MCPcopy Create free account
hub / github.com/T3nb3w/ComDotNetExploit

github.com/T3nb3w/ComDotNetExploit @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
28 symbols 32 edges 8 files 0 documented · 0% updated 16mo ago★ 337

Browse by type

Functions 23 Types & classes 5
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

PPL Exploit PoC (Proof of Concept)

This repository contains a C++ Proof of Concept (PoC) demonstrating the exploitation of Windows Protected Process Light (PPL) using COM-to-.NET redirection and reflection techniques for code injection. The exploit bypasses code integrity checks and injects a malicious payload into highly protected processes such as LSASS.

The PoC leverages registry manipulation and the IDispatch interface, enabling code injection into a PPL process like svchost.exe or others with similar protections. This technique is inspired by James Forshaw's (a.k.a. @tiraniddo) research into exploiting .NET reflection and the bypass of signature checks on PPL processes. I wrote a blog post about this tool: - Blog post part: Abusing IDispatch for Trapped COM Object Access & Injecting into PPL Processes


Usage

Run the Exploit:

The following command will load the malicious payload into the svchost PPL process:

ComDotNetExploit.exe <DLL Path> <Static Class Name>

Analysis

The PoC demonstrates how registry manipulation can allow COM-to-.NET redirection to execute unmanaged code in a .NET process. By enabling reflection via Assembly.Load(byte[]), we bypass the SEC_IMAGE code integrity checks that are typically enforced during image section creation in PPL processes.

The exploit showcases the following attack vectors:

  • COM-to-.NET redirection: By manipulating registry keys, we can redirect COM activation to a .NET object, which allows us to load and execute .NET assemblies in a protected process context.
  • Bypassing code integrity checks: Using .NET Reflection (Assembly.Load(byte[])), we bypass the normal image section validation that occurs in PPL processes, allowing us to load unsigned, malicious code.

Credit

This PoC is largely inspired by the research conducted by James Forshaw (a.k.a. @tiraniddo). - Windows Bug Class: Accessing Trapped COM Objects with IDispatch


Disclaimer

This PoC is intended for educational purposes only. It should not be used for any illegal or malicious activities. I do not take any responsibility for misuse or unintended consequences arising from the use of this code.

Core symbols most depended-on inside this repo

Shape

Method 19
Class 5
Function 4

Languages

C++100%

Modules by API surface

Bypass_COM_PPL/com_utils.h7 symbols
Bypass_COM_PPL/registry_utils.cpp6 symbols
Bypass_COM_PPL/trustinstaller_utils.cpp5 symbols
Bypass_COM_PPL/main.cpp3 symbols
Bypass_COM_PPL/dotnet_interop.cpp3 symbols
Bypass_COM_PPL/dotnet_interop.h2 symbols
Bypass_COM_PPL/trustinstaller_utils.h1 symbols
Bypass_COM_PPL/registry_utils.h1 symbols

For agents

$ claude mcp add ComDotNetExploit \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page