hfiref0x / UACME

Defeating Windows User Account Control
BSD 2-Clause "Simplified" License
6.08k stars 1.3k forks

How is icolordataproxyvtbl structure generated? #136

Closed secxue closed 1 year ago

secxue commented 1 year ago

Hi bro, how is icolordataproxyvtbl structure generated?

I use OleViewDotNet, but the result is different from yours.

hfiref0x commented 1 year ago

With ida pro

secxue commented 1 year ago

With ida pro

Thanks for your reply. Are there any articles on this? I want to learn how to "just use IDA Pro to find these structures".

secxue commented 1 year ago

With ida pro

What I want to ask is how to do this through IDA Pro. Is it a plugin, or a built-in function of IDA?

hfiref0x commented 1 year ago

Open designated dll in the IDA Pro.

secxue commented 1 year ago

Open the designated dll in IDA Pro.

After opening the dll in IDA Pro, is the struct generated manually, or can it be automated? Do you have to construct it manually?

hfiref0x commented 1 year ago

Load the file into the disassembler and enable symbols, otherwise this won't work. Find the corresponding class by name in the functions view and look where its vtable is located. Done. Specific parameter names may not be listed in the symbols, and you have to figure out what they do by analyzing the method body.
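
To make the "look where its vtable is located" step concrete, here is an added example that is not from the UACMe project and does not reproduce its real icolordataproxyvtbl. It models a hypothetical COM interface (`IExampleProxy`, with made-up methods `Method3`/`Method4`) the way the compiler lays it out: a constant table of function pointers in read-only data, three IUnknown slots first, the interface's own methods after them in declaration order, and a constructor whose store of the table address into the object's first field is what an analyst looks for in the disassembly. `vtable_of` and `slot_index` mirror the manual steps: read the first pointer-sized field of an object to find the table, then turn a method's position in the table into the slot index and byte offset that appear as `[reg+0x18]`-style operands in the method bodies. The assumption that a function pointer fits in a `uintptr_t` holds on every mainstream Windows/Linux target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical interface for illustration; not UACMe's real icolordataproxyvtbl. */
typedef struct IExampleProxy IExampleProxy;
typedef long HRESULT_like;

typedef struct IExampleProxyVtbl {
    /* Every COM interface starts with the three IUnknown slots (0, 1, 2). */
    HRESULT_like (*QueryInterface)(IExampleProxy *self, const void *riid, void **ppv);
    unsigned long (*AddRef)(IExampleProxy *self);
    unsigned long (*Release)(IExampleProxy *self);
    /* Interface-specific methods follow, in declaration order (slots 3, 4, ...). */
    HRESULT_like (*Method3)(IExampleProxy *self, int arg);
    HRESULT_like (*Method4)(IExampleProxy *self, int arg);
} IExampleProxyVtbl;

struct IExampleProxy {
    const IExampleProxyVtbl *lpVtbl; /* first field: pointer to the vtable */
    unsigned long refcount;
};

static HRESULT_like qi(IExampleProxy *self, const void *riid, void **ppv) { (void)riid; *ppv = self; return 0; }
static unsigned long addref(IExampleProxy *self) { return ++self->refcount; }
static unsigned long release(IExampleProxy *self) { return --self->refcount; }
static HRESULT_like method3(IExampleProxy *self, int arg) { (void)self; return arg * 2; }
static HRESULT_like method4(IExampleProxy *self, int arg) { (void)self; return arg + 100; }

/* This constant table is what IDA shows as a vtable symbol in .rdata when symbols are loaded. */
static const IExampleProxyVtbl g_vtbl = { qi, addref, release, method3, method4 };

/* Constructor: the instruction storing &g_vtbl into the object's first field reveals the table. */
void example_ctor(IExampleProxy *obj) {
    obj->lpVtbl = &g_vtbl;
    obj->refcount = 1;
}

/* Recover the vtable address from an object the way an analyst reads its first pointer-sized field. */
const void *vtable_of(const void *object) {
    const void *vt;
    memcpy(&vt, object, sizeof vt);
    return vt;
}

/* Slot index of a method's address within the table, or -1 if it is not a member. */
int slot_index(const IExampleProxyVtbl *vt, uintptr_t fn_addr) {
    size_t slot_size = sizeof(void (*)(void));
    size_t n = sizeof(*vt) / slot_size;
    for (size_t i = 0; i < n; i++) {
        uintptr_t slot;
        memcpy(&slot, (const char *)vt + i * slot_size, sizeof slot);
        if (slot == fn_addr) return (int)i;
    }
    return -1;
}

/* Byte offset of a slot from the vtable base: the displacement seen in indirect call operands. */
size_t slot_offset(int index) {
    return (size_t)index * sizeof(void (*)(void));
}

int main(void) {
    IExampleProxy obj;
    example_ctor(&obj);
    int idx = slot_index((const IExampleProxyVtbl *)vtable_of(&obj), (uintptr_t)method4);
    printf("Method4 is slot %d at vtable+0x%zx\n", idx, slot_offset(idx));
    printf("calling through the table: %ld\n", obj.lpVtbl->Method3(&obj, 21));
    return 0;
}
```

Mapping this back to the manual process: the functions view gives you the class's constructor and methods by name, the constructor's store points you at the table, and each slot's disassembled body is what you read when the symbols do not name the parameters.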

secxue commented 1 year ago

Load the file into the disassembler and enable symbols, otherwise this won't work. Find the corresponding class by name in the functions view and see where its vtable is located. Done. Specific parameter names may not be listed in the symbols; you have to figure out what they do by analyzing the method body.

Thanks for your reply. At first, I thought it could be done automatically :)

secxue commented 1 year ago

Thanks for your reply. At first, I thought it could be done automatically :)

Now I know that it is my imagination that does evil.