How One discovers the API for a COM-exporting application (2007) (tcl-lang.org)
28 points by Tomte on April 19, 2020 | hide | past | favorite | 11 comments


The best way is to use Visual Basic 6 and add a reference to the DLL or EXE. Turn on hidden items in the Object Browser and play around!


That's convenient. I wonder if pentesters/security researchers know about that.


Or use the Windows SDK and the COM type library browser.


I just ran across a COM interface in the MOST unexpected of places:

Apple's CoreMediaIO CFPlugIn video capture device plugin interface!

https://github.com/phracker/MacOSX-SDKs/blob/master/MacOSX10...

    /*
         File:       CMIOHardwarePlugIn.h

         Contains:   API for the CFPlugIn that implements an CMIO driver for the DAL from user space

         Copyright:  © 2004-2010 by Apple Inc., all rights reserved.
    */
[...]

    /*!
        @method         QueryInterface
        @abstract       The IUnknown method for finding an interface on a CFPlugIn type.
        @param          self
                            The CFPlugIn type to query.
        @param          uuid
                            The UUID of the interface to find.
        @param          interface
                            The returned interface or NULL if none was found.
        @result         An error code indicating success of failure.
    */
        HRESULT
        (STDMETHODCALLTYPE *QueryInterface)(    void*   self,
                                                REFIID  uuid,
                                                LPVOID* interface);
BUSTED!

https://github.com/lvsti/CoreMediaIO-DAL-Example/blob/0392cb...


Apple's CoreFoundation has used COM since 1.3... and CFPlugIns[0] are the ones that implement them.

[0] https://developer.apple.com/library/archive/documentation/Co...


There are a bunch of COM interfaces in CoreFoundation. My first COM tutorial came from Apple documentation!


They're probably there for iTunes on Windows or similar.


In our company we focused on edge cases where you need to intercept existing or hidden COM interfaces.

You can take a look at the following software (including source code):

RemoteBridge: https://www.nektra.com/products/remotebridge-automation-engi...

Deviare: https://www.nektra.com/products/deviare-api-hook-windows/


The API of a COM object is described in a Type Library file (.tlb suffix).

This is not necessarily available for every COM object.

COM objects intended for use with C++ work without it, because the COM interface is based on calling C++ virtual functions, for which you just need a declaration from a header file.

To discover the API of a COM object without the .idl file or type library, you have to do binary reverse engineering: disassemble the functions linked into the object's vtable.
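An added example, not code from this thread or from Apple's CMIOHardwarePlugIn.h: a minimal COM-style object in portable C that shows what the "vtable of virtual functions" contract from the comment above (and the QueryInterface slot in the Apple header quoted earlier) actually looks like in memory. A client with only the header declaration drives the object through a table of function pointers, which is why no type library is needed and why reversing such an object means reading that table. IID_IUnknown is the real well-known value; IID_IHello and IID_IUnrelated are constructed placeholders for this example.

```c
/* Added example (not from the thread or Apple's header): a COM-style object
 * in portable C. The binary contract is: first field is a pointer to a
 * read-only table of function pointers; slots 0..2 are QueryInterface,
 * AddRef, Release; the interface's own methods follow. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } GUID;
typedef const GUID *REFIID;
typedef int32_t HRESULT;
#define S_OK          ((HRESULT)0)
#define E_NOINTERFACE ((HRESULT)0x80004002u)
#define E_POINTER     ((HRESULT)0x80004003u)
#define E_OUTOFMEMORY ((HRESULT)0x8007000Eu)

static const GUID IID_IUnknown   = {0x00000000, 0x0000, 0x0000, {0xC0,0,0,0,0,0,0,0x46}}; /* real IID */
static const GUID IID_IHello     = {0x7e1a2c3d, 0x0001, 0x4000, {0x80,0,0,0,0,0,0,0x01}}; /* constructed */
static const GUID IID_IUnrelated = {0x7e1a2c3d, 0x0002, 0x4000, {0x80,0,0,0,0,0,0,0x02}}; /* constructed */

/* IUnknown: the three slots every COM interface starts with. */
typedef struct IUnknown IUnknown;
typedef struct IUnknownVtbl {
    HRESULT  (*QueryInterface)(IUnknown *self, REFIID iid, void **out);
    uint32_t (*AddRef)(IUnknown *self);
    uint32_t (*Release)(IUnknown *self);
} IUnknownVtbl;
struct IUnknown { const IUnknownVtbl *lpVtbl; };

/* IHello "derives" from IUnknown by repeating its slots, then adding slot 3. */
typedef struct IHello IHello;
typedef struct IHelloVtbl {
    HRESULT  (*QueryInterface)(IHello *self, REFIID iid, void **out);
    uint32_t (*AddRef)(IHello *self);
    uint32_t (*Release)(IHello *self);
    HRESULT  (*Greet)(IHello *self, char *buf, size_t cap);
} IHelloVtbl;
struct IHello { const IHelloVtbl *lpVtbl; };

/* The object itself: vtable pointer first (the layout a client relies on), then private state. */
typedef struct { IHello iface; uint32_t refcount; char name[32]; } HelloObject;

static int guid_equal(REFIID a, REFIID b) { return memcmp(a, b, sizeof(GUID)) == 0; }

static HRESULT Hello_QueryInterface(IHello *self, REFIID iid, void **out) {
    if (!out) return E_POINTER;
    *out = NULL;                                   /* COM rule: out-param is NULL on failure */
    if (!guid_equal(iid, &IID_IUnknown) && !guid_equal(iid, &IID_IHello))
        return E_NOINTERFACE;
    self->lpVtbl->AddRef(self);                    /* a successful QI hands out a new reference */
    *out = self;
    return S_OK;
}
static uint32_t Hello_AddRef(IHello *self) { return ++((HelloObject *)self)->refcount; }
static uint32_t Hello_Release(IHello *self) {
    HelloObject *o = (HelloObject *)self;
    uint32_t n = --o->refcount;
    if (n == 0) free(o);                           /* last reference gone: destroy the object */
    return n;
}
static HRESULT Hello_Greet(IHello *self, char *buf, size_t cap) {
    if (!buf || cap == 0) return E_POINTER;
    snprintf(buf, cap, "Hello, %s", ((HelloObject *)self)->name);
    return S_OK;
}

/* One shared, read-only table per class: this is what a disassembler finds and walks. */
static const IHelloVtbl g_HelloVtbl = { Hello_QueryInterface, Hello_AddRef, Hello_Release, Hello_Greet };

HRESULT CreateHello(const char *name, IHello **out) {
    if (!out) return E_POINTER;
    HelloObject *o = calloc(1, sizeof *o);
    if (!o) return E_OUTOFMEMORY;
    o->iface.lpVtbl = &g_HelloVtbl;
    o->refcount = 1;                               /* caller owns the initial reference */
    snprintf(o->name, sizeof o->name, "%s", name ? name : "");
    *out = &o->iface;
    return S_OK;
}

/* Number of function-pointer slots in IHello's table: 3 inherited from IUnknown plus 1. */
int ihello_slot_count(void) { return (int)(sizeof(IHelloVtbl) / sizeof(void *)); }

static char g_last_greeting[64];
const char *last_greeting(void) { return g_last_greeting; }

/* Drive the object purely through its vtable, as a client holding only the header
 * declaration (no type library) would. Returns 0 on success, or a negative step
 * number identifying the first expectation that failed. */
int exercise_hello(void) {
    IHello *hello = NULL;
    void *unk = NULL, *bogus = NULL;
    if (CreateHello("DAL", &hello) != S_OK) return -1;                                  /* refcount 1 */
    if (hello->lpVtbl->QueryInterface(hello, &IID_IUnknown, &unk) != S_OK) return -2;   /* refcount 2 */
    if (unk != (void *)hello) return -3;           /* single-interface object: same pointer, same table */
    if (hello->lpVtbl->QueryInterface(hello, &IID_IUnrelated, &bogus) != E_NOINTERFACE) return -4;
    if (bogus != NULL) return -5;                  /* failed QI must not leak a pointer */
    if (hello->lpVtbl->Greet(hello, g_last_greeting, sizeof g_last_greeting) != S_OK) return -6;
    if (hello->lpVtbl->Release(hello) != 1) return -7;  /* drop the reference QI handed out */
    if (hello->lpVtbl->Release(hello) != 0) return -8;  /* drop the creation reference: freed */
    return 0;
}
```

The defensive details (NULL out-param before a failed QueryInterface, the extra AddRef on success, the paired Release calls) are the parts of the IUnknown contract that plugin hosts such as the CoreMediaIO DAL assume; an object that gets them wrong is where use-after-free and leaks in COM code usually start.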


Old style COM is defined in tlb files.

Modern COM (UWP) uses .NET metadata and is stored in .winmd files.

C#, VB.NET, JS(Chakra), C++/CX can use them directly, while with C++/WinRT a source file generator was introduced that generates the necessary boilerplate to access the objects in a C++17 friendly way.

Microsoft now calls COM libraries without type libraries, like DirectX, mini-COM.


Don’t forget about the proxy/stub DLLs: if the COM interface was specified using IDL, its metadata is also encoded inside those using a more descriptive format than typelibs.



