{"id":7488,"date":"2020-10-22T22:02:42","date_gmt":"2020-10-22T22:02:42","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7488"},"modified":"2020-10-22T22:02:42","modified_gmt":"2020-10-22T22:02:42","slug":"manifest-comclass-curiosity","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/10\/22\/manifest-comclass-curiosity\/","title":{"rendered":"manifest comclass curiosity"},"content":{"rendered":"\n

At the time I looked at certutil<\/a> I spotted one interesting bit – its manifest included a reference to ‘certadm.dll’ and ‘comClass’. <\/p>\n\n\n\n

<file name = \"certadm.dll\">\n    <comClass description = \"ICertAdmin2\"\n        clsid = \"{f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39}\"\n        threadingModel = \"Both\"\/>\n    <comClass description = \"CCertAdmin\"\n        clsid = \"{37eabaf0-7fb6-11d0-8817-00a0c903b83c}\"\n        threadingModel = \"Both\"\/>\n    <comClass description = \"ICertView2\"\n        clsid = \"{d594b282-8851-4b61-9c66-3edadf848863}\"\n        threadingModel = \"Both\"\/>\n    <comClass description = \"CCertView\"\n        clsid = \"{a12d0f7a-1e84-11d1-9bd6-00c04fb683fa}\"\n        threadingModel = \"Both\"\/>\n<\/file><\/code><\/pre>\n\n\n\n
Once I spotted it I immediately jumped hoping that this is yet another rare persistence\/side-loading opportunity. Not only ‘certadm.dll’ is not present on new OS versions (phantom DLL!), the `comClass` suggests we could be able to load some COM DLLs when some events happen related to a given application that leverages this loading mechanism which in COM documentation is referenced as a Side by Side registrationless COM.<\/p>\n\n\n\n
Another interesting bit is that certutil.exe is an orphan when it comes to manifests with comclass. Yes, this is the only native OS executable I could find that has a manifest actually referencing ComClass!<\/p>\n\n\n\n
Sadly, in the end I was not able to side-load anything or instantiate anything, but the idea sticks. Perhaps people more accustomed with COM can shed some light how to use it?<\/p>\n","protected":false},"excerpt":{"rendered":"
At the time I looked at certutil I spotted one interesting bit – its manifest included a reference to ‘certadm.dll’ and ‘comClass’. Once I spotted it I immediately jumped hoping that this is yet another rare persistence\/side-loading opportunity. Not only … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7488"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7488"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7488\/revisions"}],"predecessor-version":[{"id":7490,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7488\/revisions\/7490"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}