- Love for Microsoft Component Object Model, RPC and AMSI attack surface
  TLDR: AMSI. The Component. How to identify a component? The components that implement COM interfaces need to be registered as Computer\HKEY_CLASSES_ROOT\CLSID\{<GUID>} in the Windows Registry. This is a convenient way to locate the dll/exe components, so that APIs like CoCreateInstance() can go and fetch components by using GUID values from the library, and instantiate the interface.…
- The Lazy Guide To Reverse RPC
  This post is not going to cover in-depth details of RPC implementation; for that, read the resources mentioned in the Further Reading section. RPC programming is also not in the scope of this post. We will only discuss the concepts needed to reverse an RPC client and server. You might encounter RPC calls in malware code…