Geeks With Blogs
Henk Devos Henk's Random Thoughts

Many people have asked me how i repeatedly succeeded in getting the exact definition of an undocumented COM interface.
It is actually quite easy.

I always do this in the Visual C++ debugger, with full Windows debug symbols installed.

First you have to get hold of an implementation of the interface. This is usually the hard part.

Once you have the interface pointer, see which address the pointer points to.
Copy this address to the memory window.

Your memory window is now displaying the vtable for the interface.
Every 4 bytes in the memory window are for a function of the interface.
Be careful: The addresses are in intel byte order, so you have to reverse order of the bytes to get an actual address.

Now you can just copy the addresses one by one in your EIP register (the instruction pointer).
Your call stack will display the exact definition of the function, complete with parameters etc.
You will have to invent the names for the parameters yourself, but they do not really matter.
The first three functions will be the IUnknown functions QueryInterface, AddRef and Release.
After that come all the other functions of the interface.

Posted on Monday, March 15, 2004 7:27 PM Shell Programming | Back to top

Comments on this post: How to reverse engineer a COM interface

# re: How to reverse engineer a COM interface
Requesting Gravatar...
I am trying to do this, but I cannot see how can I change the value of EIP register, or any register for that matter. Can you help with that? Is this related to the fact that I do not have full Windows debug symbols installed?
Left by Tani on Apr 27, 2004 3:06 PM

# re: How to reverse engineer a COM interface
Requesting Gravatar...
Open the registers window and type the new value there.
Or alternatively, in the watch window type eip, then change the value.
Left by Henk Devos on Apr 27, 2004 3:10 PM

# re: How to reverse engineer a COM interface
Requesting Gravatar...
Thanks, the watch window worked. I cannot type anything on the registers window, but that's fine.

Now I can do all the steps. For the moment I am getting a pointer to IDispatch and looking at the vtable.
So I copy the value of IDispatch* to the memory window. Then copy the first 4 bytes to EIP. All I can see in the Call Stack winodw is something like this:

USER32! 77e11ef0()
USER32! 77e1204c()
USER32! 77e15f69()
WinMainCRTStartup() line 198 + 54 bytes
KERNEL32! 7c581af6()

I cannot see the arguments (the above is for the third methos which must be QueryInterface).

I have to mention that my COM interface is not in process since it resides in an .exe.

Left by Tani on Apr 28, 2004 2:21 PM

# re: How to reverse engineer a COM interface
Requesting Gravatar...
The problem is that you don't have debug symbols, so you don't see the function name.
But in this case, it would just be the IDispatch functions.
Usually when objects support IDispatch they will have a type library.
You can convert this type library back to the interface definition with COM object viewer.
Left by Henk Devos on Apr 28, 2004 2:28 PM

Your comment:
 (will show your gravatar)

Copyright © Henk Devos | Powered by: