How to debug a com hijack

Hi.
I am trying to get this working: https://github.com/nccgroup/acCOMplice
I compiled the DLL and did the COM hijacking by hand (I tried the tools too, but I want to understand the whole thing a bit more, and they did not do the job anyway…).
So, as far as I understood the code, the whole thing works the following way:
I look for an HKCR key which has no corresponding HKCU key, and write my own DLL into the HKCU key I created (with the same CLSID). The DLL I used is taken from the GitHub page I linked above.
But no matter which key I hijack, neither the key nor the COM directory (which is created by the DLL code to contain the log file) shows up. Since the new HKCU key seems to break explorer.exe, I am assuming that it is at least recognised by Windows.
My question is: is there a way to debug (e.g. in WinDbg) the calls of explorer.exe to my DLL? And what am I doing wrong in the process I explained above?

Greetings
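The mechanism described in the question (a per-user CLSID key taking precedence over the machine-wide one, because HKCR is a merged view of HKCU\Software\Classes and HKLM\Software\Classes with the user hive winning) is also the condition a defender can check for. The following PowerShell is an added example, not code from acCOMplice or from the poster: it lists every CLSID registered under the current user's hive, shows which server DLL or EXE each side points to, and flags the ones that shadow a machine-wide registration. It assumes the standard Software\Classes layout and is run as the user whose hive you want to inspect.

```powershell
# Added example (not part of acCOMplice): find per-user CLSID registrations that
# shadow a machine-wide one. HKCR merges HKCU\Software\Classes over
# HKLM\Software\Classes, so a user-hive CLSID with its own server path wins.
$userClsidRoot    = 'HKCU:\Software\Classes\CLSID'
$machineClsidRoot = 'HKLM:\Software\Classes\CLSID'

# Return "InprocServer32=<path>" or "LocalServer32=<path>" for a CLSID key,
# or $null when the key registers no server at all.
function Get-ComServerPath {
    param([string]$ClsidKeyPath)
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $serverKey = Join-Path $ClsidKeyPath $sub
        if (Test-Path $serverKey) {
            $path = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ($path) { return "$sub=$path" }
        }
    }
    return $null
}

if (-not (Test-Path $userClsidRoot)) {
    Write-Output "No per-user CLSID keys under $userClsidRoot"
    return
}

Get-ChildItem -Path $userClsidRoot | ForEach-Object {
    $clsid       = $_.PSChildName
    $userPath    = Join-Path $userClsidRoot $clsid
    $machinePath = Join-Path $machineClsidRoot $clsid
    $shadows     = Test-Path $machinePath
    [pscustomobject]@{
        CLSID             = $clsid
        UserServer        = Get-ComServerPath $userPath
        MachineServer     = if ($shadows) { Get-ComServerPath $machinePath } else { $null }
        ShadowsMachineKey = $shadows
    }
} |
    Where-Object { $_.UserServer } |          # only entries that actually load a server
    Sort-Object ShadowsMachineKey -Descending |
    Format-Table -AutoSize
```

Entries with ShadowsMachineKey set and a UserServer that differs from MachineServer are the ones worth looking at; legitimate per-user installs (per-user Office or browser components, for instance) also appear here, so compare the paths rather than treating every hit as hostile. On 64-bit Windows a 32-bit process resolves through the WOW6432Node subtree, which this listing does not cover.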

  1. Set up and launch a virtual machine with Windows under native Windows.
  2. Download the necessary files to the virtual Windows.
  3. Install System Explorer on the virtual Windows.
  4. Open the "Events" tab in System Explorer.
  5. Compile and launch your code; if you see unusual behavior in the Events tab, log and analyze it.
