ITSEC Newsletter 2025-06-05

Here, we will direct our attention to the exploitation of hive-based memory corruption bugs, i.e., those that allow an attacker to overwrite data within an active hive mapping in memory. This is a class of issues characteristic of the Windows registry, but universal enough that the techniques described here are applicable to 17 of my past vulnerabilities, as well as likely any similar bugs in the future. As we know, hives exhibit a very special behavior in terms of low-level memory management (how and where they are mapped in memory), handling of allocated and freed memory chunks by a custom allocator, and the nature of data stored there. All this makes exploiting this type of vulnerability especially interesting from the offensive security perspective, which is why I would like to describe it here in detail.

In this blog, I’m going to walk through a persistence technique I use frequently during red team operations: Component Object Model (COM) hijacking. It’s a method that strikes a good balance between stealth and reliability and, as a bonus, you can use it for more than just persistence. I’ll show how I identify opportunities for this technique, as well as how you can use it to load a callback into a process of interest such as Chrome or Edge.