# COM (Component Object Model)
## What is COM
**COM (Component Object Model)** is a Microsoft-developed framework that allows different software components to interact and communicate with each other within the Windows operating system. It enables inter-process communication and dynamic object creation in various programming languages For example, a program can use COM to control another application or access system features
Think of it as a **bridge** that lets software reuse code (e.g., DLLs) instead of rewriting everything from scratch
* **Library Perspective:**
* COM objects (the components) are often implemented as **DLL files**.
* These DLLs are loaded and used by processes at runtime, so in this sense, COM provides reusable libraries.
* **API Perspective:**
* COM provides a way for software to interact with these components using **well-defined interfaces** (APIs).
* Developers write code that calls COM interfaces, making it act like an API to the application
* **Who Needs COM?**
* **Processes:** Applications or system services that need to interact with external components, such as a shared library or another program.
* **Developers:** To create modular and reusable components that can be used across multiple programs.
* When an application needs to COM :
* **Reuse existing functionality**: For example, a Word document can be embedded into a PowerPoint slide via a COM object.
* **Interact with system-level features**: For example, PowerShell scripts can use COM to interact with file dialogs, Windows Explorer, or other Windows features.
* **Achieve modularity**: COM allows different components to work together seamlessly, even if they're written in different programming languages.
## **Key Components of** COM
1- **Object** :
* is the central **component of COM**. It is what makes the COM framework functional
* **Object Purpose**: Each object provides a set of methods (functions) that can be called
\
For example:
* The **`Excel.Application` COM object** provides an interface for creating or manipulating Excel spreadsheets.
* The **`Shell.Application` COM object** allows interaction with Windows
* **`The cripting.FileSystemObject`**: Manages files and directories
* **method :** \
\
in a COM object is a **function** or **action** that the object exposes for use by other applications or processes. Methods define **what the object can do**, such as creating files, running scripts, opening a dialog, or interacting with a specific part of the system
\
For example:
* The **`Shell.Application`** COM object has a method called `ShellExecute()`, which allows an application to execute commands or open files.
* The **`Excel.Application`** COM object has methods like `Workbooks.Open()` to open an Excel file.
* How to Discover Methods in a COM Object
* PowerShell can be used to discover methods dynamically.
* Example:
```
$shell = New-Object -ComObject Shell.Application
$shell | Get-Member
```
#### **2- CLSID (Class Identifier):**
* A unique identifier for a COM class, stored in the Windows Registry.
* Example: `{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}`
* It's like a **phone number** for a specific COM object so Windows knows where to find it.
**Where is it Stored ?**
* CLSIDs are stored in the Windows Registry under:
```
HKLM\SOFTWARE\Classes\CLSID\{CLSID}
```
#### **3- ProgID (Programmatic Identifier):**
* A readable alias for a CLSID, such as `Word.Application`. Windows translates this to the CLSID
**4- InProcServer32:**
* A **registry key** under the CLSID entry that tells Windows:
* **Where to find the DLL** for the COM component.
* For example:
```
HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32
```
This key might contain:
```
C:\Windows\System32\example.dll
```
Here’s a list of **popular COM objects** and their **methods**, along with examples of how they are used. This will help you understand the **real-world importance of these COM objects**.
#### **1. Shell.Application**
* This COM object is used to interact with the Windows shell, including Explorer windows and file management.
#### **Common Methods:**
* **`Open(path)`**: Opens a folder in Windows Explorer.
* **`Explore(path)`**: Opens a folder in "explore" mode.
* **`ShellExecute(file, params, directory, operation, show)`**: Executes a program or file.
* **`BrowseForFolder(hwnd, title, options, root)`**: Opens a folder-browsing dialog.
### **2. WScript.Shell**
This COM object is often used in scripting for running commands, setting environment variables, or interacting with the Windows desktop.
#### **Common Methods:**
* **`Run(command, windowStyle, waitOnReturn)`**: Runs a command or application.
* **`Popup(message, timeout, title, type)`**: Displays a popup message box.
* **`RegRead(key)`**: Reads a registry value.
* **`RegWrite(key, value, type)`**: Writes a value to the registry.
* **`RegDelete(key)`**: Deletes a registry key.
### **3. MMC20.Application**
This COM object is associated with the **Microsoft Management Console (MMC)**, used to manage administrative tools.
#### **Common Methods:**
* **`ExecuteShellCommand(command, args, directory, options)`**: Executes a shell command.
* **`Document.Save()`**: Saves the current MMC document.
#### Classes, Objects, and Methods in COM
* **Class:**\
In COM, a class is defined by a CLSID (Class Identifier), which uniquely identifies the functionality or service provided by the component. Think of it as a "blueprint" for creating objects.
* **Object:**\
An object is an instance of a class, created when a program requests a specific COM class via its CLSID or ProgID. This is what the application interacts with to use the functionality provided by the class.
* **Method:**\
Methods are the functions provided by a COM object that allow interaction. For example, if you use a COM object for Microsoft Excel, it may provide methods like `OpenWorkbook` or `SaveWorkbook`. These are the actions you can perform on or with the object.
#### Comparison to Python
**Python Class:**
```
class MyClass:
def my_method(self):
print("Method called")
```
**Python Object:**
```
obj = MyClass() # Creating an instance
obj.my_method() # Calling a method
```
#### **Example of COM Objects and Methods**
**1.COM Object for Internet Explorer (`Shell.Application`):**
* **Purpose:** Automates shell interactions (like opening a folder or file).
* **Methods:**
* `Open`: Opens a folder.
* `ShellExecute`: Executes a file.
```
$shell = New-Object -ComObject Shell.Application
$shell.ShellExecute('notepad.exe')
```
**2.Microsoft Excel COM Object (`Excel.Application`):**
* **Purpose:** Interacts with Excel, creating spreadsheets programmatically.
* **Methods:**
* `Add`: Creates a new workbook.
* `SaveAs`: Saves the workbook.
```
$excel = New-Object -ComObject Excel.Application
$workbook = $excel.Workbooks.Add()
$workbook.SaveAs("C:\temp\example.xlsx")
$excel.Quit()
```
#### **3.Internet Explorer Automation**
* **COM Object:** `InternetExplorer.Application`
* **Purpose:** Automates interactions with Internet Explorer.
* **Methods:**
* `Navigate`: Loads a webpage.
* `Quit`: Closes the Internet Explorer instance.
**Example:**\
Open a webpage and automate browsing.
```
# Create an Internet Explorer COM object
$ie = New-Object -ComObject InternetExplorer.Application
# Set it to visible
$ie.Visible = $true
# Navigate to a website
$ie.Navigate("https://example.com")
# Wait for the page to load completely
while ($ie.Busy) { Start-Sleep -Seconds 1 }
# Close the browser
$ie.Quit()
```
### When Does a Process Use COM Methods or Objects ?
**Two Common Scenarios:**
1. **Explicit Usage by Applications:**
* An application explicitly creates a COM object and calls its methods. This is typically triggered by **user actions** or automated scripts.
* Example: A macro in Excel uses the `Excel.Application` COM object to manipulate spreadsheets
2. **System Processes or Services:**
* System processes (e.g., `dllhost.exe`, `svchost.exe`) automatically interact with COM objects when needed. This is often part of Windows' internal operations.
* Example: `ShellWindows` is invoked by the system to manage file explorer windows
### **Who Triggers the Usage ?**
* **User**: If a user runs a script or program that calls a COM object.
* **Process**: If a process requires a COM object to function (e.g., an antivirus program calling `WMI` to gather system information).
### How it works
* **The Setup:**
* During installation, an application registers its COM objects with the Windows Registry.
* For each COM object, the system stores its **CLSID** (unique ID) and the path to the associated DLL in the registry.
* When a COM object is requested or a Process Needs a COM Object for opening a file dialog or execute command as example **:**\
\
1- Windows looks up the CLSID in the registry.\
2- Finds the InProcServer32 key.\
3- Loads the DLL specified in InProcServer32 into memory and gives the process access to the COM object’s functionality.
for another example
* **Program Needs a COM Object**:
1- A program says, "I need COM object X" (using the CLSID).
* **Windows Finds the CLSID**:
2- Windows searches the registry for the CLSID.
* **Windows Loads the DLL**:
3- It reads the `InProcServer32` key under the CLSID to find the DLL file.
4- Loads that DLL into memory so the program can use it.
#### **Example (Real-World Analogy)**
* **COM**: A library where books (tools) are stored.
* **CLSID**: The unique ID number for a book in the library catalog.
* **InProcServer32**: The shelf location in the library where the book is kept.
#### **Key Points:**
* The **process/user doesn’t directly load the DLL**; it only asks for the COM object.
* **Windows handles the DLL loading** by referencing the `InProcServer32` registry key.
* The process interacts with the **COM object’s methods** once the DLL is loaded
### **How Attackers Abuse COM**
#### Attackers exploit COM’s integration with Windows to gain persistence, escalate privileges, and evade detection.
**1. Persistence and privilege escalation and Evasion of Detection Through COM Hijacking**
* **What Happens:**
* Attackers change the `InProcServer32` registry key for a CLSID to point to a malicious DLL instead of legitimate DLL
* When the COM object is used, the malicious DLL executes.
* **Example:**
* Original key: `C:\Windows\System32\legit.dll`
* Changed to: `C:\Users\Attacker\evil.dll`
explanation : when `InProcServer32` locate the location of Original key: `C:\Windows\System32\legit.dll ,` it will find the malicious DLL in the location of legitimate DLL when the malicious DLL loaded into the process therefore the attacker will get shell over the system
Here a real example , that is the legitimate DLL under the `InProcServer32 subkey`
Here the attacker **Hijack the DLL by** putting the malicious DLL
### **Real Example: Automating Microsoft Excel with COM**
**Scenario:**
A script or program wants to open an Excel file, edit its contents, and save it without requiring user interaction.
#### **Step-by-Step Process**
1. **The Process Requests the Object:** A script (e.g., PowerShell) requests the `Excel.Application` COM object.
2. **Registry Lookup:** Windows looks for the `Excel.Application` ProgID in the Registry to find the CLSID.
* **ProgID:** `Excel.Application`
* **CLSID:** `{00024500-0000-0000-C000-000000000046}`
3. **Load the DLL:** The CLSID registry entry contains the `InProcServer32` key, which points to the DLL implementing the Excel COM object.
* **InProcServer32 Path:**\
`C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE`
4. **Excel Application Loads:** The requested COM object is instantiated, allowing the script to control Excel.
5. **Interaction with the Object’s Methods:** The script uses methods like `Workbooks.Open`, `Cells.Value`, and `Save` to interact with Excel.
**PowerShell Script Example:**
```
# Create the Excel COM object
$excel = New-Object -ComObject Excel.Application
# Make Excel visible (optional)
$excel.Visible = $true
# Open an existing workbook
$workbook = $excel.Workbooks.Open("C:\Temp\example.xlsx")
# Write data to a specific cell
$worksheet = $workbook.Sheets.Item(1)
$worksheet.Cells.Item(1, 1).Value = "Hello, COM!"
# Save and close the workbook
$workbook.Save()
$workbook.Close()
# Quit the Excel application
$excel.Quit()
Write-Host "Excel automation completed successfully!"
```
#### **What Happens Under the Hood:**
1. **Excel Process Starts:** The `Excel.Application` COM object launches `EXCEL.EXE` in the background (or foreground, if visible).
2. **The Script Controls Excel:**
* **Object:** The `Excel.Application` object is the main entry point.
* **Methods:** Methods like `Workbooks.Open` and `Cells.Value` are used to perform actions.
3. **DLL is Used for Functionality:** The `InProcServer32` DLL for Excel handles all interactions
#### **Attackers’ Abuse:**
Attackers might:
1. **Hijack the COM Object:** Modify the `InProcServer32` registry key for `Excel.Application` to load a malicious DLL.
2. **Execute Malicious Code:** When a legitimate program or user tries to automate Excel, the malicious DLL executes instead.
3. **Persistence Mechanism:** Use Excel COM objects in startup scripts to maintain access.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://mahmoud-shaker.gitbook.io/dfir-notes/com-component-object-model.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.