COM Hijacking
COM
The Microsoft Component Object Model (COM) is an interface standard that allows software components to interact with and call each other's code without any knowledge of the other's internal implementation.
In simpler terms, COM lets developers build libraries that can cooperate with applications written in other languages.
COM objects are identified by globally unique identifiers (GUIDs), known as class identifiers (CLSIDs) and interface identifiers (IIDs), and they are registered in the registry hives.
The merged hive HKCR (HKEY_CLASSES_ROOT) presents the combined contents of the class registrations under HKCU and HKLM.
When the COM server is a DLL (an in-process server), loading it looks like this:
When the COM server is an EXE (an out-of-process server), the process looks like this:
And when the COM object lives on a remote machine:
COM Hijacking
One way to hijack a COM object is by adding or modifying its registry key under HKEY_CURRENT_USER.
To find hijackable COM objects, we can look at the scheduled tasks:
We are looking for two things: in the actions section there should be a <ComHandler> element instead of an <Exec> element with a binary path, and in the <Triggers> section we want a <LogonTrigger>.
Look for <ComHandler> in the output file; it points to a specific class ID (CLSID).
After finding a suitable handler:
Query this class ID in the registry:
So the key exists only in the HKEY_LOCAL_MACHINE hive. Because a matching entry under HKEY_CURRENT_USER is consulted first, putting the same key there lets us hijack that COM object.
We can export the target registry key as 64-bit:
The output looks something like this:
Then use this template for the COM hijacking DLL:
Compile it with:
Now the DLL is ready; we need to implant its path in the registry.
In the exported file, change the hive from HKEY_LOCAL_MACHINE to HKEY_CURRENT_USER
and change the server path to point to the DLL:
Save the edited registry file, then import it into the hive.
Verify the result:
Now we have to wait for the user to log on again or for the machine to reboot.
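The end state described above (a logon-triggered task whose CLSID is served from a user-writable HKCU key that shadows the HKLM one) is also what a defender looks for. The following audit script is an added example written for this page; it is not code from the original post. It assumes an elevated 64-bit PowerShell session on the host being audited and task definitions in the default folder under $env:SystemRoot\System32\Tasks; the function names are this example's own.

```powershell
# Added defender-side audit script; not part of the original post.
# Assumptions: run as an administrator on the Windows host being audited, in a
# 64-bit PowerShell session; task definitions live in the default location
# $env:SystemRoot\System32\Tasks. Function and variable names are this example's own.
#
# The script reports:
#   1. scheduled tasks whose action is a <ComHandler> and whose trigger is a <LogonTrigger>,
#   2. for each such CLSID (and for every CLSID registered under HKCU) whether a per-user
#      server key shadows a machine-wide one, which is the state a COM hijack leaves behind.

$TaskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
$TaskNs   = 'http://schemas.microsoft.com/windows/2004/02/mit/task'

# Walk the task XML files and keep those that pair a ComHandler action with a LogonTrigger.
function Get-ComHandlerLogonTasks {
    Get-ChildItem -Path $TaskRoot -Recurse -File | ForEach-Object {
        try { [xml]$xml = Get-Content -Path $_.FullName -Raw -ErrorAction Stop } catch { return }
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('t', $TaskNs)
        $classId = $xml.SelectSingleNode('/t:Task/t:Actions/t:ComHandler/t:ClassId', $ns)
        $logon   = $xml.SelectSingleNode('/t:Task/t:Triggers/t:LogonTrigger', $ns)
        if ($classId -and $logon) {
            [pscustomobject]@{
                Task  = $_.FullName.Substring($TaskRoot.Length)
                ClsId = $classId.InnerText.Trim()
            }
        }
    }
}

# Return the server path (if any) registered for a CLSID in one hive, checking the
# in-process and out-of-process server keys in both the native and WOW6432Node views.
function Get-ClsidServer {
    param([string]$Hive, [string]$ClsId)
    foreach ($view in 'CLSID', 'WOW6432Node\CLSID') {
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            $key = "Registry::$Hive\SOFTWARE\Classes\$view\$ClsId\$kind"
            if (Test-Path -Path $key) {
                $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
                if ($props -and $props.'(default)') { return $props.'(default)' }
            }
        }
    }
    return $null
}

# A CLSID is "shadowed" when HKCU carries its own server for a class that HKLM also
# serves: the per-user entry wins, so a logon-time load goes to the user-writable path.
function Test-ClsidShadowed {
    param([string]$ClsId)
    $machine = Get-ClsidServer -Hive 'HKEY_LOCAL_MACHINE' -ClsId $ClsId
    $user    = Get-ClsidServer -Hive 'HKEY_CURRENT_USER'  -ClsId $ClsId
    [pscustomobject]@{
        ClsId    = $ClsId
        Machine  = $machine
        User     = $user
        Shadowed = [bool]($machine -and $user)
    }
}

# Sweep every CLSID that has a key under HKCU, independent of scheduled tasks.
function Get-UserClsidOverrides {
    foreach ($view in 'CLSID', 'WOW6432Node\CLSID') {
        $path = "Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\$view"
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path | ForEach-Object {
            $r = Test-ClsidShadowed -ClsId $_.PSChildName
            if ($r.Shadowed) { $r }
        }
    }
}

Write-Host '== Logon-triggered tasks that run a COM handler =='
$taskFindings = foreach ($t in Get-ComHandlerLogonTasks) {
    $r = Test-ClsidShadowed -ClsId $t.ClsId
    [pscustomobject]@{
        Task     = $t.Task
        ClsId    = $t.ClsId
        Machine  = $r.Machine
        User     = $r.User
        Shadowed = $r.Shadowed
    }
}
$taskFindings | Sort-Object Shadowed -Descending | Format-Table -AutoSize

Write-Host '== CLSIDs whose HKCU server shadows an HKLM server =='
Get-UserClsidOverrides | Format-Table -AutoSize
```

A row with Shadowed = True is a lead, not a verdict: some software legitimately registers per-user classes. Compare the User path against the Machine path, check whether the user-side file is signed and where it lives (a DLL under a profile or temp directory is far more suspicious than one under Program Files), and, because the script only inspects the current user's hive, run it in each interactive user's context or load the other users' NTUSER.DAT hives before concluding the host is clean.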