https pixabay com en hong kong city urban skyscrapers
play

https://pixabay.com/en/hong-kong-city-urban-skyscrapers-1990268/ - PowerPoint PPT Presentation

May 05, 2023 •330 likes •1.17k views

https://pixabay.com/en/hong-kong-city-urban-skyscrapers-1990268/ Agenda Component Object Model (COM) Internals Attacking COM Enumerating attack surface for EoP Reverse engineering COM components Bugs and Features Well

  1. https://pixabay.com/en/hong-kong-city-urban-skyscrapers-1990268/

  2. Agenda • Component Object Model (COM) Internals • Attacking COM • Enumerating attack surface for EoP • Reverse engineering COM components • Bugs and “Features” We’ll be using my OleViewDotNet tool throughout. https://github.com/tyranid/oleviewdotnet 2

  3. 3 https://pixabay.com/en/ford-mustang-engine-hood-bonnet-1242192/

  4. “Any sufficiently complex middleware is indistinguishable from magic.” Arthur C. Clarke’s Third Law of Software Development 4

  5. In the Beginning was OLE 5

  6. Interoperability Heaven Visual Basic Visual Basic C C COM C++ C++ .NET .NET Component Consumer Component Provider 6

  7. Common ABI Object Pointer VTable Pointer Method1 Pointer Method2 Pointer Implementation Specific Data ... MethodN Pointer struct ObjectVTable { void (* SetInt )( struct Object * This, int i ); int (* GetInt )( struct Object * This); }; Object pointer is first. Arguments passed left to right struct Object { VTable Pointer at start struct ObjectVTable * Vtbl ; // Implementation specific data follows. }; struct Object * obj ; obj -> Vtbl -> SetInt ( obj , 1234 ); 7

  8. The Casting Problem struct Interface1 { virtual void A () = 0 ; Define a }; pure virtual “Interface” struct Interface2 { virtual void B () = 0 ; }; Derive from Interface and class Object : public Interface1 , implement public Interface2 { void A () {} void B () {} }; // Okay (mostly). Interface1 * intf1 = new Object ; No no no!!! // Incredibly bad idea. Interface2 * intf2 = ( Interface2 *) intf1 ; 8

  9. IUnknown, the Root of all COM Evil DEFINE_GUID ( IID_IUnknown , 00000000-0000-0000-C000-000000000046" ); struct IUnknown { HRESULT QueryInterface ( GUID & iid , void ** ppv ); LONG AddRef (); Used to Interfaces defined using a LONG Release (); reference count 128 bit Globally Unique ID. }; the object. struct Interface1 : public IUnknown {}; struct Interface2 : public IUnknown {}; Interface2 * intf2 ; if ( intf1 -> QueryInterface ( IID_Interface2 , ( void **)& intf2 ) >= 0 ) { Cast is a GIANT code // Success, we can call methods. smell! intf2 -> Release (); ¯\_( ツ )_/¯ } 9

  10. Class Registration 10

  11. Class Factories DEFINE_GUID ( IID_ClassFactory , "00000001-0000-0000-C000-000000000046" ); struct IClassFactory : public IUnknown { HRESULT CreateInstance ( IUnknown * pUnkOuter , REFIID riid , void ** ppvObject ); HRESULT LockServer ( BOOL fLock ); }; 11

  12. Creating Class Factories and Instances HRESULT CoGetClassObject ( Specifies what type of server to lookup: REFCLSID rclsid , ● CLSCTX_INPROC_SERVER DWORD dwClsContext , ● CLSCTX_INPROC_HANDLER ● CLSCTX_LOCAL_SERVER COSERVERINFO * pServerInfo , ● CLSCTX_REMOTE_SERVER REFIID riid , LPVOID * ppv HRESULT CoCreateInstanceEx ( ); REFCLSID rclsid , IUnknown * punkOuter , DWORD dwClsCtx , Specify remote server COSERVERINFO * pServerInfo , information is required (more on this later). DWORD dwCount , MULTI_QI * pResults ); 12

  13. In-Process Server Process ● DLL server filename specified in InProcServer32 key. Class Instance ● DLL loaded into process and class factory created by calling exported method: Client Class Factory HRESULT DllGetClassObject ( REFCLSID rclsid , REFIID riid , LPVOID * ppv ); server.dll 13

  14. COM Apartments Process Thread X Thread Y STA X STA Y Instance Instance Instance Instance Instance Instance Thread A Thread B MTA or NTA Instance Instance Instance HRESULT CoInitializeEx ( COINIT_APARTMENTTHREADED LPVOID pvReserved , or DWORD dwCoInit COINIT_MULTITHREADED ); 14

  15. Multi-Threaded Apartments (MTA) Process Thread X Thread Y MTA Client Y Instance Client X 15

  16. Single Threaded Apartments (STA) Process Thread X Thread Y STA X STA Y Instance Client 16

  17. Single Threaded Apartments (STA) Process Thread X Thread Y STA X STA Y Instance Client Proxy 17

  18. Single Threaded Apartments (STA) Process Thread X Thread Y STA X STA Y Instance Client Proxy Marshaling Send STA HWND Message 18

  19. Single Threaded Apartments (STA) Process Thread X Thread Y STA X STA Y Instance Client Unmarshaling Stub Proxy Send STA HWND Message 19

  20. The Mystery Window HWND hwnd = FindWindowEx ( HWND_MESSAGE , NULL, NULL, NULL); while ( hwnd ) { WCHAR name [ 256 ] = {}; if ( GetWindowText ( hwnd , name , _countof ( name )) && _wcsnicmp ( name , L"ole" , 3 ) == 0 ) { DWORD pid = 0 ; DWORD tid = GetWindowThreadProcessId ( hwnd , & pid ); printf ( "%p %5d %5d %ls\n" , hwnd , pid , tid , name ); } hwnd = GetNextWindow ( hwnd , GW_HWNDNEXT ); } “Main” STA window. Per-Thread STA window. 20

  21. Local Server Activation DCOM Activator (part of RPCSS) Server Process Client Process Instance Client Stub Proxy RPC Server RPC Client ALPC Channel 21

  22. Local Server Activation RPCSS System Activator Send Request to System Activator Client Process Client 22

  23. Local Server Activation RPCSS System Activator Create New Process Register Process Activator (if necessary) Server Process Client Process System Client Activator 23

  24. Local Server Activation RPCSS System Activator Pass Activation Properties to Get Marshaled Result In-Process Activator Server Process Client Process System Client Activator Instance 24

  25. Local Server Activation RPCSS System Activator Pass back result to client Server Process Client Process System Client Activator Connect to Instance Instance 25

  26. System Activator DEFINE_GUID ( IID_ISystemActivator , "000001a0-0000-0000-c000-000000000046" ) struct ISystemActivator : public IUnknown { HRESULT GetClassObject ( IActivationPropertiesIn * pActProperties , IActivationPropertiesOut ** ppActProperties ); HRESULT CreateInstance ( IUnknown * pUnkOuter , IActivationPropertiesIn * pActProperties , IActivationPropertiesOut ** ppActProperties ); }; 26

  27. Activation Properties In struct CustomHeader { DWORD totalSize ; DWORD headerSize ; DWORD dwReserved ; DWORD destCtx ; CustomHeader DWORD cIfs; CLSID classInfoClsid ; Property 1 CLSID *pclsid; DWORD *pSizes; Property 2 CustomOpaqueData *opaqueData; }; Property 3 Property 4 List of GUIDs and Sizes of following Property Blobs struct InstantiationInfoData { CLSID to CLSID classId ; create. enum ACTIVATION_FLAGS { DWORD classCtx ; ACTVFLAGS_DISABLE_AAA , DWORD actvflags ; ACTVFLAGS_ACTIVATE_32_BIT_SERVER , long fIsSurrogate ; ACTVFLAGS_ACTIVATE_64_BIT_SERVER , DWORD cIID ; ACTVFLAGS_NO_FAILURE_LOG , DWORD instFlag ; ACTVFLAGS_WINRT_LOCAL_SERVER , ACTVFLAGS_WINRT_PER_USER_OK , IID * pIID ; ACTVFLAGS_APPCONTAINER , DWORD thisSize ; List of IIDs to }; COMVERSION clientCOMVersion ; query for. }; 27

  28. Activation Properties Out struct PropsOutInfo { DWORD cIfs ; struct MInterfacePointer { IID * piid ; unsigned long ulCntData ; HRESULT * phresults ; byte abData []; MInterfacePointer ** ppIntfData ; }; }; 28

  29. It’s like Marshaling Cats 1 = Standard OBJREF 4 = Custom OBJREF ‘MEOW’ OBJREF Type IID (lower 64 bits) IID (upper 64 bits) Flags References CLSID (lower 64 bits) Object Exporter ID (OXID) CLSID (upper 64 bits) Object ID (OID) Reserved Data Size Interface Pointer ID (IPID) IPID (upper 64 bits) Custom Data Binding information for remote access Standard OBJREF Custom OBJREF 29

  30. Standard Unmarshaling RPCSS System Object Resolver Activator Resolve OXID Binding Server Process Client Process Object Exporter ID (OXID) Object ID (OID) Instance Interface Pointer ID (IPID) Client IPIDTable ALPC OLEXXXX 30

  31. Standard Unmarshaling RPCSS System Object Resolver Activator Server Process Client Process Object Exporter ID (OXID) Object ID (OID) Instance Interface Pointer ID (IPID) Client Server is at ncalrpc:[OLEXXXXX] IPIDTable ALPC OLEXXXX 31

  32. Standard Unmarshaling RPCSS System Object Resolver Activator Server Process Client Process Object Exporter ID (OXID) Object ID (OID) Instance Interface Pointer ID (IPID) Client RPC Client IPIDTable ALPC OLEXXXX IPID@ncalrpc:[OLEXXXX] 32

  33. Standard Unmarshaling RPCSS System Object Resolver Activator Server Process Client Process UUID ipid ; RpcBindingInqObject ( Binding , & ipid Instance ); IPIDTable :: Lookup ( ipid )-> Invoke (); Client RPC Client IPIDTable ALPC OLEXXXX 33

  34. Standard Unmarshaling RPCSS System Object Resolver Activator Server Process Client Process Instance Client RPC Client IPIDTable ALPC OLEXXXX 34

  35. Interface Proxies and Stubs 35

  36. Interface Proxy-Stub Factory DEFINE_GUID ( IID_IPSFactoryBuffer , "D5F569D0-593B-101A-B569-08002B2DBF7A" ) struct IPSFactoryBuffer : public IUnknown { HRESULT CreateProxy ( IUnknown * pUnkOuter , REFIID riid , IRpcProxyBuffer ** ppProxy , void ** ppv ); HRESULT CreateStub ( REFIID riid , IUnknown * pUnkServer , IRpcStubBuffer ** ppStub ); }; 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Route to Become a Fire Engineer Fire Engineering Projects in Hong Kong Skyscrapers in HK

Route to Become a Fire Engineer Fire Engineering Projects in Hong Kong Skyscrapers in HK

Route to Become a Fire Engineer Fire Engineering Projects in Hong Kong Skyscrapers in HK International Commerce Centre - 490m International Finance Centre - 406.9 m Central Plaza 309 m Bank of China 305 m The Center

465 views • 45 slides
Are We Smart Enough to Develop a Smart City for Hong Kong? Three policy objectives to pursue

Are We Smart Enough to Develop a Smart City for Hong Kong? Three policy objectives to pursue

Are We Smart Enough to Develop a Smart City for Hong Kong? Three policy objectives to pursue smart city (1) Make use of innovation and technology (I&T) to address urban challenges , enhance the effectiveness of city management and improve

476 views • 36 slides
CITIES, HEALTH AND WELL-BEING NOVEMBER 2011 Hong Kong as an Urban Experiment The Density Question

CITIES, HEALTH AND WELL-BEING NOVEMBER 2011 Hong Kong as an Urban Experiment The Density Question

CITIES, HEALTH AND WELL-BEING NOVEMBER 2011 Hong Kong as an Urban Experiment The Density Question Anthony Yeh Centre of Urban Studies and Urban Planning Department of Urban Planning and Design The University of Hong Kong Why is Density

687 views • 34 slides
Radicalism among Young People in Hong Kong Professor Eric Wing-hong CHUI City University of Hong

Radicalism among Young People in Hong Kong Professor Eric Wing-hong CHUI City University of Hong

Civic Engagement, Activism, and Radicalism among Young People in Hong Kong Professor Eric Wing-hong CHUI City University of Hong Kong Research Team (for GRF project 11602718, 2019-2021) Co-I: Prof. Kevin Cheng (CUHK, Law) Co-I: Dr.

309 views • 16 slides
CITIES, HEALTH AND WELL-BEING NOVEMBER 2011 Designing Health and Well-being in Hong Kong Dr

CITIES, HEALTH AND WELL-BEING NOVEMBER 2011 Designing Health and Well-being in Hong Kong Dr

CITIES, HEALTH AND WELL-BEING NOVEMBER 2011 Designing Health and Well-being in Hong Kong Dr York Chow Secretary for Food and Health Hong Kong Special Administrative Region Government Urban Age Conference, Hong Kong 16 Nov 2011 Productivity

806 views • 24 slides
Potential of Low-Impact Development for Stormwater Management in Hong Kong Kit Ming LAM, Ting

Potential of Low-Impact Development for Stormwater Management in Hong Kong Kit Ming LAM, Ting

Potential of Low-Impact Development for Stormwater Management in Hong Kong Kit Ming LAM, Ting Fong May CHUI, Ze-ying LI Department of Civil Engineering, University of Hong Kong Flooding Urban drainage demand Culprits for Urban flooding in

703 views • 49 slides
Hong Kong International AIRPORT AvRDP Phase I Progress Peter PW LI Hong Kong Observatory Hong

Hong Kong International AIRPORT AvRDP Phase I Progress Peter PW LI Hong Kong Observatory Hong

Hong Kong International AIRPORT AvRDP Phase I Progress Peter PW LI Hong Kong Observatory Hong Kong, China WMO WWRP 4 th International Symposium on Nowcasting and Very-short-range Forecast Hong Kong, China 26 July 2016 Hong Kong International

1.21k views • 31 slides
City University of Hong Kong Sustainability Summit: Pathways to a Sustainable Hong Kong

City University of Hong Kong Sustainability Summit: Pathways to a Sustainable Hong Kong

City University of Hong Kong Sustainability Summit: Pathways to a Sustainable Hong Kong Sustainability Summit: Pathways to a Sustainable Hong Kong Sustainability Summit: Pathways to a Sustainable Hong Kong Executive Director and Presidential

421 views • 5 slides
URBAN AGE CITIES LONDON LONDON BERLIN CHICAGO ISTANBUL NEW YORK SHANGHAI HONG KONG MEXICO

URBAN AGE CITIES LONDON LONDON BERLIN CHICAGO ISTANBUL NEW YORK SHANGHAI HONG KONG MEXICO

URBAN AGE CITIES LONDON LONDON BERLIN CHICAGO ISTANBUL NEW YORK SHANGHAI HONG KONG MEXICO CITY MUMBAI SAO PAULO JOHANNESBURG

417 views • 26 slides
HONG KONG RIGHT PLACE RIGHT TIME RIGHT NOW European Investment in China via Hong Kong Charles Ng

HONG KONG RIGHT PLACE RIGHT TIME RIGHT NOW European Investment in China via Hong Kong Charles Ng

HONG KONG RIGHT PLACE RIGHT TIME RIGHT NOW European Investment in China via Hong Kong Charles Ng Associate Director-General of Investment Promotion 22 May 2012 Agenda Changing Trends in the type of companies setting up in Hong Kong

470 views • 19 slides
belly buttons, absent cameras, Linda C.H. LAI moving house, The City University of Hong Kong

belly buttons, absent cameras, Linda C.H. LAI moving house, The City University of Hong Kong

Documenting Sentiments in Hong Kong 1997 Video Diaries: belly buttons, absent cameras, Linda C.H. LAI moving house, The City University of Hong Kong November 3, 2012 fooling around 1997 A relatively recent conclusion of HK's British

443 views • 32 slides
WELCOME to Hong Kong! WELCOME to Hong Kong! Main Conference: 2125 Feb 2011 @Hong Kong

WELCOME to Hong Kong! WELCOME to Hong Kong! Main Conference: 2125 Feb 2011 @Hong Kong

WELCOME to Hong Kong! WELCOME to Hong Kong! Main Conference: 2125 Feb 2011 @Hong Kong Convention and Exhibition Centre (HKCEC) APRICOT Technical Workshop: 1519 Feb 2011@Cyberport Why APRICOT Why APRICOT- -APAN.Asia 2011? APAN.Asia

579 views • 29 slides
in Urban Context Dr. Hau Chi Hang, Billy Dr. Pang Chun Chiu The University of Hong Kong

in Urban Context Dr. Hau Chi Hang, Billy Dr. Pang Chun Chiu The University of Hong Kong

Eco-Landscape Design in Urban Context Dr. Hau Chi Hang, Billy Dr. Pang Chun Chiu The University of Hong Kong Introduction Habitat fragmentation, isolation and degradation are world-wide issue for developed countries and cities. Huge

1.02k views • 45 slides
Analysis of Distributed Learning Algorithms Ding-Xuan Zhou City University of Hong Kong E-mail:

Analysis of Distributed Learning Algorithms Ding-Xuan Zhou City University of Hong Kong E-mail:

Analysis of Distributed Learning Algorithms Ding-Xuan Zhou City University of Hong Kong E-mail: mazhou@cityu.edu.hk Supported in part by Research Grants Council of Hong Kong Start November 5, 2016 Outline of the Talk I. Distributed learning

243 views • 22 slides
Action Research and Policy Change for Better Environments: Lessons from Hong Kong and Los Angeles

Action Research and Policy Change for Better Environments: Lessons from Hong Kong and Los Angeles

Action Research and Policy Change for Better Environments: Lessons from Hong Kong and Los Angeles Robert Gottlieb & Simon Ng Green Initiatives Shanghai 19 September 2017 Global Cities: Urban Environments in Los Angeles, Hong Kong, and

393 views • 23 slides
PRESENTATION: HONG KONG HONOURABLE MARGARET NG NGOI-YEE, HONG KONG 22nd July 2012 Introduction

PRESENTATION: HONG KONG HONOURABLE MARGARET NG NGOI-YEE, HONG KONG 22nd July 2012 Introduction

PRESENTATION: HONG KONG HONOURABLE MARGARET NG NGOI-YEE, HONG KONG 22nd July 2012 Introduction by John Joseph Clancey We may wonder today about the institutions that have helpedfree Hong Kong from political violence. Let me say a few wordsabout

175 views • 4 slides
Chapter 8, Object Design: Object design is the process of adding details to the requirements

Chapter 8, Object Design: Object design is the process of adding details to the requirements

Object Design Object-Oriented Software Engineering Chapter 8, Object Design: Object design is the process of adding details to the requirements analysis and making implementation decisions Reuse and Patterns I The object designer must

301 views • 15 slides
UML: Unified Modeling Language 1 Modeling Describing a system at a high level of

UML: Unified Modeling Language 1 Modeling Describing a system at a high level of

UML: Unified Modeling Language 1 Modeling Describing a system at a high level of abstraction A model of the system Used for requirements and specification Many notations over time State machines Entity-relationship

910 views • 57 slides
Component-Based Software David S. Rosenblum (ed. By Richard N. Taylor) ICS 221 Fall 2002

Component-Based Software David S. Rosenblum (ed. By Richard N. Taylor) ICS 221 Fall 2002

Component-Based Software David S. Rosenblum (ed. By Richard N. Taylor) ICS 221 Fall 2002 Components and Reuse n Develop systems of components of a reasonable size and reuse them n Repeated use of a component n Adapting components for use

719 views • 24 slides
41. Composition Filters - A Filter-Based Grey-Box Component Model Lecturer : Dr. Sebastian Gtz

41. Composition Filters - A Filter-Based Grey-Box Component Model Lecturer : Dr. Sebastian Gtz

Fakultt Informatik - Institut Software- und Multimediatechnik 41. Composition Filters - A Filter-Based Grey-Box Component Model Lecturer : Dr. Sebastian Gtz 1. Inheritance Anomaly Prof. Dr. Uwe Amann 2. Design Pattern Decorator

782 views • 33 slides
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 9:

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 9:

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 9: Architecting and Designing Software Lecture 12 9.1 The Process of Design Denition: Design is a problem-solving process whose objective is to

722 views • 48 slides
A System to Specify and Manage Multipolicy Access Control Models Elisa Bertino Barbara Catania

A System to Specify and Manage Multipolicy Access Control Models Elisa Bertino Barbara Catania

Policy 2002: IEEE 3rd International Workshop on Policies for Distributed Systems and Networks Hosted by the Naval Postgraduate School , Monterey, California, U.S.A. June 5-7, 2002 A System to Specify and Manage Multipolicy Access Control Models

671 views • 29 slides
On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262

On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262

On Bringing Object-Oriented Software Metrics into the Model-Based World Verifying ISO 26262 Compliance in Simulink Lukas Murer, Torben Stolte Tanja Hebecker, Michael Lipaczewski Uwe Mhrstdt, Frank Ortmeier Motivation Functional safety

589 views • 21 slides
Scalable Component Abstractions Martin Odersky Swiss Federal Institute of Technology Lausanne

Scalable Component Abstractions Martin Odersky Swiss Federal Institute of Technology Lausanne

Scalable Component Abstractions Martin Odersky Swiss Federal Institute of Technology Lausanne (EPFL) (joint work with Matthias Zenger, Google) 1 Component Software State of the Art In principle , software should be constructed from

1.03k views • 44 slides

More recommend