tyranid / oleviewdotnet Goto Github PK

I click "File"->"open 32bit Viewer", but still open a 64bit Viewer.

I tryied to compile and run program and I got following runtime crash:

Does anybody have a command line version that can output proxy definitions of interfaces in idl format?

Hello, I'm encountering an incompatibility problem with Windows 11(tested version Windows11 22H2 22621.1992) while using oleviewdotnet. It seems that there are several interfaces where the function parameters of the VARIANT type are recognized as the FC_USER_MARSHAL type (which is the default type when recognition fails). Here are two examples:

Example 1:

CLSID: 8856f961-340a-11d0-a96b-00c04fd705a2
IID: 3050f804-98b5-11cf-bb82-00aa00bdce0b
Proc3
Example 2:

CLSID: 011b3619-fe63-4814-8a84-15a194ce9ce3
IID: 37b03538-a4c8-11d2-b634-00c04f79498e
Proc16
I kindly request assistance in resolving this issue. Thank you very much.

This line cause an exception on my machine:

COMIELowRightsElevationPolicy.cs:40
Policy = (ElevationPolicy)key.GetValue("Policy", 0);

It seems the result of key.GetValue is a long when the registry value is a REG_QWORD, and the above code causes an unboxing operation to an int, which fails.

I'm not sure what the "right" way to fix this issue is, but this worked:

        object val = key.GetValue("Policy", 0);
        if (val is long) {
            Policy = (ElevationPolicy)(long)val;
        } else {
            Policy = (ElevationPolicy)val;
        }

For comprehensive inspection of objects if would be helpful to see the numerical id and the help string (usually contains comment/description of method if provided by the developer) of methods and properties.

I've ran into an issue when trying to dissect the CLSID for Outlook. I am able to pull data about the exports using Powershell, but I am unable to replicate the same data with OleView and the original OLE Object Viewer.

In order to capture the data in Powershell, I follow the same outline defined by Mandiant here

Specifically:

$comObj = [Activator]::CreateInstance([type]::GetTypeFromCLSID("0006F03A-0000-0000-C000-000000000046"))
$comObj | Get-Member

You can see in the image below that the Methods are exposed and can see the functions provided by the COM Object:

However, trying to replicate this in OleView, I am unable to get similar datasets.

And I get a different error when trying to use the legacy OleViewer:

Few notes:

I have Windows 10 SDK and I'm using the dbghelp.dll from that install. Here is a snapshot of my settings:

Is this an issue of Ole Viewer(s) not being able to parse the COM Object itself? Or is it something where we have to go deeper because of how the COM object is being instantiated?

I came across some errors when compiling OleViewDotNet.Main from main branch commit e454c15.

1>------ Build started: Project: OleViewDotNet.Main, Configuration: Debug Any CPU ------
1>C:\Git\oleviewdotnet\OleViewDotNet.Main\COMIELowRightsElevationPolicy.cs(105,51,105,54): error CS1003: Syntax error, ',' expected
1>C:\Git\oleviewdotnet\OleViewDotNet.Main\COMRegistry.cs(380,48,380,59): error CS1026: ) expected
1>C:\Git\oleviewdotnet\OleViewDotNet.Main\COMRegistry.cs(380,59,380,60): error CS1002: ; expected
1>C:\Git\oleviewdotnet\OleViewDotNet.Main\COMRegistry.cs(380,59,380,60): error CS1513: } expected
1>C:\Git\oleviewdotnet\OleViewDotNet.Main\COMRegistry.cs(804,58,804,63): error CS1003: Syntax error, ',' expected
1>C:\Git\oleviewdotnet\OleViewDotNet.Main\COMRegistry.cs(995,55,995,56): error CS1003: Syntax error, ',' expected
1>C:\Git\oleviewdotnet\OleViewDotNet.Main\COMUtilities.cs(675,53,675,56): error CS1525: Invalid expression term 'int'
1>C:\Git\oleviewdotnet\OleViewDotNet.Main\COMUtilities.cs(675,57,675,64): error CS1003: Syntax error, ',' expected
2>------ Build started: Project: OleViewDotNet, Configuration: Debug Any CPU ------
3>------ Build started: Project: OleViewDotNet.PowerShell, Configuration: Debug Any CPU ------
2>CSC : error CS0006: Metadata file 'C:\Git\oleviewdotnet\OleViewDotNet.Main\bin\Debug\OleViewDotNet.Main.dll' could not be found
3>CSC : error CS0006: Metadata file 'C:\Git\oleviewdotnet\OleViewDotNet.Main\bin\Debug\OleViewDotNet.Main.dll' could not be found
========== Build: 0 succeeded, 3 failed, 0 up-to-date, 0 skipped ==========

Apparently my C# version does not like

int.TryParse(parts[0], out int address)

or the likes. Nor does it like

            if (dict is SortedDictionary<S, T> sorted_dict)
            {
                return sorted_dict.Comparer;
            }

complaining sorted_dict does not exist in this context.
I'm using Visual Studio 2015 Version 14.0.25431.01 Update 3.
Any ideas on what went wrong?

Precise build number is 22621.1.

Exception is thrown here in COMUtilities - apparently it's being passed null instead of a mangled WinRT name.

If it helps: I was trying to view the proxy definition of IVirtualDisplayManager (GUID {DBADADFC-454C-44C9-9648-F2A0827AD279}).

Nice app... I'm looking at the long list of DLLs under "CLSIDs by Server"... I would love the ability to register / unregister these (via regsvr32) with the click of a button.

c:\windows\system32\mshtml.tlb

Just noticed that I can't open a process from the marshal view anymore.
Under the hood it seems latest Microsoft has stripped the CIPIDTable::_palloc symbol out of their builds?
Are you aware of this? Is there a workaround?

i use oleview to open stdole2.tlb , i can found Modules->StdFunction->Functions->LoadPicture

but oleviewdotnet can not found it.

Assembly typelib = COMUtilities.LoadTypeLib(Tlbfile,null);
I can not found StdFunction in typelib

any ideas?

Error occurs in 32b version in \oleviewdotnet-master\OleViewDotNet.Main\Database\COMIELowRightsElevationPolicy.cs - when policyValue is empty:

object policyValue = key.GetValue("Policy", 0);

I am going to send a pull request to resolve this.

Any way you can offer a compiled binary release for this fine tool?

Why don't show the proc name?

For example, here are their real function names:

Hello,

this tool is amazing. I like it very much, congratulations.

I have an issue when I try to view the default interface of an in a COM Service (.exe): the methods are not shown (so I can't invoke them of course).
It works great with another interface in the same object.
None of the interfaces/methods have a "special" attribute.
All the interfaces I'm talking implement IDispatch.
Here is an example of how the object and its interfaces are declared (in case it can be useful):

	public CComObjectRootEx<CComMultiThreadModel>,
	public CComCoClass<CMyServerTools, &CLSID_MyServerToolsX>,
	public ISupportErrorInfo,
	public IDispatchImpl<IMyServerTools2, &IID_IMyServerTools, &LIBID_MYSERVERLib>,
{
...
	BEGIN_COM_MAP(CMyServerTools)
		COM_INTERFACE_ENTRY(IMyServerTools)
		COM_INTERFACE_ENTRY(IMyServerTools2)
		COM_INTERFACE_ENTRY2(IDispatch, IMyServerTools)
		COM_INTERFACE_ENTRY(ISupportErrorInfo)
	END_COM_MAP()
...
};

For this object, I have the "problem" with IMyServerTools; The IMyServerTools2 methods are properly displayed and I can test (invoke) them.

I got the same behavior with several some (actually all) other objects within this COM Service and also with other COM Services (these COM services were all built using the MS ATL library).

Do you think it might be fixed someday please ?
Thank you,
Olivier gg.

for example:
the Mode property of Session(IID 000c109e-0000-0000-c000-000000000046)
in oleview

[id(0x00000004), propget, helpcontext(0x000025e8)]
VARIANT_BOOL Mode([in] MsiRunMode Flag);

in vs2015(add %windir%\system32\msi.dll to project reference)

in oleviewdotnet

bool Mode { get; set; }

Very impressive tool! I'm looking for this for a long time.
But when I open type library of some entry which can be opened by oleview.exe, I got this exception.

Did I miss something? Thanks in advance.

While working on a bunch of new lightweight features for this awesome tool (expect a PR soon), I noticed "query all interfaces" skips populating interfaces of some of the COM servers in the Local Services view. The COM servers where the interfaces are not populated are random (missing ones are different every time I execute it) and changing the number of threads to 1 does not workaround the issue, I assume this has something to do with the background job accessing the TreeNode control on the UI thread.

Reproducing steps: run OVDN as an admin, open Local Services view, invoke Query all interfaces, then after it has completed, inspect some of the COM servers randomly. Around 20% of them will be empty (IUnknown only), even though they do have some interfaces defined.

(One of the new features I implemented is exporting the local services view to a csv file so it can be opened in Excel later on to have a table like view. As a quick and ugly workaround I decided to automate expanding the treenode on the UI thread; this approach indeed workarounds the issue)

Crash of release 1.5 with multiple of my interfaces in COMUtilities.cs in Line 2566 because p.GetMethod == null.
Misses verfication if getter only or setter only is implemented.

This is more a question because I don't know how to contact you. Is there any way to retrieve COM object's instance of some other process and use it in a separate process? In oleviewdotnet there's process object browser and I wonder if I could somehow use those already existing instances.

It's an excellent tool, but I want to ask why there is no support for exporting the vtable address of an interface when it doesn't support InprocServer Activation. What is the difficulty?
Recently I have been working on the COM, and can anyone tell me is it possible to locate the module name and vtable address of any interfaces?

Hi,

Running as 64-bit I get an error:

 System.ArgumentException
  HResult=0x80070057
  Message=Illegal characters in path.
  Source=mscorlib
  StackTrace:
   at System.IO.Path.CheckInvalidPathChars(String path, Boolean checkAdditional)
   at System.IO.Path.GetFileName(String path)
   at OleViewDotNet.COMCLSIDEntry.LoadFromKey(RegistryKey key) in d:\github\oleviewdotnet\OleViewDotNet.Main\COMCLSIDEntry.cs:line 590
   at OleViewDotNet.COMCLSIDEntry..ctor(COMRegistry registry, Guid clsid, RegistryKey rootKey) in d:\github\oleviewdotnet\OleViewDotNet.Main\COMCLSIDEntry.cs:line 659
   at OleViewDotNet.COMRegistry.LoadCLSIDs(RegistryKey rootKey) in d:\github\oleviewdotnet\OleViewDotNet.Main\COMRegistry.cs:line 848
   at OleViewDotNet.COMRegistry..ctor(COMRegistryMode mode, Sid user, IProgress`1 progress) in d:\github\oleviewdotnet\OleViewDotNet.Main\COMRegistry.cs:line 689
   at OleViewDotNet.COMRegistry.Load(COMRegistryMode mode, Sid user, IProgress`1 progress) in d:\github\oleviewdotnet\OleViewDotNet.Main\COMRegistry.cs:line 304
   at OleViewDotNet.COMUtilities.<>c__DisplayClass104_0.<LoadRegistry>b__0(IProgress`1 progress, CancellationToken token) in d:\github\oleviewdotnet\OleViewDotNet.Main\COMUtilities.cs:line 1786
   at OleViewDotNet.WaitingDialog.<>c__DisplayClass4_1.<.ctor>b__1(Object sender, DoWorkEventArgs e) in d:\github\oleviewdotnet\OleViewDotNet.Main\WaitingDialog.cs:line 60
   at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
   at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)

I debugged it and what happens is for some reason, I have a weird registry key value, here is a screenshot of it:

The value (in PSDispatch CLSID) is read by the standard Microsoft classes, and as you can see, it contains zero characters after the valid path. I can assure you my machine is working fine though :-).

I don't know if it's a bug in Registry classes or a problem in my registry, but anyway, I suggest to change the code that reads server_string and RawServer in COMCLSIDEntry.cs line 365 to handle those weird cases, otherwise, I can't use the tool at all, because it stops at the very beginning. If you're prefer, I can build a PR.

Oh and BTW, thanks for this great tool I just discovered today!

The regex looks to be too open and validates anything which has the required number of numbers and dashes but doesn't check for additional data in the string, so things like the following would all pass validation:

"{{00000000-0000-0000-0000-000000000000}}"
"blah{00000000-0000-0000-0000-000000000000}"
"00000000-0000-0000-0000-000000000000n"

If it was changed to the following it might validate better:

m_guidRegex = new Regex("^\\{[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}\\}$");

or

m_guidRegex = new Regex("^\\{{0,1}[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}\\}{0,1}$");

if there was a need to pass as valid a string which wasn't bounded by curly braces.

The v1.4 release won't run on Windows 7, I got the following error

Would be cool to list all CLSID that implements a given interface-id.

Seems like this is a NtApiDotNet issue, but it's manifesting in OVDN so filing here. When attempting to view a proxy definition, I get the following:

(23f0.1c3c): CLR exception - code e0434352 (first chance)
(23f0.1c3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02580234 ecx=02580234 edx=00000000 esi=02580234 edi=008fe6f8
eip=638c4a42 esp=008fe6e0 ebp=008fe704 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
mscorlib_ni+0x3f4a42:
638c4a42 8b01            mov     eax,dword ptr [ecx]  ds:002b:02580234=????????
0:000> !clrstack
OS Thread Id: 0x1c3c (0)
Child SP       IP Call Site
008fe6e0 638c4a42 System.Runtime.InteropServices.Marshal.ReadInt32(IntPtr, Int32)
008fe70c 00957f71 NtApiDotNet.Ndr.CurrentProcessMemoryReader.ReadIntPtr(IntPtr)
008fe718 0095896f NtApiDotNet.Ndr.NdrNativeUtils.ReadPointerArray[[System.__Canon, mscorlib]](NtApiDotNet.Ndr.IMemoryReader, IntPtr, Int32, System.Func`2<IntPtr,System.__Canon>)
008fe740 009588f2 NtApiDotNet.Ndr.ProxyFileInfo.GetNames(NtApiDotNet.Ndr.IMemoryReader)
008fe758 009586dc NtApiDotNet.Ndr.NdrParser.InitFromProxyFileInfo(NtApiDotNet.Ndr.ProxyFileInfo, System.Collections.Generic.IList`1<NtApiDotNet.Ndr.NdrComProxyDefinition>, System.Collections.Generic.HashSet`1<System.Guid>)
008fe7c4 009577ef NtApiDotNet.Ndr.NdrParser.InitFromProxyFileInfoArray(IntPtr, System.Collections.Generic.IList`1<NtApiDotNet.Ndr.NdrComProxyDefinition>, System.Collections.Generic.HashSet`1<System.Guid>)
008fe804 0095681c NtApiDotNet.Ndr.NdrParser.InitFromFile(System.String, System.Guid, System.Collections.Generic.IList`1<NtApiDotNet.Ndr.NdrComProxyDefinition>, System.Collections.Generic.IEnumerable`1<System.Guid>)
008fe858 00956734 NtApiDotNet.Ndr.NdrParser+c__DisplayClass26_0.b__0()
008fe864 009566a4 NtApiDotNet.Ndr.NdrParser.RunWithAccessCatch[[System.Boolean, mscorlib]](System.Func`1)
008fe884 009565d3 NtApiDotNet.Ndr.NdrParser.ReadFromComProxyFile(System.String, System.Guid, System.Collections.Generic.IEnumerable`1<System.Guid>)
008fe8b0 00956273 OleViewDotNet.COMProxyInstance..ctor(System.String, System.Guid, NtApiDotNet.Win32.ISymbolResolver, OleViewDotNet.Database.COMRegistry)
008fe8f4 00955d7d OleViewDotNet.COMProxyInstance.GetFromCLSID(OleViewDotNet.Database.COMCLSIDEntry, NtApiDotNet.Win32.ISymbolResolver)

Under OVDN 1.4 this crashed, but it seems to be caught in 1.8 and error out. Can't provide the hosting DLL, but can provide any further information you may need.

Both app and PS scripts run with admin rights

I have a small dll that I generate a tlb for. When I attempt to open the tlb I get an error.

It's a 'private' type library, so it's not registered system-wide.

I don't know if it's related or not, but I also can't open the dll file. I only see an option to open a 'proxy dll', so maybe plain dlls aren't supported and I'm doing this wrong? Possibly related to #16.

I've attached both files.

LCDHardwareMonitor PluginLoader CLR.zip

Thanks for your ole view tool!

I have a question. In ProgIDs tab, I find the InternetExplorer.Application , right-click it and View TypeLibrary, now in the Microsoft Internet Controls tab, then click the IWebBrowser interface, in the right pane, there're Methods/Properties, but sometimes returned object, like object Document { get; } in the image.

How can I know the Methods/Properties of the returned Document object?

I'm a rookie and sincerely looking forward to your reply.