The “Hidden” plumbing of Windows infrastructure

D-A
2 min read · Dec 1, 2022


COM/COM+ are key pieces at work whenever anything moves inside Windows. But why?

In case you’ve heard of COM/COM+ but never looked into it: it was Microsoft’s attempt at creating a component standard that would compete against the other industry standards in the field. That didn’t go entirely as planned, but a HUGE part of the internal Windows infrastructure still depends on COM and works quite well by using it under the hood.

The usual example given of a well-known piece of infrastructure in this area is the SCM (Service Control Manager). Strictly speaking, what the SCM exposes to its clients is an RPC interface rather than a COM one, but COM’s own cross-process calls ride on that same RPC runtime, so the two are worth looking at together.

Why is COM so important and heavily relied upon?

It’s flexible, relatively easy to use (even more so nowadays with all the wrappers and high-level infrastructure), provides client-server facilities, can be used from many different languages and has been tested to exhaustion.

On top of that, it allows Microsoft as well as third-party developers not only to reuse code easily, but also to reuse binaries: a component can be consumed, and correctly versioned, by anyone who knows its interfaces, in a “black-box” fashion. The consumer never links against the implementation; it asks COM for a class ID and an interface ID, and COM looks up in the registry which binary is registered for that class and loads it into the caller (in-process server) or starts it as a separate process (local server).
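To make that lookup concrete, here is an added example (not code from the original post) that walks the registry the way a COM client’s activation path does: from a ProgID to its CLSID, and from the CLSID to the binary registered to serve it, checking both the per-user and the machine-wide hive. The ProgID `WScript.Shell` and the function name `Resolve-ComServer` are only illustrative choices.

```powershell
# Added example: resolve a COM ProgID to the server binary COM would load.
# 'WScript.Shell' is only an illustrative ProgID; any registered one works.

function Resolve-ComServer {
    param([Parameter(Mandatory)][string]$ProgId)

    # Step 1: ProgID -> CLSID. HKCR is the merged view of the HKLM and HKCU
    # Software\Classes trees, so this is where a client's lookup starts.
    $clsidKey = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" -ErrorAction Stop
    $clsid = $clsidKey.GetValue('')
    if (-not $clsid) { throw "ProgID '$ProgId' has no CLSID default value" }

    # Step 2: CLSID -> server. Look at both hives explicitly, because for a
    # non-elevated caller the per-user (HKCU) entry is consulted before HKLM.
    $hives = @{
        HKCU = "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$clsid"
        HKLM = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid"
    }
    foreach ($hive in 'HKCU', 'HKLM') {
        $base = $hives[$hive]
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            $k = Get-Item -Path "$base\$kind" -ErrorAction SilentlyContinue
            if ($null -eq $k) { continue }
            [pscustomobject]@{
                ProgId    = $ProgId
                Clsid     = $clsid
                Hive      = $hive
                # InprocServer32 = DLL loaded into the client process;
                # LocalServer32 = EXE launched separately, every call is IPC over RPC
                Kind      = $kind
                Server    = $k.GetValue('')
                Threading = $k.GetValue('ThreadingModel')   # $null for LocalServer32
                AppId     = (Get-Item -Path $base).GetValue('AppID')
            }
        }
    }
}

# Usage: if an HKCU row is printed, that is the binary a non-elevated client gets
Resolve-ComServer -ProgId 'WScript.Shell' | Format-Table -AutoSize
```

A 32-bit process on 64-bit Windows resolves through `HKCR\WOW6432Node\CLSID` instead, so run this from a process of the same bitness as the client you are reasoning about. The `Server` path is the thing a practitioner wants to see: it is the “black box” the caller gets without ever naming the binary itself.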

COM is everywhere and you use it all the time (well, under the hood)

It may be subtle or unexpected, but many everyday operations involve a fair amount of IPC carried out over COM, or over the RPC runtime that COM itself sits on.

Let’s say you start, restart or stop a service from any GUI or console command.

Guess what happens under the hood?

If you wrote the code yourself, you know that the SCM was called through one of Microsoft’s documented APIs (OpenSCManager, OpenService and then StartService or ControlService).

That API call doesn’t do the work inside your process: advapi32 turns it into an RPC request to the SCM (services.exe). The application you are using is now a client connected to the SCM server and can trigger the actions you requested, provided your account holds the corresponding rights on that service.

Now let’s look at that last part: how does the SCM know whether you, or the application, have the right access?

Well, in case you’re unaware, the answer is built by LSASS, but not at the moment you ask. When you logged on, LSASS created your access token: the list of user and group SIDs, plus privileges, that every process you start carries.

What the SCM does on each request is impersonate the caller on the RPC call and run the kernel’s access check: the rights being requested (SERVICE_START, SERVICE_STOP and so on) are compared, ACE by ACE, against the service object’s security descriptor, the same one `sc.exe sdshow <service>` prints, using the SIDs in that token. LSASS is therefore the authority behind the decision, but it isn’t called on every service control; the token already carries everything the check needs.

And a chain of RPC and COM calls between processes like this one can be as complex as required to reach all the different distributed components that provide a given service. Each hop is also a place where an access check, a marshalling failure or a blocked thread can break the whole operation.
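The whole sequence above, as an added example rather than code from the original post: issue the same stop a GUI would, and, independently of whether it was refused, reproduce the SCM’s decision from the service’s security descriptor and the caller’s token. It assumes a lab machine, uses `Spooler` only as an illustrative service, and the function names are this example’s own. The rights table is taken from winsvc.h.

```powershell
# Added example: reproduce the SCM's access check for a service control.
# Run on a lab machine; 'Spooler' is only an illustrative service name.

$ServiceRights = @{            # specific rights on a service object, winsvc.h
    SERVICE_QUERY_CONFIG         = 0x0001
    SERVICE_CHANGE_CONFIG        = 0x0002
    SERVICE_QUERY_STATUS         = 0x0004
    SERVICE_ENUMERATE_DEPENDENTS = 0x0008
    SERVICE_START                = 0x0010
    SERVICE_STOP                 = 0x0020
    SERVICE_PAUSE_CONTINUE       = 0x0040
    SERVICE_INTERROGATE          = 0x0080
    SERVICE_USER_DEFINED_CONTROL = 0x0100
}

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow asks the SCM, over the same RPC interface, for the descriptor
    $out  = & sc.exe sdshow $Name 2>&1
    $sddl = $out | Where-Object { "$_" -match '^[DOGS]:' } | Select-Object -First 1
    if (-not $sddl) { throw "sc sdshow $Name failed: $out" }
    return "$sddl".Trim()
}

function Test-ServiceAccess {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][int]$DesiredAccess)
    $sddl = Get-ServiceSddl $Name
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    if ($null -eq $sd.DiscretionaryAcl) { return $true }   # no DACL at all: everyone passes

    # The token the SCM sees after impersonating us: user SID plus group SIDs
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    # Same walk AccessCheck does: ACEs in order; a deny on any still-needed bit
    # ends it; allows accumulate until every requested bit has been granted
    $remaining = $DesiredAccess
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }
        $hit = $ace.AccessMask -band $remaining
        if ($hit -eq 0) { continue }
        if ($ace.AceType -eq 'AccessDenied')  { return $false }
        if ($ace.AceType -eq 'AccessAllowed') { $remaining = $remaining -band (-bnot $hit) }
        if ($remaining -eq 0) { return $true }
    }
    return $false
}

function Invoke-ServiceStop {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # .NET ServiceController -> advapi32 ControlService -> RPC to services.exe
        Stop-Service -Name $Name -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Stop-Service $Name refused: $($_.Exception.Message)"
        return $false
    }
}

# Usage
$svc = 'Spooler'
"Token grants SERVICE_STOP on ${svc}: $(Test-ServiceAccess $svc $ServiceRights.SERVICE_STOP)"
if (Invoke-ServiceStop $svc) { Start-Service -Name $svc }

# The SCM endpoint the control request was sent to (MS-SCMR over a named pipe)
[System.IO.Directory]::GetFiles('\\.\pipe\') | Where-Object { $_ -like '*\ntsvcs' }
```

Two caveats a practitioner should keep in mind: the walk only handles specific rights (no generic-right mapping) and the .NET `Groups` list omits deny-only groups, so run it at the same elevation you would run the GUI at, and treat the SCM’s own answer (the `Stop-Service` result) as the authoritative one. The pipe listing is there so you can see that the “hidden plumbing” is a real endpoint, not an in-process call.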

For whom is this important?

If you want to learn about Windows internals, this is one of the cornerstones you’ll need to tackle at some point.

If you’re a security researcher, or a company that develops software that depends on hooks, this is a hot topic: either you’ll be looking into the potential issues that may arise, or you could end up fighting issues (while inline-hooking) with unexpected crashes and/or full system hangs. The reason is that a hook which blocks, or re-enters COM, on a thread that is in the middle of servicing one of these cross-process calls stalls every process waiting further down that chain.

I will dig more into this later with some dump-analysis scenarios, where we can actually see these things while they are happening.


D-A

Writing tech stuff about my different working experiences (low level Windows, Linux, Embedded and now learning about Web3)