I need to write a stub module which, when given a PE (DLL/EXE) as input, will determine whether it is a normal Win32 DLL/EXE or COM DLL/EXE. I need to determine this programmatically.

Are there any Windows APIs for this purpose?

A: 

For a traditional COM DLL, you can look for the well-known exported methods (search on MSDN for these methods):

  1. DllGetClassObject
  2. DllRegisterServer
  3. DllUnregisterServer
  4. DllCanUnloadNow

I am not sure about EXE COM servers, though, because they generally use command-line parameters for registration/unregistration and, for class objects, usually call CoRegisterClassObject when the EXE starts.

Most COM servers are traditionally also registered in the Registry, but you can create registration-free servers now.

Are you also looking for a .NET assembly with some COM visible classes?

byte
I have some PEs (COM EXEs, COM DLLs, Win32 EXEs, Win32 DLLs) from which I need to extract all exported functions and exposed interface methods (in the case of COM). This requires checking whether it's a Win32 DLL/EXE or a COM DLL/EXE, so that if it's a COM EXE we can traverse its vtable to get all exposed methods or interfaces, and if it's a Win32 DLL/EXE, we need to read its export table to extract the exported symbols.
Usman
Usman, COM servers are simply Win32 binaries that follow the COM specification as part of their implementation. The PE format doesn't store information about whether the PE is COM or plain Win32. You can always parse the PE file (I think there was a sample on MSDN), but there is no special 'COM' signature. For your functionality, I would recommend you read about the COM specification and what the minimal requirements are for a DLL or EXE to be a COM server. As I mentioned earlier, the minimal requirements for COM DLL servers are to export known functions as per the COM specification.
byte
A: 

I suspect that this is something that would be very hard to do with near 100% accuracy. Some thoughts though:

  • A COM DLL will export functions like DllRegisterServer and DllUnregisterServer. You could use LoadLibrary() to load the DLL, and then GetProcAddress() to check for the presence of these functions. If they're there, then it's highly likely that it's a COM DLL.

  • A plain Win32 DLL will export DllMain. You could use the same technique to check for that. If you find it, then it's very likely that it's Win32.

  • I'm not aware of a way to discover if an EXE is a COM server. Servers written using ATL often have a registration script embedded in their resource table, but they don't have to. And you don't need to use ATL to write a COM server. Services using "registry-less COM" will similarly have an embedded manifest. You could scan the registry (below HKLM/Classes/Software/) to see if the EXE is registered, but it may be that the EXE is using registry-less COM or just hasn't been registered yet.

Hope that helps.

Andy Johnson
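The export check described in the two answers above can also be done by reading the export directory straight from the file bytes, which avoids LoadLibrary() running the DLL's entry point in the inspecting process when the input is untrusted. This is an added example, not code from either answer; `export_names`, `com_exports` and `make_sample_dll` are hypothetical names, and the sample image is constructed for the demonstration. It only covers DLL servers that export by name; as the answers note, EXE servers carry no such marker.

```python
import struct

# Well-known in-process COM server exports, as listed in the first answer.
COM_EXPORTS = {"DllGetClassObject", "DllCanUnloadNow",
               "DllRegisterServer", "DllUnregisterServer"}

def export_names(pe: bytes) -> list:
    """Exported names read from raw PE bytes; nothing in the image is executed.
    Raises ValueError or struct.error on a malformed or truncated image."""
    (nt,) = struct.unpack_from("<I", pe, 0x3C)                    # e_lfanew
    nsec, opt_size, magic = struct.unpack_from("<H12xH2xH", pe, nt + 6)
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0" or magic not in (0x10B, 0x20B):
        raise ValueError("not a PE32/PE32+ image")
    opt = nt + 24                                                 # optional header
    (exp_rva,) = struct.unpack_from("<I", pe, opt + (96 if magic == 0x10B else 112))
    if exp_rva == 0:
        return []                                                 # no export directory
    secs = [struct.unpack_from("<8xIIII", pe, opt + opt_size + 40 * i)
            for i in range(nsec)]     # (VirtualSize, VirtualAddress, RawSize, RawPtr)
    def off(rva):                     # translate an RVA to a file offset
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA outside every section")
    # NumberOfNames is at +24 and AddressOfNames at +32 in the export directory.
    n_names, names_rva = struct.unpack_from("<I4xI", pe, off(exp_rva) + 24)
    names = []
    for i in range(n_names):
        start = off(struct.unpack_from("<I", pe, off(names_rva + 4 * i))[0])
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii", "replace"))
    return names

def com_exports(pe: bytes) -> list:
    """Heuristic: which COM entry points the image exports by name."""
    return sorted(COM_EXPORTS & set(export_names(pe)))

def make_sample_dll(names):
    """CONSTRUCTED sample: minimal PE32 whose one section is an export name table."""
    va, raw, strs, ptrs = 0x1000, 0x200, b"", b""
    for n in names:
        ptrs += struct.pack("<I", va + 40 + 4 * len(names) + len(strs))
        strs += n.encode() + b"\0"
    edata = struct.pack("<24xI4xI4x", len(names), va + 40) + ptrs + strs
    opt = struct.pack("<H90xIII120x", 0x10B, 16, va, len(edata))
    coff = struct.pack("<HH12xHH", 0x14C, 1, len(opt), 0x2102)
    sec = struct.pack("<8sIIII16x", b".edata", len(edata), va, len(edata), raw)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec
    return hdr.ljust(raw, b"\0") + edata
```

On a real file, pass `open(path, "rb").read()` to `com_exports`; an empty list means none of the four names is exported by name, not that the binary is unrelated to COM.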
A: 

I have made my own PE parser for this kind of purpose! See PeStudio. I would be happy if it helps you.

marc ochsenmeier