WhoHasTlb? : Extracting TypeLib data from COM Objects

Posted on September 16, 2010 by

4


whohas_usage

So let’s say that you’re sitting down to a project (perhaps a malware analysis gig, fuzzing something, or just reversing) and you realize that most of the target is implemented in COM/ActiveX Objects. What would really help you starting off on this project is a human readable version (IDL) of the TypeLib associated with the COM Object. This way you can quickly begin to see what the COM Object exports, and you can then begin to map out the rest of your project (choosing fuzzing targets, etc). But unfortunately the .tlb file didn’t come with it (for whatever reason). There are no known Microsoft public APIs for extracting typelib data directly from a PE. You also think it’s “sloppy” to register the COM Object just so tools like OLEView, and the code you ripped from AxMan ;-) can find it. Furthermore, if you did chose the “register it” method, you’d have more asspain cuz’ you’d have to snapshot the registry before and after, and then diff to just to identify what changed after you regsrv32‘d the COM Object. Blah blah blah blah. BORING. Get to the point Stephen.

Ok. So (as you may already know), compiled TLB data is stored in the resource section of the PE file it is associated with. Here is what I used to do:

1. Observe the section in the resource section of the target PE using PEView.

2. Find out the length of that specific section using the PE Header data.

3. Do some basic math to find where the TLB data begins inside the PE file (using the TLB magic bytes to identify the beginning).

4. Open the target PE file in a Hex Editor and manually extract the TLB file data into a new file (or otherwise extract it using file offsets calculated from PE Header values).

5. Open the newly created TLB file (that we extracted from the PE) in OLEView so that we can convert it back to IDL form.

Well, this process obviously got tedious for every single binary I encountered, so I wrote a tool called WhoHasTLB? (using Ero Carrera’s extremely useful PeFile) to automate steps 1-4. I also compiled it into a standalone executable so it was a bit more portable and easier to use (especially moving between VMs).

I then also wrapped the TLB extraction routines in something that will search a directory recursively for PE files containing TypeLib data. This is useful on those large build directories that you get from customers with lots of binaries in them.

After the TLB files have been extracted automatically by WhoHasTLB? you can then just open them in OleView to have them converted to human readable IDL’s.

I hope this is useful!

GitHub Repository and download is here.

Posted in: fuzzing, reversing, tools