# ida-utils

A small but brave and growing collection of advice, links and observations regarding reverse engineering using IDA Pro.

## Reversing COM binaries

### Understanding COM objects/binaries

[COM](https://msdn.microsoft.com/en-us/library/windows/desktop/ms694363(v=vs.85).aspx) - Component Object Model

https://www.codeproject.com/Articles/13601/COM-in-plain-C
- one of the best articles I have read. I highly recommend it

https://reverseengineering.stackexchange.com/questions/13282/ida-pro-list-com-methods
- a very informative thread

http://bytepointer.com/resources/index.htm
- a very interesting site. I highly recommend all the articles regarding COM

http://www.moserware.com/2008/01/finally-understanding-com-after.html
- interesting article with references to other good links for understanding COM

http://www.moserware.com/2009/04/using-obscure-windows-com-apis-in-net.html
- interesting article referenced in the previous recommendation

COM functions reside in ole32.dll (`C:\Windows\System32\ole32.dll`).

More information regarding COM can be found everywhere since [it is as old as me](https://en.wikipedia.org/wiki/Component_Object_Model).

### COM reversing tools

- [IDA Pro](https://www.hex-rays.com/products/ida/) :smile:
- [Win32 Python COM module](http://timgolden.me.uk/pywin32-docs/pythoncom.html)
- [RCE COM Tools library](http://www.woodmann.com/collaborative/tools/index.php/Category:COM_Tools)
- [Microsoft OLE-COM Object Viewer](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688269(v=vs.85).aspx)
- the binary comes with the Windows SDK. On my machine, I found the binary as follows (path and sample MD5 hash):

```
C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\arm64\oleview.exe - dd683d280b74d2cc2e6a31a574ac6da0
C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x64\oleview.exe - 3cec2bf41e410926f62e189bef547d30
C:\Program Files (x86)\Windows Kits\10\bin\10.0.17134.0\x86\oleview.exe - 0eeccd530de75c398329a1ba0194614f
```

### Using IDA Pro

#### Types

As ashamed as I am, I must admit I originally did not know in what type library (if any) I could find the IDA structures relating to COM.

First I used IDA's load header feature to load headers such as [guiddef.h](https://github.com/tpn/winsdk-10/blob/master/Include/10.0.10240.0/shared/guiddef.h).
The files are originally found when installing the Windows SDK (in my case they were in `C:\Program Files (x86)\Windows Kits\10\Include\10.0.17134.0`).
Initially I found most of my required headers online, [here](https://github.com/tpn/winsdk-10/blob/master/Include/10.0.10240.0/) for example.

A second attempt was to create an IDA .til file. Not knowing all the header files I would need, I parsed the 133 function pages displayed here: [MSDN list of functions that are provided by COM](https://msdn.microsoft.com/en-us/library/windows/desktop/ms680586(v=vs.85).aspx) to find out that all the functions were exported by:
```
Callobj.h
Combaseapi.h
GuidDef.h
Messagedispatcherapi.h
Objbase.h
Ole2.h
Olectl.h
ROApi.h
Urlmon.h
```
which I subsequently collected from the SDK in order to build into the .til. At this point I realised the types were probably in a Visual Studio type library, something that IDA has.

The type library I was looking for was:
`vc9 - Visual Studio v9 headers (without windows.h)`
The header files are also found in `vc6win - Visual C++` but with a different flavor.
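Supplementing the Types section, here is an added example (written for this page, not code from ida-utils, from IDA or from the Windows SDK). It decodes a COM GUID (CLSID or IID) from the 16-byte in-memory layout that guiddef.h declares, matches it against a small table of well-known interface IDs, and lists the IUnknown vtable slots that every COM interface starts with. The only assumptions are the guiddef.h field layout and the three IIDs in the table (IID_IUnknown, IID_IClassFactory, IID_IDispatch); the sample `.rdata` fragment is constructed inline.

```python
# Added example for the Types section of ida-utils; not part of the project.
# It decodes COM GUIDs (CLSIDs/IIDs) from the raw 16-byte layout that
# guiddef.h defines, so a constant met while reversing can be matched
# against well-known interface IDs, and it lists the IUnknown vtable slots
# that every COM interface vtable begins with.
import struct
import uuid

# guiddef.h: DWORD Data1; WORD Data2; WORD Data3; BYTE Data4[8].
# The first three fields are stored little-endian on x86/x64, Data4 as-is,
# so the bytes in a binary are not the canonical string read left to right.
GUID_FMT = "<IHH8s"
GUID_SIZE = struct.calcsize(GUID_FMT)  # 16

# Well-known IIDs from the Windows SDK headers (the only ones this example knows).
KNOWN_GUIDS = {
    "00000000-0000-0000-C000-000000000046": "IID_IUnknown",
    "00000001-0000-0000-C000-000000000046": "IID_IClassFactory",
    "00020400-0000-0000-C000-000000000046": "IID_IDispatch",
}

# Every COM interface vtable begins with these three IUnknown methods.
IUNKNOWN_METHODS = ("QueryInterface", "AddRef", "Release")


def guid_from_bytes(raw: bytes) -> str:
    """Decode 16 raw bytes into the canonical upper-case GUID string."""
    if len(raw) != GUID_SIZE:
        raise ValueError("a GUID is exactly %d bytes" % GUID_SIZE)
    data1, data2, data3, data4 = struct.unpack(GUID_FMT, raw)
    return "%08X-%04X-%04X-%02X%02X-%s" % (
        data1, data2, data3, data4[0], data4[1], data4[2:].hex().upper())


def guid_to_bytes(text: str) -> bytes:
    """Encode a canonical GUID string into its in-memory (little-endian) layout."""
    return uuid.UUID(text).bytes_le


def scan_for_guids(blob: bytes, known=KNOWN_GUIDS, alignment: int = 4):
    """Return (offset, name, guid) for every known GUID found in blob.

    Compilers normally place GUID constants on at least a 4-byte boundary,
    so the scan steps by `alignment`; pass 1 to test every offset.
    """
    hits = []
    for off in range(0, len(blob) - GUID_SIZE + 1, alignment):
        guid = guid_from_bytes(blob[off:off + GUID_SIZE])
        if guid in known:
            hits.append((off, known[guid], guid))
    return hits


def iunknown_slot_offsets(pointer_size: int) -> dict:
    """Byte offset of each IUnknown method inside a vtable (4 on x86, 8 on x64)."""
    return {name: i * pointer_size for i, name in enumerate(IUNKNOWN_METHODS)}


# Constructed sample: a fake .rdata fragment with two IIDs between padding.
SAMPLE_RDATA = (
    b"\x90" * 8
    + guid_to_bytes("00000000-0000-0000-C000-000000000046")  # at offset 8
    + b"\x00" * 4
    + guid_to_bytes("00000001-0000-0000-C000-000000000046")  # at offset 28
    + b"\xcc" * 5
)

if __name__ == "__main__":
    for off, name, guid in scan_for_guids(SAMPLE_RDATA):
        print("0x%04x  %-18s {%s}" % (off, name, guid))
    for name, off in iunknown_slot_offsets(8).items():
        print("x64 vtable +0x%02x  %s" % (off, name))
```

The same byte-swapping is why a 16-byte constant seen in the disassembly never looks like the `{...}` string from the SDK header until the `GUID` type is applied; and the slot offsets are why applying the `IUnknown` type to a vtable pointer immediately names the first three entries.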

One could have used something similar to `for /R %i in (*.til) do (tilib.exe -lc "%i" | grep GUID -c | grep -v 0)` to find any referenced target structures, but where would the reverse engineering fun in that be?

After loading the type library and doing a type change, such beauty beholds; an example:

![IUnknown](/resources/IUnknown_type.png)

#### Scripts

Haven't found many.

- https://github.com/noobdoesre/py-com-tools

#### Plugins

IDA already comes with:

- [Dieter Spaar's COM Interface Plugin](https://www.hex-rays.com/products/ida/support/download.shtml)

- [Class Informer](https://sourceforge.net/projects/classinformer/) plugin by Sirmabus that can help reconstruct RTTI information for your COM object. It requires IDA Pro 6.9 or greater.