Transparent COM instrumentation for malware analysis is hard because script-based malware drives COM objects through IDispatch, a late-bound interface: members are resolved by name at run time (GetIDsOfNames) and called through a single Invoke entry point, so what a script actually does is visible only to a monitor that sits inside that dispatch path. Cisco Talos has released DispatchLogger, an open-source tool that provides that visibility.
DispatchLogger hooks the COM instantiation boundary: it intercepts functions such as CoCreateInstance and CoGetClassObject, lets the real object be created, and returns a transparent proxy in its place. Because the proxy forwards every call to the real object, it logs without changing the malware's observable behavior. Hooking below the script engines rather than inside any one of them also makes the instrumentation engine-agnostic: VBScript, PowerShell and AutoIt all reach COM objects through the same instantiation APIs.
Traditional dynamic-analysis tools see the low-level effects of high-level COM interactions but miss their semantic meaning, and WMI is the clearest case: a script that creates a process through the Win32_Process class never calls CreateProcess itself; the WMI provider host (WmiPrvSE.exe) does, so a process-tree monitor records WmiPrvSE.exe as the parent and loses the link back to the script. DispatchLogger restores that context by logging the method name and parameters of each call as it passes through the proxy, so an analyst can tell which script launched a process and with what command line, which is essential for understanding the attack vector.
The implementation of DispatchLogger involved several steps and challenges. Initially the tool hooked only CoCreateInstance, but many VBScript CreateObject calls were not intercepted: the script engine performs its own safety checks on the class and reaches the object through a different creation path. To diagnose this, the authors built a minimal ActiveX library whose class shows a MsgBox in Class_Initialize, which made it obvious that the object was being instantiated even when the CoCreateInstance hook never fired.
The fix was to hook CoGetClassObject as well, and also CoGetObject and MkParseDisplayName, which back GetObject() moniker strings such as "winmgmts:", so that the object is wrapped regardless of which interface the script engine requests first. The DispatchProxy class implements IDispatch: it forwards every call to the wrapped object and logs the method and its parameters, keeps its own reference count so the proxy lives exactly as long as the script holds the object, and handles QueryInterface so that requests for IUnknown or IDispatch return the proxy rather than a raw pointer to the underlying object (otherwise a single QueryInterface would let the script bypass the logger).
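As an added example (written for this page, not DispatchLogger's or Talos's code), here is a portable C++ model of the proxy-at-instantiation pattern described in the paragraphs above: a hook standing in for CoCreateInstance that lets the original create the object and hands back a DispatchProxy instead, and the proxy itself, which forwards GetIDsOfNames and Invoke, logs them with the member name and arguments, keeps its own reference count, and answers QueryInterface so the script engine never holds the raw object even when it asks for IUnknown first. The COM types are re-declared in simplified form so the file builds without the Windows SDK; the FakeWin32Process object, the Example.Win32Process ProgID and the pid=4242 result are constructed for the example, and real_CoCreateInstance stands in for the saved pointer to the original function.

```cpp
// Added example (not DispatchLogger's code): a portable model of the transparent IDispatch
// proxy a hooked CoCreateInstance hands back. COM types are re-declared in simplified form so
// this builds without windows.h; real code uses the SDK's IUnknown/IDispatch, VARIANT, DISPPARAMS.
#include <cstring>
#include <map>
#include <string>
#include <vector>
typedef long HRESULT; typedef long DISPID; typedef int IID;  // IID simplified from a 128-bit GUID
const HRESULT S_OK = 0, E_NOINTERFACE = 0x80004002L, DISP_E_UNKNOWNNAME = 0x80020006L;
const IID IID_IUnknown = 0, IID_IDispatch = 1;
struct Variant { std::string s; };                 // stands in for VARIANT
struct DispParams { std::vector<Variant> args; };  // stands in for DISPPARAMS
struct IUnknown {
    virtual HRESULT QueryInterface(IID riid, void** ppv) = 0;
    virtual unsigned long AddRef() = 0; virtual unsigned long Release() = 0;
    virtual ~IUnknown() {}
};
struct IDispatch : IUnknown {
    virtual HRESULT GetIDsOfNames(const char* name, DISPID* id) = 0;
    virtual HRESULT Invoke(DISPID id, const DispParams* p, Variant* result) = 0;
};
std::vector<std::string> g_log; int g_live_proxies = 0;  // analyst-visible log; proxy count for tests

// Transparent proxy: every call is forwarded to the wrapped object and logged.
class DispatchProxy : public IDispatch {
    IDispatch* inner_;                     // real object; the proxy owns one reference to it
    std::map<DISPID, std::string> names_;  // DISPID -> member name, learned from GetIDsOfNames
    std::string progid_; unsigned long refs_ = 1;  // what the script asked for; own refcount
public:
    DispatchProxy(IDispatch* inner, const char* progid) : inner_(inner), progid_(progid) { ++g_live_proxies; }
    ~DispatchProxy() override { inner_->Release(); --g_live_proxies; }
    HRESULT QueryInterface(IID riid, void** ppv) override {
        // IUnknown/IDispatch resolve to the proxy itself, whichever was asked for first; others forward unwrapped
        if (riid != IID_IUnknown && riid != IID_IDispatch) return inner_->QueryInterface(riid, ppv);
        *ppv = static_cast<IDispatch*>(this); AddRef(); return S_OK;
    }
    unsigned long AddRef() override { return ++refs_; }
    unsigned long Release() override { unsigned long r = --refs_; if (r == 0) delete this; return r; }
    HRESULT GetIDsOfNames(const char* name, DISPID* id) override {
        HRESULT hr = inner_->GetIDsOfNames(name, id);
        if (hr == S_OK) names_[*id] = name;  // keep the name so Invoke lines are readable
        g_log.push_back(progid_ + ".GetIDsOfNames(\"" + name + "\") -> " + (hr == S_OK ? "ok" : "fail"));
        return hr;
    }
    HRESULT Invoke(DISPID id, const DispParams* p, Variant* result) override {
        std::string line = progid_ + "." + (names_.count(id) ? names_[id] : "#" + std::to_string(id)) + "(";
        for (size_t i = 0; i < p->args.size(); ++i) line += (i ? ", \"" : "\"") + p->args[i].s + "\"";
        HRESULT hr = inner_->Invoke(id, p, result);  // forward first, then record the outcome
        g_log.push_back(line + ") -> " + (hr == S_OK ? result->s : "hr=" + std::to_string(hr)));
        return hr;
    }
};
// Constructed stand-in for the real automation object (think SWbemObject for Win32_Process); one member, Create.
struct FakeWin32Process : IDispatch {
    unsigned long refs_ = 1;
    HRESULT QueryInterface(IID riid, void** ppv) override {
        if (riid != IID_IUnknown && riid != IID_IDispatch) { *ppv = nullptr; return E_NOINTERFACE; }
        *ppv = static_cast<IDispatch*>(this); AddRef(); return S_OK;
    }
    unsigned long AddRef() override { return ++refs_; }
    unsigned long Release() override { unsigned long r = --refs_; if (r == 0) delete this; return r; }
    HRESULT GetIDsOfNames(const char* name, DISPID* id) override {
        if (std::strcmp(name, "Create") != 0) return DISP_E_UNKNOWNNAME; *id = 1; return S_OK;
    }
    HRESULT Invoke(DISPID id, const DispParams* p, Variant* result) override {
        if (id != 1 || p->args.empty()) return DISP_E_UNKNOWNNAME;
        result->s = "pid=4242"; return S_OK;  // pretend a process was created (constructed value)
    }
};

// Stand-in for the saved pointer to the original CoCreateInstance; it knows one ProgID.
HRESULT real_CoCreateInstance(const char* progid, IID riid, void** ppv) {
    if (std::strcmp(progid, "Example.Win32Process") != 0) { *ppv = nullptr; return E_NOINTERFACE; }
    IDispatch* obj = new FakeWin32Process();
    HRESULT hr = obj->QueryInterface(riid, ppv);
    obj->Release(); return hr;  // QI took its own reference; drop the constructor's
}
// The hook: let the original create the object, then hand the caller a proxy in its place.
HRESULT hooked_CoCreateInstance(const char* progid, IID riid, void** ppv) {
    IUnknown* raw = nullptr; HRESULT hr = real_CoCreateInstance(progid, riid, (void**)&raw);
    if (hr != S_OK) { *ppv = nullptr; return hr; }
    IDispatch* disp = nullptr;
    if (raw->QueryInterface(IID_IDispatch, (void**)&disp) != S_OK) { *ppv = raw; return S_OK; }  // no IDispatch: pass through unlogged
    raw->Release();  // the proxy keeps the IDispatch reference instead
    DispatchProxy* proxy = new DispatchProxy(disp, progid);
    hr = proxy->QueryInterface(riid, ppv);  // hand back whichever interface the caller asked for
    proxy->Release(); return hr;
}

// Models a script engine running  Set o = CreateObject("Example.Win32Process"): o.Create "calc.exe"
// (constructed ProgID); it asks for IUnknown first and QIs for IDispatch later, exercising the proxy's QI path.
std::vector<std::string> run_script_scenario() {
    g_log.clear(); IUnknown* unk = nullptr;
    if (hooked_CoCreateInstance("Example.Win32Process", IID_IUnknown, (void**)&unk) != S_OK) return g_log;
    IDispatch* o = nullptr; unk->QueryInterface(IID_IDispatch, (void**)&o); unk->Release();
    DISPID id; Variant ret; DispParams args; args.args.push_back({"calc.exe"});
    if (o->GetIDsOfNames("Create", &id) == S_OK) o->Invoke(id, &args, &ret);
    o->Release();  // last reference: the proxy and, through it, the inner object are freed
    return g_log;
}
```

Running run_script_scenario() yields two log lines, `Example.Win32Process.GetIDsOfNames("Create") -> ok` and `Example.Win32Process.Create("calc.exe") -> pid=4242`, and g_live_proxies drops back to zero once the script releases its last reference, which is the reference-counting property the text describes. The model deliberately stops at CoCreateInstance: when the engine goes through CoGetClassObject, the IClassFactory it receives and the object that IClassFactory::CreateInstance later returns need the same wrapping treatment, which is why the real tool hooks that path too.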