Browse by type
This repository contains a C++ Proof of Concept (PoC) demonstrating the exploitation of Windows Protected Process Light (PPL) using COM-to-.NET redirection and reflection techniques for code injection. The exploit bypasses code integrity checks and injects a malicious payload into highly protected processes such as LSASS.
The PoC leverages registry manipulation and the IDispatch interface, enabling code injection into a PPL process like svchost.exe or others with similar protections. This technique is inspired by James Forshaw's (a.k.a. @tiraniddo) research into exploiting .NET reflection and the bypass of signature checks on PPL processes.
I wrote a blog post about this tool:
- Blog post part: Abusing IDispatch for Trapped COM Object Access & Injecting into PPL Processes
Run the Exploit:
The following command will load the malicious payload into the svchost PPL process:
ComDotNetExploit.exe <DLL Path> <Static Class Name>
The PoC demonstrates how registry manipulation can allow COM-to-.NET redirection to execute unmanaged code in a .NET process. By enabling reflection via Assembly.Load(byte[]), we bypass the SEC_IMAGE code integrity checks that are typically enforced during image section creation in PPL processes.
The exploit showcases the following attack vectors:
Assembly.Load(byte[])), we bypass the normal image section validation that occurs in PPL processes, allowing us to load unsigned, malicious code.This PoC is largely inspired by the research conducted by James Forshaw (a.k.a. @tiraniddo). - Windows Bug Class: Accessing Trapped COM Objects with IDispatch
This PoC is intended for educational purposes only. It should not be used for any illegal or malicious activities. I do not take any responsibility for misuse or unintended consequences arising from the use of this code.
$ claude mcp add ComDotNetExploit \
-- python -m otcore.mcp_server <graph>