This blog post sets the stage for our Hack In The Box presentation in Amsterdam on May 19.

Those familiar with Windows COM servers know that they come in two types, in-process and out-of-process. For this post, the former type is of interest: an in-process COM server is a dynamic link library (DLL) that a COM client instantiates when needed, usually by calling the CoCreateInstance function with the class identifier (CLSID) of the said COM server. What happens then is that the COM server initialization code looks up the provided CLSID in the local registry under the key HKEY_CLASSES_ROOT\CLSID and finds the path to the DLL under its InProcServer32 subkey. It then expands any environment strings in the obtained DLL path and calls LoadLibrary with the resulting path. Whatever happens afterwards is of no interest to us here.
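The CLSID-to-DLL resolution just described, modelled in Python as an added example (not code from the original post): a constructed registry snapshot of InProcServer32 values, a constructed environment and a constructed list of files present on the host stand in for the real registry, ExpandEnvironmentStrings and the filesystem, and an audit helper reports registrations whose resolved path does not exist, which is what an administrator reviewing COM registrations would want to see.

```python
"""Model of how an in-process COM server's DLL path is resolved from its CLSID."""
import re
from typing import Dict, Iterable, Mapping, Optional

# Constructed registry snapshot: CLSID -> default value of its InProcServer32 subkey,
# as read from HKEY_CLASSES_ROOT\CLSID\{clsid}\InProcServer32. CLSIDs and paths are
# made up for this example; on a real host they would come from winreg.
SAMPLE_REGISTRY: Dict[str, str] = {
    "{11111111-0000-0000-0000-000000000001}": r"%SystemRoot%\System32\example1.dll",
    "{11111111-0000-0000-0000-000000000002}": r"C:\Program Files\Vendor\plugin.dll",
    "{11111111-0000-0000-0000-000000000003}": r"%LOCALAPPDATA%\Vendor\addin.dll",
    "{11111111-0000-0000-0000-000000000004}": r"%SystemRoot%\System32\missing.dll",
}

# Constructed process environment, standing in for what ExpandEnvironmentStrings consults.
SAMPLE_ENV: Dict[str, str] = {
    "SystemRoot": r"C:\Windows",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}

# Constructed list of files present on the host, standing in for os.path.exists.
SAMPLE_FILES = [
    r"C:\Windows\System32\example1.dll",
    r"C:\Program Files\Vendor\plugin.dll",
]

_ENV_REF = re.compile(r"%([^%]+)%")


def expand_environment_strings(path: str, env: Mapping[str, str]) -> str:
    """Expand %VAR% references: known variables are substituted (names are
    case-insensitive, as on Windows), unknown references are left untouched."""
    lookup = {name.upper(): value for name, value in env.items()}
    return _ENV_REF.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), path)


def resolve_inproc_server(clsid: str, registry: Mapping[str, str],
                          env: Mapping[str, str]) -> Optional[str]:
    """Find the InProcServer32 value for the CLSID (registry key names are
    case-insensitive) and expand environment strings in it. Returns None when
    the CLSID has no in-process server registered."""
    for key, dll_path in registry.items():
        if key.upper() == clsid.upper():
            return expand_environment_strings(dll_path, env)
    return None


def audit_inproc_servers(registry: Mapping[str, str], env: Mapping[str, str],
                         existing_files: Iterable[str]) -> Dict[str, str]:
    """Return {clsid: resolved_path} for registrations whose resolved DLL is not
    present, i.e. entries that LoadLibrary cannot satisfy and that deserve review."""
    present = {f.lower() for f in existing_files}
    findings: Dict[str, str] = {}
    for clsid in registry:
        resolved = resolve_inproc_server(clsid, registry, env)
        if resolved is not None and resolved.lower() not in present:
            findings[clsid] = resolved
    return findings
```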