4 COM/DCOM Basics - Terms COM Interface A set of methods with defined binary layout COM Object An instance of a COM Class COM Component (COM Server) PE file with one or more COM Classes DLL Class Class Instance COM Class Implements one or more COM Interfaces
5 COM/DCOM Basics – IN- and OUT-of-process COM Server IN-process OUT-OF-process DLL Class Instance 1 Instance 2 Client Process Server Process Proxy to Instance 1 Instance 1 Stub marshal unmarshal
7 COM/DCOM Basics – Invocation same host Client Application SCM 1. Request with CLSID Registry 2. Lookup in registry COM Object Server process 3. Instantiates COM Object 4. Passes pointer to Object 5. Call COM Method (default) %SystemRoot%\System32\RtCOM64.dll
11 COM/DCOM Tools & API – Instance Creation CoInitializeEx() CoCreateInstance() Initialize COM for the thread (put it into the apartment of given type) Create an instance of a given class and return a requested interface pointer to the new object. CoGetClassObject() CLSCTX_INPROC_SERVER CLSCTX_LOCAL_SERVER CLSCTX_REMOTE_SERVER Context Trying to get a pointer to IClassFactory interface ClassFactoryObject -> CreateInstance()
12 COM/DCOM Tools & API – Instance Creation CoGetClassObject(rclsid, dwClsContext, pServerInfo, riid, ppv) DLL EXE Service 1. Locate CLSID in HKEY_CLASSES_ROOT 2. Load DLL from InprocServer32 key CoLoadLibrary() 3. Call GetProcAddress() for DllGetClassObject() 4. Call DllGetClassObject() 5. Return Class Factory to caller 1. Locate CLSID in a global table that maps CLSID to its associated Class Factory. This map is managed by DCOMLaunch (hosted in svchost.exe) 2. If not found, locate CLSID in HKEY_CLASSES_ROOT 3. Launch executable from LocalServer32 key where Command Line is stored. DCOMLaunch uses CreateProcess() 4. Created process registers itself in the DCOMLaunch table by calling CoRegisterClassObject() 5. Once registered, client receives a proxy object to the class factory 1. Locate CLSID in a global table that maps CLSID to its associated Class Factory. This map is managed by DCOMLaunch (hosted in svchost.exe) 2. If not found, locate CLSID in HKEY_CLASSES_ROOT 3. Launch executable from AppID key where Launch permissions and service name is stored. DCOMLaunch contacts SCM 4. Created process registers itself in the DCOMLaunch table by calling CoRegisterClassObject() 5. Once registered, client receives a proxy object to the class factory
The per-user class registration data in HKCU\SOFTWARE\Classes mapped to %SYSTEMROOT%\AppData\Local\Microsoft\Windows\Usrclass.dat 19 COM/DCOM – Attacks: COM Hijacking HKEY_CLASSES_ROOT Systemwide class registration data in HKLM\SOFTWARE\Classes = +
kitachan_black
kentaroy47
javiergs
yumulab
hidetoshimatsui
niryuu
tomoyanonymous
ssryuki
icttitech
lndata01
scottboms
frogandcode
jrom
jennybc
tammielis
cromwellryan
bcantrill
eileencodes
palkan
jasonvnalue
ammeep
dotmariusz