@v1stra
Last active December 12, 2024 13:43
wbemcomn.dll hijack

wbemcomn.dll

wbemcomn.dll is normally found in C:\windows\system32. However, some WMI services run with a working directory of C:\windows\system32\wbem. This means the DLL might be loaded through a search order hijack, because the working directory is searched first.

This DLL hijack appears to affect at least explorer.exe and the following services:

  • WMI
  • Windows Update
  • WMI Performance Adapter
  • WSL

DLL_PROCESS_ATTACH: (12024) WmiApSrv.exe    -> "C:\Windows\system32\wbem\wbemcomn.dll"
DLL_PROCESS_ATTACH: (2988)  svchost.exe     -> "C:\Windows\system32\wbem\wbemcomn.dll"
DLL_PROCESS_ATTACH: (3452)  svchost.exe     -> "c:\windows\system32\wbem\wbemcomn.dll"
DLL_PROCESS_ATTACH: (4064)  wslservice.exe  -> "C:\Windows\system32\wbem\wbemcomn.dll"
DLL_PROCESS_ATTACH: (6052)  Explorer.EXE    -> "C:\Windows\system32\wbem\wbemcomn.dll"

sc queryex wuauserv

SERVICE_NAME: wuauserv
...
        PID                : 2988
        
sc queryex winmgmt

SERVICE_NAME: winmgmt
...
        PID                : 3452
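
For triage, the output above can be checked mechanically. This is an added example, not code from the gist: it flags any load of wbemcomn.dll from a directory other than System32 and maps PIDs to services using the `sc queryex` output. The function names and the `BENIGN` line are constructed for illustration.

```python
import re
from ntpath import basename, dirname, normcase, normpath

EXPECTED_DIR = normcase(r"C:\Windows\System32")  # genuine location per the note

# Load log and `sc queryex` output copied from the note above.
LOAD_LOG = r'''
DLL_PROCESS_ATTACH: (12024) WmiApSrv.exe    -> "C:\Windows\system32\wbem\wbemcomn.dll"
DLL_PROCESS_ATTACH: (2988)  svchost.exe     -> "C:\Windows\system32\wbem\wbemcomn.dll"
DLL_PROCESS_ATTACH: (3452)  svchost.exe     -> "c:\windows\system32\wbem\wbemcomn.dll"
DLL_PROCESS_ATTACH: (4064)  wslservice.exe  -> "C:\Windows\system32\wbem\wbemcomn.dll"
DLL_PROCESS_ATTACH: (6052)  Explorer.EXE    -> "C:\Windows\system32\wbem\wbemcomn.dll"
'''
SC_OUTPUT = '''
SERVICE_NAME: wuauserv
        PID                : 2988
SERVICE_NAME: winmgmt
        PID                : 3452
'''
# Constructed line (not from the note): a load from the expected directory.
BENIGN = r'DLL_PROCESS_ATTACH: (4242) example.exe -> "C:\Windows\System32\wbemcomn.dll"'

LOAD_RE = re.compile(r'DLL_PROCESS_ATTACH:\s*\((\d+)\)\s+(\S+)\s+->\s+"([^"]+)"')

def parse_services(text):
    """Map PID -> service name from `sc queryex` output."""
    services, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("PID") and name:
            services[int(line.split(":", 1)[1])] = name
    return services

def find_suspect_loads(log, services, dll="wbemcomn.dll"):
    """Return (pid, image, service, path) for loads of `dll` outside System32."""
    hits = []
    for pid, image, path in LOAD_RE.findall(log):
        path = normcase(normpath(path))  # Windows paths are case-insensitive
        if basename(path) == dll and dirname(path) != EXPECTED_DIR:
            hits.append((int(pid), image, services.get(int(pid), "?"), path))
    return hits

if __name__ == "__main__":
    svc = parse_services(SC_OUTPUT)
    for hit in find_suspect_loads(LOAD_LOG + BENIGN, svc):
        print("suspect load: pid=%d image=%s service=%s path=%s" % hit)
```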