command-line program that operates on executable files containing a type library. This can be an .OCX or some other DLL such as MSHTML.DLL (which is a core component of Microsoft Internet Explorer).

The output from CoClassSyms is either a .MAP or .DBG file. The code included with this article only supports .MAP file generation. However, if you drop in the DLL from this month's Under the Hood column, CoClassSyms generates a .DBG file instead. In either case, the output file has the same root file name as the input executable. Thus, running CoClassSyms on MSHTML.DLL creates MSHTML.MAP or MSHTML.DBG.

Regardless of whether you make a .MAP or .DBG file, you'll no doubt want to get the debugger to recognize and load the symbol information. If you generate a .DBG file, make sure it is in the same directory as the associated executable. In my experience, the Visual Studio 6.0 debugger automatically loads the .DBG file as needed. Using WinDBG, I had to explicitly load the .DBG file in the command window. I wasn't able to get Visual Studio 5.0 to load the .DBG file, but I couldn't determine the cause of the problem.

If everything goes well and the debugger loads your generated .DBG file, you should be able to set breakpoints by name on the methods. (Hint: you may want to first generate a .MAP file to get an idea of the available method names.) Of course, since you likely don't have source code for the executable, you'll be in the assembly language view when the breakpoints hit. You should also see method names in the call stack.

Tool Added: OLE/COM Object Viewer (OLEview)

2008-01-10T19:57:45Z

Listed in categories: COM Debugging Tools

Most recent version:
1.00.0.1

Most recent release date:
October 18, 2000

Description:
Browses, configures, and tests Microsoft Component Object Model classes installed on a computer.

Tool Updated: COMRaider

2008-01-10T19:54:14Z

Listed in categories: COM Debugging Tools

Most recent version:

Most recent release date:
November 8, 2006

Description:
COMRaider is a tool designed to fuzz COM Object Interfaces. It can also extract information about them and their interfaces etc.

Features include:

* Capability to easily enumerate safe for scripting objects
* Ability to scan for COM objects by path, filename, or guid
* Integrated type library viewer
* Integrated debugger to monitor exceptions, close windows,log api
* External vbs script allows you to easily edit fuzzer permutations
* Built in webserver to test exploits on the fly
* Enumerate and view controls with killbit set
* Distributed auditing mode to allow entire teams to work together
* Ability to upload crash files to central server for group analysis
* Automation tools allowing you to easily fuzz multiple libraries, individual classes, or specific functions.

Tool Updated: MetaPuck

2008-01-10T19:28:05Z

Listed in categories: .NET Executable Editors, COM Debugging Tools

Most recent version:
1.0

Most recent release date:
2005

Description:
MetaPuck is a tool to spy the information, being hidden in the MetaData block inside the CLR (Common Language Runtime) Portable Executeable images of the .NET framework, and displays it in a well overlookable TreeView. It also parses .NET "typelibs". Included full source code.

Tool Updated: COMView

2008-01-01T14:13:57Z

Listed in categories: COM Debugging Tools

Most recent version:
2.98

Most recent release date:
July 2007

Description:
COMView is a tool for viewing and handling COM (Component Objects Model) things.
It is intended to be used by programers, although it might also be useful for experienced end users.
The following functions are included:

* Shows COM related entries in the registry
* Build in registry editor to modify these entries
* Consistency check of COM related registry information
* Shows type library information
* Can generate ASM include files from type libraries
* "Dispatch helper" ASM includes may be generated to simplify using IDispatch and events.
* COM objects can be created and interfaces exposed are shown
* OLE container is implemented allowing to view and test OLE/ActiveX controls
* Object properties may be edited and methods be executed.
* Object model exposed by an application/control may be walked.
* May connect to source interfaces and display events

Please note: to get benefits from using COMView it is expected to be familiar with COM basics, there is no tutorial included in COMView.