Added function to get the COM proxy information.

tyranid · tyranid · commit ecf1ab0e8172 · 2018-05-01T22:41:58.000+01:00
diff --git a/NtObjectManager/NtObjectManager.psd1 b/NtObjectManager/NtObjectManager.psd1
@@ -60,7 +60,7 @@ FunctionsToExport = 'Get-AccessibleAlpcPort', 'Set-NtTokenPrivilege',
           'Resolve-NtObjectAddress', 'Invoke-NtToken', 'Get-NtFilteredToken', 'Get-NtLowBoxToken', 'Get-NtSecurityDescriptor',
           'Set-NtSecurityDescriptor', 'Add-NtVirtualMemory', 'Get-NtVirtualMemory', 'Remove-NtVirtualMemory', 'Set-NtVirtualMemory',
           'Read-NtVirtualMemory', 'Write-NtVirtualMemory', 'Get-EmbeddedAuthenticodeSignature', 'Get-NtSidName', 'New-SymbolResolver', 
-          'New-NdrParser', 'Format-NdrComplexType', 'Format-NdrProcedure', 'Format-NdrComProxy'
+          'New-NdrParser', 'Format-NdrComplexType', 'Format-NdrProcedure', 'Format-NdrComProxy', 'Get-NdrComProxy'
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
 CmdletsToExport = 'Add-NtKey', 'Get-NtDirectory', 'Get-NtEvent', 'Get-NtFile', 
diff --git a/NtObjectManager/NtObjectManager.psm1 b/NtObjectManager/NtObjectManager.psm1
@@ -2001,8 +2001,8 @@ NtApiDotNet.Ndr.NdrParser - The NDR parser.
 $ndr = New-NdrParser
 Get an NDR parser for the current process.
 .EXAMPLE
-New-NdrParserNew -Process $p -SymbolResolver $resolver
-Get an NDR parser for a specific process with a know resolver.
+New-NdrParser -Process $p -SymbolResolver $resolver
+Get an NDR parser for a specific process with a known resolver.
 #>
 function New-NdrParser {
     Param(
@@ -2014,7 +2014,8 @@ function New-NdrParser {
 
 function Convert-HashTableToIidNames {
     Param(
-        [Hashtable]$IidToName
+        [Hashtable]$IidToName,
+        [NtApiDotNet.Ndr.NdrComProxyDefinition[]]$Proxy
     )
     $dict = [System.Collections.Generic.Dictionary[Guid, string]]::new()
     if ($IidToName -ne $null) {
@@ -2024,6 +2025,12 @@ function Convert-HashTableToIidNames {
         }
     }
 
+    if ($Proxy -ne $null) {
+        foreach($p in $Proxy) {
+            $dict.Add($p.Iid, $p.Name)
+        }
+    }
+
     if (!$dict.ContainsKey("00000000-0000-0000-C000-000000000046")) {
         $dict.Add("00000000-0000-0000-C000-000000000046", "IUnknown")
     }
@@ -2035,6 +2042,45 @@ function Convert-HashTableToIidNames {
     return $dict
 }
 
+<#
+.SYNOPSIS
+Parses COM proxy information from a DLL.
+.DESCRIPTION
+This cmdlet parses the COM proxy information from a specified DLL.
+.PARAMETER Path
+The path to the DLL containing the COM proxy information.
+.PARAMETER Clsid
+Optional CLSID for the object used to find the proxy information.
+.OUTPUTS
+The parsed proxy information and complex types.
+.EXAMPLE
+$p = Get-NdrComProxy c:\path\to\proxy.dll
+Parse the proxy information from c:\path\to\proxy.dll
+.EXAMPLE
+$p = Get-NdrComProxy $env:SystemRoot\system32\combase.dll -Clsid "00000320-0000-0000-C000-000000000046"
+Parse the proxy information from combase.dll with a specific proxy CLSID.
+#>
+function Get-NdrComProxy {
+    Param(
+        [parameter(Mandatory, Position=0)]
+        [string]$Path,
+        [Guid]$Clsid = [Guid]::Empty,
+        [NtApiDotNet.Win32.ISymbolResolver]$SymbolResolver
+    )
+    $Path = Resolve-Path $Path -ErrorAction Stop
+    Use-NtObject($parser = New-NdrParser -SymbolResolver $SymbolResolver) {
+        $proxies = $parser.ReadFromComProxyFile($Path, $Clsid)
+        $props = @{
+            Path=$Path;
+            Proxies=$proxies;
+            ComplexTypes=$parser.ComplexTypes;
+            IidToNames=Convert-HashTableToIidNames -Proxy $proxies;
+        }
+        $obj = New-Object –TypeName PSObject –Prop $props
+        Write-Output $obj
+    }
+}
+
 <#
 .SYNOPSIS
 Format an NDR procedure.
@@ -2060,7 +2106,7 @@ function Format-NdrProcedure {
   [CmdletBinding()]
     Param(
     [parameter(Mandatory, Position=0, ValueFromPipeline = $true)]
-        [NtApiDotNet.Ndr.NdrProcedureDefinition]$Procedure,
+    [NtApiDotNet.Ndr.NdrProcedureDefinition]$Procedure,
     [Hashtable]$IidToName
     )
 
@@ -2099,8 +2145,8 @@ Format a complex type with a known IID to name mapping.
 function Format-NdrComplexType {
   [CmdletBinding()]
     Param(
-    [parameter(Mandatory, Position=0, ValueFromPipeline = $true)]
-        [NtApiDotNet.Ndr.NdrComplexTypeReference]$ComplexType,
+    [parameter(Mandatory, Position=0, ValueFromPipeline)]
+    [NtApiDotNet.Ndr.NdrComplexTypeReference]$ComplexType,
     [Hashtable]$IidToName
     )
 
@@ -2141,7 +2187,7 @@ Format a COM proxy with a known IID to name mapping.
 function Format-NdrComProxy {
     [CmdletBinding()]
     Param(
-        [parameter(Mandatory, Position=0, ValueFromPipeline = $true)]
+        [parameter(Mandatory, Position=0, ValueFromPipeline)]
         [NtApiDotNet.Ndr.NdrComProxyDefinition]$Proxy,
         [Hashtable]$IidToName,
         [ScriptBlock]$DemangleComName
