09 May 2011  

Silently Pwning Protected-Mode IE9 and Innocent Windows Applications

This blog post sets the stage for our Hack In The Box presentation in Amsterdam on May 19.

Those familiar with Windows COM servers know that they come in two types, in-process and out-of-process. For this post, the former type is of interest: an in-process COM server is a dynamic link library (DLL) that a COM client instantiates when needed, usually by calling the CoCreateInstance function with the class identifier (CLSID) of said COM server. What happens then is that the COM server initialization code looks up the provided CLSID in the local registry under the key HKEY_CLASSES_ROOT\CLSID, and finds the path to the DLL under the InProcServer32 subkey. It then expands any environment strings in the obtained DLL path and calls LoadLibrary with the resulting path. Whatever happens afterwards is of no interest to us here.
Read more at Acros Security Lab Blog
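As an added defensive illustration (not part of the quoted post or of Acros Security's code), the script below models the resolution step the post describes: it takes InProcServer32 default values, expands %VAR% references the way ExpandEnvironmentStrings does (defined variables are substituted, undefined ones are left literally in the string) and flags entries whose final path is still relative or still contains an unexpanded variable, since LoadLibrary then resolves the name through the DLL search order instead of a fixed location. The CLSIDs, DLL paths and environment values are constructed sample data, not values from the page; on a real host you would feed it the values exported from HKEY_CLASSES_ROOT\CLSID\{...}\InProcServer32.

```python
import re

# Constructed sample: InProcServer32 default values keyed by CLSID.
# These CLSIDs and paths are made up for the example; they are not real registrations.
SAMPLE_ENTRIES = {
    "{00000001-0000-0000-C000-000000000001}": r"%SystemRoot%\System32\ole32.dll",
    "{00000002-0000-0000-C000-000000000002}": r'"%ProgramFiles%\Vendor\vendor.dll"',
    "{00000003-0000-0000-C000-000000000003}": r"%VENDOR_HOME%\plugin.dll",
    "{00000004-0000-0000-C000-000000000004}": r"plugin.dll",
}

# Constructed environment of the loading process (what ExpandEnvironmentStrings would see).
SAMPLE_ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}

_VAR = re.compile(r"%([^%]+)%")


def expand_env_strings(path, env):
    """Mimic ExpandEnvironmentStrings: %VAR% is replaced case-insensitively when VAR is
    defined; an undefined %VAR% is left in the string exactly as written."""
    lookup = {name.lower(): value for name, value in env.items()}

    def substitute(match):
        return lookup.get(match.group(1).lower(), match.group(0))

    return _VAR.sub(substitute, path)


def is_absolute_windows_path(path):
    """True for drive-letter paths (C:\\...) and UNC paths (\\\\server\\share\\...)."""
    return re.match(r"^[A-Za-z]:\\", path) is not None or path.startswith("\\\\")


def audit_inproc_servers(entries, env):
    """Return (clsid, finding, resolved_path) for every entry whose DLL path would not be
    loaded from a fixed absolute location after environment expansion."""
    findings = []
    for clsid, raw_value in entries.items():
        resolved = expand_env_strings(raw_value.strip().strip('"'), env)
        if _VAR.search(resolved):
            # A variable stayed unexpanded: LoadLibrary gets a name such as %VENDOR_HOME%\plugin.dll
            findings.append((clsid, "unresolved-env-var", resolved))
        elif not is_absolute_windows_path(resolved):
            # Bare file name or relative path: located via the DLL search order
            findings.append((clsid, "relative-path", resolved))
    return findings


if __name__ == "__main__":
    for clsid, finding, path in audit_inproc_servers(SAMPLE_ENTRIES, SAMPLE_ENV):
        print(f"{clsid}  {finding:20s}  {path}")
```

Running it over the constructed data reports the third and fourth entries; the first two expand to absolute paths and are not reported. The quote stripping matters because InProcServer32 values are sometimes stored quoted, and the case-insensitive lookup mirrors how Windows environment variable names behave.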