Reverse engineering COM (Component Object Model) objects has traditionally been a complex and time-consuming process, involving a deep understanding of interface structures, GUIDs (Globally Unique Identifiers), and the intricate relationships between COM components. With the upcoming release of Binary Ninja 4.0, this task has become significantly more manageable thanks to several enhancements that improve the reverse engineering workflow for COM objects.
Improved Representation of COM Interfaces
Binary Ninja 4.0 introduces a substantial improvement in how COM interfaces are represented within Type Libraries. COM objects now have a VTable pointer to the COM interface and the interface now correctly inherits from the proper base class.
Additionally, the type libraries have been enriched with metadata that maps COM GUIDs to their corresponding interfaces and objects. This metadata integration enables quick lookup by GUID.
Import Type from GUID
The “Import Type by GUID” action CTRL/CMD+D (or available in the Type Browser context menu.) Pops up a dialog where you can paste in a COM GUID to import that COM object. As a bonus, Binary Ninja also reads the GUID at the current location within the binary and pre-populates its value in the dialog, further simplifying the process.
DataRenderer for COM GUIDs
Binary Ninja 4.0 also adds a DataRenderer for GUIDs has been enhanced to provide a more convenient of COM GUIDs. Instead of displaying raw bytes, the DataRenderer now presents a structured format, including the GUID and the corresponding interface name. For example:
Introducing COMPanion Plugin
Binary Ninja 4.0 also introduces a new open source plugin, COMPanion, a powerful tool that significantly enhances COM reverse engineering. COMPanion automates several important tasks:
First, it searches the data sections of the binary for known COM objects and sets their types to GUID, allowing the DataRenderer to do its thing. Next, it renames the DataVariables to reflect the COM object they reference, and imports that referenced type.
Before:
After:
The plugin then identifies calls to functions like CoCreateInstance and CoGetClassObject, automatically setting the appropriate type for variables based on the COM object being referenced. Changing something ugly like this:
Into this:
When can I try it?!
This is one of the many enhancements we’re bringing to Binary Ninja 4.0. Make sure to keep an eye out for several other blog posts in the coming weeks as we go in-depth on all the other 4.0 goodies. If you’re a current customer you can always switch to the development branch to check out this feature and more right now, in advance of the upcoming 4.0 launch! If you want to wait for the stable release, you shouldn’t have to wait much longer!
Article Link: Binary Ninja - Enhancing COM Reverse Engineering in Binary Ninja 4.0