flat assembler
Message board for the users of flat assembler.

Index > Windows > memory ranges

Author
Thread Post new topic Reply to topic
ProMiNick



Joined: 24 Mar 2012
Posts: 802
Location: Russian Federation, Sochi
ProMiNick 28 Oct 2018, 00:56
win32 relative
80000000+ - system
00400000+ - application
0006FFFC- - stack growing down

in what address range fit value 003F7XXX? small pieces heap.
It reserved by OS, COM?
COM places its objects near that adresses.

used slightly modified usecom example
Code:
; Component Object Model usage demonstration

format PE GUI 4.0
entry start

include 'win32a.inc'

struc GUID def
 {
   match d1-d2-d3-d4-d5, def
    \{
      .Data1 dd 0x\#d1
      .Data2 dw 0x\#d2
      .Data3 dw 0x\#d3
      .Data4 db 0x\#d4 shr 8,0x\#d4 and 0FFh
      .Data5 db 0x\#d5 shr 40,0x\#d5 shr 32 and 0FFh,0x\#d5 shr 24 and 0FFh,0x\#d5 shr 16 and 0FFh,0x\#d5 shr 8 and 0FFh,0x\#d5 and 0FFh
    \}
 }

interface IUnknown,\
           QueryInterface,\
           AddRef,\
           Release

CLSCTX_INPROC_SERVER        = 0x1
CLSCTX_INPROC_HANDLER       = 0x2
CLSCTX_LOCAL_SERVER         = 0x4
CLSCTX_INPROC_SERVER16      = 0x8
CLSCTX_REMOTE_SERVER        = 0x10
CLSCTX_INPROC_HANDLER16     = 0x20
CLSCTX_INPROC_SERVERX86     = 0x40
CLSCTX_INPROC_HANDLERX86    = 0x80
CLSCTX_ESERVER_HANDLER      = 0x100
CLSCTX_NO_CODE_DOWNLOAD     = 0x400
CLSCTX_NO_CUSTOM_MARSHAL    = 0x1000
CLSCTX_ENABLE_CODE_DOWNLOAD = 0x2000
CLSCTX_NO_FAILURE_LOG       = 0x4000
CLSCTX_DISABLE_AAA          = 0x8000
CLSCTX_ENABLE_AAA           = 0x10000
CLSCTX_FROM_DEFAULT_CONTEXT = 0x20000

section '.text' code readable executable

 start:

        invoke  CoInitialize,NULL
        invoke  CoCreateInstance,CLSID_ShimLayerPropertyPage,NULL,CLSCTX_INPROC_SERVER,IID_IUnknown,_test
        mov     eax,_test
        mov     eax,[eax]
        mov     eax,[eax-24]
        cominvk _test,Release
        cinvoke wsprintfA,_buf,_format,eax
        invoke  MessageBoxA,0,_buf,_format,MB_OK
        invoke  ExitProcess,0

section '.data' data readable writeable

 CLSID_ShimLayerPropertyPage GUID 513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8
 IID_IUnknown                GUID 00000000-0000-0000-C000-000000000046
 IID_IClassFactory           GUID 00000001-0000-0000-C000-000000000046
 IID_IPersistFile            GUID 0000010B-0000-0000-C000-000000000046
 IID_IShellExtInit           GUID 000214E8-0000-0000-C000-000000000046
 IID_IShellPropSheetExt      GUID 000214E9-0000-0000-C000-000000000046
 IID_IShellLinkW             GUID 000214F9-0000-0000-C000-000000000046
 IID_IShellLinkDataList      GUID 45E2B4AE-B1C3-11D0-B92F-00A0C90312E1

 _test IUnknown
_format db 'eax:', $9, '0x%X', 0
_buf    rb $100

section '.idata' import data readable

  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL',\
          ole,'OLE32.DLL'

  import kernel,\
         ExitProcess,'ExitProcess'

  import user,\
         MessageBoxA,'MessageBoxA',\
         wsprintfA,'wsprintfA'

  import ole,\
         CoInitialize,'CoInitialize',\
         CoCreateInstance,'CoCreateInstance'    


What information gained
Code:
slayerxp.dll = $5C280000
IShellPropSheetExt@Vtbl = $11DC
IShellExtInit@Vtbl      = $11F0
CLayerUIPropPage.CreateInstance = $24DC;CLayerUIPropPage.CreateInstance(CLayerUIPropPage *this, const struct _GUID *riid, void **ppv)

case IID in [CoCreateInstance,CLSID_ShimLayerPropertyPage,NULL,CLSCTX_INPROC_SERVER,IID,_test] of
     IID_IUnknown,IID_IShellExtInit: [_test]=$003F73F0
     IID_IShellPropSheetExt:         [_test]=$003F73F4
     default:                        [_test]=0 ; that is logicaly CLSID_ShimLayerPropertyPage supports only 2 interfaces (3 with IUnknown)

what located in $003F73F0 and around of that address

003F73DC: 00000000
003F73E0: 00000001
003F73E4: 5C2824DC = slayerxp.dll.CLayerUIPropPage.CreateInstance
003F73E8: 00060044 
003F73EC: 00080101

;that our COM object
003F73F0: 5C2811F0 = slayerxp.dll.IShellExtInit@Vtbl ; tested,proved
003F73F4: 5C2811DC = slayerxp.dll.IShellPropSheetExt@Vtbl ;tested,proved
003F73F8: 00000001 ; sadly it is not a counter((((( I created multyinstances used this COM (within single proccess and within different processes) resultat same - it is allways 1
003F73F8: 00000000 = array(MAXPATH=260) of WCHAR(0)       ;tested,proved - used as full path filename holder
;COM object end
003F7608: 0044013F
003F760C: 00001000
003F7610: 003F0178
003F7614: 003F0178
003F7618: 00000000
003F761C: 00000000    


So CoCreateInstance by CLSID_ShimLayerPropertyPage find dll - slayerxp.dll.
runned its GetClassObject, that runned its IClassFactory.CreateInstance "slayerxp.dll.CLayerUIPropPage.CreateInstance" and formed in 003F7XXX range COMobject with 2 vtbls, 1 field always valued with 1, and with field WCHAR[MAXPATH]. looks like IClassFactory sho;d be omited, because from it we need only forming of our COMobject and filtering supported IIDs - nothing more.

in case of shelltaskbar as in official example USECOM.ASM
Code:
virtual at $00402020
        dd $0015E450 ;[ShellTaskBar]=$0015E450
        dd $0015E498 ;[ShellTaskBar2]=$0015E498 ; within single process I create it twice
end virtual

virtual at $0015E450
        dd $77988680
        dd $00000001
        dd $00000000
        dd $0000C02A
        dd $00030003
        dd $000C0109
        dd $00000000
        dd $01000000
end virtual

virtual at $0015E498
        dd $77988680
        dd $00000001
        dd $00000000
        dd $0000C02A
        dd $00030005
        dd $000801A0
        dd $00000000
        dd $76235184
end virtual


virtual at $77988680
        dd $779C5654 ;QueryInterface :8B FF 55 8B EC FF 75 10 FF 75 0C 68 70 56 9C 77
        dd $779B03B1 ;AddRef         :8B FF 55 8B EC 8B 45 08 FF 40 04 8B 40 04 5D C2
        dd $779C5604 ;Release        :8B FF 55 8B EC 8B 4D 08 FF 49 04 8B 41 04 74 04
        dd $779C5596 ;HrInit         :8B FF 55 8B EC 8B 4D 08 E8 17 00 00 00 F7 D8 1B
        dd $779C5775 ;AddTab
        dd $779C552E ;DeleteTab
        dd $779C5706 ;ActivateTab
        dd $779C5748 ;SetActiveAlt
end virtual     

_________________
I don`t like to refer by "you" to one person.
My soul requires acronim "thou" instead.
Post 28 Oct 2018, 00:56
View user's profile Send private message Send e-mail Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 1228
Location: Belarus
DimonSoft 28 Oct 2018, 09:01
ProMiNick wrote:
win32 relative
80000000+ - system
00400000+ - application
0006FFFC- - stack growing down

in what address range fit value 003F7XXX? small pieces heap.
It reserved by OS, COM?
COM places its objects near that adresses.

Not guaranteed at all. See 3GB switch, ImageBase field in PE EXE, ASLR, etc. Dynamically allocated memory and stuff from DLLs loaded into process addressing space depend on other DLLs loaded, and those change from version to version of Windows, maybe even from service pack to service pack.
Post 28 Oct 2018, 09:01
View user's profile Send private message Visit poster's website Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 802
Location: Russian Federation, Sochi
ProMiNick 28 Oct 2018, 09:46
I keep trying to explore COM from all sides...
I have no courage for experiment for now (to many times I failed...) and keep searching as more information as I can.
For now I lost COM counter, field with value 1, before that post I thought it is counter. Looks like counter not awailable to process as memory cell, just as abstraction in interlocked calculations.

From library(COM server) view COM had pointer to interface table, than pointer to CLSID, than counter, than userdata. From view of application I see COM as directly interface table, followed with value 1, and than same userdata. The full path from GetClassObject to ClassFactory.CreateInstance is still mistery...
Post 28 Oct 2018, 09:46
View user's profile Send private message Send e-mail Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.