@kwakmu18 kwakmu18 commented Dec 15, 2024

Hello, we developed new features on OleView .NET. Please check and get some ideas!
You can see descriptions and images in my repository: https://github.com/BoB13-MSRC-GS/oleviewdotnet

1. Solve the problem of interface not being extracted

Description

  • For classes that are empty because the interface is not extracted or that only output IUnknown, the interface is identified and extracted.
  • It iterates through the IIDs registered in the registry for the CLSID of the class to be extracted and performs CoCreateInstance. If successful, it is judged to be correct and the interface is extracted through the IID.

Added Code

  • FindInterface cpp project
    • This program will call CoCreateInstance(CLSCTX_LOCAL_SERVER) for all iids in Registry(HKEY_CLASSES_ROOT\Interface).
  • FindInterfaceInproc cpp project
    • This program will call CoCreateInstance(CLSCTX_INPROC_SERVER) for all iids in Registry(HKEY_CLASSES_ROOT\Interface).
  • OleViewDotNet\Forms\FindInterfaceForm.cs
    • This form is for showing FindInterface and FindInterfaceInproc's results.

Edited Code

  • OleViewDotNet\Forms\COMRegistryViewer.cs
    • Add some logic to run FindInterface.exe and FindInterfaceInproc.exe and add results to oleviewdotnet.

2. IDL Method Name Resolve

Description

  • IDL Method Name Resolve
    • To use this feature, you need to enable "Resolve Method Name by IDA" in the Processes tab.
    • This feature is implemented leveraging the IDA decompile engine.
    • The path to the binary is displayed at the top of the IDL.
    • It may not be accurate because it is a guess based on the number of methods and the number of arguments.
    • The first time DLL copy and analysis process using idat64.exe may take some time.
  • IDL Method Name Resolve(HARD)
    • If this mode is enabled, it will decompile all DLL/EXEs loaded into the process.
  • IDL Method Name Resolve(Fix Mode)
    • If this mode is enabled, you can perform method name resolution quickly by specifying a DLL/EXE.

Added Code

  • OleViewDotNet\Forms\DllFixForm.cs
    • This form is for IDL Method Name Resolve(Fix Mode).
  • OleViewDotNet\Forms\IDAPathForm.cs
    • OleViewDotNet will find IDA Path automatically by searching Registry.
    • But if it failed to find IDA Path, you can manually input IDA Path by this form.
  • OleViewDotNet\Forms\ResolveMethod.cs
    • This file has some logic for method name resolving.
  • OleViewDotNet\Forms\ResolvingForm.cs
    • This form is for showing progress about method name resolving.

Edited Code

  • OleViewDotNet\ProgramSettings.cs
    • Add some settings variables.
  • OleViewDotNet\Forms\MainForm.cs
    • Add some settings variables and methods.
  • OleViewDotNet\Forms\SourceCodeViewerControl.cs
    • Add some logic to perform method name resolving.

3. Class object Call Sequence

Description

  • Lists all sequences of other class objects that can be obtained from an exposed COM class.
  • You can obtain various class objects from exposed COM classes, such as IWallet → IWalletItemManager → IWalletItemList → IWalletItem, and understanding them is deep and complex.
  • From a vulnerability research perspective, it easily identifies the scope of class objects that can be accessed and analyzed.

Added Code

  • OleViewDotNet\Forms\CallSequenceForm.cs
    • This form is for showing analyzed call sequence results.

Edited Code

  • OleViewDotNet\Forms\ComRegistryViewer.cs
    • Add some logic to perform analyzing class object call sequence.
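
The probing loop described in section 1, written out as an added C# example (it is not code from this pull request or from OleViewDotNet): for one CLSID it calls CoCreateInstance once per IID registered under HKEY_CLASSES_ROOT\Interface and records the IIDs for which activation succeeds. The class name `InterfaceProbe`, the `Probe` helper and the command-line arguments are assumptions made for this example.

```csharp
// Added example: probe one CLSID against every IID in HKEY_CLASSES_ROOT\Interface.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using Microsoft.Win32;

static class InterfaceProbe   // hypothetical name, not part of the pull request
{
    const uint CLSCTX_INPROC_SERVER = 0x1;
    const uint CLSCTX_LOCAL_SERVER = 0x4;

    [DllImport("ole32.dll")]
    static extern int CoCreateInstance(ref Guid rclsid, IntPtr pUnkOuter,
        uint dwClsContext, ref Guid riid, out IntPtr ppv);

    // Returns IID -> registered interface name for every IID the class hands back.
    static SortedDictionary<Guid, string> Probe(Guid clsid, uint context)
    {
        var found = new SortedDictionary<Guid, string>();
        using (RegistryKey root = Registry.ClassesRoot.OpenSubKey("Interface"))
        {
            if (root == null) return found;
            foreach (string name in root.GetSubKeyNames())
            {
                if (!Guid.TryParse(name, out Guid iid)) continue;  // skip malformed key names
                int hr = CoCreateInstance(ref clsid, IntPtr.Zero, context, ref iid, out IntPtr ppv);
                if (hr < 0 || ppv == IntPtr.Zero) continue;        // e.g. E_NOINTERFACE
                Marshal.Release(ppv);                              // drop our reference again
                using (RegistryKey k = root.OpenSubKey(name))
                    found[iid] = k?.GetValue(null) as string ?? "(unnamed)";
            }
        }
        return found;
    }

    [STAThread]   // the runtime initialises COM for the main thread
    static int Main(string[] args)
    {
        if (args.Length < 1 || !Guid.TryParse(args[0], out Guid clsid))
        {
            Console.Error.WriteLine("usage: InterfaceProbe <CLSID> [local]");
            return 1;
        }
        uint ctx = args.Length > 1 && args[1] == "local" ? CLSCTX_LOCAL_SERVER : CLSCTX_INPROC_SERVER;
        foreach (var kv in Probe(clsid, ctx))
            Console.WriteLine($"{kv.Key:B}  {kv.Value}");
        return 0;
    }
}
```

Every attempt activates the class, so an in-process probe loads the server DLL into the probing process; running the probe as its own executable keeps a faulting server from taking the viewer down with it.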

Add New Features
fix language issue
[1] fix dll/exe uppercase problem
[2] remove #endregion
[3] Improving the method to retrieve the service's PID
20241217 Update
Fix Some Issue
20241218 Update
Fix Issues