COM组件导出表查看+IDA函数名标记

arryboom

最近在研究某软件注册机制，发现有暗桩存于COM组件方式调用的DLL中，检索了诸多资源得到以下可用的com导出表查看和IDA标记插件。

首先，该COM组件虽为DLL，但使用常规PE工具看PE导出表肯定是看不到相关函数名的:


但是调试该软件时得知有多个COM导出类，于是一番查询找到了DLL Export Viewer神器，除了可以看常规PE的导出表还可以看COM组件类型的：



但是此时发现一个问题，COM组件的方法名有了，但是该工具并没有给出COM方法的地址，无法在IDA里面对应到具体的代码位置，



于是又是一番检索，发现了DumpVTable这个专门针对COM组件的IDA标记插件

[Bash shell] 纯文本查看 复制代码

>DumpVTable.exe
usage:
    >this.exe target_file out_file [-r] [-y]

    target_file: A path of a target COM file.
    out_file: A file name of an output Python script.
    -r: Register a target file as COM during analysis.
        It may require Administrators privilege.
    -y: Do not show a warning message.
As an example, assuming that you are going to analyze Flash10zr.ocx with IDA Pro.

First, you can use this tool to create a Python script (out.py).

>DumpVTable.exe C:\Windows\SysWOW64\Macromed\Flash\Flash10zr.ocx out.py

愉快的用DumpVTable生成了py，然后IDA->FILE->SCRIPT FILE运行




果然美丽的标记了我们的subxxxxxxx们




然后突然发现坛子里早有大佬就此也发布了插件 https://www.52pojie.cn/forum.php?mod=viewthread&tid=850643
这个没有验证，因为我已经在走下一步了


最后是这几个工具的备份：

DumpVTable-master.zip (225.93 KB, 下载次数: 225)

2019-4-28 17:29 上传

点击文件名下载附件

dllexp-x64.zip (70.16 KB, 下载次数: 120)

2019-4-28 17:29 上传

点击文件名下载附件

dllexp.zip (54.55 KB, 下载次数: 120)

2019-4-28 17:29 上传

点击文件名下载附件

对了补充一下：
特别注意：由于需要加载dll之后获取虚表，所以千万不要用于实机恶意程序分析

arryboom

再补个此类工具的原理介绍，转载
https://reverseengineering.stackexchange.com/questions/13282/ida-pro-list-com-methods


Original questionThis is not as trivial as one would hope for quite a simple reason, COM objects are internal objects, and do not expose their implementation details by exporting functions.Instead, COM provides an interface to create COM instances of a specific class using a class UUID (commonly known CLSID) as means to identify a COM class. COM objects are created by calling CoCreateInstance documented here.The returned object is a C++ object implementing a set of APIs exposed as a virtual function table for that COM object, so there's no need to export those functions and that's you can't find them using IDA's exports view.Side note: Although COM related reversing questions are not at all too scarce, there are a lot fewer questions related to reversing COM classes. Most COM related questions involve attempts to reverse engineer software using COM, while it appears the OP is trying to reverse engineer a COM class. I guess this is somewhat because most COM classes are documented to some extent.DLL Export Viewer resultsAs documented here, DLL Export Viewer supports reading COM Type Libraries from type library resources embedded inside the DLL. I'll describe COM Type Libraries in a few paragraphs and you'll see how you could get that data in IDAPython.From the original site:

Version 1.10

• Added support for 64-bit DLL files.
• New option: Display method and properties of COM type libraries.
  

Actually reverse engineering a COM providerAlthough your question was a bit misguided, there are still several resources that could help you RE COM object providers.DocumentationSome resouces are available for in-depth COM understanding (and therefore reversing) online, such as MSDN's basic COM development guide, Microsoft System Journal about come type librariesOleview.exeFirst, for basic understanding of COM objects and ability to browse COM objects defined on your machine you should try using Oleview, downloadable as part of windows Driver Kit or similar.OleView.exe lets you list installed COM objects, the interfaces they provide (which describe the actual methods implemented by that COM object), each COM object's class ID, etc. If you can find your COM object here, it'll greatly help you in later stages.Class informer pluginUsing the class informer IDA plugin, you might be able to find RTTI information for your COM object. This will help you find and partially map your COM object's Virtual Function Table (which, again, describes available functionality of a COM object by actually pointing to the implementation methods). Using IDA's builtin COM Helper plugin might also be useful.Manually parsing type library files (*.tlb) using pythonAlthough this is roughly what Oleview.exe (and the likes) are doing, you could manually parse any *.tlb file you find (usually located near the COM DLL or embedded as a resource inside it) to get the information you're interested in (including offsets in the binary where functions are implemented). A python module called pythoncom exists for that, as part of the python for win32 extensions. Documentation is here, and the module can be downloaded here










There is an old plugin by Dieter Spaar which uses TypeLib API to enumerate COM methods and find their addresses. The code is somewhat old so might need some adjustments for the later IDA versions. Note that it relies on presence of the typelib info so might not work for barebones (typelib-less) COM objects.It is based on this article by Matt Pietrek.Edit: one more thing. To figure out the addresses of the interface's methods, the plugin has to actually create the class implementing the interface (by calling CoCreateInstance) which means that it will execute code from the DLL/OCX. So you need to take care with files of uncertain origins.

arryboom

再补个DumpbinGUI，也是查看导出表，外网说微软官方工具用途很多，但是实测不能解析COM组件的导出表

DumpBinGUI.zip (461.87 KB, 下载次数: 64)

2019-4-28 21:53 上传

点击文件名下载附件

liyu6056

厉害了，感谢分享

arryboom

补充个另外的DLL export查看

https://github.com/jNizM/DllExport

JakerPower

感谢分享.下载收藏。。。

arryboom

再补个COMRaider，应该是早年fuzz com组件的工具，也可看com组件方法导出，Github也有，此处备份

COMRaider_Setup.zip (1.95 MB, 下载次数: 122)

2019-4-29 14:29 上传

点击文件名下载附件

spchen

感谢分享

loquat

赞一下，全是干货

0x3E6

楼主测试的DLL能导出所有函数名吗？我在Win7和Win10测试只导出了2个类的函数