COM (Component Object Model)
What is COM
COM (Component Object Model) is a Microsoft-developed framework that allows different software components to interact and communicate with each other within the Windows operating system. It enables inter-process communication and dynamic object creation in various programming languages For example, a program can use COM to control another application or access system features
Think of it as a bridge that lets software reuse code (e.g., DLLs) instead of rewriting everything from scratch
Library Perspective:
COM objects (the components) are often implemented as DLL files.
These DLLs are loaded and used by processes at runtime, so in this sense, COM provides reusable libraries.
API Perspective:
COM provides a way for software to interact with these components using well-defined interfaces (APIs).
Developers write code that calls COM interfaces, making it act like an API to the application
Who Needs COM?
Processes: Applications or system services that need to interact with external components, such as a shared library or another program.
Developers: To create modular and reusable components that can be used across multiple programs.
When an application needs to COM :
Reuse existing functionality: For example, a Word document can be embedded into a PowerPoint slide via a COM object.
Interact with system-level features: For example, PowerShell scripts can use COM to interact with file dialogs, Windows Explorer, or other Windows features.
Achieve modularity: COM allows different components to work together seamlessly, even if they're written in different programming languages.
Key Components of COM
1- Object :
is the central component of COM. It is what makes the COM framework functional
Object Purpose: Each object provides a set of methods (functions) that can be called
For example:
The
Excel.ApplicationCOM object provides an interface for creating or manipulating Excel spreadsheets.The
Shell.ApplicationCOM object allows interaction with WindowsThe cripting.FileSystemObject: Manages files and directories
method : in a COM object is a function or action that the object exposes for use by other applications or processes. Methods define what the object can do, such as creating files, running scripts, opening a dialog, or interacting with a specific part of the system
For example:
The
Shell.ApplicationCOM object has a method calledShellExecute(), which allows an application to execute commands or open files.The
Excel.ApplicationCOM object has methods likeWorkbooks.Open()to open an Excel file.
How to Discover Methods in a COM Object
PowerShell can be used to discover methods dynamically.
Example:
$shell = New-Object -ComObject Shell.Application $shell | Get-Member
2- CLSID (Class Identifier):
A unique identifier for a COM class, stored in the Windows Registry.
Example:
{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}It's like a phone number for a specific COM object so Windows knows where to find it.
Where is it Stored ?
CLSIDs are stored in the Windows Registry under:
HKLM\SOFTWARE\Classes\CLSID\{CLSID}
3- ProgID (Programmatic Identifier):
A readable alias for a CLSID, such as
Word.Application. Windows translates this to the CLSID
4- InProcServer32:
A registry key under the CLSID entry that tells Windows:
Where to find the DLL for the COM component.
For example:
HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32
This key might contain:
C:\Windows\System32\example.dllHere’s a list of popular COM objects and their methods, along with examples of how they are used. This will help you understand the real-world importance of these COM objects.
1. Shell.Application
This COM object is used to interact with the Windows shell, including Explorer windows and file management.
Common Methods:
Open(path): Opens a folder in Windows Explorer.Explore(path): Opens a folder in "explore" mode.ShellExecute(file, params, directory, operation, show): Executes a program or file.BrowseForFolder(hwnd, title, options, root): Opens a folder-browsing dialog.
2. WScript.Shell
This COM object is often used in scripting for running commands, setting environment variables, or interacting with the Windows desktop.
Common Methods:
Run(command, windowStyle, waitOnReturn): Runs a command or application.Popup(message, timeout, title, type): Displays a popup message box.RegRead(key): Reads a registry value.RegWrite(key, value, type): Writes a value to the registry.RegDelete(key): Deletes a registry key.
3. MMC20.Application
This COM object is associated with the Microsoft Management Console (MMC), used to manage administrative tools.
Common Methods:
ExecuteShellCommand(command, args, directory, options): Executes a shell command.Document.Save(): Saves the current MMC document.
Classes, Objects, and Methods in COM
Class: In COM, a class is defined by a CLSID (Class Identifier), which uniquely identifies the functionality or service provided by the component. Think of it as a "blueprint" for creating objects.
Object: An object is an instance of a class, created when a program requests a specific COM class via its CLSID or ProgID. This is what the application interacts with to use the functionality provided by the class.
Method: Methods are the functions provided by a COM object that allow interaction. For example, if you use a COM object for Microsoft Excel, it may provide methods like
OpenWorkbookorSaveWorkbook. These are the actions you can perform on or with the object.
Comparison to Python
Python Class:
class MyClass:
def my_method(self):
print("Method called")Python Object:
obj = MyClass() # Creating an instance
obj.my_method() # Calling a methodExample of COM Objects and Methods
1.COM Object for Internet Explorer (Shell.Application):
Purpose: Automates shell interactions (like opening a folder or file).
Methods:
Open: Opens a folder.ShellExecute: Executes a file.
$shell = New-Object -ComObject Shell.Application
$shell.ShellExecute('notepad.exe')2.Microsoft Excel COM Object (Excel.Application):
Purpose: Interacts with Excel, creating spreadsheets programmatically.
Methods:
Add: Creates a new workbook.SaveAs: Saves the workbook.
$excel = New-Object -ComObject Excel.Application
$workbook = $excel.Workbooks.Add()
$workbook.SaveAs("C:\temp\example.xlsx")
$excel.Quit()3.Internet Explorer Automation
COM Object:
InternetExplorer.ApplicationPurpose: Automates interactions with Internet Explorer.
Methods:
Navigate: Loads a webpage.Quit: Closes the Internet Explorer instance.
Example: Open a webpage and automate browsing.
# Create an Internet Explorer COM object
$ie = New-Object -ComObject InternetExplorer.Application
# Set it to visible
$ie.Visible = $true
# Navigate to a website
$ie.Navigate("https://example.com")
# Wait for the page to load completely
while ($ie.Busy) { Start-Sleep -Seconds 1 }
# Close the browser
$ie.Quit()When Does a Process Use COM Methods or Objects ?
Two Common Scenarios:
Explicit Usage by Applications:
An application explicitly creates a COM object and calls its methods. This is typically triggered by user actions or automated scripts.
Example: A macro in Excel uses the
Excel.ApplicationCOM object to manipulate spreadsheets
System Processes or Services:
System processes (e.g.,
dllhost.exe,svchost.exe) automatically interact with COM objects when needed. This is often part of Windows' internal operations.Example:
ShellWindowsis invoked by the system to manage file explorer windows
Who Triggers the Usage ?
User: If a user runs a script or program that calls a COM object.
Process: If a process requires a COM object to function (e.g., an antivirus program calling
WMIto gather system information).
How it works
The Setup:
During installation, an application registers its COM objects with the Windows Registry.
For each COM object, the system stores its CLSID (unique ID) and the path to the associated DLL in the registry.
When a COM object is requested or a Process Needs a COM Object for opening a file dialog or execute command as example : 1- Windows looks up the CLSID in the registry. 2- Finds the InProcServer32 key. 3- Loads the DLL specified in InProcServer32 into memory and gives the process access to the COM object’s functionality.
for another example
Program Needs a COM Object:
1- A program says, "I need COM object X" (using the CLSID).
Windows Finds the CLSID:
2- Windows searches the registry for the CLSID.
Windows Loads the DLL:
3- It reads the
InProcServer32key under the CLSID to find the DLL file.4- Loads that DLL into memory so the program can use it.
Example (Real-World Analogy)
COM: A library where books (tools) are stored.
CLSID: The unique ID number for a book in the library catalog.
InProcServer32: The shelf location in the library where the book is kept.
Key Points:
The process/user doesn’t directly load the DLL; it only asks for the COM object.
Windows handles the DLL loading by referencing the
InProcServer32registry key.The process interacts with the COM object’s methods once the DLL is loaded
How Attackers Abuse COM
Attackers exploit COM’s integration with Windows to gain persistence, escalate privileges, and evade detection.
1. Persistence and privilege escalation and Evasion of Detection Through COM Hijacking
What Happens:
Attackers change the
InProcServer32registry key for a CLSID to point to a malicious DLL instead of legitimate DLLWhen the COM object is used, the malicious DLL executes.
Example:
Original key:
C:\Windows\System32\legit.dllChanged to:
C:\Users\Attacker\evil.dll
explanation : when InProcServer32 locate the location of Original key: C:\Windows\System32\legit.dll , it will find the malicious DLL in the location of legitimate DLL when the malicious DLL loaded into the process therefore the attacker will get shell over the system
Here a real example , that is the legitimate DLL under the InProcServer32 subkey
Here the attacker Hijack the DLL by putting the malicious DLL
Real Example: Automating Microsoft Excel with COM
Scenario:
A script or program wants to open an Excel file, edit its contents, and save it without requiring user interaction.
Step-by-Step Process
The Process Requests the Object: A script (e.g., PowerShell) requests the
Excel.ApplicationCOM object.Registry Lookup: Windows looks for the
Excel.ApplicationProgID in the Registry to find the CLSID.ProgID:
Excel.ApplicationCLSID:
{00024500-0000-0000-C000-000000000046}
Load the DLL: The CLSID registry entry contains the
InProcServer32key, which points to the DLL implementing the Excel COM object.InProcServer32 Path:
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Excel Application Loads: The requested COM object is instantiated, allowing the script to control Excel.
Interaction with the Object’s Methods: The script uses methods like
Workbooks.Open,Cells.Value, andSaveto interact with Excel.
PowerShell Script Example:
# Create the Excel COM object
$excel = New-Object -ComObject Excel.Application
# Make Excel visible (optional)
$excel.Visible = $true
# Open an existing workbook
$workbook = $excel.Workbooks.Open("C:\Temp\example.xlsx")
# Write data to a specific cell
$worksheet = $workbook.Sheets.Item(1)
$worksheet.Cells.Item(1, 1).Value = "Hello, COM!"
# Save and close the workbook
$workbook.Save()
$workbook.Close()
# Quit the Excel application
$excel.Quit()
Write-Host "Excel automation completed successfully!"
What Happens Under the Hood:
Excel Process Starts: The
Excel.ApplicationCOM object launchesEXCEL.EXEin the background (or foreground, if visible).The Script Controls Excel:
Object: The
Excel.Applicationobject is the main entry point.Methods: Methods like
Workbooks.OpenandCells.Valueare used to perform actions.
DLL is Used for Functionality: The
InProcServer32DLL for Excel handles all interactions
Attackers’ Abuse:
Attackers might:
Hijack the COM Object: Modify the
InProcServer32registry key forExcel.Applicationto load a malicious DLL.Execute Malicious Code: When a legitimate program or user tries to automate Excel, the malicious DLL executes instead.
Persistence Mechanism: Use Excel COM objects in startup scripts to maintain access.
Last updated