Archived Blog

Finding the virtual address of COM object functions

08.22.2008 - 3:00 PM

Some of us know tools that can take a COM Object module (also known as an ActiveX Control)
and show us information about it, such as the names of its objects and functions.

Two examples of such tools are OleView and TLB Viewer.

But what if we want to know additional information, such as the virtual address inside the
module that handles each function of our object?

In this blog, we will see a way to determine the virtual address of those functions.

The first thing we will do is use the #import directive of the Visual C++ compiler.

MSDN says:
"The #import directive is used to incorporate information from a type library.
The content of the type library is converted into C++ classes, mostly describing the COM interfaces."

The #import directive will generate for us a .tlh header file that will have the prototypes of our
objects and the interfaces that were hosted by the module:

Now that we have the header file, we can use the CoCreateInstance API to load the object.

If you are wondering how we will find the virtual address of the functions that the object uses,
the answer is very simple: we will go through the virtual table of the object!

And here we can see a simple C program that can dump the virtual addresses of the IShockwaveFlash
interface functions of the Flash9b.ocx module:


Here we can see the result:



From these results we now know the address of the object functions and we can
then open up our favorite disassembler and audit the functions for security vulnerabilities.
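
The vtable lookup described above, as an added example (not the program from the original post). IDemo, demo_create and the other names are constructed stand-ins so it builds without the Windows SDK; with a real control the interface pointer would come from CoCreateInstance, and module_base (an assumed parameter) would be the load address of the module.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a COM interface in its C binding: the first field
   of the object is a pointer to a table of method pointers (the vtable). */
typedef struct IDemo IDemo;
typedef struct IDemoVtbl {
    long          (*QueryInterface)(IDemo *self, const void *riid, void **out);
    unsigned long (*AddRef)(IDemo *self);
    unsigned long (*Release)(IDemo *self);
    long          (*Play)(IDemo *self);      /* first interface-specific method */
} IDemoVtbl;
struct IDemo { const IDemoVtbl *lpVtbl; unsigned long refs; };

long demo_qi(IDemo *s, const void *riid, void **out) { (void)riid; *out = s; return 0; }
unsigned long demo_addref(IDemo *s)  { return ++s->refs; }
unsigned long demo_release(IDemo *s) { return --s->refs; }
long demo_play(IDemo *s) { (void)s; return 0; }
static const IDemoVtbl demo_vtbl = { demo_qi, demo_addref, demo_release, demo_play };

/* Hypothetical helper standing in for CoCreateInstance: returns an interface pointer. */
IDemo *demo_create(void) { static IDemo obj = { &demo_vtbl, 1 }; return &obj; }

_Static_assert(sizeof(void (*)(void)) == sizeof(uintptr_t), "flat function pointers assumed");

/* Return the virtual address stored in vtable slot `index` of a COM-style object. */
uintptr_t vtable_slot(const void *object, size_t index)
{
    const unsigned char *vtbl;
    uintptr_t va;
    memcpy(&vtbl, object, sizeof vtbl);                /* object's first field -> vtable */
    memcpy(&va, vtbl + index * sizeof va, sizeof va);  /* vtable[index] -> function VA */
    return va;
}

/* Print each slot's VA and its offset from module_base (0 leaves the raw VA). */
size_t dump_vtable(const void *object, const char *const *names, size_t count, uintptr_t module_base)
{
    for (size_t i = 0; i < count; i++) {
        uintptr_t va = vtable_slot(object, i);
        printf("[%2zu] %-14s VA=0x%llx  offset=0x%llx\n", i, names[i],
               (unsigned long long)va, (unsigned long long)(va - module_base));
    }
    return count;
}

int main(void)
{
    static const char *const names[] = { "QueryInterface", "AddRef", "Release", "Play" };
    return dump_vtable(demo_create(), names, 4, 0) == 4 ? 0 : 1;
}
```

Slots 0 to 2 are always the IUnknown methods, so an interface's own functions start at slot 3 (after IDispatch's four methods, slot 7, for a dual interface).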

Game over!

Security Researcher: Moti Joseph 
