Win32, relative address layout:
80000000+ - system
00400000+ - application
0006FFFC- - stack growing down
Into what address range does a value like 003F7XXX fall? The small-block heap?
Is it reserved by the OS, or by COM?
COM places its objects near those addresses.
I used a slightly modified USECOM example:
; Component Object Model usage demonstration
; fasm source for a 32-bit Windows PE with the GUI subsystem (no console),
; which is why the result is shown through MessageBoxA rather than printed.
; win32a.inc supplies invoke/cinvoke, the interface/cominvk COM helpers and
; the library/import macros used at the end of the file.
format PE GUI 4.0
entry start
include 'win32a.inc'
; GUID <text>: emit a GUID from its textual form d1-d2-d3-d4-d5
; (8-4-4-4-12 hex digits, no braces). `match` splits the text at the
; dashes; each group becomes a number by prefixing 0x (\# is the token
; paste operator escaped for the inner macro level). The layout follows
; the Windows GUID struct: Data1 dword, Data2 word, Data3 word, then the
; 8-byte Data4 array, which this struc writes as .Data4 (2 bytes) plus
; .Data5 (6 bytes) in the order the digits appear in the text.
struc GUID def
{
match d1-d2-d3-d4-d5, def
\{
.Data1 dd 0x\#d1
.Data2 dw 0x\#d2
.Data3 dw 0x\#d3
; two bytes, high byte first as written
.Data4 db 0x\#d4 shr 8,0x\#d4 and 0FFh
; six bytes, most significant first as written
.Data5 db 0x\#d5 shr 40,0x\#d5 shr 32 and 0FFh,0x\#d5 shr 24 and 0FFh,0x\#d5 shr 16 and 0FFh,0x\#d5 shr 8 and 0FFh,0x\#d5 and 0FFh
\}
}
; IUnknown: declare the method table of the base COM interface with the
; interface macro from win32a.inc, so that `cominvk _obj,Method` can be
; used below. The slot order must match the real vtable:
; QueryInterface, AddRef, Release.
interface IUnknown,\
QueryInterface,\
AddRef,\
Release
; CLSCTX_* execution-context flags for CoCreateInstance (dwClsContext).
; Only CLSCTX_INPROC_SERVER is used in this file; the rest are kept for
; experiments with other activation contexts.
CLSCTX_INPROC_SERVER = 0x1 ; load the server DLL into this process - used below
CLSCTX_INPROC_HANDLER = 0x2
CLSCTX_LOCAL_SERVER = 0x4
CLSCTX_INPROC_SERVER16 = 0x8
CLSCTX_REMOTE_SERVER = 0x10
CLSCTX_INPROC_HANDLER16 = 0x20
CLSCTX_INPROC_SERVERX86 = 0x40
CLSCTX_INPROC_HANDLERX86 = 0x80
CLSCTX_ESERVER_HANDLER = 0x100
CLSCTX_NO_CODE_DOWNLOAD = 0x400
CLSCTX_NO_CUSTOM_MARSHAL = 0x1000
CLSCTX_ENABLE_CODE_DOWNLOAD = 0x2000
CLSCTX_NO_FAILURE_LOG = 0x4000
CLSCTX_DISABLE_AAA = 0x8000
CLSCTX_ENABLE_AAA = 0x10000
CLSCTX_FROM_DEFAULT_CONTEXT = 0x20000
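section '.text' code readable executable
;-----------------------------------------------------------------------
; start - program entry point (never returns; leaves via ExitProcess)
; Creates the CLSID_ShimLayerPropertyPage object through CoCreateInstance,
; reads the dword 24 bytes BEFORE the returned object (memory that lies
; outside the object - a deliberate probe of what surrounds a COM object,
; not part of any interface contract), releases the object and shows the
; probed value in a message box.
; Regs:  esi = probed dword. It must not live in eax: the cominvk macro
;        loads eax with the object pointer and Release returns in eax,
;        so the original `mov eax,[eax-24]` was overwritten before print.
; invoke = stdcall (Win32 API); cinvoke = cdecl (wsprintfA is varargs).
;-----------------------------------------------------------------------
start:
        invoke  CoInitialize,NULL
        invoke  CoCreateInstance,CLSID_ShimLayerPropertyPage,NULL,CLSCTX_INPROC_SERVER,IID_IUnknown,_test
        ; A failing HRESULT has the sign bit set and CoCreateInstance stores
        ; NULL in *ppv on failure; dereferencing it would crash, so exit.
        test    eax,eax
        js      .failed
        mov     eax,[_test]             ; eax = object pointer returned via ppv
        test    eax,eax
        jz      .failed
        mov     esi,[eax-24]            ; probe: dword at object-24, kept in esi
        cominvk _test,Release           ; drop our reference (clobbers eax)
        cinvoke wsprintfA,_buf,_format,esi
        invoke  MessageBoxA,0,_buf,_format,MB_OK
        invoke  ExitProcess,0
.failed:
        invoke  ExitProcess,1           ; nonzero exit code: object not created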
section '.data' data readable writeable
; Class and interface ids. Only CLSID_ShimLayerPropertyPage and IID_IUnknown
; are referenced by the code above; the other IIDs are kept for swapping
; into the CoCreateInstance call (see the notes further down on which
; ones this class answers).
CLSID_ShimLayerPropertyPage GUID 513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8
IID_IUnknown GUID 00000000-0000-0000-C000-000000000046 ; standard IUnknown IID
IID_IClassFactory GUID 00000001-0000-0000-C000-000000000046
IID_IPersistFile GUID 0000010B-0000-0000-C000-000000000046
IID_IShellExtInit GUID 000214E8-0000-0000-C000-000000000046
IID_IShellPropSheetExt GUID 000214E9-0000-0000-C000-000000000046
IID_IShellLinkW GUID 000214F9-0000-0000-C000-000000000046
IID_IShellLinkDataList GUID 45E2B4AE-B1C3-11D0-B92F-00A0C90312E1
_test IUnknown ; receives the interface pointer (ppv out-param of CoCreateInstance)
_format db 'eax:', $9, '0x%X', 0 ; "eax:<tab>0x%X"; also reused as the MessageBox caption
_buf rb $100 ; wsprintfA output; the format above yields at most 16 bytes incl. NUL
section '.idata' import data readable
; Import table, everything bound by name. CoUninitialize is not imported:
; the program leaves through ExitProcess without balancing CoInitialize,
; which is only acceptable because the process is terminating anyway.
library kernel,'KERNEL32.DLL',\
user,'USER32.DLL',\
ole,'OLE32.DLL'
import kernel,\
ExitProcess,'ExitProcess'
import user,\
MessageBoxA,'MessageBoxA',\
wsprintfA,'wsprintfA'
import ole,\
CoInitialize,'CoInitialize',\
CoCreateInstance,'CoCreateInstance'
What information was gained:
slayerxp.dll = $5C280000
IShellPropSheetExt@Vtbl = $11DC
IShellExtInit@Vtbl = $11F0
CLayerUIPropPage.CreateInstance = $24DC;CLayerUIPropPage.CreateInstance(CLayerUIPropPage *this, const struct _GUID *riid, void **ppv)
case IID in [CoCreateInstance,CLSID_ShimLayerPropertyPage,NULL,CLSCTX_INPROC_SERVER,IID,_test] of
IID_IUnknown,IID_IShellExtInit: [_test]=$003F73F0
IID_IShellPropSheetExt: [_test]=$003F73F4
default: [_test]=0 ; so, logically, CLSID_ShimLayerPropertyPage supports only 2 interfaces (3 with IUnknown)
What is located at $003F73F0 and around that address:
003F73DC: 00000000
003F73E0: 00000001
003F73E4: 5C2824DC = slayerxp.dll.CLayerUIPropPage.CreateInstance
003F73E8: 00060044
003F73EC: 00080101
;that is our COM object
003F73F0: 5C2811F0 = slayerxp.dll.IShellExtInit@Vtbl ; tested,proved
003F73F4: 5C2811DC = slayerxp.dll.IShellPropSheetExt@Vtbl ;tested,proved
003F73F8: 00000001 ; sadly it is not a counter: I created multiple instances of this COM object (within a single process and across different processes) with the same result - it is always 1
003F73F8: 00000000 = array(MAXPATH=260) of WCHAR(0) ;tested,proved - used as full path filename holder
;COM object end
003F7608: 0044013F
003F760C: 00001000
003F7610: 003F0178
003F7614: 003F0178
003F7618: 00000000
003F761C: 00000000
So CoCreateInstance, given CLSID_ShimLayerPropertyPage, finds the DLL - slayerxp.dll -
runs its GetClassObject, which runs its IClassFactory.CreateInstance "slayerxp.dll.CLayerUIPropPage.CreateInstance" and builds, in the 003F7XXX range, a COM object with 2 vtbls, one field always valued 1, and a WCHAR[MAXPATH] field. It looks like IClassFactory could be omitted, because all we need from it is the construction of our COM object and the filtering of supported IIDs - nothing more.
In the case of ShellTaskBar, as in the official example USECOM.ASM:
; Image of the two interface-pointer variables in the test program's data
; section (application range, 00400000+): each holds the object pointer
; that came back from creating a ShellTaskBar object.
virtual at $00402020
dd $0015E450 ;[ShellTaskBar]=$0015E450  - first instance
dd $0015E498 ;[ShellTaskBar2]=$0015E498 - second instance, created within the same process
end virtual
; Image of the first ShellTaskBar object at $0015E450. The first dword is
; the vtable pointer - it matches the table dumped at $77988680 below.
; The meaning of the remaining fields was not established here.
virtual at $0015E450
dd $77988680 ; lpVtbl
dd $00000001 ; NOTE(review): possibly the reference count - not verified
dd $00000000
dd $0000C02A
dd $00030003
dd $000C0109
dd $00000000
dd $01000000
end virtual
; Image of the second ShellTaskBar object at $0015E498, created in the same
; process. Same vtable pointer as the first instance; the fields that
; differ from instance 1 are marked.
virtual at $0015E498
dd $77988680 ; lpVtbl (shared with the first instance)
dd $00000001 ; NOTE(review): possibly the reference count - not verified
dd $00000000
dd $0000C02A
dd $00030005 ; differs from instance 1 ($00030003)
dd $000801A0 ; differs from instance 1 ($000C0109)
dd $00000000
dd $76235184 ; differs from instance 1 ($01000000)
end virtual
; Image of the vtable at $77988680 that both instances point to. The
; first three slots are the IUnknown methods, in the same order as the
; interface declaration above; the remaining names are the ITaskbarList
; method set. The bytes after each name are the first 16 bytes of the
; method; 8B FF 55 8B EC is the usual hot-patchable prologue
; (mov edi,edi / push ebp / mov ebp,esp).
virtual at $77988680
dd $779C5654 ;QueryInterface :8B FF 55 8B EC FF 75 10 FF 75 0C 68 70 56 9C 77
dd $779B03B1 ;AddRef :8B FF 55 8B EC 8B 45 08 FF 40 04 8B 40 04 5D C2
dd $779C5604 ;Release :8B FF 55 8B EC 8B 4D 08 FF 49 04 8B 41 04 74 04
dd $779C5596 ;HrInit :8B FF 55 8B EC 8B 4D 08 E8 17 00 00 00 F7 D8 1B
dd $779C5775 ;AddTab
dd $779C552E ;DeleteTab
dd $779C5706 ;ActivateTab
dd $779C5748 ;SetActiveAlt
end virtual