• Stars
    star
    198
  • Rank 196,898 (Top 4 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created almost 5 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

An IDA Plugin that help analyzing module that use COM

ComIDA

An IDA Plugin that help during the analysis of modules using COM. It works by searching data references to known COM GUID (Classes or Interfaces), and for hex-ray plugin user, infers type that use :

  • CoCreateInstance function
  • CoGetCallContext function
  • QueryInterface method

BEFORE: COM No Plugin CoCreateInstance

AFTER: COM No Plugin CoCreateInstance

How To Install ?

Just put the comida.py script in plugins folder of IDA.

git clone [email protected]:Airbus-CERT/comida.git
mklink "C:\\Program Files\\IDA Pro 7.4\\plugins\\comida.py" "comida\comida.py"

Launch your IDA and press Ctrl-Shift-M to activate it.

How Does It Works ?

COM Object References

ComIDA has two main features:

  • Finding and Tracking GUID
  • Type infering for Hex-Ray plugin users

To find and track GUID, we just search direct operand menmoniques, like mov ax, GUID, where GUID matches one present in HKCR\Classes or in HKCR\Interfaces hives.

We preview the results in a table to interact and easily navigate through all COM object references.

COM reference

Just double click to go to the interesting code.

Type Infering

The main goal is to facilitate the work of the analyst. When a module uses COM services, it commonly uses:

  • Create instance using CoCreateInstance
  • Retrieve instance using CoGetCallContext
  • Cast interface using method QueryInterface from IUnknown interface, which are inherited by every COM classes

comIDA will perform type infering for these patterns.

In comIDA, the infering works as the following:

  1. Find interesting function
  2. Read GUID parameter and retrieve interface type
  3. Change type of the output variable

To find interesting function we have two kinds of heuristics, one for each type:

  • For function type, like CoCreateInstance or CoGetCallContext, we directly search into import table.
  • For method type, like QueryInterface we compute the method name thanks to the Hex-Rays AST.

After that, we use Hex-Ray hook to navigate into the function AST during decompilation step. When we spot a call to the interesting method, we perform a type change of the output parameter accordingly to the GUID parameter (GUID of the Interface). To choose the correct type, we have two heuristics to select the type:

  • We check the name in the registry hive HKCR\\Interfaces associated with Interface GUID
  • We try to cast directly into the symbol name associated with the third parameter (Mostly named IID_IWbemLocator etc... just take IWbemLocator)

And then the magic happened:

BEFORE: COM No Plugin CoCreateInstance

AFTER: COM No Plugin CoCreateInstance

BEFORE: COM No Plugin CoGetCallContext`

AFTER: COM No Plugin CoGetCallContext`

More Repositories

1

ttddbg

Time Travel Debugging IDA plugin
C++
551
star
2

Winshark

A wireshark plugin to instrument ETW
Lua
527
star
3

Yagi

Yet Another Ghidra Integration for IDA
C++
480
star
4

Invoke-Bof

Load any Beacon Object File using Powershell!
PowerShell
245
star
5

regrippy

A modern Python-3-based alternative to RegRipper
Python
184
star
6

etl-parser

Event Trace Log file parser in pure Python
Python
132
star
7

yara-ttd

Use YARA rules on Time Travel Debugging traces
C
86
star
8

vbSparkle

VBScript & VBA source-to-source deobfuscator with partial-evaluation
C#
72
star
9

ntTraceControl

Powershell Event Tracing Toolbox
PowerShell
72
star
10

CVE-2024-4040

Scanner for CVE-2024-4040
Python
50
star
11

etwbreaker

An IDA plugin to deal with Event Tracing for Windows (ETW)
Python
49
star
12

minusone

Powershell Linter
Rust
46
star
13

PSTrace

Trace ScriptBlock execution for powershell v2
C
39
star
14

tree-sitter-powershell

Powershell grammar for tree-sitter
JavaScript
36
star
15

dnYara

A multi-platform .Net wrapper library for the native Yara library.
C#
35
star
16

timeliner

A rewrite of mactime, a bodyfile reader
Go
34
star
17

Splunk-ETW

A Splunk Technology Add-on to forward filtered ETW events.
C#
30
star
18

cacdec

The hidden mstsc recorder player
Python
28
star
19

ttd2mdmp

Extract data of TTD trace file to a minidump
C++
28
star
20

dirtypipe-ebpf_detection

An eBPF detection program for CVE-2022-0847
C
27
star
21

mispy

Another MISP module for Python
Python
17
star
22

mispgo

Golang library for MISP
Go
5
star
23

usnrs

USN Journal parsing software and library
Rust
5
star
24

bodyfile

A bodyfile parsing library
Go
3
star
25

nix-forensics

Reproducible forensics environment, 100% of the time
Nix
3
star
26

skyblue.team

Our website
HTML
1
star