The missing verclsid.exe documentation

TL;DR: Command line parameters of verclsid.exe are documented in this blog. Expect more posts about verclsid.exe on how to abuse and detect it.

Verclsid.exe is one of the binaries that pops up every now and then in the logs when I'm doing detection engineering. Details on this binary are scarce; while googling, I found:

In summary, what the internet told me was that verclsid.exe is a "guinea pig" binary meant to test COM shell extensions before they are launched in explorer.exe. It can activate arbitrary COM objects — which is also what the LOLBAS project entry shows. However, when looking through log files, I noticed that verclsid.exe has far more command line options than the posts above mention.

This sparked my interest, as I wondered whether there would be ways to execute code using verclsid.exe that are undocumented or hard to detect.

First attempts at getting the "help" with "/?", "-h", "-?", etc. came up empty, so I posted the question on Twitter, hoping somebody had already figured this out. No response, unfortunately... So only one option left: fire up IDA and Ghidra and get cracking. Luckily the binary was fairly small and simple to reverse, and within an hour or so I managed to extract the meaning of all command line parameters.

verclsid.exe activates a COM object and uses a watchdog thread to check that the object passes a few simple functional checks. If the COM object doesn't exit properly or hangs, the watchdog thread kills it.

  /C {clsid}   The CLSID, passed as the first parameter to CoCreateInstance
  [/S]         Optional: sets COINIT_APARTMENTTHREADED in the call to CoInitializeEx
  [/M]         Optional: accepted, but ignored
  [/I {iid}]   Optional: the IID, passed as the fourth parameter to CoCreateInstance
  [/X {ctx}]   Optional: the execution context, passed as the third parameter to CoCreateInstance

The COM initialization call is:

  CoInitializeEx(NULL, COINIT_SPEED_OVER_MEMORY);

If /S is specified, the COM initialization call is:

  CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_SPEED_OVER_MEMORY);

The COM object creation call is:

  CoCreateInstance(clsid, NULL, ctx | CLSCTX_NO_CODE_DOWNLOAD, iid, &ppv);

The most interesting parameter to manipulate is /X. Based on the documentation, it provides considerable flexibility in how you want to create and run your (malicious 😈) COM objects.
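Since the switches above are what shows up in process-creation telemetry, here is a small parser and triage routine for verclsid.exe command lines, written as an added example for this post; it is not code from the original article or from FalconForce. It decodes the /C, /S, /M, /I and /X switches as listed above, ORs CLSCTX_NO_CODE_DOWNLOAD into the /X value the way the CoCreateInstance call does, and flags events whose CLSID is outside a baseline, whose activation context carries out-of-the-ordinary bits, or whose parent is not explorer.exe. Assumptions: switch letters are matched case-insensitively and only the "/" prefix is recognised; the /X value is accepted in hex (0x401) or decimal; the CLSCTX bit values are the Windows SDK constants (objbase.h), not something the post states; explorer.exe as the expected parent follows from the post's description of the binary as a shell-extension tester; the sample events and GUIDs are constructed placeholders, not real telemetry.

```python
import re

# CLSCTX bit values from the Windows SDK (objbase.h); used to decode the /X value.
CLSCTX_FLAGS = {
    0x00000001: "CLSCTX_INPROC_SERVER",
    0x00000002: "CLSCTX_INPROC_HANDLER",
    0x00000004: "CLSCTX_LOCAL_SERVER",
    0x00000010: "CLSCTX_REMOTE_SERVER",
    0x00000400: "CLSCTX_NO_CODE_DOWNLOAD",
    0x00002000: "CLSCTX_ENABLE_CODE_DOWNLOAD",
    0x00004000: "CLSCTX_NO_FAILURE_LOG",
    0x00008000: "CLSCTX_DISABLE_AAA",
    0x00010000: "CLSCTX_ENABLE_AAA",
    0x00020000: "CLSCTX_FROM_DEFAULT_CONTEXT",
    0x00040000: "CLSCTX_ACTIVATE_32_BIT_SERVER",
    0x00080000: "CLSCTX_ACTIVATE_64_BIT_SERVER",
    0x00100000: "CLSCTX_ENABLE_CLOAKING",
    0x00400000: "CLSCTX_APPCONTAINER",
}
CLSCTX_NO_CODE_DOWNLOAD = 0x400
KNOWN_MASK = 0
for _bit in CLSCTX_FLAGS:
    KNOWN_MASK |= _bit

# Bits that are worth a second look when verclsid.exe is launched with them (policy choice, assumption).
SUSPICIOUS_FLAGS = ("CLSCTX_REMOTE_SERVER", "CLSCTX_ENABLE_CODE_DOWNLOAD")

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keeps a quoted program path together


def parse_verclsid_cmdline(cmdline):
    """Split a verclsid.exe command line into its /C /S /M /I /X parts.

    Switches are matched case-insensitively and only the '/' prefix is
    recognised (assumption; the post only lists the '/' forms).
    """
    tokens = TOKEN_RE.findall(cmdline)[1:]  # drop the program path itself
    result = {"clsid": None, "iid": None, "ctx": None, "apartment": False,
              "ignored_m": False, "errors": []}
    i = 0
    while i < len(tokens):
        sw = tokens[i].upper()
        # A value never starts with '/', so a following switch is not swallowed as a value.
        arg = tokens[i + 1] if i + 1 < len(tokens) and not tokens[i + 1].startswith("/") else None
        if sw == "/S":
            result["apartment"] = True
        elif sw == "/M":
            result["ignored_m"] = True
        elif sw in ("/C", "/I"):
            key = "clsid" if sw == "/C" else "iid"
            if arg is not None and GUID_RE.match(arg):
                result[key] = arg.upper()
            else:
                result["errors"].append(f"{sw} without a valid GUID")
        elif sw == "/X":
            try:  # hex with 0x prefix or plain decimal (assumption about the logged form)
                result["ctx"] = int(arg, 16) if arg.lower().startswith("0x") else int(arg, 10)
            except (AttributeError, ValueError):
                result["errors"].append("/X without a numeric context")
        else:
            result["errors"].append(f"unknown switch {tokens[i]}")
        i += 2 if (arg is not None and sw in ("/C", "/I", "/X")) else 1
    return result


def effective_clsctx(ctx):
    """CLSCTX as CoCreateInstance receives it: verclsid always ORs in CLSCTX_NO_CODE_DOWNLOAD."""
    return ctx | CLSCTX_NO_CODE_DOWNLOAD


def decode_clsctx(ctx):
    """Names of the CLSCTX bits set in ctx; bits not in the table are reported as UNKNOWN(0x..)."""
    names = [name for bit, name in CLSCTX_FLAGS.items() if ctx & bit]
    leftover = ctx & ~KNOWN_MASK
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def triage(event, baseline_clsids, expected_parent="explorer.exe"):
    """Return the reasons an event deserves a look; an empty list means it matches the expected shape."""
    parsed = parse_verclsid_cmdline(event["cmdline"])
    reasons = list(parsed["errors"])
    if parsed["clsid"] is None:
        reasons.append("no /C CLSID")
    elif parsed["clsid"] not in baseline_clsids:
        reasons.append(f"CLSID {parsed['clsid']} not in baseline")
    if parsed["ctx"] is not None:
        flags = decode_clsctx(effective_clsctx(parsed["ctx"]))
        reasons += [f"unusual activation flag {f}" for f in SUSPICIOUS_FLAGS if f in flags]
    parent = event.get("parent", "")
    if parent.lower() != expected_parent:
        reasons.append(f"parent {parent} is not {expected_parent}")
    return reasons


def scan(events, baseline_clsids):
    """(index, reasons) for every event that triage() did not clear."""
    return [(i, r) for i, e in enumerate(events) if (r := triage(e, baseline_clsids))]


# Constructed sample events with placeholder GUIDs; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmdline": r'"C:\Windows\system32\verclsid.exe" /S /C {AAAAAAAA-0000-0000-0000-000000000001} /I {BBBBBBBB-0000-0000-0000-000000000002} /X 0x401'},
    {"parent": "explorer.exe", "cmdline": r'"C:\Windows\system32\verclsid.exe" /S /C {AAAAAAAA-0000-0000-0000-000000000001} /I {BBBBBBBB-0000-0000-0000-000000000002} /X 0x411'},
    {"parent": "cmd.exe", "cmdline": r'verclsid.exe /C {CCCCCCCC-0000-0000-0000-000000000003} /X 8193'},
    {"parent": "explorer.exe", "cmdline": r'verclsid.exe /M /X 0x1'},
]
BASELINE_CLSIDS = {"{AAAAAAAA-0000-0000-0000-000000000001}"}

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS, BASELINE_CLSIDS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"])
        for r in reasons:
            print("   -", r)
```

The baseline set is the part that needs local work: collect the CLSIDs that explorer.exe legitimately hands to verclsid.exe on your estate over a few weeks and treat anything outside that set, or launched from a different parent, as the start of an investigation rather than an alert on its own.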


FalconForce realizes ambitions by working closely with its customers in a methodical manner, improving their security in the digital domain.

Energieweg 3
3542 DZ Utrecht
The Netherlands

FalconForce B.V.
[email protected]
(+31) 85 044 93 34

KVK 76682307
BTW NL860745314B01