Inside VBS Technology: detailed explanation of CreateObject function

Time: 2021-11-27

I once didn’t understand why passing different strings to the CreateObject function could create such a variety of powerful objects. Later I happened to read umu’s [umu WSH tutorial] (9) CreateObject process and learned that CreateObject creates a COM object, and that its first parameter is the ProgID of that COM object. Later still, I read Jeff Glatt’s COM in plain C and learned how to write COM components in pure C.

COM (Component Object Model) is a very complex topic. It takes a book as thick as a brick to explain it properly, and it is hard to understand without a background in C++ and object-oriented programming. The classic books are COM Principles and Applications, Inside COM and Essential COM, but they seem to be out of print.

Of course, as VBSers we don’t need to understand the principles or the essence of COM. In short, a COM component is a module written by someone else; all we have to do is call it, without caring about its internal implementation, which was one of the original intentions of COM technology. A ProgID can be regarded as a name the developer gives the COM object. We pass that name to the CreateObject function to tell it which object we want to create, and CreateObject returns a pointer to the object.

For example, I can (and so can you) write a COM component in VB and give it the name demon.tw. After registering the component, I can create it with CreateObject:

Set blog = CreateObject("demon.tw")
blog.Open ' suppose my COM object implements an Open method

The commonly used Scripting.FileSystemObject, WScript.Shell, ADODB.Stream and so on are simply the names (ProgIDs) of COM objects that ship with the system, developed by Microsoft.

So how does the CreateObject function create an object? Following it in OllyDbg, the core code can be divided into four steps:


The first step is to call CLSIDFromProgIDEx to obtain the CLSID corresponding to the ProgID. If no corresponding CLSID can be found, the error “ActiveX component can’t create object” is reported.

We can look up the CLSID manually with the registry editor. For example, to get the CLSID of WScript.Shell, open the registry editor and read the default value of HKEY_CLASSES_ROOT\WScript.Shell\CLSID. Note that [umu WSH tutorial] (9) CreateObject process says:

1. The CreateObject function first checks the registry: the default value of the subkey CurVer under HKEY_CLASSES_ROOT\WScript.Shell is WScript.Shell.1, so we know that the latest version is WScript.Shell.1;

2. Read HKEY_CLASSES_ROOT\WScript.Shell.1. There is a subkey CLSID below it whose default value is {72c24dd5-d70a-438b-8a42-98424b88afb8};

This is wrong. The CreateObject function (more precisely, the CLSIDFromProgIDEx function it calls internally) first checks whether the registry subkey HKEY_CLASSES_ROOT\WScript.Shell\CLSID exists. As long as that subkey exists, the CurVer subkey is not consulted, even if the CLSID default value is empty or is not a valid class identifier. CurVer is consulted only when the CLSID subkey does not exist.


Step 2: call the CoGetClassObject function to obtain a pointer to the IClassFactory interface. If it cannot be obtained, the error “ActiveX component can’t create object” or “Class doesn’t support Automation” is reported; other error messages are also possible, depending on the implementation of the COM object.


Step 3: call the CreateInstance method of the IClassFactory interface to obtain an IUnknown interface pointer. Every COM object must support the IUnknown interface, so this step should not fail.


Finally, call the QueryInterface method of the IUnknown interface to ask whether the COM object supports the IDispatch interface. Only COM classes that support IDispatch can be created with CreateObject. If an IDispatch pointer is obtained, it is assigned to the Variant variable; if IDispatch is not supported, the error “Class doesn’t support Automation” or some other message is reported, depending on the specific implementation.

After all this, I still haven’t touched the key question: which objects can VBS call? Or, which strings can be used as the first parameter of the CreateObject function? For the answer, please wait for the next chapter.

VBS in depth: the CreateObject function

This article is about the creation of objects, which belongs to COM. Not much can be said about it here; you can find some COM books and other articles about COM on umu: ATL experience, research notes on new applications based on WebBrowser, reasons for learning ATL, several conceptual questions about COM, several conceptual questions about COM (2). The most common objects are WScript.Shell, Scripting.FileSystemObject, Scripting.Dictionary, etc. Here, take WScript.Shell as an example.


Let’s look at the object creation process for the statement Set objWSH = CreateObject("WScript.Shell"):

1. The CreateObject function first checks the registry: the default value of the subkey CurVer under HKEY_CLASSES_ROOT\WScript.Shell is WScript.Shell.1, so we know that the latest version is WScript.Shell.1;

2. Read HKEY_CLASSES_ROOT\WScript.Shell.1. There is a subkey CLSID below it whose default value is {72c24dd5-d70a-438b-8a42-98424b88afb8};

3. Look up HKEY_CLASSES_ROOT\CLSID\{72c24dd5-d70a-438b-8a42-98424b88afb8}. The default value of its subkey InprocServer32 indicates that the server module is C:\Windows\System32\wshom.ocx.

4. For COM objects that can be called by scripts, the type library (TypeLib) is needed in order to use the object’s methods. The default value of HKEY_CLASSES_ROOT\CLSID\{72c24dd5-d70a-438b-8a42-98424b88afb8}\TypeLib is {f935dc20-1cf0-11d0-adb9-00c04fd58a0b}, and the default value of HKEY_CLASSES_ROOT\TypeLib\{f935dc20-1cf0-11d0-adb9-00c04fd58a0b}\1.0\0\win32 indicates that the type library is C:\Windows\System32\wshom.ocx.

COM objects that support script calls must implement the IDispatch interface. You can see from the “Resource – TYPELIB” of C:\Windows\System32\wshom.ocx that the first seven functions of each object are QueryInterface, AddRef, Release, GetTypeInfoCount, GetTypeInfo, GetIDsOfNames and Invoke. The first three are functions of the IUnknown interface. The TYPELIB resource in the PE file is the binary type library compiled from the *.idl source file, and it can be decompiled back. However, umu recommends viewing it with eXeScope: open C:\Windows\System32\wshom.ocx in eXeScope and view “Resource – TYPELIB”, where you can see the parameter and return value definitions of each interface function.

This is how the VB development environment knows which functions an object has. Therefore, if we know the name of an object but not which functions it has, we can find out by the above method.

Xuejinglan asked umu at 11:40 on Saturday, March 31, 2007: “Which objects exist in the system, and which functions of an object can be called? How do I find out?” The second half of this question has been answered above; the first half is answered below.

Under an object’s registration information HKEY_CLASSES_ROOT\CLSID\{GUID} there may be some subkeys: Control indicates that the component is an ActiveX control, Programmable indicates that the component supports Automation, and Insertable indicates that the component can be embedded in an OLE document container. If Programmable is found, the component supports Automation, that is, the IDispatch interface, so it can be used by scripting languages. However, this method is relatively old; it has now been replaced by component categories, that is, the GUID-shaped subkeys under the Implemented Categories subkey. For example, HKEY_CLASSES_ROOT\CLSID\{72c24dd5-d70a-438b-8a42-98424b88afb8}\Implemented Categories\{40fc6ed5-2438-11cf-a3db-080036f12502}; looking at HKEY_CLASSES_ROOT\Component Categories\{40fc6ed5-2438-11cf-a3db-080036f12502}, the string value 409 there is “Automation Objects”.

To find “Automation Objects”, you can use the tool oleview.exe that ships with VS, which is specifically for viewing the registration information of OLE/COM objects. The interface looks like this:

People may be a little dizzy by now. To sum up, all objects with the component category {40fc6ed5-2438-11cf-a3db-080036f12502} (Automation Objects) support script calls.

The subsequent creation process is not something scripts need to consider. If you are interested in learning COM, you can study it; it is a good mechanism and worth learning.

Title: VBS technology insider: CreateObject function
Author: Demon
Link: http://demon.tw/reverse/vbscript-internal-createobject.html
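As an added example (not code from this post or from umu’s article), the PowerShell function below walks the same registry chain the two articles describe: it applies the CLSID-before-CurVer rule from the first article, then follows the CLSID to its server module, type library and Implemented Categories as in umu’s steps, and reports whether the class carries the Automation Objects category. The cmdlets are standard Windows PowerShell; the function name Resolve-ProgId, its output fields and the error texts (borrowed from the VBScript messages quoted above) are my own choices.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 5.1+
# (registry access). $ProgId is the string VBScript would pass to CreateObject.
function Resolve-ProgId {
    param([Parameter(Mandatory)][string]$ProgId)

    $hkcr = 'Registry::HKEY_CLASSES_ROOT'
    # Component category "Automation Objects", as given in the article above.
    $catidAutomation = '{40fc6ed5-2438-11cf-a3db-080036f12502}'

    # Step 1: CLSIDFromProgIDEx behaviour as described by Demon. If the CLSID
    # subkey exists it is used as-is (even when empty); CurVer is consulted
    # only when there is no CLSID subkey under the ProgID at all.
    $clsidKey = "$hkcr\$ProgId\CLSID"
    if (Test-Path -LiteralPath $clsidKey) {
        $clsid = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'
    } elseif (Test-Path -LiteralPath "$hkcr\$ProgId\CurVer") {
        $versioned = (Get-ItemProperty -LiteralPath "$hkcr\$ProgId\CurVer").'(default)'
        $clsid = (Get-ItemProperty -LiteralPath "$hkcr\$versioned\CLSID" -ErrorAction Stop).'(default)'
    } else {
        throw "ActiveX component can't create object: no CLSID for '$ProgId'"
    }
    # An existing but empty or unregistered CLSID also ends in error 429.
    $classKey = "$hkcr\CLSID\$clsid"
    if (-not $clsid -or -not (Test-Path -LiteralPath $classKey)) {
        throw "ActiveX component can't create object: CLSID '$clsid' is not registered"
    }

    # umu's steps 3 and 4: which module hosts the class, and which type library
    # describes its IDispatch methods (InprocServer32 for DLL/OCX servers,
    # LocalServer32 for out-of-process EXE servers).
    $server = $null
    foreach ($k in 'InprocServer32', 'LocalServer32') {
        if (Test-Path -LiteralPath "$classKey\$k") {
            $server = (Get-ItemProperty -LiteralPath "$classKey\$k").'(default)'; break
        }
    }
    $typeLib = $null
    if (Test-Path -LiteralPath "$classKey\TypeLib") {
        $typeLib = (Get-ItemProperty -LiteralPath "$classKey\TypeLib").'(default)'
    }

    [pscustomobject]@{
        ProgId             = $ProgId
        Clsid              = $clsid
        Server             = $server
        TypeLib            = $typeLib
        # New-style scriptability marker (component category) vs the old Programmable key.
        AutomationCategory = Test-Path -LiteralPath "$classKey\Implemented Categories\$catidAutomation"
        Programmable       = Test-Path -LiteralPath "$classKey\Programmable"
    }
}

Resolve-ProgId 'WScript.Shell'
```

On a stock system the WScript.Shell row should show the wshom.ocx server and type library paths and AutomationCategory set to True, matching the values walked through in umu’s steps; a misspelled ProgID raises the error-429 text instead.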