{"id":20068276,"url":"https://github.com/nickvourd/com-hunter","last_synced_at":"2025-05-16T14:07:06.089Z","repository":{"id":37654981,"uuid":"496749086","full_name":"nickvourd/COM-Hunter","owner":"nickvourd","description":"COM Hijacking VOODOO","archived":false,"fork":false,"pushed_at":"2025-03-11T04:49:55.000Z","size":479,"stargazers_count":295,"open_issues_count":0,"forks_count":48,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-15T18:58:53.558Z","etag":null,"topics":["clsid","com","com-object","comhijacking","csharp","inprocserver32","localserver32","microsoft","pentest","pentest-tool","persistence","redteam","redteam-tools","redteaming","taskscheduler","windows"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nickvourd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-05-26T19:34:59.000Z","updated_at":"2025-05-15T09:45:43.000Z","dependencies_parsed_at":"2025-04-12T14:58:00.090Z","dependency_job_id":"b0bbf664-3f53-4628-8b35-c9a67f729d44","html_url":"https://github.com/nickvourd/COM-Hunter","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickvourd%2FCOM-Hunter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickvourd%2FCOM-Hunter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickvourd%2FCOM-Hunter/releases","manifests_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/nickvourd%2FCOM-Hunter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nickvourd","download_url":"https://codeload.github.com/nickvourd/COM-Hunter/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254544146,"owners_count":22088807,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["clsid","com","com-object","comhijacking","csharp","inprocserver32","localserver32","microsoft","pentest","pentest-tool","persistence","redteam","redteam-tools","redteaming","taskscheduler","windows"],"created_at":"2024-11-13T14:05:58.931Z","updated_at":"2025-05-16T14:07:06.067Z","avatar_url":"https://github.com/nickvourd.png","language":"C#","readme":"# COM-Hunter\n\nCOM Hijacking VOODOO\n\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"500\" height=\"400\" src=\"/Pictures/logo2.png\"\u003e\u003cbr /\u003e\u003cbr /\u003e\n  \u003cimg alt=\"GitHub License\" src=\"https://img.shields.io/github/license/nickvourd/COM-Hunter?style=social\u0026logo=GitHub\u0026logoColor=purple\"\u003e\n  \u003cimg alt=\"GitHub Repo stars\" src=\"https://img.shields.io/github/stars/nickvourd/COM-Hunter?logoColor=yellow\"\u003e\u003cbr /\u003e\n  \u003cimg alt=\"GitHub forks\" src=\"https://img.shields.io/github/forks/nickvourd/COM-Hunter?logoColor=red\"\u003e\n  \u003cimg alt=\"GitHub watchers\" src=\"https://img.shields.io/github/watchers/nickvourd/COM-Hunter?logoColor=blue\"\u003e\n  \u003cimg alt=\"GitHub contributors\" 
src=\"https://img.shields.io/github/contributors/nickvourd/COM-Hunter?style=social\u0026logo=GitHub\u0026logoColor=green\"\u003e\n\u003c/p\u003e\n\n## Description\n\nCOM-Hunter is a COM Hijacking persistence tool written in C#.\n\n![Static Badge](https://img.shields.io/badge/.NET-4.8-blue?style=flat\u0026logoSize=auto)\n![Static Badge](https://img.shields.io/badge/Version-2.0%20-red?link=https%3A%2F%2Fgithub.com%2Fnickvourd%2FCOM-Hunter%2Freleases)\n\nThe following list explains the available modes:\n\n- **Search Mode**: Searches for CLSIDs based on `LocalServer32`, `InprocServer32`, and registry hives `HKLM` and `HKCU`.\n- **Classic Persist Mode**: Performs classic COM hijacking persistence using `LocalServer32` or `InprocServer32`.\n- **Task Scheduler Mode**: Automatically establishes COM hijacking persistence via Task Scheduler using `LocalServer32` or `InprocServer32`.\n- **TreatAs Mode**: Performs COM hijacking persistence via the TreatAs registry key and a fake (forwardable) CLSID using `LocalServer32` or `InprocServer32`.\n\n\u003e If you find any bugs, don’t hesitate to [report them](https://github.com/nickvourd/COM-Hunter/issues). Your feedback is valuable in improving the quality of this project!\n\n## Disclaimer\n\nThe authors and contributors of this project are not liable for any illegal use of the tool. It is intended for educational purposes only. 
Users are responsible for ensuring lawful usage.\n\n## Table of Contents\n\n- [COM-Hunter](#com-hunter)\n    - [Description](#description)\n    - [Disclaimer](#disclaimer)\n    - [Table of Contents](#table-of-contents)\n    - [Acknowledgement](#acknowledgement)\n    - [Usage](#usage)\n    - [Examples](#examples)\n    - [References](#references)\n\n## Acknowledgement\n \nThis project was created with :heart: by [@nickvourd](https://x.com/nickvourd) \u0026\u0026 [@S1ckB0y1337](https://x.com/S1ckB0y1337).\n\nSpecial thanks to my friend [Marios Gyftos](https://www.linkedin.com/in/marios-gyftos-a6b62122/) for his invaluable assistance during the beta testing phase of this tool.\n\nInspired by the [RTO course](https://courses.zeropointsecurity.co.uk/courses/red-team-ops) from [@zeropointsecltd](https://x.com/zeropointsecltd).\n\n## Usage\n\n```\n ██████╗ ██████╗ ███╗   ███╗      ██╗  ██╗██╗   ██╗███╗   ██╗████████╗███████╗██████╗\n██╔════╝██╔═══██╗████╗ ████║      ██║  ██║██║   ██║████╗  ██║╚══██╔══╝██╔════╝██╔══██╗\n██║     ██║   ██║██╔████╔██║█████╗███████║██║   ██║██╔██╗ ██║   ██║   █████╗  ██████╔╝\n██║     ██║   ██║██║╚██╔╝██║╚════╝██╔══██║██║   ██║██║╚██╗██║   ██║   ██╔══╝  ██╔══██╗\n╚██████╗╚██████╔╝██║ ╚═╝ ██║      ██║  ██║╚██████╔╝██║ ╚████║   ██║   ███████╗██║  ██║\n ╚═════╝ ╚═════╝ ╚═╝     ╚═╝      ╚═╝  ╚═╝ ╚═════╝ ╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚═╝  ╚═╝\n\n                                   Version: 2.0\n                             @nickvourd \u0026\u0026 @S1ckB0y1337\n                  ~ Inspired during the RTO course by @zeropointsecltd ~\n\nUsage: COM-Hunter.exe \u003cmode\u003e \u003coptions\u003e\n\n[+] Available Modes:\n    search             Search Mode\n    persist            Classic Persist Mode\n    tasksch            Task Scheduler Mode\n    treatas            TreatAs Mode\n\n[+] Search Mode:\nUsage:  COM-Hunter.exe search \u003cCLSID\u003e \u003coptions\u003e\n    -a, --all                   Search DLL and EXE implementations in HKLM and HKCU\n    -i, 
--inprocserver32        Search DLL implementations in HKLM and HKCU\n    -l, --localserver32         Search EXE implementations in HKLM and HKCU\n    -m, --machine               Search DLL and EXE implementations in HKLM\n    -u, --user                  Search DLL and EXE implementations in HKCU\n\n[+] Classic Persist Mode:\nUsage:  COM-Hunter.exe persist \u003cCLSID\u003e \u003cbinary_path\u003e \u003coption\u003e\n    -i, --inprocserver32        Set DLL implementation\n    -l, --localserver32         Set EXE implementation\n\n[+] Task Scheduler Mode:\nUsage:  COM-Hunter.exe tasksch \u003cbinary_path\u003e \u003coption\u003e\n    -i, --inprocserver32        Set DLL implementation\n    -l, --localserver32         Set EXE implementation\n\n[+] TreatAs Mode:\nUsage:  COM-Hunter.exe treatas \u003cCLSID\u003e \u003cfake_CLSID\u003e \u003cbinary_path\u003e \u003coption\u003e\n    -i, --inprocserver32        Set DLL implementation\n    -l, --localserver32         Set EXE implementation\n```\n\n## Examples\n\n:information_source: Search DLL and EXE implementations in HKLM and HKCU:\n\n```\n.\\COM-Hunter.exe search 01575CFE-9A55-4003-A5E1-F38D1EBDCBE1 -a\n```\n\n:information_source: Search EXE implementations in HKLM and HKCU:\n\n```\n.\\COM-Hunter.exe search \"{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\" -l\n```\n\n:information_source: Advanced search EXE implementations in HKLM:\n\n```\n.\\COM-Hunter.exe search \"{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\" -l --machine\n```\n\n:information_source: Search EXE and DLL implementations in HKCU:\n\n```\n.\\COM-Hunter.exe search AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 --user\n```\n\n:information_source: Perform classic persistence using DLL implementation:\n\n```\n.\\COM-Hunter.exe persist AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 C:\\Users\\victim\\Desktop\\implant.dll -i\n```\n\n:information_source: Perform classic persistence using EXE implementation:\n\n```\n.\\COM-Hunter.exe persist \"{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\" 
C:\\Users\\victim\\Desktop\\implant.exe --localserver32\n```\n\n:information_source: Perform persistence via Task Scheduler using DLL implementation:\n\n```\n.\\COM-Hunter.exe tasksch C:\\Users\\victim\\Desktop\\implant.dll --inprocserver32\n```\n\n:information_source: Perform persistence via the TreatAs registry key and a fake (forwardable) CLSID using DLL implementation:\n\n```\n.\\COM-Hunter.exe treatas AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 \"{00000012-1312-1997-2605-F38D1EBDCBE1}\" C:\\Users\\victim\\Desktop\\implant.dll -i\n```\n\n## References\n\n- [Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking by MDSec](https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking/)\n- [Abusing the COM Registry Structure (Part 2): Hijacking \u0026 Loading Techniques by BOHOPS](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)\n- [Userland Persistence with Scheduled Tasks and COM Handler Hijacking by Enigma0x3](https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/)\n- [COM Objects Hijacking by Virus Total](https://blog.virustotal.com/2024/03/com-objects-hijacking.html)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnickvourd%2Fcom-hunter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnickvourd%2Fcom-hunter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnickvourd%2Fcom-hunter/lists"}