tyranid / oleviewdotnet

A .net OLE/COM viewer and inspector to merge functionality of OleView and Test Container
GNU General Public License v3.0

Fix error parsing classes registered in STA in x86 process from x64 #31

Closed the-deniss closed 3 years ago

the-deniss commented 3 years ago

The 64-bit PowerShell cannot properly parse COM classes registered in STA apartments in the x86 process. This is due to the fact that the field ReservedForOle is important for this parsing and it is retrieved from the thread's TEB64. But registering a COM class in an STA apartment initializes this field in the TEB32. Steps to reproduce:

  1. Run the following commands in 32-bit PowerShell:
    $c = Get-ComClass 2e7c0a19-0438-41e9-81e3-3ad3d64f55ba
    $o = New-ComObject $c
    (Get-ComProcess -Name OneDrive -ParseRegisteredClasses).Classes | Select ProcessId, ProcessName, Name, Clsid, Registered, Apartment | Format-Table
  2. Look at the probably correct result:
    ProcessID ProcessName Name                                        Clsid                                Registered Apartment
         7112 OneDrive    SyncEngineStorageProviderHandlerProxy Class a3ca1cf4-5f3e-4ac0-91b9-0d3716e1eac3       True       MTA
         7112 OneDrive    SyncEngineCOMServer Class                   ab807329-7324-431b-8b36-dbd581f56e0b       True       MTA
         7112 OneDrive    BannerNotificationHandler Class             2e7c0a19-0438-41e9-81e3-3ad3d64f55ba       True       STA
         7112 OneDrive    FileSyncClient AutoPlayHandler Class        5999e1ee-711e-48d2-9884-851a709f543d       True       STA
         7112 OneDrive    ToastActivator Class                        6bb93b4e-44d8-40e2-bd97-42dbcf18a40f       True       STA
         7112 OneDrive    FileSyncClient Class                        7b37e4e2-c62f-4914-9620-8fb5062718cc       True       STA
  3. Now run the following command in 64-bit powershell.exe:
    (Get-ComProcess -Name OneDrive -ParseRegisteredClasses).Classes | Select ProcessId, ProcessName, Name, Clsid, Registered, Apartment | Format-Table
  4. Look at the exact wrong result - there are no COM classes registered in STA apartments:
    ProcessID ProcessName Name Clsid                                Registered Apartment
         7112 OneDrive         a3ca1cf4-5f3e-4ac0-91b9-0d3716e1eac3      False       MTA
         7112 OneDrive         ab807329-7324-431b-8b36-dbd581f56e0b      False       MTA

tyranid commented 3 years ago

Thanks for another patch. It's good that you're willing to track this down and not just put up an issue, it's really appreciated. Interestingly, Windows 10 finally has a field in the TEB which indicates the offset from the start of the TEB to the TEB32, but it's all a bit of a hack anyway so I don't think it's worth making it "correct".
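Added example, not code from this PR or from OleViewDotNet: a C# helper that shows the TEB64/TEB32 distinction behind the bug, reading ReservedForOle from the 32-bit TEB of a WOW64 thread instead of the 64-bit one. The struct offsets (0x1758 in TEB64, 0xF80 in TEB32) and the TEB32-at-TEB64+0x2000 placement are assumptions from the published Windows 10 TEB layouts rather than values on this page, and the process/thread handles and the IsWow64Process result are assumed to be supplied by the caller.

```csharp
using System;
using System.Runtime.InteropServices;

// Illustration only (not OleViewDotNet's code): for a WOW64 thread, read ReservedForOle
// from the TEB32 rather than the TEB64, the distinction the bug report describes.
static class Teb32Reader
{
    [StructLayout(LayoutKind.Sequential)]
    struct THREAD_BASIC_INFORMATION
    {
        public int ExitStatus;
        public IntPtr TebBaseAddress;
        public IntPtr UniqueProcess;
        public IntPtr UniqueThread;
        public IntPtr AffinityMask;
        public int Priority;
        public int BasePriority;
    }
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationThread(IntPtr thread, int infoClass,
        ref THREAD_BASIC_INFORMATION info, int length, out int returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr process, IntPtr address,
        byte[] buffer, int size, out IntPtr bytesRead);
    const int ThreadBasicInformation = 0;
    // Assumed values from the published Windows 10 TEB layouts, not taken from this PR:
    // ReservedForOle offsets, and the TEB32 placed 0x2000 bytes after the TEB64 (the hack
    // tyranid mentions; newer builds carry the real offset in the TEB itself).
    const int Teb64ReservedForOle = 0x1758;
    const int Teb32ReservedForOle = 0xF80;
    const int Teb32FromTeb64 = 0x2000;
    // process: handle with PROCESS_VM_READ; thread: handle with THREAD_QUERY_INFORMATION;
    // isWow64: IsWow64Process result for the target (an x86 process inspected from x64).
    public static ulong ReadReservedForOle(IntPtr process, IntPtr thread, bool isWow64)
    {
        var tbi = new THREAD_BASIC_INFORMATION();
        int status = NtQueryInformationThread(thread, ThreadBasicInformation, ref tbi,
            Marshal.SizeOf(tbi), out _);
        if (status != 0)
            throw new InvalidOperationException($"NtQueryInformationThread: 0x{status:X8}");
        long teb = tbi.TebBaseAddress.ToInt64();
        // The x86 STA registration wrote the 4-byte TEB32 slot; reading only the TEB64
        // slot yields zero, which is why the x64 run above reports no STA classes.
        IntPtr addr = new IntPtr(isWow64 ? teb + Teb32FromTeb64 + Teb32ReservedForOle
                                         : teb + Teb64ReservedForOle);
        var buf = new byte[isWow64 ? 4 : 8];
        if (!ReadProcessMemory(process, addr, buf, buf.Length, out _))
            throw new InvalidOperationException("ReadProcessMemory failed");
        return isWow64 ? BitConverter.ToUInt32(buf, 0) : BitConverter.ToUInt64(buf, 0);
    }
}
```

A non-zero result for a WOW64 thread where the TEB64 read returns zero is the symptom from the report, so the two reads side by side are a quick way to confirm a parser is looking at the wrong TEB.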