Skip to content

Instantly share code, notes, and snippets.

@otya128

otya128/COM16DLL.CPP

Last active May 20, 2021 13:14
Show Gist options
  • Save otya128/ef78c2ee77b466394f6f4451bb0c03c0 to your computer and use it in GitHub Desktop.
Save otya128/ef78c2ee77b466394f6f4451bb0c03c0 to your computer and use it in GitHub Desktop.
Download ZIP
WOW32 COM thunk test
Raw
README.md

WOW32 COM thunk test

COM16WOW.EXE (16-bit)->COM32WOW.DLL (32-bit)->CoGetClassObject->COM16DLL.DLL (16-bit)

Raw
COM16DLL.CPP
#include <Windows.h>
#include <compobj.h>
#include <stdio.h>
#pragma comment(lib, "compobj")
class CCF : public IClassFactory
{
public:
STDMETHOD( QueryInterface )( THIS_ REFIID, LPVOID FAR * );
STDMETHOD_( ULONG, AddRef )( THIS );
STDMETHOD_( ULONG, Release )( THIS );
/* IClassFactory methods */
STDMETHOD( CreateInstance )( THIS_ LPUNKNOWN, REFIID, LPVOID FAR * );
STDMETHOD( LockServer )( THIS_ BOOL );
};
HRESULT CCF::QueryInterface(REFIID iid, void FAR* FAR* ppvObj)
{
if (IsEqualGUID(iid, IID_IUnknown) || IsEqualGUID(iid, IID_IClassFactory))
{
*ppvObj = this;
AddRef();
return NOERROR;
}
return (HRESULT)E_NOINTERFACE;
}
ULONG CCF::AddRef()
{
return 1;
}
ULONG CCF::Release()
{
return 1;
}
HRESULT CCF::CreateInstance(IUnknown *pUnkOuter, REFIID riid, void **ppvObject)
{
*ppvObject = NULL;
return (HRESULT)E_NOINTERFACE;
}
HRESULT _loadds CCF::LockServer(BOOL fLock)
{
FILE *fp;
fp = fopen("COM16WOW.TXT", "w");
fprintf(fp, "CCF::LockServer! %p %d\n", this, fLock);
fclose(fp);
return S_OK;
}
extern "C" __declspec(dllexport) HRESULT WINAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID *ppvObj)
{
if (IsEqualGUID(rclsid, CLSID_CCF))
{
CCF *pCF = new CCF();
HRESULT hr = pCF->QueryInterface(riid, ppvObj);
return hr;
}
return (HRESULT)CLASS_E_CLASSNOTAVAILABLE ;
}
extern "C" int CALLBACK LibMain(HINSTANCE hinst, WORD wDataSeg, WORD cbHeapSize, LPSTR lpszCmdLine)
{
return 1;
}
Raw
COM16DLL.reg
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{CC371C44-CE81-4A73-8F87-163C3499691C}]
[HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{CC371C44-CE81-4A73-8F87-163C3499691C}\InprocServer]
@="COM16DLL.dll"
Raw
COM16WOW.C
#include <Windows.h>
#include <stdio.h>
#include <compobj.h>
#pragma comment(lib, "compobj.lib")
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPCSTR lpCmdLine, int nCmdShow)
{
DWORD(WINAPI*LoadLibraryEx32W)(LPCSTR, DWORD, DWORD) = (DWORD(WINAPI*)(LPCSTR, DWORD, DWORD))GetProcAddress(GetModuleHandle("KERNEL"), "LoadLibraryEx32W");
DWORD(WINAPI*GetProcAddress32W)(DWORD, LPCSTR) = (DWORD(WINAPI*)(DWORD, LPCSTR))GetProcAddress(GetModuleHandle("KERNEL"), "GetProcAddress32W");
DWORD(*CallProcEx32W)(DWORD, DWORD, DWORD, ...) = (DWORD(*)(DWORD, DWORD, DWORD, ...))GetProcAddress(GetModuleHandle("KERNEL"), "_CallProcEx32W");
DWORD hModule;
DWORD test;
CoInitialize(NULL);
hModule = LoadLibraryEx32W("COM32WOW.DLL", 0, 0);
test = GetProcAddress32W(hModule, "_test@0");
CallProcEx32W(0, 0, test);
}
Raw
COM32WOW.C
#include <Windows.h>
#include <compobj.h>
#include <stdio.h>
__declspec(dllexport) void WINAPI test()
{
FILE *fp;
CLSID clsid;
IClassFactory *cf;
HRESULT hr;
fp = fopen("COM32WOW.TXT", "w");
hr = CLSIDFromString(L"{CC371C44-CE81-4A73-8F87-163C3499691C}", &clsid);
fprintf(fp, "%08x\n", hr);
hr = CoGetClassObject(&clsid, CLSCTX_INPROC_SERVER, NULL, &IID_IClassFactory, &cf);
fprintf(fp, "%08x %p\n", hr, cf);
hr = CoGetClassObject(&clsid, CLSCTX_INPROC_SERVER16, NULL, &IID_IClassFactory, &cf);
fprintf(fp, "%08x %p %p %p\n", hr, cf, cf->lpVtbl, cf->lpVtbl->LockServer);
fflush(fp);
cf->lpVtbl->LockServer(cf, 1);
fprintf(fp, "OK");
fclose(fp);
}
@otya128
Copy link
Author

otya128 commented May 20, 2021
edited
Loading 

cf->lpVtbl->CreateInstance(cf, NULL, <undefined interface id>, &pv);
=>S_OK
pv=IUnknown

TODO: Interface{}\ProxyStubClsid

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment