How to reverse engineer a COM interface

Many people have asked me how I repeatedly succeeded in getting the exact definition of an undocumented COM interface.
It is actually quite easy.

I always do this in the Visual C++ debugger, with full Windows debug symbols installed.

First you have to get hold of an implementation of the interface. This is usually the hard part.

Once you have the interface pointer, see which address the pointer points to.
Copy this address to the memory window.

Your memory window is now displaying the vtable for the interface.
Every 4 bytes in the memory window hold the address of one function of the interface.
Be careful: the addresses are stored in little-endian (Intel) byte order, so you have to reverse the order of the bytes as displayed to get the actual address.

Now you can copy the addresses one by one into your EIP register (the instruction pointer).
Your call stack will then display the exact definition of the function, complete with its parameter types.
You will have to invent the names for the parameters yourself, but they do not really matter.
The first three functions will be the IUnknown functions QueryInterface, AddRef and Release.
After that come all the other functions of the interface.
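As an added example (not code from the post), the following C program builds a COM-shaped object whose memory layout mirrors what the memory window shows: the interface pointer's first word is the vtable address, and the vtable lists QueryInterface, AddRef and Release before the interface's own methods. It decodes one little-endian slot (using the 74531400 address that appears in the comment thread below as constructed sample bytes) and calls slots 1 and 3 through the raw table, which is what the debugger executes once EIP points at a slot's address. The object, vtable and method names are assumptions constructed for illustration; the program is portable C and needs neither Windows nor a debugger.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic function-pointer type used to walk a vtable slot by slot. */
typedef void (*GenericFn)(void);

/* Constructed example object: like a real COM object, its first word is a
   pointer to the vtable, and the vtable is a list of function pointers in
   IUnknown order (QueryInterface, AddRef, Release) followed by the
   interface's own methods. Names and layout are our own, not from any
   Windows header. */
typedef struct Obj Obj;
typedef struct {
    long (*QueryInterface)(Obj *self, const char *iid, void **out);
    long (*AddRef)(Obj *self);
    long (*Release)(Obj *self);
    long (*Double)(Obj *self, int x);   /* first method after IUnknown */
} ObjVtbl;
struct Obj { const ObjVtbl *lpVtbl; long refcount; };

static long obj_QueryInterface(Obj *self, const char *iid, void **out) {
    if (strcmp(iid, "IUnknown") == 0) { self->refcount++; *out = self; return 0; }
    *out = NULL;
    return -1;   /* stands in for E_NOINTERFACE */
}
static long obj_AddRef(Obj *self)  { return ++self->refcount; }
static long obj_Release(Obj *self) { return --self->refcount; }
static long obj_Double(Obj *self, int x) { (void)self; return 2L * x; }

static const ObjVtbl obj_vtbl = { obj_QueryInterface, obj_AddRef, obj_Release, obj_Double };

/* Step 1 of the post: the interface pointer points at the vtable pointer.
   Dereference once to get the table of slots. */
static GenericFn *vtable_of(void *iface) { return *(GenericFn **)iface; }

/* Step 2: the memory window shows each slot's bytes in little-endian order.
   Reverse them to get the address. width is 4 on 32-bit x86 as in the post
   (8 on x64). */
static uint64_t decode_le(const uint8_t *bytes, int width) {
    uint64_t v = 0;
    for (int i = width - 1; i >= 0; i--) v = (v << 8) | bytes[i];
    return v;
}

/* Slots 0..2 must be QueryInterface, AddRef, Release, in that order. */
static int vtable_matches_iunknown_order(void) {
    Obj o = { &obj_vtbl, 1 };
    GenericFn *vt = vtable_of(&o);
    return vt[0] == (GenericFn)obj_QueryInterface
        && vt[1] == (GenericFn)obj_AddRef
        && vt[2] == (GenericFn)obj_Release;
}

/* Step 3: call slot 1 through the raw table (what runs after EIP is set to
   that slot's address) and report the resulting refcount. */
static long refcount_after_addref_via_slot1(void) {
    Obj o = { &obj_vtbl, 1 };
    long (*add_ref)(Obj *) = (long (*)(Obj *))vtable_of(&o)[1];
    add_ref(&o);
    return o.refcount;
}

/* Slot 3 is the first interface-specific method; its parameter list is what
   a symbol-annotated call stack would reveal. */
static long call_first_custom_slot(int arg) {
    Obj o = { &obj_vtbl, 1 };
    long (*fn)(Obj *, int) = (long (*)(Obj *, int))vtable_of(&o)[3];
    return fn(&o, arg);
}

int main(void) {
    /* Constructed memory-window bytes for the address 74531400 that appears
       in the comment thread's call stack. */
    const uint8_t dump[4] = { 0x00, 0x14, 0x53, 0x74 };
    printf("memory window 00 14 53 74 -> address %08llx\n",
           (unsigned long long)decode_le(dump, 4));
    printf("slots 0-2 in IUnknown order: %s\n",
           vtable_matches_iunknown_order() ? "yes" : "no");
    printf("refcount after AddRef via slot 1: %ld\n", refcount_after_addref_via_slot1());
    printf("slot 3 called with 21 returns %ld\n", call_first_custom_slot(21));
    return 0;
}
```

The byte reversal is the part people get wrong: the window shows `00 14 53 74`, and the slot's value is `0x74531400`. On a 64-bit process each slot is 8 bytes, so read eight bytes per function instead of four (`decode_le(bytes, 8)`); the slot order is unchanged.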

Feedback

# re: How to reverse engineer a COM interface

I am trying to do this, but I cannot see how I can change the value of the EIP register, or any register for that matter. Can you help with that? Is this related to the fact that I do not have full Windows debug symbols installed? 4/27/2004 3:06 PM | Tani

# re: How to reverse engineer a COM interface

Open the registers window and type the new value there.
Or alternatively, in the watch window type eip, then change the value.
4/27/2004 3:10 PM | Henk Devos

# re: How to reverse engineer a COM interface

Thanks, the watch window worked. I cannot type anything in the registers window, but that's fine.

Now I can do all the steps. For the moment I am getting a pointer to IDispatch and looking at the vtable.
So I copy the value of IDispatch* to the memory window. Then copy the first 4 bytes to EIP. All I can see in the Call Stack window is something like this:

74531400()
0012ff14()
USER32! 77e11ef0()
USER32! 77e1204c()
USER32! 77e15f69()
WinMainCRTStartup() line 198 + 54 bytes
KERNEL32! 7c581af6()

I cannot see the arguments (the above is for the third method, which must be QueryInterface).

I have to mention that my COM interface is not in process since it resides in an .exe.

Thanks 4/28/2004 2:21 PM | Tani

# re: How to reverse engineer a COM interface

The problem is that you don't have debug symbols, so you don't see the function name.
But in this case, it would just be the IDispatch functions.
Usually when objects support IDispatch they will have a type library.
You can convert this type library back to the interface definition with COM object viewer. 4/28/2004 2:28 PM | Henk Devos

Copyright © Henk Devos