COM16WOW.EXE (16-bit)->COM32WOW.DLL (32-bit)->CoGetClassObject->COM16DLL.DLL (16-bit)
Last active
May 20, 2021 13:14
-
-
Save otya128/ef78c2ee77b466394f6f4451bb0c03c0 to your computer and use it in GitHub Desktop.
WOW32 COM thunk test
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <compobj.h> | |
#include <stdio.h> | |
#pragma comment(lib, "compobj") | |
class CCF : public IClassFactory | |
{ | |
public: | |
STDMETHOD( QueryInterface )( THIS_ REFIID, LPVOID FAR * ); | |
STDMETHOD_( ULONG, AddRef )( THIS ); | |
STDMETHOD_( ULONG, Release )( THIS ); | |
/* IClassFactory methods */ | |
STDMETHOD( CreateInstance )( THIS_ LPUNKNOWN, REFIID, LPVOID FAR * ); | |
STDMETHOD( LockServer )( THIS_ BOOL ); | |
}; | |
HRESULT CCF::QueryInterface(REFIID iid, void FAR* FAR* ppvObj) | |
{ | |
if (IsEqualGUID(iid, IID_IUnknown) || IsEqualGUID(iid, IID_IClassFactory)) | |
{ | |
*ppvObj = this; | |
AddRef(); | |
return NOERROR; | |
} | |
return (HRESULT)E_NOINTERFACE; | |
} | |
ULONG CCF::AddRef() | |
{ | |
return 1; | |
} | |
ULONG CCF::Release() | |
{ | |
return 1; | |
} | |
HRESULT CCF::CreateInstance(IUnknown *pUnkOuter, REFIID riid, void **ppvObject) | |
{ | |
*ppvObject = NULL; | |
return (HRESULT)E_NOINTERFACE; | |
} | |
HRESULT _loadds CCF::LockServer(BOOL fLock) | |
{ | |
FILE *fp; | |
fp = fopen("COM16WOW.TXT", "w"); | |
fprintf(fp, "CCF::LockServer! %p %d\n", this, fLock); | |
fclose(fp); | |
return S_OK; | |
} | |
extern "C" __declspec(dllexport) HRESULT WINAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID *ppvObj) | |
{ | |
if (IsEqualGUID(rclsid, CLSID_CCF)) | |
{ | |
CCF *pCF = new CCF(); | |
HRESULT hr = pCF->QueryInterface(riid, ppvObj); | |
return hr; | |
} | |
return (HRESULT)CLASS_E_CLASSNOTAVAILABLE ; | |
} | |
extern "C" int CALLBACK LibMain(HINSTANCE hinst, WORD wDataSeg, WORD cbHeapSize, LPSTR lpszCmdLine) | |
{ | |
return 1; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows Registry Editor Version 5.00 | |
[HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{CC371C44-CE81-4A73-8F87-163C3499691C}] | |
[HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{CC371C44-CE81-4A73-8F87-163C3499691C}\InprocServer] | |
@="COM16DLL.dll" | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <stdio.h> | |
#include <compobj.h> | |
#pragma comment(lib, "compobj.lib") | |
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPCSTR lpCmdLine, int nCmdShow) | |
{ | |
DWORD(WINAPI*LoadLibraryEx32W)(LPCSTR, DWORD, DWORD) = (DWORD(WINAPI*)(LPCSTR, DWORD, DWORD))GetProcAddress(GetModuleHandle("KERNEL"), "LoadLibraryEx32W"); | |
DWORD(WINAPI*GetProcAddress32W)(DWORD, LPCSTR) = (DWORD(WINAPI*)(DWORD, LPCSTR))GetProcAddress(GetModuleHandle("KERNEL"), "GetProcAddress32W"); | |
DWORD(*CallProcEx32W)(DWORD, DWORD, DWORD, ...) = (DWORD(*)(DWORD, DWORD, DWORD, ...))GetProcAddress(GetModuleHandle("KERNEL"), "_CallProcEx32W"); | |
DWORD hModule; | |
DWORD test; | |
CoInitialize(NULL); | |
hModule = LoadLibraryEx32W("COM32WOW.DLL", 0, 0); | |
test = GetProcAddress32W(hModule, "_test@0"); | |
CallProcEx32W(0, 0, test); | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <compobj.h> | |
#include <stdio.h> | |
__declspec(dllexport) void WINAPI test() | |
{ | |
FILE *fp; | |
CLSID clsid; | |
IClassFactory *cf; | |
HRESULT hr; | |
fp = fopen("COM32WOW.TXT", "w"); | |
hr = CLSIDFromString(L"{CC371C44-CE81-4A73-8F87-163C3499691C}", &clsid); | |
fprintf(fp, "%08x\n", hr); | |
hr = CoGetClassObject(&clsid, CLSCTX_INPROC_SERVER, NULL, &IID_IClassFactory, &cf); | |
fprintf(fp, "%08x %p\n", hr, cf); | |
hr = CoGetClassObject(&clsid, CLSCTX_INPROC_SERVER16, NULL, &IID_IClassFactory, &cf); | |
fprintf(fp, "%08x %p %p %p\n", hr, cf, cf->lpVtbl, cf->lpVtbl->LockServer); | |
fflush(fp); | |
cf->lpVtbl->LockServer(cf, 1); | |
fprintf(fp, "OK"); | |
fclose(fp); | |
} |
cf->lpVtbl->CreateInstance(cf, NULL, <undefined interface id>, &pv);
=>S_OK
pv=IUnknown
TODO: Interface{}\ProxyStubClsid
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
cf->lpVtbl