Component Object Model COM#

As an outsider to Windows development looking in (like me), your first reaction is probably: “What the fuck is that?” Well, according to Microsoft’s official documentation, it’s defined as:

The Microsoft Component Object Model (COM) defines a binary interoperability standard for creating reusable software libraries that interact at run time.

If that still sounds like gibberish, here’s a fun and familiar example of a COM we all use (and probably take for granted): DirectX. It’s the backbone of Windows PC gaming. Most of us just install it and forget it, but under the hood, DirectX is built on top of COM (Component Object Model) technology. It exposes a set of COM interfaces that act as an abstraction layer between software like video games and the low-level graphics drivers.

This design means game developers don’t need to worry about writing code for every individual GPU driver. Instead, they interact with DirectX’s COM interfaces, call the functions they need, and let Microsoft’s DirectX handle the hardware-specific implementations behind the scenes.

If you’re interested in the implementation details and the ABI rules involved, James Forshaw has a great talk that dives deep into all of that. But for the sake of this article, we’re going to stick to just the concepts we actually need to understand in order to visualize how the Cross-Session Relay attack works. And for that, let’s talk about the COM client-server architecture.

DCOM Activation Mechanisms#

Now that we understand what COM is, how its architecture works, the different types of COM servers, and that DCOM is essentially just a COM server extended over the network, let’s dive deeper into how it actually operates. Specifically, we’ll look at how a COM client running on Machine A can discover, request, and use interfaces exposed by a COM server running on Machine B.

For two applications to communicate over a network, they must use a shared network protocol. In the case of DCOM, Microsoft chose to use Remote Procedure Call (RPC) as the underlying protocol to enable communication between COM clients and remote COM servers. Before any actual method calls can be made, the client and server must go through an authentication process to establish trust, where the Object Exporter ID (OXID), a unique identifier for a COM object instance, is resolved to facilitate remote object location. In DCOM, this happens during a phase known as DCOM Activation, where the client requests the creation of a COM object on the remote machine, and authentication is handled as part of this initial activation sequence.

During DCOM activation, the client on Machine A initiates a request via CoCreateInstanceEx, specifying the CLSID (Class ID, unique identifier for the COM class) and remote server. The COM runtime checks the registry, then contacts Machine B’s SCM (Service Control Manager) via RPC (TCP 135), authenticating the client using NTLM/Kerberos. The SCM’s OXID Resolver maps the object’s OXID to an RPC endpoint, launching the server to create the object. The interface is marshaled on the server, transmitted, and unmarshaled on the client, returning a proxy for method calls. This process ensures secure, network-transparent object activation. And of course, I didn’t just gloss over a bunch of big terms; I wanted to give them justice by thoroughly explaining them:

• OXID Resolver: A service within the SCM that resolves the Object Exporter ID (OXID) to an RPC endpoint (IP, port), enabling the client’s proxy to locate and connect to the remote object’s stub for communication.
• Marshaling/Unmarshaling: Serializes (marshals) the object’s interface pointer on the server into a network-transmissible format and deserializes (unmarshals) it on the client, allowing seamless method invocation across machines via proxy-stub RPC communication