[Win32utils-devel] Fwd: IUnknown COM from Ruby

Heesob Park phasis at gmail.com
Wed Oct 20 01:53:26 EDT 2010


Hi,

2010/10/20 Daniel Berger <djberg96 at gmail.com>

> ---------- Forwarded message ----------
> From: Ben Nagy <ben at research.coseinc.com>
> Date: Tue, Oct 19, 2010 at 2:42 AM
> Subject: IUnknown COM from Ruby
> To: djberg96 at gmail.com
>
>
> Hi Daniel,
>
> Sorry to email you direct, but I've struck out on google and
> #ruby-lang and nobody can tell me which mailing lists are still alive,
> plus you're one of the few people I know doing deep Windows stuff. :)
>
> I was just wondering if you had any hints at all for how to go about
> using COM interfaces to a DLL. Specifically, I want to wrap dbgeng.dll
> (starting with the DebugCreate method) in a similar manner to
> PyDbgEng. I can't find any Ruby stuff which lets me deal with raw COM
> as opposed to application OLE though - which could just be because I
> don't understand it. If I need IDL definitions, I can steal that from
> the python code...
>
> If you happen to have done anything like this, an example or a link
> would be very much appreciated.
>
> Cheers,
>
> ben
>
> PS
>
> If you're interested, other stuff I looked at:
>
> - Using the raw win32api and WaitForDebugEvent. Ragweed does this, but
> it doesn't use dbgeng, and there are some extensions like !exploitable
> I need to use.
> - Using mdbg (a managed .NET wrapper) and then IronRuby to talk to the
> CLR. IronRuby's fate is uncertain and it's 1.8 whereas all my other
> stuff is 1.9
> - Wrapping PyDbgEng with xmlrpc and then wrapping that with Ruby. Made
> me throw up in my mouth.
> - FFI etc - same problem, don't know how to get the actual COM
> Interface classes created, no examples
>
>
Because DbgEng is not a registered COM server, we cannot use the WIN32OLE module
for this case.
And there is no easy way to do this using Ruby.

Anyway, here is a first trial:

require 'win32/api'

# IIDs packed into the binary GUID layout (Data1, Data2, Data3, Data4[8]).
IID_IDebugClient = [0x27fe5639, 0x8407, 0x4f47, 0x83, 0x64, 0xee, 0x11,
                    0x8f, 0xb0, 0x8a, 0xc8].pack('LSSC8')
IID_IDebugControl = [0x5182e668, 0x105e, 0x416e, 0xad, 0x92, 0x24, 0xef, 0x80,
                     0x04, 0x24, 0xba].pack('LSSC8')
DEBUG_ONLY_THIS_PROCESS = 2
DEBUG_WAIT_DEFAULT = 0

# DebugCreate is a plain export of dbgeng.dll; memcpy is used to read raw
# memory (the object's vtable pointer and then the vtable itself).
debugCreate = Win32::API.new('DebugCreate', 'PP', 'L', 'dbgeng')
memcpy = Win32::API.new('memcpy', 'PLL', 'L', 'msvcrt')

# DebugCreate(REFIID, void**) -> IDebugClient* (4-byte pointer, 32-bit Ruby)
ptr = 0.chr * 4
debugCreate.call(IID_IDebugClient, ptr)
debug_client = ptr.unpack('L').first

# The first 4 bytes of a COM object are its vtable pointer; copy the first
# 20 slots. Slot 0 is QueryInterface, slot 13 is IDebugClient::CreateProcess.
lpVtbl = 0.chr * 4
table = 0.chr * 80
memcpy.call(lpVtbl, debug_client, 4)
memcpy.call(table, lpVtbl.unpack('L').first, 80)
table = table.unpack('L*')
queryInterface = Win32::API::Function.new(table[0], 'PPP', 'L')
# CreateProcess(this, ULONG64 Server, PSTR CommandLine, ULONG CreateFlags);
# the 64-bit Server argument is passed as two 32-bit words.
createProcess = Win32::API::Function.new(table[13], 'PLLSL', 'L')

# QueryInterface for IDebugControl on the same object.
p = 0.chr * 4
hr = queryInterface.call(debug_client, IID_IDebugControl, p)
debug_control = p.unpack('L').first

# Same walk for IDebugControl; WaitForEvent is slot 93.
lpVtbl = 0.chr * 4
table = 0.chr * 4*94
memcpy.call(lpVtbl, debug_control, 4)
memcpy.call(table, lpVtbl.unpack('L').first, 4*94)
table = table.unpack('L*')
waitForEvent = Win32::API::Function.new(table[93], 'PLL', 'L')

# Launch notepad under the debugger and block until the first event.
createProcess.call(debug_client, 0, 0, "c:\\windows\\system32\\notepad.exe", DEBUG_ONLY_THIS_PROCESS)
waitForEvent.call(debug_control, DEBUG_WAIT_DEFAULT, -1)


Regards,
Park Heesob
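Added example (not code from Park's post or from dbgeng itself): pure-Ruby helpers around the vtable walk shown above. They build the packed IID from the canonical GUID string instead of a hand-typed 11-element array, map a method name to its vtable slot, and read a slot out of a memcpy'd table image with the pointer width made explicit, since the post's 4-byte buffers and 'L' unpacks are only right on a 32-bit Ruby. The IDebugClient method order is taken from the declaration order in dbgeng.h; the vtable images in the test are constructed.

```ruby
# Added example: helpers for the raw-COM vtable walk above. Pointer width is
# explicit because 4-byte slots and 'L' unpacks assume a 32-bit Ruby.

# Pack a canonical GUID string into the 16-byte GUID struct that DebugCreate
# and QueryInterface take as REFIID (same layout as the post's pack('LSSC8')).
def iid_from_guid(guid)
  parts = guid.delete('{}').split('-')
  raise ArgumentError, "malformed GUID: #{guid}" unless parts.size == 5
  data1 = parts[0].hex                                 # 32-bit, native endian
  data2 = parts[1].hex                                 # 16-bit
  data3 = parts[2].hex                                 # 16-bit
  data4 = (parts[3] + parts[4]).scan(/../).map(&:hex)  # 8 raw bytes, in order
  ([data1, data2, data3] + data4).pack('LSSC8')
end

# Native pointer width of the running Ruby: 4 on 32-bit, 8 on 64-bit.
def pointer_size
  [0].pack('J').bytesize
end

# Vtable method order from dbgeng.h: IUnknown's three slots first, then the
# interface's own methods in declaration order (list cut off after the last
# method the post uses).
IUNKNOWN_METHODS = %w[QueryInterface AddRef Release].freeze
IDEBUG_CLIENT_METHODS = (IUNKNOWN_METHODS + %w[
  AttachKernel GetKernelConnectionOptions SetKernelConnectionOptions
  StartProcessServer ConnectProcessServer DisconnectProcessServer
  GetRunningProcessSystemIds GetRunningProcessSystemIdByExecutableName
  GetRunningProcessDescription AttachProcess CreateProcess
]).freeze

# Index of a method's slot in an interface's vtable.
def slot_index(methods, name)
  idx = methods.index(name)
  raise ArgumentError, "#{name} is not in this interface table" unless idx
  idx
end

# Byte count to memcpy so that slots 0..index are all present.
def vtable_bytes_needed(index, ptr_size = pointer_size)
  (index + 1) * ptr_size
end

# Pull one function address out of a memcpy'd vtable image.
def vtable_slot(table_bytes, index, ptr_size = pointer_size)
  entries = table_bytes.unpack(ptr_size == 8 ? 'Q*' : 'L*')
  raise IndexError, "slot #{index} not in copied table (#{entries.size} entries)" if index >= entries.size
  entries[index]
end
```

With these, the post's table[13] and 80-byte copy fall out of slot_index(IDEBUG_CLIENT_METHODS, 'CreateProcess') and vtable_bytes_needed, and a 64-bit Ruby would get 8-byte slots without editing the walk.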