COM Hijacking
Overview: The Component Object Model (COM) is a core Windows technology that allows software components (objects) to interact with each other, irrespective of the programming language they were written in. It's fundamental to many Windows functions, including the shell (Explorer), Internet Explorer, and numerous applications. Windows uses the Registry extensively to manage COM, storing information about each COM object, its unique Class ID (CLSID), and crucially, the location of the server (usually a DLL or sometimes an EXE) that implements the object's functionality. COM Hijacking is an evasion and persistence technique where attackers manipulate these COM-related registry entries to redirect calls intended for legitimate COM objects to malicious code instead.
Mechanism of Evasion and Persistence:
Target Identification: The attacker identifies a COM object that is frequently instantiated by legitimate, often auto-starting, processes (like explorer.exe, system services, or common applications).

Registry Manipulation: The core of the hijack involves modifying specific registry keys associated with the target COM object's CLSID. A very common target is the InprocServer32 subkey, which normally points to the path of the legitimate DLL server that implements the COM object. The attacker alters the (Default) value within this key (or related keys, depending on the specific hijack method) to point to their malicious DLL instead.

Registry Locations: These manipulations often occur under HKEY_CLASSES_ROOT\CLSID\{Target_CLSID}\InprocServer32 or, significantly for evasion, under the user-specific hive at HKEY_CURRENT_USER\Software\Classes\CLSID\{Target_CLSID}\InprocServer32. The per-user location works because HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes in which the per-user entry takes precedence when both exist. Hijacking entries in HKCU often does not require administrator privileges, making it more accessible for malware or cheats running under user context.

Code Execution: When a legitimate application makes a call to instantiate or interact with the hijacked COM object, the Windows COM runtime reads the manipulated registry entry. Instead of loading the legitimate DLL, it loads the attacker's malicious DLL into the address space of the calling application.
Evasion: Because the malicious code is loaded and executed by a legitimate, often trusted, application process as part of its normal operation (instantiating a COM object), this can bypass application whitelisting solutions that focus on blocking unknown executables. The activity might appear less suspicious in basic process execution logs compared to running a standalone cheat executable.
Persistence: If the hijacked COM object is one that is loaded automatically at system startup or user logon (e.g., by explorer.exe or other auto-run processes), this technique provides a persistent mechanism for the malicious code (e.g., a cheat loader or the cheat itself) to execute automatically every time the system starts or the user logs in, without needing a separate Run key entry or scheduled task.
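The per-user shadowing described above is the pattern a defender can audit for. The following Python script is an added example, not code from the original page: it parses registry export (.reg) text, collects every InprocServer32 default value under HKLM and HKCU, and flags CLSIDs whose per-user entry shadows a machine-wide one, marking those whose DLL sits under a user-writable directory. The embedded export is constructed sample data; the CLSIDs, DLL paths, user name and function names are all assumptions made for the illustration.

```python
"""Audit .reg export text for per-user COM server registrations (HKCU) that
shadow machine-wide ones (HKLM), the InprocServer32 hijack pattern.

Added example for illustration; the sample export below is constructed."""
import re

# Constructed sample in `reg export` format. The first CLSID is registered only
# machine-wide (normal). The second also has a per-user entry that redirects the
# server DLL to a path under the user's profile (the hijack pattern).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\example_legit.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\example_target.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\loader.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")   # [HIVE\sub\key\path]
DEFAULT_RE = re.compile(r'^@="(.*)"$')               # @="..." is the (Default) value

# Path fragments that an unprivileged user can normally write to (assumption:
# a coarse heuristic, not an exhaustive list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_inprocserver32(reg_text):
    """Return {hive: {CLSID: dll_path}} for every ...\\CLSID\\{guid}\\InprocServer32
    key in the export that carries a (Default) value."""
    result = {}
    current = None  # (hive, clsid) of the key we are inside, or None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            hive, parts = key.group(1), key.group(2).split("\\")
            if (len(parts) >= 3 and parts[-1].lower() == "inprocserver32"
                    and parts[-3].lower() == "clsid"):
                current = (hive, parts[-2].upper())
            else:
                current = None
            continue
        value = DEFAULT_RE.match(line)
        if value and current:
            hive, clsid = current
            # .reg files escape backslashes as "\\"; undo that for a plain path.
            result.setdefault(hive, {})[clsid] = value.group(1).replace("\\\\", "\\")
    return result


def find_shadowed_servers(reg_text):
    """Flag CLSIDs whose HKCU InprocServer32 entry overrides an HKLM entry.
    HKCR is deliberately not used as the machine-side source: it is the merged
    view and would already contain the per-user override."""
    regs = parse_inprocserver32(reg_text)
    machine = regs.get("HKEY_LOCAL_MACHINE", {})
    user = regs.get("HKEY_CURRENT_USER", {})
    findings = []
    for clsid, user_dll in user.items():
        if clsid in machine:
            findings.append({
                "clsid": clsid,
                "machine_dll": machine[clsid],
                "user_dll": user_dll,
                "user_writable_path": any(t in user_dll.lower() for t in USER_WRITABLE),
            })
    return findings


if __name__ == "__main__":
    import sys
    # `reg export` writes UTF-16 with a BOM; pass the exported files as arguments,
    # or run with none to analyse the constructed sample.
    text = "".join(open(p, encoding="utf-16").read() for p in sys.argv[1:]) or SAMPLE_REG
    for finding in find_shadowed_servers(text):
        print(finding)
```

To run it against a real machine, export the two hives separately (for example `reg export HKLM\Software\Classes\CLSID hklm.reg` and `reg export HKCU\Software\Classes\CLSID hkcu.reg`) and pass both files; comparing HKLM against HKCU rather than reading HKCR keeps the override visible. Per-user COM registrations are not inherently malicious (per-user application installs create them), so the signal worth triaging is a per-user entry that overrides an existing machine-wide CLSID, and a server DLL under a user-writable path raises its priority.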