COM OLE ActiveX Tools

Notice : in everything that follows, COM is used as a generic term for COM, OLE and ActiveX

  - Monitoring Interface Library
  - Hooked COM Objects Interaction
  - Show Methods Addresses
  - Show Computer known CLSID
  - Class ID (CLSID) ProgID converter
  - Interface ID (IID) Interface Name converter




Monitoring Interface Library



The Monitoring Interface Library lets you quickly edit and/or select methods of the interfaces defined in auto monitoring files.
Notice : these files must be in the "monitoring files\COM" directory.

This dialog is the same as the API monitoring library one, so refer to the API monitoring library for more explanation. The only difference is that you don't have to select interfaces, because the monitoring files are automatically loaded when COM auto hooking is enabled.




Hooked COM Objects Interaction



The COM Interaction tool allows you to call methods of interfaces of hooked COM objects,
and to display an object's property page (only if the object supports the ISpecifyPropertyPages interface).


Notice : COM Interaction is available only if "COM Auto Hooking" is enabled.

Object Address : displays the object pointer for the selected interface
Property Page button : displays the property page of the currently selected object
Interface Selection : allows switching from one interface to another for the selected object
Query New Interface : allows you to ask for a new interface, in order to interact with it next. The value can be an IID or an interface name (like IDispatch). Be careful when using an interface name, because a single interface name can have more than one matching IID (use the Interface ID Interface Name converter to get all IIDs for a specified interface name)
Use Function Name / Use VTBL Index : if a COM monitoring file exists for the currently selected interface, or IDispatch parsing has been done, this allows you to easily select an interface name; otherwise you must specify the VTBL index
Don't auto add object pointer as first parameter : if unchecked, the object pointer is passed as the first parameter of any called function. This is useful for all virtual functions, because it avoids adding the object pointer manually. For STATIC functions, however, the object pointer mustn't be passed, so you have to check this option (only in this case)
Parameters : the syntax is the same as the remote call one
Do call in thread owner : if your function call works with this option unchecked, continue without checking it; otherwise check it. It allows you to bypass some COM single-threaded object support by switching to the context of the thread that owns the COM object
Registers Before Call : asm registers set before calling the method.
Show after call registers and floating result : displays this information after the function call
Call : calls the selected function with the specified parameters

Example:
In the screenshot, as "Don't auto add object pointer" is unchecked,
the method IAgentCharacterEx::MoveTo is going to be called as
IAgentCharacterEx::MoveTo(0x5388DBC,500,400,1000,&OutValue)
which is the same as the pIAgentCharacterEx->MoveTo(500,400,1000,&OutValue); you would normally write in your C++ code (where pIAgentCharacterEx is an IAgentCharacterEx*)

After the call, you will get a result dialog

Show Methods Addresses


This window shows you the VTBL addresses and method addresses (VA, RVA, and RAW) of a COM object, which can be very useful for static analysis.
The first displayed address is the address of the function. "Address In VTBL" gives the address at which the function pointer is stored in the VTBL.

IDispatch parsing gives you some interesting information on methods (like parameters and calling convention) if the component doesn't provide a type library (tlb); otherwise you can use a tlb browser.

CLSID or ProgID : CLSID or ProgID of the class whose method addresses you want to display.
IID or Interface Name : IID or interface name of the interface whose method addresses you want to display (leave empty for the IUnknown interface)
Be careful when using an interface name, because a single interface name can have more than one matching IID (use the Interface ID Interface Name converter to get all IIDs for a specified interface name).
Notice : you can use to edit file associated to Interface
It is useful to add methods, so that you can then get their virtual addresses from the VTBL.
Try IDispatch Parsing : parses the IDispatch interface (if supported by the class) to display published methods' addresses without requiring a monitoring file to be defined.
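
How a call by VTBL index with the object pointer as first parameter (see Hooked COM Objects Interaction) relates to the two addresses shown in this window, as an added example that is not part of the original documentation or of the tool's code. DemoObject, its methods and the slot layout are hypothetical; the parameter values mirror the MoveTo example.

```c
#include <stddef.h>
#include <stdio.h>

typedef void (*slot_fn)(void);            /* generic VTBL slot */
/* Hypothetical object: as in COM, its first field points to the VTBL. */
typedef struct DemoObject {
    const slot_fn *vtbl;
    unsigned long refs;
    long next_request;
} DemoObject;

/* Every method receives the object pointer as its first parameter. */
static long demo_query_interface(DemoObject *self, const void *iid, void **out) {
    (void)iid; *out = self; self->refs++; return 0;
}
static unsigned long demo_add_ref(DemoObject *self) { return ++self->refs; }
static unsigned long demo_release(DemoObject *self) { return --self->refs; }
static long demo_move_to(DemoObject *self, short x, short y, long speed, long *request) {
    (void)x; (void)y; (void)speed;
    *request = ++self->next_request;      /* out value, like &OutValue */
    return 0;                             /* 0 plays the role of S_OK */
}
/* Slots 0-2 follow the IUnknown order; slot 3 is the interface's own method. */
static const slot_fn demo_vtbl[] = {
    (slot_fn)demo_query_interface, (slot_fn)demo_add_ref,
    (slot_fn)demo_release,         (slot_fn)demo_move_to,
};

/* "Address In VTBL": where the function pointer for slot `index` is stored. */
static const slot_fn *address_in_vtbl(const DemoObject *obj, size_t index) {
    return &obj->vtbl[index];
}
/* Function address: the value read from that slot. */
static slot_fn method_address(const DemoObject *obj, size_t index) {
    return *address_in_vtbl(obj, index);
}
/* Call by VTBL index, passing the object pointer explicitly as parameter 1. */
typedef long (*move_to_fn)(DemoObject *, short, short, long, long *);
static long call_move_to(DemoObject *obj, size_t index, long *request) {
    move_to_fn fn = (move_to_fn)method_address(obj, index);
    return fn(obj, 500, 400, 1000, request);
}

int main(void) {
    DemoObject obj = { demo_vtbl, 1, 0 };
    long out = 0, hr = call_move_to(&obj, 3, &out);
    printf("slot 3 stored at %p, hr=%ld, out=%ld\n", (const void *)address_in_vtbl(&obj, 3), hr, out);
    return 0;
}
```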



Show Computer known CLSID

Displays all CLSIDs available on your computer with their name and the path of the associated module.

You can search on CLSID, ProgId or Name.
Search supports the standard wildcards '?' and '*'.

Class ID (CLSID) ProgID converter

Converts a Class Identifier (CLSID) to a ProgId, or a ProgId to a CLSID.



Interface ID (IID) Interface Name converter

Converts an Interface Identifier (IID) to an interface name, or an interface name to IID(s).
Notice: as a single interface name can have more than one matching IID, this tool finds all associated IIDs.