turborex 0.1.1

data/lib/turborex/windows/com.rb

@@ -0,0 +1,266 @@
+# frozen_string_literal: true
+
+unless OS.windows?
+  warn "\033[33m[-]Warning: This module doesn't currently work on non-Windows os.\033[0m"
+end
+
+module TurboRex
+  class Windows < ::Metasm::WinOS
+    module COM
+      module WellKnownIID
+        IID_IUnknown = '00000000-0000-0000-C000-000000000046'
+        IID_IClassFactory = '00000001-0000-0000-C000-000000000046'
+        IID_IStream = '0000000c-0000-0000-C000-000000000046'
+        IID_IStorage = '0000000b-0000-0000-C000-000000000046'
+        IID_IPSFactoryBuffer = 'D5F569D0-593B-101A-B569-08002B2DBF7A'
+        IID_IRpcProxyBuffer = 'D5F56A34-593B-101A-B569-08002B2DBF7A'
+        IID_IRpcStubBuffer = 'D5F56AFC-593B-101A-B569-08002B2DBF7A'
+      end
+
+      CLSCTX_INPROC_SERVER = 0x1
+      CLSCTX_INPROC_HANDLER = 0x2
+      CLSCTX_LOCAL_SERVER = 0x4
+      CLSCTX_INPROC_SERVER16 = 0x8
+      CLSCTX_REMOTE_SERVER = 0x10
+      CLSCTX_INPROC_HANDLER16 = 0x20
+      CLSCTX_RESERVED1  = 0x40
+      CLSCTX_RESERVED2  = 0x80
+      CLSCTX_RESERVED3  = 0x100
+      CLSCTX_RESERVED4  = 0x200
+      CLSCTX_NO_CODE_DOWNLOAD = 0x400
+      CLSCTX_RESERVED5 = 0x800
+      CLSCTX_NO_CUSTOM_MARSHAL = 0x1000
+      CLSCTX_ENABLE_CODE_DOWNLOAD = 0x2000
+      CLSCTX_NO_FAILURE_LOG = 0x4000
+      CLSCTX_DISABLE_AAA = 0x8000
+      CLSCTX_ENABLE_AAA = 0x10000
+      CLSCTX_FROM_DEFAULT_CONTEXT = 0x20000
+      CLSCTX_ACTIVATE_X86_SERVER = 0x40000
+      CLSCTX_ACTIVATE_32_BIT_SERVER  = CLSCTX_ACTIVATE_X86_SERVER
+      CLSCTX_ACTIVATE_64_BIT_SERVER  = 0x80000
+      CLSCTX_ENABLE_CLOAKING = 0x100000
+      CLSCTX_APPCONTAINER = 0x400000
+      CLSCTX_ACTIVATE_AAA_AS_IU = 0x800000
+      CLSCTX_RESERVED6 = 0x1000000
+      CLSCTX_ACTIVATE_ARM32_SERVER = 0x2000000
+      CLSCTX_PS_DLL = 0x80000000
+
+      # WinVer >= NT4 && DCOM
+      if TurboRex::Windows.version.first >= 4
+        CLSCTX_ALL = CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER
+        CLSCTX_SERVER = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER
+      end
+
+      # Mashal Flag
+      MSHLFLAGS_NORMAL = 0
+      MSHLFLAGS_TABLESTRONG = 1
+      MSHLFLAGS_TABLEWEAK = 2
+      MSHLFLAGS_NOPING = 4
+      MSHLFLAGS_RESERVED1  = 8
+      MSHLFLAGS_RESERVED2  = 16
+      MSHLFLAGS_RESERVED3  = 32
+      MSHLFLAGS_RESERVED4  = 64
+
+      # Mashal Context
+      MSHCTX_LOCAL = 0
+      MSHCTX_NOSHAREDMEM = 1
+      MSHCTX_DIFFERENTMACHINE = 2
+      MSHCTX_INPROC = 3
+      MSHCTX_CROSSCTX = 4
+      MSHCTX_RESERVED1 = 5
+
+      # Object Refenrence Flags
+      OBJREF_STANDARD = 1
+      OBJREF_HANDLER = 2
+      OBJREF_CUSTOM = 4
+      OBJREF_EXTENDED = 8
+
+      # STGM Constant
+      STGM_READ = 0x00000000
+      STGM_WRITE = 0x00000001
+      STGM_READWRITE = 0x00000002
+      STGM_SHARE_DENY_NONE = 0x00000040
+      STGM_SHARE_DENY_READ = 0x00000030
+      STGM_SHARE_DENY_WRITE = 0x00000020
+      STGM_SHARE_EXCLUSIVE = 0x00000010
+      STGM_PRIORITY = 0x00040000
+      STGM_CREATE = 0x00001000
+      STGM_CONVERT = 0x00020000
+      STGM_FAILIFTHERE = 0x00000000
+      STGM_DIRECT = 0x00000000
+      STGM_TRANSACTED = 0x00010000
+      STGM_NOSCRATCH = 0x00100000
+      STGM_NOSNAPSHOT = 0x00200000
+      STGM_SIMPLE = 0x08000000
+      STGM_DIRECT_SWMR = 0x00400000
+      STGM_DELETEONRELEASE = 0x04000000
+
+      INTERNAL_APIPROXY = TurboRex::Windows::Win32API.dup
+      INTERNAL_APIPROXY.parse_c <<-EOS
+        typedef struct SHashChain
+        {
+          struct SHashChain *pNext;
+          struct SHashChain *pPrev;
+        } SHashChain;
+
+        typedef struct _CIDObject {
+          void * pVtable;
+          SHashChain _pidChain;
+          SHashChain _oidChain;
+          unsigned int _dwState;
+          unsigned int _cRefs;
+          void *_pServer;
+          void *_pServerCtx;
+          GUID _oid;
+          unsigned int _aptID;
+          void *_pStdWrapper;
+          void *_pStdID;
+          unsigned int _cCalls;
+          unsigned int _cLocks;
+          SHashChain _oidUnpinReqChain;
+          unsigned int _dwOidUnpinReqState;
+          void *_pvObjectTrackCookie;
+        } CIDObject;
+
+        typedef struct _CStdWrapper
+        {
+          void * pVtable;
+          unsigned long _dwState;
+          unsigned int _cRefs;
+          unsigned int _cCalls;
+          unsigned int _cIFaces;
+          void *_pIFaceHead;
+          void *_pCtxEntryHead;
+          void *_pCtxFreeList;
+          void *_pServer;
+          CIDObject *_pID;
+          void *_pVtableAddress;
+        }CStdWrapper;
+
+        typedef struct _tagIPIDEntry
+        {
+          void *pNextIPID;
+          unsigned int dwFlags;
+          unsigned int cStrongRefs;
+          unsigned int cWeakRefs;
+          unsigned int cPrivateRefs;
+          void *pv;
+          void *pStub;
+          void *pOXIDEntry;
+          GUID ipid;
+          GUID iid;
+          void *pChnl;
+          void *pIRCEntry;
+          void *pInterfaceName;
+          void *pOIDFLink;
+          void *pOIDBLink;
+        } tagIPIDEntry;
+
+
+        typedef struct _CStdIdentity
+        {
+          void *pVtable;
+          void *pVtable2;
+          unsigned int _dwFlags;
+          int _cIPIDs;
+          tagIPIDEntry *_pFirstIPID;
+          void *_pStdId;
+          void *_pChnl;
+          GUID _clsidHandler;
+          int _cNestedCalls;
+          int _cTableRefs;
+        } CStdIdentity;
+
+
+        typedef struct _IRpcStubBufferVtbl
+        {
+          HRESULT (__fastcall *QueryInterface)(void *, const GUID *, void **);
+          unsigned int (__fastcall *AddRef)(void *);
+          unsigned int (__fastcall *Release)(void *);
+          HRESULT (__fastcall *Connect)(void *, void *);
+          void (__fastcall *Disconnect)(void *);
+          HRESULT (__fastcall *Invoke)(void *, void *, void *);
+          void *(__fastcall *IsIIDSupported)(void *, const GUID *);
+          unsigned int (__fastcall *CountRefs)(void *);
+          HRESULT (__fastcall *DebugServerQueryInterface)(void *, void **);
+          void (__fastcall *DebugServerRelease)(void *, void *);
+        } IRpcStubBufferVtbl;
+
+        typedef struct tagCStdStubBuffer
+        {
+            const struct IRpcStubBufferVtbl *   lpVtbl;
+            LONG                                RefCount;
+            struct IUnknown *                   pvServerObject;
+
+            const struct ICallFactoryVtbl *     pCallFactoryVtbl;
+            const IID *                         pAsyncIID;
+            struct IPSFactoryBuffer *           pPSFactory;
+            const struct IReleaseMarshalBuffersVtbl *     pRMBVtbl;
+        } CStdStubBuffer;
+
+        typedef struct tagCInterfaceStubHeader
+        {
+            const IID               *   piid;
+            const void  *   pServerInfo; // MIDL_SERVER_INFO
+            ULONG               DispatchTableCount;
+            const void *  pDispatchTable;
+        } CInterfaceStubHeader;
+
+        typedef struct tagCInterfaceProxyHeader
+        {
+        #ifdef USE_STUBLESS_PROXY
+            const void *    pStublessProxyInfo;
+        #endif
+            const IID *     piid;
+        } CInterfaceProxyHeader;
+
+        typedef struct tagCInterfaceProxyVtbl
+        {
+            CInterfaceProxyHeader header;
+            void *Vtbl[1];
+        } CInterfaceProxyVtbl;
+
+        typedef struct tagCInterfaceStubVtbl
+        {
+            CInterfaceStubHeader        header;
+            IRpcStubBufferVtbl          Vtbl;
+        } CInterfaceStubVtbl;
+
+        typedef struct tagCInterfaceStubVtbl *  PCInterfaceStubVtblList;
+        typedef struct tagCInterfaceProxyVtbl *  PCInterfaceProxyVtblList;
+        typedef const char *                    PCInterfaceName;
+        typedef int __stdcall IIDLookupRtn( const IID * pIID, int * pIndex );
+        typedef IIDLookupRtn * PIIDLookup;
+
+        typedef struct tagProxyFileInfo
+        {
+            const PCInterfaceProxyVtblList *pProxyVtblList;
+            const PCInterfaceStubVtblList  *pStubVtblList;
+            const PCInterfaceName *         pNamesArray;
+            const IID **                    pDelegatedIIDs;
+            const PIIDLookup                pIIDLookupRtn;
+            unsigned short                  TableSize;
+            unsigned short                  TableVersion;
+            const IID **                    pAsyncIIDLookup;
+            LONG_PTR                        Filler2;
+            LONG_PTR                        Filler3;
+            LONG_PTR                        Filler4;
+        }ProxyFileInfo;
+
+        typedef struct tagCStdPSFactoryBuffer
+        {
+            const IPSFactoryBufferVtbl  *   lpVtbl;
+            LONG                            RefCount;
+            const ProxyFileInfo **          pProxyFileList;
+            LONG                            Filler1;  //Reserved for future use.
+        } CStdPSFactoryBuffer;
+      EOS
+
+      require 'turborex/windows/com/interface.rb'
+      require 'turborex/windows/com/utils.rb'
+      require 'turborex/windows/com/client.rb'
+      require 'turborex/windows/com/com_registry.rb'
+      require 'turborex/windows/com/com_finder.rb'
+    end
+  end
+end

data/lib/turborex/windows/com/client.rb

@@ -0,0 +1,84 @@
+module TurboRex
+  class Windows < Metasm::WinOS
+    module COM
+      class Client
+        include WellKnownIID
+
+        attr_reader :clsid
+        attr_reader :api_proxy
+        attr_reader :iunknown
+
+        def initialize(clsid, opts = {})
+          @clsid = clsid
+          @context = opts[:cls_context] || CLSCTX_ALL
+          @iunknown = Interface::IUnknown.new
+          @apartment = opts[:apartment] || 0
+          @api_proxy = Win32API.dup
+          @cp = @api_proxy.cp
+
+          Win32API.coinitializeex(0, @apartment)
+        end
+
+        # Binding to class implementation
+        def create_instance(opts={})
+          interface = opts[:interface] || @iunknown
+          iid = interface.iid
+          cls_context = opts[:cls_context] || @context
+          ppv = @api_proxy.alloc_c_ptr('PVOID')
+          pclsid = Utils.clsid_to_raw(@clsid)
+          piid = Utils.clsid_to_raw(iid)
+
+          hr = @api_proxy.cocreateinstance(pclsid, 0, cls_context, piid, ppv)
+          raise "Failed to call CoCreateInstance: #{TinySDK.format_hex_ntstatus(hr, hex_str: true)}" unless TinySDK.nt_success?(hr)
+          pthis = ppv[0]
+          interface.this = pthis
+          @iunknown = interface if interface.kind_of?(Interface::IUnknown)
+          interface
+        end
+
+        # Binding to class object(class factory)
+        def get_class_object(opts={})
+          interface = Interface::IClassFactory.new
+          iid = interface.iid
+          cls_context = opts[:cls_context] || @context
+          server_info = opts[:server_info]
+          ppv = @api_proxy.alloc_c_ptr('LPVOID')
+          pclsid = Utils.clsid_to_raw(@clsid)
+          piid = Utils.clsid_to_raw(iid)
+
+          hr = @api_proxy.cogetclassobject(pclsid, cls_context, server_info, piid, ppv)
+          raise "Failed to call CoGetClassObject: #{TinySDK.format_hex_ntstatus(hr, hex_str: true)}" unless TinySDK.nt_success?(hr)
+
+          pthis = ppv[0]
+          interface.this = pthis
+          interface
+        end
+
+        def query_interface(iid_or_iface)
+          interface = nil
+          if iid_or_iface.is_a?(Interface)
+            interface = iid_or_iface
+            iid = interface.iid
+          elsif iid_or_iface.is_a?(String)
+            iid = iid_or_iface
+          end
+
+          create_instance unless @iunknown.this
+          iid = Utils.clsid_to_raw(iid)
+          ppv = @api_proxy.alloc_c_ptr('PVOID')
+
+          if @iunknown.QueryInterface(iid, ppv).nil?
+            if interface
+              interface.this = ppv[0]
+              return interface
+            else
+              return ppv[0]
+            end
+          end
+
+          false
+        end
+      end
+    end
+  end
+end

data/lib/turborex/windows/com/com_finder.rb

@@ -0,0 +1,330 @@
+# frozen_string_literal: true
+require 'turborex/pefile/scanner'
+
+module TurboRex
+  class Windows < Metasm::WinOS
+    module COM
+      class Finder
+        include TurboRex::Utils::DisassemblerHelper
+        include TurboRex::PEFile::Scanner
+
+        def initialize(clsid)
+          @clsid = clsid
+        end
+      end
+
+      class InProcFinder < Finder
+        attr_reader :clsid
+        attr_reader :server_path
+
+        include Utils
+
+        def initialize(clsid)
+          @clsid = clsid
+          @process = TurboRex::Windows::Process.new(nil, -1)
+          @memory = @process.memory
+          @ptr_len = @process.cpusz / 8
+        end
+
+        def locate_interface_methods(iid)
+          Win32::Registry::HKEY_CLASSES_ROOT.open("CLSID\\{#{@clsid}}") do |reg_clsid|
+            reg_clsid.open('InprocServer32') do |reg_inproc32|
+              @server_path = reg_inproc32.read_s_expand('')
+            end
+          end
+
+          class_factory = Utils.dll_get_class_object(@clsid, @server_path)
+          ppv = INTERNAL_APIPROXY.alloc_c_ptr('PVOID')
+          unless class_factory.CreateInstance(0, Utils.clsid_to_raw(iid), ppv)
+            # class_factory.Release
+            pvtbl = to_ptr(@memory.get_page(ppv[0], @ptr_len))
+            proxy_file_info = get_proxy_file_info(iid)
+            return false unless proxy_file_info
+
+            count = get_disptbl_count(proxy_file_info)
+
+            if count
+              methods = []
+              @memory.get_page(pvtbl, count * @ptr_len).split('').each_slice(@ptr_len) { |m| methods << to_ptr(m.join) }
+
+              first_method = methods.first
+              _module = @process.modules.find { |m| first_method > m.addr && first_method < m.addr + m.size }
+              if relative
+                return {
+                  module: _module.path,
+                  methods: methods.map.with_index { |method, i| { index: i, rva: method - _module.addr } }
+                }
+              else
+                return {
+                  module: _module.path,
+                  methods: methods.map.with_index { |method, i| { index: i, va: method } }
+                }
+              end
+             
+            end
+          end
+        end
+      end
+
+      class OutOfProcFinder < Finder
+        attr_reader :clsid
+        attr_reader :client
+        attr_reader :process
+        attr_reader :pid
+        attr_reader :handle
+
+        include Utils
+
+        def initialize(clsid, opts = {})
+          pid = opts[:pid]
+          context = opts[:context] || CLSCTX_ALL
+          @clsid = clsid
+          @client = Client.new(clsid)
+          @iunknown = @client.create_instance(cls_context: context, interface: Interface::IUnknown.new)
+          @pid = get_pid_by_std_objref(@iunknown) || pid
+
+          process = TurboRex::Windows::Process.new(@pid)
+          raise "Unable to open process #{pid}" unless process.handle
+          unless process.addrsz == (sz = Metasm::WinOS::Process.new(nil, -1).addrsz)
+            raise "The architecture of Ruby interpreter process(#{sz}-bit) is not same as target process"
+          end
+
+          @process = process
+          @handle = @process.handle
+          @ptr_len = @process.cpusz / 8
+          @memory = @process.memory
+
+          unless @process.load_symbol_table('combase.dll')
+            raise "Unable to load combase.dll's symbol"
+          end
+
+          @combase_base_addr = (@process.modules.find { |m| m.path =~ Regexp.new('combase.dll', true) }).addr
+        end
+
+        def locate_multiple_interfaces(iids, relative = true)
+          iids.map {|iid| locate_interface_methods(iid, relative)}.compact
+        end
+
+        def locate_interface_methods(iid, relative = true)
+          # Let the object exporter create IPID entry for target interface
+          tmp_interface = TurboRex::Windows::COM::Interface.define_interface(iid, {}, Interface::IUnknown)
+          ppv = INTERNAL_APIPROXY.alloc_c_ptr('PVOID')
+          raise "No such interface: #{iid}" unless @iunknown.QueryInterface(Utils.clsid_to_raw(iid), ppv).nil?
+          tmp_interface.this = ppv[0]
+          tmp_interface.marshal_to_string # For In-Proc server
+          return nil unless buckets_addr = find_oid_buckets_addr
+
+          headers = read_bucket_headers(buckets_addr)
+          walk_buckets(headers) do |_cid_obj, ipid_entry|
+            raw_iid = ipid_entry.str[ipid_entry.iid.stroff, ipid_entry.iid.sizeof]
+            _iid = TurboRex::MSRPC::Utils.raw_to_guid_str(raw_iid)
+
+            if _iid == iid
+              methods_count = iface_vtbl_count(ipid_entry)
+              return nil unless methods_count
+
+              if ipid_entry.pv
+                pvtbl = to_ptr(@memory.get_page(ipid_entry.pv, @ptr_len))
+              end
+
+              methods = []
+              @memory.get_page(pvtbl, methods_count * @ptr_len).split('').each_slice(@ptr_len) { |m| methods << to_ptr(m.join) }
+              # dasm = Metasm::Shellcode.decode(@memory, Metasm::X86_64.new).disassembler
+              # dasm.disassemble_fast_deep(methods.last)
+
+              first_method = methods.first
+              _module = @process.modules.find { |m| first_method > m.addr && first_method < m.addr + m.size }
+              if relative
+                tmp_interface.Release
+                return {
+                  module: _module.path,
+                  methods: methods.map.with_index { |method, i| { index: i, rva: method - _module.addr } }
+                }
+
+                # return methods.map.with_index do |method, i|
+                #   _module = @process.modules.find { |m| method > m.addr && method < m.addr + m.size }
+                #   _module ? {index: i, module: _module.path, rva: method - _module.addr} : nil
+                # end
+              else
+                tmp_interface.Release
+                return {
+                  module: _module.path,
+                  methods: methods.map.with_index { |method, i| { index: i, va: method } }
+                }
+              end
+            end
+          end
+
+          # Should decrease reference count
+          tmp_interface.Release
+          nil
+        end
+
+        def walk_buckets(buckets, &block)
+          buckets.each do |bucket, base_addr|
+            pNext = bucket.pNext
+            until pNext == base_addr
+              obj_addr = pNext - bucket.sizeof - @ptr_len
+              cid_obj = INTERNAL_APIPROXY.alloc_c_struct('CIDObject')
+              cid_obj.str = @memory.get_page(obj_addr, cid_obj.sizeof)
+              pNext = cid_obj._oidChain.pNext
+
+              std_ident = INTERNAL_APIPROXY.alloc_c_struct('CStdIdentity')
+              std_ident.str = @memory.get_page(cid_obj._pStdID, std_ident.sizeof)
+              walk_ipid_entries(std_ident._pFirstIPID) do |ipid_entry|
+                yield(cid_obj, ipid_entry) if block_given?
+              end
+            end
+          end
+        end
+
+
+        def walk_ipid_entries(pfirst_entry)
+          ipid_entries = []
+          pNext = pfirst_entry
+
+          # TODO: stdid.cIPIDs
+          until pNext.nil?
+            ipid_entry = INTERNAL_APIPROXY.alloc_c_struct('tagIPIDEntry')
+            ipid_entry.str = @memory.get_page(pNext, ipid_entry.sizeof)
+            yield(ipid_entry) if block_given?
+            ipid_entries << ipid_entry
+            pNext = ipid_entry.pNextIPID
+          end
+
+          ipid_entries
+        end
+
+        def find_oid_buckets_addr
+          buffer = INTERNAL_APIPROXY.alloc_c_ary('BYTE', 300)
+          sym_info = INTERNAL_APIPROXY.alloc_c_struct('SYMBOL_INFO')
+          sym_info.SizeOfStruct = sym_info.sizeof
+          sym_info.MaxNameLen = 150
+          buffer[0, sym_info.sizeof] = sym_info.str
+
+          if INTERNAL_APIPROXY.symfromname(@handle, 'COIDTable::s_OIDBuckets', buffer) == 1
+            sym_info.str = buffer[0, sym_info.sizeof]
+            sym_info.Address
+          end
+        end
+
+        def read_bucket_headers(address)
+          headers = []
+
+          TurboRex::Windows::Constants::MAX_BUCKETS_NUM.times do |i|
+            header = INTERNAL_APIPROXY.alloc_c_struct('SHashChain')
+            header_addr = address + i * header.sizeof
+            header.str = @memory.get_page(header_addr, header.sizeof)
+            next if header.pNext == header_addr
+
+            headers << [header, header_addr]
+          end
+
+          headers
+        end
+
+        def close
+          # TODO: Unload symbols
+          if @process
+            @process.close_handle
+            @handle = nil
+          end
+        end
+
+        private
+
+        def iface_vtbl_count(ipid_entry)
+          if ipid_entry.pStub # Standard interface stub
+            pstub_vtbl = @memory.get_page(ipid_entry.pStub, @ptr_len)
+            if_stub_vtbl = INTERNAL_APIPROXY.alloc_c_struct('CInterfaceStubVtbl')
+            if_stub_vtbl.str = @memory.get_page(to_ptr(pstub_vtbl) - if_stub_vtbl.Vtbl.stroff, if_stub_vtbl.sizeof)
+            if_stub_vtbl.header.DispatchTableCount
+          else
+            # Get ProxyFileInfo->pStubVtblList->header->DispatchTableCount
+            raw_iid = ipid_entry.str[ipid_entry.iid.stroff, ipid_entry.iid.sizeof]
+            iid = TurboRex::MSRPC::Utils.raw_to_guid_str(raw_iid)
+            proxy_file_info = get_proxy_file_info(iid)
+            raise unless proxy_file_info
+
+            # pcif_stub_vtbl_list = to_ptr(@memory.get_page(proxy_file_info.pStubVtblList, @ptr_len))
+            # if_stub_vtbl = TurboRex::Windows::COM::INTERNAL_APIPROXY.alloc_c_struct('CInterfaceStubVtbl')
+            # if_stub_vtbl.str = @memory.get_page(pcif_stub_vtbl_list, if_stub_vtbl.sizeof)
+            # return if_stub_vtbl.header.DispatchTableCount
+            get_disptbl_count(proxy_file_info)
+          end
+        end
+      end
+
+      class ClientFinder
+        include TurboRex::Utils::COMApiBacktraceHelper
+
+        BACKTRACE_PROC = {
+          'CoCreateInstance' => :bt_cocreateinstance
+        }
+
+        def initialize(fname_or_dasm)
+          if fname_or_dasm.is_a?(String)
+            pe = Metasm::PE.decode_file(fname_or_dasm)
+            @dasm = _disassemble_executable_sections(pe)
+          elsif fname_or_dasm.is_a?(::Metasm::Disassembler)
+            @dasm = dasm
+          end
+        end
+
+        def find_client_call(dis=nil)
+          res = []
+
+          BACKTRACE_PROC.each do |k, v|
+            @dasm.call_sites(::Metasm::Expression[k]).each do |c|
+              bt_result = v.to_proc.call(self, @dasm, c)
+              pv = bt_result[:pv]
+              clsid = bt_result[:rclsid]
+              iid = bt_result[:riid]
+              context = bt_result[:context]
+
+              unless pv == :unknown
+                func_start = @dasm.find_function_start(c)
+                func_end = @dasm.function_including(c).return_address
+                return unless func_end
+                func_end = func_end.first
+                dis ||= @dasm.decoded.values.select  {|di| di.address >= func_start && di.address <= func_end}
+                dis.select {|di| di.opcode.props[:saveip]}.each do |di_call|
+                  if (obj, vtbl, index = solve_cppobj_call(@dasm, di_call))
+                    if obj.reduce_rec.to_s == pv.to_s
+                      res << {
+                        clsid: clsid,
+                        iid: iid,
+                        context: context,
+                        method_index: index,
+                        call_site: di_call.address
+                      }
+                    end
+                  elsif fptr = solve_guard_icall(@dasm, di_call) # TODO: check Guard Flags to detect whether cfg is enabled
+                    if fptr.is_a?(::Metasm::Indirection)
+                      if fptr.pointer.op == :+ && 
+                          fptr.pointer.rexpr.is_a?(Integer) &&
+                          fptr.pointer.lexpr.is_a?(::Metasm::Indirection)
+
+                        if fptr.pointer.lexpr.pointer.reduce_rec.to_s == pv.to_s
+                          res << {
+                            clsid: clsid,
+                            iid: iid,
+                            context: context,
+                            method_index: fptr.pointer.rexpr / (@dasm.cpu.size / 8),
+                            call_site: di_call.address
+                          }
+                        end
+                      end
+                    end
+                  end                  
+                end
+              end
+            end
+          end
+
+          res
+        end
+      end
+    end
+  end
+end