Sunday, September 1, 2013

ActiveX: Security Features and Analysis Tips

Using the OLE/COM Object Viewer

It is a useful tool for understanding unknown COM objects installed on the system. You can see whether an ActiveX object exposes an IObjectSafety interface in the [Object Classes] > [All Objects] view, and inspect its methods in the [Type Libraries] view.

COMRaider

Another useful tool, this time for tracking down fuzzable COM objects and for checking whether ActiveX objects have been marked as "Safe" in the registry.

Difference between embedding ActiveX object with <object> tag or creating one with new ActiveXObject()

These are the two ways to instantiate an ActiveX object from an HTML page.

Safe Initialization and Scripting for ActiveX Controls

An ActiveX control hosted in the Internet zone (not localhost) will not be loaded by IE unless it is marked as "Safe." There are two ways to mark a control as "Safe": registering it in the registry, or implementing the IObjectSafety interface.

Designing Secure ActiveX Controls

It is a helpful resource for finding zero-day vulnerabilities in ActiveX objects: you can focus on the controls that break those rules.

Developing Safer ActiveX Controls Using the Sitelock Template

Developers should use the SiteLock template to restrict which websites are allowed to instantiate their ActiveX objects; otherwise an attacker can host a malicious website, lure users to it, and exploit them through the vulnerable ActiveX object.


The Kill-Bit FAQ: Part 1, 2, 3

A kill bit is a registry setting that marks an ActiveX control as forbidden. A kill-bitted control will never be loaded into the IE process unless its class ID is changed or a "Phoenix bit" is set to declare that the control is no longer dangerous.
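As an added example (not code from the original post), the following PowerShell function reports, for one CLSID, the registry state described above: whether the kill bit is set in its Compatibility Flags, whether an AlternateCLSID (the "Phoenix bit") redirects it, and whether it has been marked "Safe" through the registry component categories rather than through IObjectSafety. The CLSID in the usage line is a placeholder, and the function reads only the native registry view, so a 32-bit control on 64-bit Windows may also need the Wow6432Node keys checked.

```powershell
# Added example, not code from the original post. Reports the IE registry
# state for one CLSID: kill bit, AlternateCLSID ("Phoenix bit") and the
# "Safe" component categories. Native registry view only (see lead-in).
function Get-ActiveXSafetyState {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid   # in the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
    )

    # Well-known category IDs that IE looks for under Implemented Categories
    $CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
    $CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
    $KillBit = 0x400   # bit in "Compatibility Flags" that blocks the control in IE

    $Clsid     = $Clsid.ToUpper()
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $catKey    = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\Implemented Categories"

    $state = [ordered]@{
        CLSID               = $Clsid
        KillBit             = $false
        AlternateCLSID      = $null
        SafeForScripting    = $false
        SafeForInitializing = $false
    }

    if (Test-Path $compatKey) {
        $props = Get-ItemProperty -Path $compatKey
        $flags = $props.'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band $KillBit) -ne 0) {
            $state.KillBit = $true
        }
        # Phoenix bit: IE loads this CLSID in place of the killed one
        $state.AlternateCLSID = $props.AlternateCLSID
    }

    # "Safe" marking done through the registry. A control that answers via
    # IObjectSafety instead leaves no trace here, so an absent category does
    # not prove the control is unscriptable; check IObjectSafety with the
    # OLE/COM Object Viewer as well.
    $state.SafeForScripting    = Test-Path "$catKey\$CatSafeForScripting"
    $state.SafeForInitializing = Test-Path "$catKey\$CatSafeForInitializing"

    [pscustomobject]$state
}

# Usage (placeholder CLSID; substitute the control you are examining):
# Get-ActiveXSafetyState -Clsid '{00000000-0000-0000-0000-000000000000}'
```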


The Easy Way To Determine The Implementation Address Of ActiveX Methods With IDA.

  1. Check the names of the methods using COMRaider.
  2. Open the ActiveX file with IDA Pro.
  3. Open the [Strings] window and look for the string that matches the method name.
  4. Jump to the address of the string and follow the cross-reference to the address that uses it. It will look like this:
.rdata:10007A10 off_10007A10    dd offset aSave         ; DATA XREF: .rdata:10007B3C o
.rdata:10007A10                                         ; "Save"  : Reference!
.rdata:10007A14                 db    1
.rdata:10007A15                 db    0
.rdata:10007A16                 db    0
.rdata:10007A17                 db    0
.rdata:10007A18                 dd offset asc_10007AA8  ; "\b"
.rdata:10007A1C                 db  13h
.rdata:10007A1D                 db    0
.rdata:10007A1E                 db    0
.rdata:10007A1F                 db    0
.rdata:10007A20                 dd offset sub_100015F0
.rdata:10007A24                 align 10h
.rdata:10007A30                 dd offset aLoad         ; "Load"   ; The other reference!
The dword at +10h from that reference should be the method implementation you are looking for. Once the bytes are converted to dwords and the function is renamed, the entry reads:
.rdata:10007A10 off_10007A10    dd offset aSave         ; DATA XREF: .rdata:10007B3C o
.rdata:10007A10                                         ; "Save"
.rdata:10007A14                 dd 1
.rdata:10007A18                 dd offset asc_10007AA8  ; "\b"
.rdata:10007A1C                 dd 13h
.rdata:10007A20                 dd offset Save          ; Yay!
.rdata:10007A24                 align 10h
.rdata:10007A30                 dd offset aLoad         ; "Load"

ClassAndInterfaceToNames

A quote from the documentation:
"This small IDAPython script scans an idb file for class and interfaces UUIDs and creates the matching structure and its name."

Not safe = not dangerous? How to tell if ActiveX vulnerabilities are exploitable in Internet Explorer

How IE initializes an ActiveX control depending on its kill bit and its "Safe for Initialization with data" and "Safe for Scripting" markings.