Class: TurboRex::Windows::COM::InProcFinder

Inherits:
Finder
Includes:
Utils
Defined in:
lib/turborex/windows/com/com_finder.rb


Methods included from Utils

clsid_to_raw, create_istorage, create_istream, dll_get_class_object, #get_disptbl_count, #get_pid_by_std_objref, #get_proxy_file_info, #internal_get_proxyfile, marshal_interface, marshal_interface_to_string, #to_ptr, unmarshal_interface, unmarshal_interface_from_string

Methods included from PEFile::Scanner

data_section?, #draw_xrefs_dg, #has_path?, scan_all_sections, scan_section

Methods included from Utils::DisassemblerHelper

#_disassemble_executable_sections, #add_dasm_all_method, #addrtolabel, #backtrace, #solve_cppobj_call, #solve_guard_icall

Constructor Details

#initialize(clsid) ⇒ InProcFinder

Returns a new instance of InProcFinder.



# File 'lib/turborex/windows/com/com_finder.rb', line 22

# Builds a finder for the in-process COM server registered under +clsid+.
#
# @param clsid [String] CLSID (without braces) whose InprocServer32 is inspected
def initialize(clsid)
  @clsid = clsid
  # NOTE(review): pid -1 presumably selects the current process — confirm
  # against TurboRex::Windows::Process.
  @process = TurboRex::Windows::Process.new(nil, -1)
  # Pointer width in bytes is derived from the process' CPU word size.
  @memory, @ptr_len = @process.memory, @process.cpusz / 8
end

Instance Attribute Details

#clsid ⇒ Object (readonly)

Returns the value of attribute clsid.



# File 'lib/turborex/windows/com/com_finder.rb', line 17

# @return [Object] the CLSID this finder was constructed with (set in #initialize)
def clsid; @clsid; end

#server_path ⇒ Object (readonly)

Returns the value of attribute server_path.



# File 'lib/turborex/windows/com/com_finder.rb', line 18

# @return [String, nil] expanded InprocServer32 path read from the registry by
#   #locate_interface_methods; +nil+ until that method has run
def server_path; @server_path; end

Instance Method Details

#locate_interface_methods(iid) ⇒ Object



# File 'lib/turborex/windows/com/com_finder.rb', line 29

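# Resolves the InprocServer32 registered for +@clsid+, instantiates the class
# and reads the vtable of the interface identified by +iid+ out of memory.
#
# The original referenced an undefined +relative+ name (NameError on every
# successful lookup); it is now a keyword argument, defaulting to absolute VAs.
#
# @param iid [String] IID of the interface to query (converted with Utils.clsid_to_raw)
# @param relative [Boolean] +true+ reports each slot as an RVA from the start of
#   the module that owns the vtable; +false+ (the default) reports absolute VAs
# @return [Hash, false, nil] +{ module: path, methods: [{ index:, rva: | va: }] }+
#   on success; +false+ when no proxy-file info exists for +iid+, the vtable is
#   empty, or it lies outside every loaded module; +nil+ when CreateInstance
#   does not succeed or the slot count cannot be determined
# @raise [Win32::Registry::Error] when the CLSID or its InprocServer32 key is absent
def locate_interface_methods(iid, relative: false)
  # The server path comes straight from HKCR; read_s_expand expands %VAR% references.
  Win32::Registry::HKEY_CLASSES_ROOT.open("CLSID\\{#{@clsid}}") do |reg_clsid|
    reg_clsid.open('InprocServer32') do |reg_inproc32|
      @server_path = reg_inproc32.read_s_expand('')
    end
  end

  # NOTE(review): dll_get_class_object presumably maps @server_path into this
  # process, so the server's DllMain runs with our privileges — confirm where
  # the load happens before pointing this at a server you do not trust.
  class_factory = Utils.dll_get_class_object(@clsid, @server_path)
  ppv = INTERNAL_APIPROXY.alloc_c_ptr('PVOID')

  # Original semantics kept: the success path runs only when CreateInstance
  # returns a falsy value.
  # NOTE(review): if the binding hands back a raw HRESULT Integer, 0 (S_OK) is
  # truthy in Ruby and this guard would skip every successful call — confirm.
  return if class_factory.CreateInstance(0, Utils.clsid_to_raw(iid), ppv)

  # class_factory.Release  (left out, as in the original: the factory is never
  # released here — presumably intentional while the object stays mapped)
  pvtbl = to_ptr(@memory.get_page(ppv[0], @ptr_len)) # first pointer-sized field is the vtable
  proxy_file_info = get_proxy_file_info(iid)
  return false unless proxy_file_info

  count = get_disptbl_count(proxy_file_info)
  return unless count

  # Slice the vtable page into @ptr_len-byte chunks and decode each as an address.
  vtable = @memory.get_page(pvtbl, count * @ptr_len)
  methods = vtable.chars.each_slice(@ptr_len).map { |chunk| to_ptr(chunk.join) }
  return false if methods.empty? # count == 0 previously raised NoMethodError on nil

  first_method = methods.first
  owner = @process.modules.find { |m| first_method > m.addr && first_method < m.addr + m.size }
  return false unless owner # vtable outside every loaded module (previously NoMethodError)

  entries = methods.map.with_index do |method, i|
    relative ? { index: i, rva: method - owner.addr } : { index: i, va: method }
  end
  { module: owner.path, methods: entries }
end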