COM (Component Object Model)

PreviousLiving off the Land Binaries (LOLBins)NextKey Email Headers for SOC Analysts and DFIR

Last updated 5 months ago

COM (Component Object Model)

What is COM

COM (Component Object Model) is a Microsoft-developed framework that allows different software components to interact and communicate with each other within the Windows operating system. It enables inter-process communication and dynamic object creation in various programming languages For example, a program can use COM to control another application or access system features

Think of it as a bridge that lets software reuse code (e.g., DLLs) instead of rewriting everything from scratch

Library Perspective:
- COM objects (the components) are often implemented as DLL files.
- These DLLs are loaded and used by processes at runtime, so in this sense, COM provides reusable libraries.
API Perspective:
- COM provides a way for software to interact with these components using well-defined interfaces (APIs).
- Developers write code that calls COM interfaces, making it act like an API to the application
Who Needs COM?
- Processes: Applications or system services that need to interact with external components, such as a shared library or another program.
- Developers: To create modular and reusable components that can be used across multiple programs.
When an application needs to COM :
- Reuse existing functionality: For example, a Word document can be embedded into a PowerPoint slide via a COM object.
- Interact with system-level features: For example, PowerShell scripts can use COM to interact with file dialogs, Windows Explorer, or other Windows features.
- Achieve modularity: COM allows different components to work together seamlessly, even if they're written in different programming languages.

Key Components of COM

1- Object :

is the central component of COM. It is what makes the COM framework functional
Object Purpose: Each object provides a set of methods (functions) that can be called
For example:
- The Excel.Application COM object provides an interface for creating or manipulating Excel spreadsheets.
- The Shell.Application COM object allows interaction with Windows
- The cripting.FileSystemObject: Manages files and directories
method : in a COM object is a function or action that the object exposes for use by other applications or processes. Methods define what the object can do, such as creating files, running scripts, opening a dialog, or interacting with a specific part of the system
For example:
- The Shell.Application COM object has a method called ShellExecute(), which allows an application to execute commands or open files.
- The Excel.Application COM object has methods like Workbooks.Open() to open an Excel file.
How to Discover Methods in a COM Object
- PowerShell can be used to discover methods dynamically.
- Example:
  $shell = New-Object -ComObject Shell.Application $shell | Get-Member

2- CLSID (Class Identifier):

A unique identifier for a COM class, stored in the Windows Registry.
Example: {D2E7041B-2927-42FB-8E9F-7CE93B6DC937}
It's like a phone number for a specific COM object so Windows knows where to find it.
Where is it Stored ?
- CLSIDs are stored in the Windows Registry under:
  HKLM\SOFTWARE\Classes\CLSID\{CLSID}

3- ProgID (Programmatic Identifier):

A readable alias for a CLSID, such as Word.Application. Windows translates this to the CLSID

4- InProcServer32:

A registry key under the CLSID entry that tells Windows:
- Where to find the DLL for the COM component.
- For example:
  HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32

This key might contain:

C:\Windows\System32\example.dll

Here’s a list of popular COM objects and their methods, along with examples of how they are used. This will help you understand the real-world importance of these COM objects.

1. Shell.Application

This COM object is used to interact with the Windows shell, including Explorer windows and file management.

Common Methods:

Open(path): Opens a folder in Windows Explorer.
Explore(path): Opens a folder in "explore" mode.
ShellExecute(file, params, directory, operation, show): Executes a program or file.
BrowseForFolder(hwnd, title, options, root): Opens a folder-browsing dialog.

2. WScript.Shell

This COM object is often used in scripting for running commands, setting environment variables, or interacting with the Windows desktop.

Common Methods:

Run(command, windowStyle, waitOnReturn): Runs a command or application.
Popup(message, timeout, title, type): Displays a popup message box.
RegRead(key): Reads a registry value.
RegWrite(key, value, type): Writes a value to the registry.
RegDelete(key): Deletes a registry key.

3. MMC20.Application

This COM object is associated with the Microsoft Management Console (MMC), used to manage administrative tools.

Common Methods:

ExecuteShellCommand(command, args, directory, options): Executes a shell command.
Document.Save(): Saves the current MMC document.

Classes, Objects, and Methods in COM

Class: In COM, a class is defined by a CLSID (Class Identifier), which uniquely identifies the functionality or service provided by the component. Think of it as a "blueprint" for creating objects.
Object: An object is an instance of a class, created when a program requests a specific COM class via its CLSID or ProgID. This is what the application interacts with to use the functionality provided by the class.
Method: Methods are the functions provided by a COM object that allow interaction. For example, if you use a COM object for Microsoft Excel, it may provide methods like OpenWorkbook or SaveWorkbook. These are the actions you can perform on or with the object.

Comparison to Python

Python Class:

class MyClass:
    def my_method(self):
        print("Method called")

Python Object:

obj = MyClass()  # Creating an instance
obj.my_method()  # Calling a method

Example of COM Objects and Methods

1.COM Object for Internet Explorer (Shell.Application):

Purpose: Automates shell interactions (like opening a folder or file).
Methods:
- Open: Opens a folder.
- ShellExecute: Executes a file.

$shell = New-Object -ComObject Shell.Application
$shell.ShellExecute('notepad.exe')

2.Microsoft Excel COM Object (Excel.Application):

Purpose: Interacts with Excel, creating spreadsheets programmatically.
Methods:
- Add: Creates a new workbook.
- SaveAs: Saves the workbook.

$excel = New-Object -ComObject Excel.Application
$workbook = $excel.Workbooks.Add()
$workbook.SaveAs("C:\temp\example.xlsx")
$excel.Quit()

3.Internet Explorer Automation

COM Object: InternetExplorer.Application
Purpose: Automates interactions with Internet Explorer.
Methods:
- Navigate: Loads a webpage.
- Quit: Closes the Internet Explorer instance.

Example: Open a webpage and automate browsing.

# Create an Internet Explorer COM object
$ie = New-Object -ComObject InternetExplorer.Application

# Set it to visible
$ie.Visible = $true

# Navigate to a website
$ie.Navigate("https://example.com")

# Wait for the page to load completely
while ($ie.Busy) { Start-Sleep -Seconds 1 }

# Close the browser
$ie.Quit()

When Does a Process Use COM Methods or Objects ?

Two Common Scenarios:

Explicit Usage by Applications:
- An application explicitly creates a COM object and calls its methods. This is typically triggered by user actions or automated scripts.
- Example: A macro in Excel uses the Excel.Application COM object to manipulate spreadsheets
System Processes or Services:
- System processes (e.g., dllhost.exe, svchost.exe) automatically interact with COM objects when needed. This is often part of Windows' internal operations.
- Example: ShellWindows is invoked by the system to manage file explorer windows

Who Triggers the Usage ?

User: If a user runs a script or program that calls a COM object.
Process: If a process requires a COM object to function (e.g., an antivirus program calling WMI to gather system information).

How it works

The Setup:
- During installation, an application registers its COM objects with the Windows Registry.
- For each COM object, the system stores its CLSID (unique ID) and the path to the associated DLL in the registry.
When a COM object is requested or a Process Needs a COM Object for opening a file dialog or execute command as example : 1- Windows looks up the CLSID in the registry. 2- Finds the InProcServer32 key. 3- Loads the DLL specified in InProcServer32 into memory and gives the process access to the COM object’s functionality.

for another example

Program Needs a COM Object:
1- A program says, "I need COM object X" (using the CLSID).
Windows Finds the CLSID:
2- Windows searches the registry for the CLSID.
Windows Loads the DLL:
3- It reads the InProcServer32 key under the CLSID to find the DLL file.
4- Loads that DLL into memory so the program can use it.

Example (Real-World Analogy)

COM: A library where books (tools) are stored.
CLSID: The unique ID number for a book in the library catalog.
InProcServer32: The shelf location in the library where the book is kept.

Key Points:

The process/user doesn’t directly load the DLL; it only asks for the COM object.
Windows handles the DLL loading by referencing the InProcServer32 registry key.
The process interacts with the COM object’s methods once the DLL is loaded

How Attackers Abuse COM

Attackers exploit COM’s integration with Windows to gain persistence, escalate privileges, and evade detection.

1. Persistence and privilege escalation and Evasion of Detection Through COM Hijacking

What Happens:
- Attackers change the InProcServer32 registry key for a CLSID to point to a malicious DLL instead of legitimate DLL
- When the COM object is used, the malicious DLL executes.
Example:
- Original key: C:\Windows\System32\legit.dll
- Changed to: C:\Users\Attacker\evil.dll

explanation : when InProcServer32 locate the location of Original key: C:\Windows\System32\legit.dll , it will find the malicious DLL in the location of legitimate DLL when the malicious DLL loaded into the process therefore the attacker will get shell over the system

Here a real example , that is the legitimate DLL under the InProcServer32 subkey

Here the attacker Hijack the DLL by putting the malicious DLL

Real Example: Automating Microsoft Excel with COM

Scenario:

A script or program wants to open an Excel file, edit its contents, and save it without requiring user interaction.

Step-by-Step Process

The Process Requests the Object: A script (e.g., PowerShell) requests the Excel.Application COM object.
Registry Lookup: Windows looks for the Excel.Application ProgID in the Registry to find the CLSID.
- ProgID: Excel.Application
- CLSID: {00024500-0000-0000-C000-000000000046}
Load the DLL: The CLSID registry entry contains the InProcServer32 key, which points to the DLL implementing the Excel COM object.
- InProcServer32 Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Excel Application Loads: The requested COM object is instantiated, allowing the script to control Excel.
Interaction with the Object’s Methods: The script uses methods like Workbooks.Open, Cells.Value, and Save to interact with Excel.

PowerShell Script Example:

# Create the Excel COM object
$excel = New-Object -ComObject Excel.Application

# Make Excel visible (optional)
$excel.Visible = $true

# Open an existing workbook
$workbook = $excel.Workbooks.Open("C:\Temp\example.xlsx")

# Write data to a specific cell
$worksheet = $workbook.Sheets.Item(1)
$worksheet.Cells.Item(1, 1).Value = "Hello, COM!"

# Save and close the workbook
$workbook.Save()
$workbook.Close()

# Quit the Excel application
$excel.Quit()

Write-Host "Excel automation completed successfully!"

What Happens Under the Hood:

Excel Process Starts: The Excel.Application COM object launches EXCEL.EXE in the background (or foreground, if visible).
The Script Controls Excel:
- Object: The Excel.Application object is the main entry point.
- Methods: Methods like Workbooks.Open and Cells.Value are used to perform actions.
DLL is Used for Functionality: The InProcServer32 DLL for Excel handles all interactions

Attackers’ Abuse:

Attackers might:

Hijack the COM Object: Modify the InProcServer32 registry key for Excel.Application to load a malicious DLL.
Execute Malicious Code: When a legitimate program or user tries to automate Excel, the malicious DLL executes instead.
Persistence Mechanism: Use Excel COM objects in startup scripts to maintain access.

PreviousLiving off the Land Binaries (LOLBins)NextKey Email Headers for SOC Analysts and DFIR

Last updated 5 months ago

What is COM

Think of it as a bridge that lets software reuse code (e.g., DLLs) instead of rewriting everything from scratch

Library Perspective:
- COM objects (the components) are often implemented as DLL files.
- These DLLs are loaded and used by processes at runtime, so in this sense, COM provides reusable libraries.
API Perspective:
- COM provides a way for software to interact with these components using well-defined interfaces (APIs).
- Developers write code that calls COM interfaces, making it act like an API to the application
Who Needs COM?
- Processes: Applications or system services that need to interact with external components, such as a shared library or another program.
- Developers: To create modular and reusable components that can be used across multiple programs.
When an application needs to COM :
- Reuse existing functionality: For example, a Word document can be embedded into a PowerPoint slide via a COM object.
- Interact with system-level features: For example, PowerShell scripts can use COM to interact with file dialogs, Windows Explorer, or other Windows features.
- Achieve modularity: COM allows different components to work together seamlessly, even if they're written in different programming languages.

Key Components of COM

1- Object :

is the central component of COM. It is what makes the COM framework functional
Object Purpose: Each object provides a set of methods (functions) that can be called
For example:
- The Excel.Application COM object provides an interface for creating or manipulating Excel spreadsheets.
- The Shell.Application COM object allows interaction with Windows
- The cripting.FileSystemObject: Manages files and directories
method : in a COM object is a function or action that the object exposes for use by other applications or processes. Methods define what the object can do, such as creating files, running scripts, opening a dialog, or interacting with a specific part of the system
For example:
- The Shell.Application COM object has a method called ShellExecute(), which allows an application to execute commands or open files.
- The Excel.Application COM object has methods like Workbooks.Open() to open an Excel file.
How to Discover Methods in a COM Object
- PowerShell can be used to discover methods dynamically.
- Example:
  $shell = New-Object -ComObject Shell.Application $shell | Get-Member

2- CLSID (Class Identifier):

A unique identifier for a COM class, stored in the Windows Registry.
Example: {D2E7041B-2927-42FB-8E9F-7CE93B6DC937}
It's like a phone number for a specific COM object so Windows knows where to find it.
Where is it Stored ?
- CLSIDs are stored in the Windows Registry under:
  HKLM\SOFTWARE\Classes\CLSID\{CLSID}

3- ProgID (Programmatic Identifier):

A readable alias for a CLSID, such as Word.Application. Windows translates this to the CLSID

4- InProcServer32:

A registry key under the CLSID entry that tells Windows:
- Where to find the DLL for the COM component.
- For example:
  HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32

This key might contain:

C:\Windows\System32\example.dll

Here’s a list of popular COM objects and their methods, along with examples of how they are used. This will help you understand the real-world importance of these COM objects.

1. Shell.Application

This COM object is used to interact with the Windows shell, including Explorer windows and file management.

Common Methods:

Open(path): Opens a folder in Windows Explorer.
Explore(path): Opens a folder in "explore" mode.
ShellExecute(file, params, directory, operation, show): Executes a program or file.
BrowseForFolder(hwnd, title, options, root): Opens a folder-browsing dialog.

2. WScript.Shell

This COM object is often used in scripting for running commands, setting environment variables, or interacting with the Windows desktop.

Common Methods:

Run(command, windowStyle, waitOnReturn): Runs a command or application.
Popup(message, timeout, title, type): Displays a popup message box.
RegRead(key): Reads a registry value.
RegWrite(key, value, type): Writes a value to the registry.
RegDelete(key): Deletes a registry key.

3. MMC20.Application

This COM object is associated with the Microsoft Management Console (MMC), used to manage administrative tools.

Common Methods:

ExecuteShellCommand(command, args, directory, options): Executes a shell command.
Document.Save(): Saves the current MMC document.

Classes, Objects, and Methods in COM

Class: In COM, a class is defined by a CLSID (Class Identifier), which uniquely identifies the functionality or service provided by the component. Think of it as a "blueprint" for creating objects.
Object: An object is an instance of a class, created when a program requests a specific COM class via its CLSID or ProgID. This is what the application interacts with to use the functionality provided by the class.
Method: Methods are the functions provided by a COM object that allow interaction. For example, if you use a COM object for Microsoft Excel, it may provide methods like OpenWorkbook or SaveWorkbook. These are the actions you can perform on or with the object.

Comparison to Python

Python Class:

class MyClass:
    def my_method(self):
        print("Method called")

Python Object:

obj = MyClass()  # Creating an instance
obj.my_method()  # Calling a method

Example of COM Objects and Methods

1.COM Object for Internet Explorer (Shell.Application):

Purpose: Automates shell interactions (like opening a folder or file).
Methods:
- Open: Opens a folder.
- ShellExecute: Executes a file.

$shell = New-Object -ComObject Shell.Application
$shell.ShellExecute('notepad.exe')

2.Microsoft Excel COM Object (Excel.Application):

Purpose: Interacts with Excel, creating spreadsheets programmatically.
Methods:
- Add: Creates a new workbook.
- SaveAs: Saves the workbook.

$excel = New-Object -ComObject Excel.Application
$workbook = $excel.Workbooks.Add()
$workbook.SaveAs("C:\temp\example.xlsx")
$excel.Quit()

3.Internet Explorer Automation

COM Object: InternetExplorer.Application
Purpose: Automates interactions with Internet Explorer.
Methods:
- Navigate: Loads a webpage.
- Quit: Closes the Internet Explorer instance.

Example: Open a webpage and automate browsing.

# Create an Internet Explorer COM object
$ie = New-Object -ComObject InternetExplorer.Application

# Set it to visible
$ie.Visible = $true

# Navigate to a website
$ie.Navigate("https://example.com")

# Wait for the page to load completely
while ($ie.Busy) { Start-Sleep -Seconds 1 }

# Close the browser
$ie.Quit()

When Does a Process Use COM Methods or Objects ?

Two Common Scenarios:

Explicit Usage by Applications:
- An application explicitly creates a COM object and calls its methods. This is typically triggered by user actions or automated scripts.
- Example: A macro in Excel uses the Excel.Application COM object to manipulate spreadsheets
System Processes or Services:
- System processes (e.g., dllhost.exe, svchost.exe) automatically interact with COM objects when needed. This is often part of Windows' internal operations.
- Example: ShellWindows is invoked by the system to manage file explorer windows

Who Triggers the Usage ?

User: If a user runs a script or program that calls a COM object.
Process: If a process requires a COM object to function (e.g., an antivirus program calling WMI to gather system information).

How it works

The Setup:
- During installation, an application registers its COM objects with the Windows Registry.
- For each COM object, the system stores its CLSID (unique ID) and the path to the associated DLL in the registry.
When a COM object is requested or a Process Needs a COM Object for opening a file dialog or execute command as example : 1- Windows looks up the CLSID in the registry. 2- Finds the InProcServer32 key. 3- Loads the DLL specified in InProcServer32 into memory and gives the process access to the COM object’s functionality.

for another example

Program Needs a COM Object:
1- A program says, "I need COM object X" (using the CLSID).
Windows Finds the CLSID:
2- Windows searches the registry for the CLSID.
Windows Loads the DLL:
3- It reads the InProcServer32 key under the CLSID to find the DLL file.
4- Loads that DLL into memory so the program can use it.

Example (Real-World Analogy)

COM: A library where books (tools) are stored.
CLSID: The unique ID number for a book in the library catalog.
InProcServer32: The shelf location in the library where the book is kept.

Key Points:

The process/user doesn’t directly load the DLL; it only asks for the COM object.
Windows handles the DLL loading by referencing the InProcServer32 registry key.
The process interacts with the COM object’s methods once the DLL is loaded

How Attackers Abuse COM

Attackers exploit COM’s integration with Windows to gain persistence, escalate privileges, and evade detection.

1. Persistence and privilege escalation and Evasion of Detection Through COM Hijacking

What Happens:
- Attackers change the InProcServer32 registry key for a CLSID to point to a malicious DLL instead of legitimate DLL
- When the COM object is used, the malicious DLL executes.
Example:
- Original key: C:\Windows\System32\legit.dll
- Changed to: C:\Users\Attacker\evil.dll

Here a real example , that is the legitimate DLL under the InProcServer32 subkey

Here the attacker Hijack the DLL by putting the malicious DLL

Real Example: Automating Microsoft Excel with COM

Scenario:

A script or program wants to open an Excel file, edit its contents, and save it without requiring user interaction.

Step-by-Step Process

The Process Requests the Object: A script (e.g., PowerShell) requests the Excel.Application COM object.
Registry Lookup: Windows looks for the Excel.Application ProgID in the Registry to find the CLSID.
- ProgID: Excel.Application
- CLSID: {00024500-0000-0000-C000-000000000046}
Load the DLL: The CLSID registry entry contains the InProcServer32 key, which points to the DLL implementing the Excel COM object.
- InProcServer32 Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Excel Application Loads: The requested COM object is instantiated, allowing the script to control Excel.
Interaction with the Object’s Methods: The script uses methods like Workbooks.Open, Cells.Value, and Save to interact with Excel.

PowerShell Script Example:

# Create the Excel COM object
$excel = New-Object -ComObject Excel.Application

# Make Excel visible (optional)
$excel.Visible = $true

# Open an existing workbook
$workbook = $excel.Workbooks.Open("C:\Temp\example.xlsx")

# Write data to a specific cell
$worksheet = $workbook.Sheets.Item(1)
$worksheet.Cells.Item(1, 1).Value = "Hello, COM!"

# Save and close the workbook
$workbook.Save()
$workbook.Close()

# Quit the Excel application
$excel.Quit()

Write-Host "Excel automation completed successfully!"

What Happens Under the Hood:

Excel Process Starts: The Excel.Application COM object launches EXCEL.EXE in the background (or foreground, if visible).
The Script Controls Excel:
- Object: The Excel.Application object is the main entry point.
- Methods: Methods like Workbooks.Open and Cells.Value are used to perform actions.
DLL is Used for Functionality: The InProcServer32 DLL for Excel handles all interactions

Attackers’ Abuse:

Attackers might:

Hijack the COM Object: Modify the InProcServer32 registry key for Excel.Application to load a malicious DLL.
Execute Malicious Code: When a legitimate program or user tries to automate Excel, the malicious DLL executes instead.
Persistence Mechanism: Use Excel COM objects in startup scripts to maintain access.