COM组件相关的武器化开发技术

COM简介

由于网上关于直接调用windows内建com组件的编程技术比较稀少(至少我找了几天没找到),该文会简要介绍如何通过已知clsid在自定义可执行文件中调用windows com接口,实现部分武器化技术。
本文旨在简单介绍调用windows本身com组件的相关编程技术,由于本人非职业开发,理解可能存在一定偏差,如发现有明显错误,请务必直接联系本人(防止误人子弟略略略略略)。
阅读本文的朋友很大概率经常使用诸如atexec、wmiexec之类的横向移动工具,该类技术其实质也是对dcom(分布式com)组件的调用。
com本身是一种开发理念,旨在跨应用和语言共享二进制代码,其理念类似dll,但dll仅能被C/C++理解或遵循C调用规范的语言使用,com通过指明二进制模块必须编译成约定的结构解决了这个问题,其实现方式与c++的类相似,所以通常使用c++来实现一个com组件。
就windows中实现来看,com组件本身仍旧是标准的pe结构(dll/exe),只不过其内部包含了coclass,以及在注册表中注册了相关键值,以便我们找到并使用它。

原理

通常windows内建com已经在注册表内存储着相关信息,而自定义com需要创建注册表入口点告诉windows com组件服务器在什么位置,这个过程称之为注册(Registration),我们可以在HKEY_CLASSES_ROOT\CLSID\{clsid}位置找到所有windows已注册的com组件。
注册后com通过GUID(globally unique identifier)唯一标识符来寻找并使用这个com组件,理论上每一个GUID(有时也称UUID)都是唯一的,GUID在标识不同的对象时会有不同的称呼,标识类对象时称之为CLSID(类标识符)、标识接口时被称为IID(接口标识符)。
在每一个注册的clsid表项中都包含一个名为InprocServer32的子项,该子项内存有映射到该com二进制文件的键值对,操作系统通过该键值对将com组件载入进程或另起进程。(进程内组件和进程外组件,二进制代码的表现形式为dll(内)和exe(外))。
我们可以通过以下powershell代码遍历所有com组件和它导出的方法。
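# Sweeps every CLSID registered under HKEY_CLASSES_ROOT\CLSID, instantiates each
# class and records the members the resulting object exposes, one section per
# CLSID, in $Filename. Progress ("<n> - <clsid>") goes to the console.
#
# [activator]::CreateInstance really loads and runs each COM server (including
# out-of-process ones), so run this sweep only on a disposable machine or VM;
# some classes hang, show UI or have side effects when created.
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > clsids.txt

$Position = 1
$Filename = "win10-clsid-members.txt"
$inputFilename = "clsids.txt"
ForEach($CLSID in Get-Content $inputFilename) {
    Write-Output "$($Position) - $($CLSID)"
    Write-Output "------------------------" | Out-File $Filename -Append
    Write-Output $($CLSID) | Out-File $Filename -Append

    # Reset the handle first: if CreateInstance throws, the assignment never
    # happens and the previous iteration's object would otherwise be reported
    # under this CLSID.
    $handle = $null
    try {
        $handle = [activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
        $handle | Get-Member | Out-File $Filename -Append
    }
    catch {
        # A class that cannot be created (not registered, no in-proc server,
        # access denied, ...) must not abort the sweep; record the reason next
        # to its CLSID so the gap in the report is explained.
        Write-Output "FAILED: $($_.Exception.Message)" | Out-File $Filename -Append
    }
    $Position += 1
}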

通过C++实现调用

通常对com组件的利用很多文章都直接使用powershell代码调用接口,代码如下:
# "xxx" stands for the CLSID string of the target class. "shellxec" is likewise
# a placeholder for whatever member Get-Member reports on that object; the exact
# name and arguments depend on the class, this line only shows the calling shape.
$handle = [activator]::CreateInstance([type]::GetTypeFromCLSID("xxx"))
$handle.shellxec('cmd.exe /c')
在这里我会介绍一种通过c++调用的方法,在介绍之前,先看一个简单的powershell案例,Charles Hamilton发现prchauto.dll拥有一个ProcessChain类,该类公开了Start方法和CommandLine属性。
接下来我们通过部分工具将这个简单案例使用c艹实现,我们先使用oleview打开这个com组件的实现文件。
可以看到processchain类导出了一个名为iprocesschain的接口,我们使用这个工具将这个类导出为IDL文件,然后使用MIDL工具将这个IDL文件转换成我们需要的C++的头文件,这个文件会定义这个类和接口的使用方法。
使用MIDL,生成的processchain.h就是我们需要的。
部分代码:
EXTERN_C const IID IID_IProcessChain;
#if defined(__cplusplus) && !defined(CINTERFACE)
// Dual interface of the ProcessChain coclass (served by prchauto.dll). It derives
// from IDispatch, so the same members are reachable through this vtable and
// through late-bound IDispatch::Invoke (which is how the PowerShell sample on
// this page drives it). The method order below IS the vtable layout and hence the
// binary contract with the server: never reorder or insert entries.
//
// Defender's note: the observable footprint of this technique is prchauto.dll
// being loaded into an unrelated process followed by that process spawning a
// child; that module-load + child-process pair is a reasonable detection hook.
MIDL_INTERFACE("79ED9CB4-3A01-4ABA-AD3C-A985EE298B20")
IProcessChain : public IDispatch
{
public:
    // Four properties exposed as get_/put_ pairs: ExecutablePath and CommandLine
    // (BSTR), NonBlocking (VARIANT_BOOL) and TimeoutPeriod (long). What the server
    // does with each is not visible in this header; the accompanying main.cpp
    // only sets CommandLine before calling Start.
    virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_ExecutablePath(
        /* [retval][out] */ BSTR *ExecutablePath) = 0;

    virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_ExecutablePath(
        /* [in] */ BSTR ExecutablePath) = 0;

    virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_CommandLine(
        /* [retval][out] */ BSTR *CommandLine) = 0;

    virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_CommandLine(
        /* [in] */ BSTR CommandLine) = 0;

    virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_NonBlocking(
        /* [retval][out] */ VARIANT_BOOL *NonBlocking) = 0;

    virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_NonBlocking(
        /* [in] */ VARIANT_BOOL NonBlocking) = 0;

    virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_TimeoutPeriod(
        /* [retval][out] */ long *TimeoutPeriod) = 0;

    virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_TimeoutPeriod(
        /* [in] */ long TimeoutPeriod) = 0;

    // Start: TimerFired is an [out] parameter written by the server; the sample
    // main.cpp passes a local VARIANT_BOOL and never reads it back. Presumably it
    // reports whether TimeoutPeriod elapsed — verify against the server before
    // relying on that.
    virtual /* [id] */ HRESULT STDMETHODCALLTYPE Start(
        /* [out] */ VARIANT_BOOL *TimerFired) = 0;

    // CancelWait and Terminate take no arguments; their exact effect on the
    // started process is not documented in this header.
    virtual /* [id] */ HRESULT STDMETHODCALLTYPE CancelWait( void) = 0;

    virtual /* [id] */ HRESULT STDMETHODCALLTYPE Terminate( void) = 0;

};
接下来就是简单的编程实现了,如果我们能找到一个支持提权且能执行命令的com组件,那我们就又获得了一个新的bypassuac的方法。

代码

先贴实现效果:
win10的计算机有点大.jpg

processchain.h

1
2
3
/* this ALWAYS GENERATED file contains the definitions for the interfaces */
4
5
6
/* File created by MIDL compiler version 8.01.0622 */
7
/* at Tue Jan 19 11:14:07 2038
8
*/
9
/* Compiler settings for .\prchauto.IDL:
10
Oicf, W1, Zp8, env=Win32 (32b run), target_arch=X86 8.01.0622
11
protocol : dce , ms_ext, c_ext, robust
12
error checks: allocation ref bounds_check enum stub_data
13
VC __declspec() decoration level:
14
__declspec(uuid()), __declspec(selectany), __declspec(novtable)
15
DECLSPEC_UUID(), MIDL_INTERFACE()
16
*/
17
/* @@MIDL_FILE_HEADING( ) *
18
19
#pragma warning( disable: 4049 ) /* more than 64k source lines */
20
21
22
/* verify that the <rpcndr.h> version is high enough to compile this file*/
23
#ifndef __REQUIRED_RPCNDR_H_VERSION__
24
#define __REQUIRED_RPCNDR_H_VERSION__ 475
25
#endif
26
27
#include "rpc.h"
28
#include "rpcndr.h"
29
30
#ifndef __RPCNDR_H_VERSION__
31
#error this stub requires an updated version of <rpcndr.h>
32
#endif /* __RPCNDR_H_VERSION__ */
33
34
35
#ifndef __processchain_h__
36
#define __processchain_h__
37
38
#if defined(_MSC_VER) && (_MSC_VER >= 1020)
39
#pragma once
40
#endif
41
42
/* Forward Declarations */
43
44
#ifndef ___IProcessChainEvents_FWD_DEFINED__
45
#define ___IProcessChainEvents_FWD_DEFINED__
46
typedef interface _IProcessChainEvents _IProcessChainEvents;
47
48
#endif /* ___IProcessChainEvents_FWD_DEFINED__ */
49
50
51
#ifndef __IProcessChain_FWD_DEFINED__
52
#define __IProcessChain_FWD_DEFINED__
53
typedef interface IProcessChain IProcessChain;
54
55
#endif /* __IProcessChain_FWD_DEFINED__ */
56
57
58
#ifndef __ProcessChain_FWD_DEFINED__
59
#define __ProcessChain_FWD_DEFINED__
60
61
#ifdef __cplusplus
62
typedef class ProcessChain ProcessChain;
63
#else
64
typedef struct ProcessChain ProcessChain;
65
#endif /* __cplusplus */
66
67
#endif /* __ProcessChain_FWD_DEFINED__ */
68
69
70
#ifdef __cplusplus
71
extern "C"{
72
#endif
73
74
75
76
#ifndef __ProcessChainLib_LIBRARY_DEFINED__
77
#define __ProcessChainLib_LIBRARY_DEFINED__
78
79
/* library ProcessChainLib */
80
/* [version][uuid] */
81
82
83
84
85
EXTERN_C const IID LIBID_ProcessChainLib;
86
87
#ifndef ___IProcessChainEvents_DISPINTERFACE_DEFINED__
88
#define ___IProcessChainEvents_DISPINTERFACE_DEFINED__
89
90
/* dispinterface _IProcessChainEvents */
91
/* [uuid] */
92
93
94
EXTERN_C const IID DIID__IProcessChainEvents;
95
96
#if defined(__cplusplus) && !defined(CINTERFACE)
97
98
// Dispinterface of the ProcessChain coclass. It declares no members of its own
// beyond IDispatch; judging by the name it is the coclass's event source, but
// which events it fires is not visible in this header.
MIDL_INTERFACE("85C4AF17-4C7A-4EF0-9BE7-39B06351AFA6")
_IProcessChainEvents : public IDispatch
{
};
102
103
#else /* C style interface */
104
105
/* C-language view of _IProcessChainEvents: the vtable as a struct of function
   pointers, each taking the object as an explicit `This`. Slot order is the
   binary contract and must match the C++ declaration: slots 0-2 are IUnknown,
   slots 3-6 are IDispatch; this dispinterface adds nothing after them. */
typedef struct _IProcessChainEventsVtbl
{
    BEGIN_INTERFACE

    /* IUnknown */
    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        _IProcessChainEvents * This,
        /* [in] */ REFIID riid,
        /* [annotation][iid_is][out] */
        _COM_Outptr_ void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        _IProcessChainEvents * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        _IProcessChainEvents * This);

    /* IDispatch: type-info access and late-bound calls by name / DISPID */
    HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
        _IProcessChainEvents * This,
        /* [out] */ UINT *pctinfo);

    HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
        _IProcessChainEvents * This,
        /* [in] */ UINT iTInfo,
        /* [in] */ LCID lcid,
        /* [out] */ ITypeInfo **ppTInfo);

    HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
        _IProcessChainEvents * This,
        /* [in] */ REFIID riid,
        /* [size_is][in] */ LPOLESTR *rgszNames,
        /* [range][in] */ UINT cNames,
        /* [in] */ LCID lcid,
        /* [size_is][out] */ DISPID *rgDispId);

    /* [local] */ HRESULT ( STDMETHODCALLTYPE *Invoke )(
        _IProcessChainEvents * This,
        /* [annotation][in] */
        _In_ DISPID dispIdMember,
        /* [annotation][in] */
        _In_ REFIID riid,
        /* [annotation][in] */
        _In_ LCID lcid,
        /* [annotation][in] */
        _In_ WORD wFlags,
        /* [annotation][out][in] */
        _In_ DISPPARAMS *pDispParams,
        /* [annotation][out] */
        _Out_opt_ VARIANT *pVarResult,
        /* [annotation][out] */
        _Out_opt_ EXCEPINFO *pExcepInfo,
        /* [annotation][out] */
        _Out_opt_ UINT *puArgErr);

    END_INTERFACE
} _IProcessChainEventsVtbl;
160
161
/* C-language object layout: the object is a single pointer to its vtable.
   The COBJMACROS helpers that follow call through lpVtbl. */
interface _IProcessChainEvents
{
    CONST_VTBL struct _IProcessChainEventsVtbl *lpVtbl;
};
165
166
167
168
#ifdef COBJMACROS
169
170
171
/* C-style call helpers for _IProcessChainEvents: each expands to a call through
   the object's vtable, passing the object itself as the explicit `This`
   argument. Only the IUnknown/IDispatch slots exist for this dispinterface. */
#define _IProcessChainEvents_QueryInterface(This,riid,ppvObject) \
    ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) )

#define _IProcessChainEvents_AddRef(This) \
    ( (This)->lpVtbl -> AddRef(This) )

#define _IProcessChainEvents_Release(This) \
    ( (This)->lpVtbl -> Release(This) )


#define _IProcessChainEvents_GetTypeInfoCount(This,pctinfo) \
    ( (This)->lpVtbl -> GetTypeInfoCount(This,pctinfo) )

#define _IProcessChainEvents_GetTypeInfo(This,iTInfo,lcid,ppTInfo) \
    ( (This)->lpVtbl -> GetTypeInfo(This,iTInfo,lcid,ppTInfo) )

#define _IProcessChainEvents_GetIDsOfNames(This,riid,rgszNames,cNames,lcid,rgDispId) \
    ( (This)->lpVtbl -> GetIDsOfNames(This,riid,rgszNames,cNames,lcid,rgDispId) )

#define _IProcessChainEvents_Invoke(This,dispIdMember,riid,lcid,wFlags,pDispParams,pVarResult,pExcepInfo,puArgErr) \
    ( (This)->lpVtbl -> Invoke(This,dispIdMember,riid,lcid,wFlags,pDispParams,pVarResult,pExcepInfo,puArgErr) )
192
193
#endif /* COBJMACROS */
194
195
196
#endif /* C style interface */
197
198
199
#endif /* ___IProcessChainEvents_DISPINTERFACE_DEFINED__ */
200
201
202
#ifndef __IProcessChain_INTERFACE_DEFINED__
203
#define __IProcessChain_INTERFACE_DEFINED__
204
205
/* interface IProcessChain */
206
/* [object][oleautomation][nonextensible][dual][uuid] */
207
208
209
EXTERN_C const IID IID_IProcessChain;
210
211
#if defined(__cplusplus) && !defined(CINTERFACE)
212
213
// Dual interface of the ProcessChain coclass (served by prchauto.dll). It derives
// from IDispatch, so the same members are reachable through this vtable and
// through late-bound IDispatch::Invoke (which is how the PowerShell sample on
// this page drives it). The method order below IS the vtable layout and hence the
// binary contract with the server: never reorder or insert entries.
//
// Defender's note: the observable footprint of this technique is prchauto.dll
// being loaded into an unrelated process followed by that process spawning a
// child; that module-load + child-process pair is a reasonable detection hook.
MIDL_INTERFACE("79ED9CB4-3A01-4ABA-AD3C-A985EE298B20")
IProcessChain : public IDispatch
{
public:
    // Four properties exposed as get_/put_ pairs: ExecutablePath and CommandLine
    // (BSTR), NonBlocking (VARIANT_BOOL) and TimeoutPeriod (long). What the server
    // does with each is not visible in this header; the accompanying main.cpp
    // only sets CommandLine before calling Start.
    virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_ExecutablePath(
        /* [retval][out] */ BSTR *ExecutablePath) = 0;

    virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_ExecutablePath(
        /* [in] */ BSTR ExecutablePath) = 0;

    virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_CommandLine(
        /* [retval][out] */ BSTR *CommandLine) = 0;

    virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_CommandLine(
        /* [in] */ BSTR CommandLine) = 0;

    virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_NonBlocking(
        /* [retval][out] */ VARIANT_BOOL *NonBlocking) = 0;

    virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_NonBlocking(
        /* [in] */ VARIANT_BOOL NonBlocking) = 0;

    virtual /* [propget][id] */ HRESULT STDMETHODCALLTYPE get_TimeoutPeriod(
        /* [retval][out] */ long *TimeoutPeriod) = 0;

    virtual /* [propput][id] */ HRESULT STDMETHODCALLTYPE put_TimeoutPeriod(
        /* [in] */ long TimeoutPeriod) = 0;

    // Start: TimerFired is an [out] parameter written by the server; the sample
    // main.cpp passes a local VARIANT_BOOL and never reads it back. Presumably it
    // reports whether TimeoutPeriod elapsed — verify against the server before
    // relying on that.
    virtual /* [id] */ HRESULT STDMETHODCALLTYPE Start(
        /* [out] */ VARIANT_BOOL *TimerFired) = 0;

    // CancelWait and Terminate take no arguments; their exact effect on the
    // started process is not documented in this header.
    virtual /* [id] */ HRESULT STDMETHODCALLTYPE CancelWait( void) = 0;

    virtual /* [id] */ HRESULT STDMETHODCALLTYPE Terminate( void) = 0;

};
249
250
251
#else /* C style interface */
252
253
/* C-language view of IProcessChain: the vtable as a struct of function pointers,
   each taking the object as an explicit `This`. Slot order is the binary
   contract and must match the C++ declaration: slots 0-2 are IUnknown, slots
   3-6 are IDispatch, and the IProcessChain members follow in declaration order
   (property get_/put_ pairs, then Start, CancelWait, Terminate). */
typedef struct IProcessChainVtbl
{
    BEGIN_INTERFACE

    /* IUnknown */
    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IProcessChain * This,
        /* [in] */ REFIID riid,
        /* [annotation][iid_is][out] */
        _COM_Outptr_ void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IProcessChain * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IProcessChain * This);

    /* IDispatch: type-info access and late-bound calls by name / DISPID */
    HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
        IProcessChain * This,
        /* [out] */ UINT *pctinfo);

    HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
        IProcessChain * This,
        /* [in] */ UINT iTInfo,
        /* [in] */ LCID lcid,
        /* [out] */ ITypeInfo **ppTInfo);

    HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
        IProcessChain * This,
        /* [in] */ REFIID riid,
        /* [size_is][in] */ LPOLESTR *rgszNames,
        /* [range][in] */ UINT cNames,
        /* [in] */ LCID lcid,
        /* [size_is][out] */ DISPID *rgDispId);

    /* [local] */ HRESULT ( STDMETHODCALLTYPE *Invoke )(
        IProcessChain * This,
        /* [annotation][in] */
        _In_ DISPID dispIdMember,
        /* [annotation][in] */
        _In_ REFIID riid,
        /* [annotation][in] */
        _In_ LCID lcid,
        /* [annotation][in] */
        _In_ WORD wFlags,
        /* [annotation][out][in] */
        _In_ DISPPARAMS *pDispParams,
        /* [annotation][out] */
        _Out_opt_ VARIANT *pVarResult,
        /* [annotation][out] */
        _Out_opt_ EXCEPINFO *pExcepInfo,
        /* [annotation][out] */
        _Out_opt_ UINT *puArgErr);

    /* IProcessChain properties: BSTR / BSTR / VARIANT_BOOL / long, each as a
       get_ (retval out) and put_ (in) pair. Semantics are not visible here. */
    /* [propget][id] */ HRESULT ( STDMETHODCALLTYPE *get_ExecutablePath )(
        IProcessChain * This,
        /* [retval][out] */ BSTR *ExecutablePath);

    /* [propput][id] */ HRESULT ( STDMETHODCALLTYPE *put_ExecutablePath )(
        IProcessChain * This,
        /* [in] */ BSTR ExecutablePath);

    /* [propget][id] */ HRESULT ( STDMETHODCALLTYPE *get_CommandLine )(
        IProcessChain * This,
        /* [retval][out] */ BSTR *CommandLine);

    /* [propput][id] */ HRESULT ( STDMETHODCALLTYPE *put_CommandLine )(
        IProcessChain * This,
        /* [in] */ BSTR CommandLine);

    /* [propget][id] */ HRESULT ( STDMETHODCALLTYPE *get_NonBlocking )(
        IProcessChain * This,
        /* [retval][out] */ VARIANT_BOOL *NonBlocking);

    /* [propput][id] */ HRESULT ( STDMETHODCALLTYPE *put_NonBlocking )(
        IProcessChain * This,
        /* [in] */ VARIANT_BOOL NonBlocking);

    /* [propget][id] */ HRESULT ( STDMETHODCALLTYPE *get_TimeoutPeriod )(
        IProcessChain * This,
        /* [retval][out] */ long *TimeoutPeriod);

    /* [propput][id] */ HRESULT ( STDMETHODCALLTYPE *put_TimeoutPeriod )(
        IProcessChain * This,
        /* [in] */ long TimeoutPeriod);

    /* IProcessChain methods. Start writes TimerFired ([out]); CancelWait and
       Terminate take only `This`. */
    /* [id] */ HRESULT ( STDMETHODCALLTYPE *Start )(
        IProcessChain * This,
        /* [out] */ VARIANT_BOOL *TimerFired);

    /* [id] */ HRESULT ( STDMETHODCALLTYPE *CancelWait )(
        IProcessChain * This);

    /* [id] */ HRESULT ( STDMETHODCALLTYPE *Terminate )(
        IProcessChain * This);

    END_INTERFACE
} IProcessChainVtbl;
350
351
/* C-language object layout: the object is a single pointer to its vtable.
   The COBJMACROS helpers that follow call through lpVtbl. */
interface IProcessChain
{
    CONST_VTBL struct IProcessChainVtbl *lpVtbl;
};
355
356
357
358
#ifdef COBJMACROS
359
360
361
/* C-style call helpers for IProcessChain: each expands to a call through the
   object's vtable, passing the object itself as the explicit `This` argument.
   IProcessChain_put_CommandLine / IProcessChain_Start are the C equivalents of
   the two calls the C++ sample main.cpp makes. */
#define IProcessChain_QueryInterface(This,riid,ppvObject) \
    ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) )

#define IProcessChain_AddRef(This) \
    ( (This)->lpVtbl -> AddRef(This) )

#define IProcessChain_Release(This) \
    ( (This)->lpVtbl -> Release(This) )


#define IProcessChain_GetTypeInfoCount(This,pctinfo) \
    ( (This)->lpVtbl -> GetTypeInfoCount(This,pctinfo) )

#define IProcessChain_GetTypeInfo(This,iTInfo,lcid,ppTInfo) \
    ( (This)->lpVtbl -> GetTypeInfo(This,iTInfo,lcid,ppTInfo) )

#define IProcessChain_GetIDsOfNames(This,riid,rgszNames,cNames,lcid,rgDispId) \
    ( (This)->lpVtbl -> GetIDsOfNames(This,riid,rgszNames,cNames,lcid,rgDispId) )

#define IProcessChain_Invoke(This,dispIdMember,riid,lcid,wFlags,pDispParams,pVarResult,pExcepInfo,puArgErr) \
    ( (This)->lpVtbl -> Invoke(This,dispIdMember,riid,lcid,wFlags,pDispParams,pVarResult,pExcepInfo,puArgErr) )


#define IProcessChain_get_ExecutablePath(This,ExecutablePath) \
    ( (This)->lpVtbl -> get_ExecutablePath(This,ExecutablePath) )

#define IProcessChain_put_ExecutablePath(This,ExecutablePath) \
    ( (This)->lpVtbl -> put_ExecutablePath(This,ExecutablePath) )

#define IProcessChain_get_CommandLine(This,CommandLine) \
    ( (This)->lpVtbl -> get_CommandLine(This,CommandLine) )

#define IProcessChain_put_CommandLine(This,CommandLine) \
    ( (This)->lpVtbl -> put_CommandLine(This,CommandLine) )

#define IProcessChain_get_NonBlocking(This,NonBlocking) \
    ( (This)->lpVtbl -> get_NonBlocking(This,NonBlocking) )

#define IProcessChain_put_NonBlocking(This,NonBlocking) \
    ( (This)->lpVtbl -> put_NonBlocking(This,NonBlocking) )

#define IProcessChain_get_TimeoutPeriod(This,TimeoutPeriod) \
    ( (This)->lpVtbl -> get_TimeoutPeriod(This,TimeoutPeriod) )

#define IProcessChain_put_TimeoutPeriod(This,TimeoutPeriod) \
    ( (This)->lpVtbl -> put_TimeoutPeriod(This,TimeoutPeriod) )

#define IProcessChain_Start(This,TimerFired) \
    ( (This)->lpVtbl -> Start(This,TimerFired) )

#define IProcessChain_CancelWait(This) \
    ( (This)->lpVtbl -> CancelWait(This) )

#define IProcessChain_Terminate(This) \
    ( (This)->lpVtbl -> Terminate(This) )
416
417
#endif /* COBJMACROS */
418
419
420
#endif /* C style interface */
421
422
423
424
425
#endif /* __IProcessChain_INTERFACE_DEFINED__ */
426
427
428
EXTERN_C const CLSID CLSID_ProcessChain;
429
430
#ifdef __cplusplus
431
432
// Coclass forward declaration tagged with its CLSID. On MSVC, DECLSPEC_UUID
// expands to __declspec(uuid(...)) (see the settings block at the top of this
// header), so __uuidof(ProcessChain) yields this GUID without a string parse.
class DECLSPEC_UUID("E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E")
ProcessChain;
434
#endif
435
#endif /* __ProcessChainLib_LIBRARY_DEFINED__ */
436
437
/* Additional Prototypes for ALL interfaces */
438
439
/* end of Additional Prototypes */
440
441
#ifdef __cplusplus
442
}
443
#endif
444
445
#endif
446
447
448

main.cpp

#include <Windows.h>
#include "processchain.h"
#include <objbase.h>
#include <stdio.h>
#include <strsafe.h>
// The boolean type COM/OLE Automation uses: a 16-bit short where VARIANT_TRUE is
// -1 (all bits set) and VARIANT_FALSE is 0. <Windows.h> already brings these in
// from the SDK (wtypes.h) with the same definitions, so repeating them here is
// redundant but harmless.
typedef short VARIANT_BOOL;
#define VARIANT_TRUE ((VARIANT_BOOL)-1)
#define VARIANT_FALSE ((VARIANT_BOOL)0)

// String forms of the GUIDs from processchain.h — the CLSID of the ProcessChain
// coclass and the IID of IProcessChain — parsed at runtime by CLSIDFromString /
// IIDFromString in main().
// NOTE: these macro names shadow the `EXTERN_C const CLSID CLSID_ProcessChain` and
// `EXTERN_C const IID IID_IProcessChain` symbols that processchain.h declares;
// from this point on the identifiers mean the string literals, not those constants.
#define CLSID_ProcessChain L"{E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E}"
#define IID_IProcessChain L"{79ED9CB4-3A01-4ABA-AD3C-A985EE298B20}"
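// Creates the ProcessChain coclass in-process, sets its CommandLine property and
// calls Start. Returns the first failing HRESULT, otherwise Start's HRESULT.
// Precondition: the calling thread has already entered a COM apartment.
// CLSID_ProcessChain / IID_IProcessChain are the string-form GUID macros defined
// earlier in this file.
static HRESULT LaunchViaProcessChain(const wchar_t* commandLine)
{
    CLSID clsid = { 0 };
    IID iid = { 0 };

    HRESULT hr = CLSIDFromString(CLSID_ProcessChain, &clsid);
    if (FAILED(hr)) {
        return hr;
    }
    hr = IIDFromString(IID_IProcessChain, &iid);
    if (FAILED(hr)) {
        return hr;
    }

    // CLSCTX_INPROC_SERVER loads the registered server DLL into this process.
    // Checking hr here is what prevents the NULL dereference the unchecked
    // version had when the class is missing or access is denied.
    IProcessChain* processChain = NULL;
    hr = CoCreateInstance(clsid, NULL, CLSCTX_INPROC_SERVER, iid, (LPVOID*)&processChain);
    if (FAILED(hr)) {
        return hr;
    }
    if (processChain == NULL) {
        return E_POINTER;
    }

    // put_CommandLine takes a BSTR, i.e. a length-prefixed OLE string. Casting a
    // plain wide-char array to BSTR hands the server a pointer with no valid
    // length prefix in front of it, so allocate a real BSTR instead.
    BSTR bstrCommandLine = SysAllocString(commandLine);
    if (bstrCommandLine == NULL) {
        processChain->Release();
        return E_OUTOFMEMORY;
    }

    hr = processChain->put_CommandLine(bstrCommandLine);
    if (SUCCEEDED(hr)) {
        VARIANT_BOOL timerFired = VARIANT_FALSE;   // [out]: written by Start
        hr = processChain->Start(&timerFired);
    }

    // An [in] BSTR stays owned by the caller, so free ours after the calls.
    SysFreeString(bstrCommandLine);
    // Drop the reference CoCreateInstance handed out (previously leaked).
    processChain->Release();
    return hr;
}

// Sample driver: starts a fixed command line through the ProcessChain COM object.
// argc/argv are accepted for the conventional signature but are not used.
// Returns 0 on success, 1 if COM initialisation or any ProcessChain call failed.
int main(int argc, TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    // Enter a COM apartment on this thread; every later COM call depends on it,
    // so a failure here is fatal rather than silently ignored.
    HRESULT hr = CoInitialize(NULL);
    if (FAILED(hr)) {
        printf("CoInitialize failed: 0x%08lx\n", (unsigned long)hr);
        return 1;
    }

    // Demonstration target, unchanged from the original sample.
    const wchar_t kCommandLine[] = L"C:\\WINDOWS\\system32\\calc.exe";
    hr = LaunchViaProcessChain(kCommandLine);
    if (FAILED(hr)) {
        printf("ProcessChain call failed: 0x%08lx\n", (unsigned long)hr);
    }

    // Balances the successful CoInitialize above.
    CoUninitialize();
    return FAILED(hr) ? 1 : 0;
}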

LINKS

COM Objects and Interfaces - Win32 apps
docsmsft
Hunting COM Objects (Part Two)
FireEye
Hunting COM Objects | Mandiant