{"id":5274,"date":"2018-08-17T22:49:34","date_gmt":"2018-08-17T22:49:34","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5274"},"modified":"2018-08-17T22:49:34","modified_gmt":"2018-08-17T22:49:34","slug":"beyond-good-ol-run-key-part-84","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/08\/17\/beyond-good-ol-run-key-part-84\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 84"},"content":{"rendered":"<p>This is just a blurb to include this particular technique in the series. It&#8217;s not new at all, and it has been covered in the past by others, e.g. the recent &#8216;Windows Operating System Archaeology&#8217; <a href=\"https:\/\/www.slideshare.net\/enigma0x3\/windows-operating-system-archaeology\">preso<\/a> by <a href=\"https:\/\/twitter.com\/enigma0x3\">@enigma0x3<\/a> and <a href=\"https:\/\/twitter.com\/subTee\">@subTee<\/a>. IMHO it&#8217;s still worth documenting anyway.<\/p>\n<p>COM Objects are created when the program calls one of the instantiation APIs, e.g. CoCreateInstance. The API takes the CLSID, finds its entry in the Registry (under the CLSID node) and loads the DLL or EXE associated with it (it&#8217;s a bit more complex than that, but that&#8217;s the gist of it).<\/p>\n<p>Now, if the CLSID entry contains the key &#8216;TreatAs&#8217;, the instantiation process will change &#8211; the API will pick up the CLSID that &#8216;TreatAs&#8217; points to and instantiate that object instead. This allows anyone to hook all the instantiation events of a particular COM object and, as a result, get loaded any time that object is instantiated. Which sounds like a nice persistence trick&#8230;<\/p>\n<p>This is actually a documented feature and it&#8217;s described on MSDN in the help for the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/api\/objbase\/nf-objbase-cotreatasclass\">CoTreatAsClass<\/a> API and the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/com\/treatas\">TreatAs<\/a> key itself; the internals were also described in <a href=\"http:\/\/blogs.microsoft.co.il\/pavely\/2017\/08\/07\/hooking-com-classes\/\">this<\/a> Microsoft blog post.<\/p>\n<p>So&#8230; any time you see a &#8216;TreatAs&#8217; key, ensure it&#8217;s not a COM hijack \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is just a blurb to include this particular technique in the series. It&#8217;s not new at all, and it has been covered in the past by others e.g. recent &#8216;Windows Operating System Archaeology&#8217; preso by @enigma0x3 and @subTee. IMHO &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/08\/17\/beyond-good-ol-run-key-part-84\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5274"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5274"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5274\/revisions"}],"predecessor-version":[{"id":5276,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5274\/revisions\/5276"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}