Listplanting – yet another code injection trick

April 25, 2019 in Code Injection

Okay, this is the last one in this short series, just to add the list-view control.

Same as tree-view, it accepts two interesting messages, LVM_INSERTGROUPSORTED and LVM_SORTGROUPS, that can help us set up a callback pointing to an LVGroupCompare function.

And same as tree-view, it’s fairly popular. Testing my quick&dirty POC I crashed a number of programs, including Total Commander and Windows Explorer.

Treepoline – new code injection technique

April 24, 2019 in Code Injection

(Rich)Edit controls are not the only ones that suffer from callback overwrites. The tree-view controls are also in this category.

When a tree-view control is displaying its content it needs to sort the items it shows. This sorting routine can be controlled and changed via a TVSORTCB structure. One of the fields in this structure is called lpfnCompare. It points to a routine that will be called any time a comparison between tree elements is required.

We can tell any tree-view window to use our callback by sending it a TVM_SORTCHILDRENCB message. The moment the control executes our callback routine, it’s game over.

Since tree-view controls are present in many applications, including Windows Explorer and Regedit, this is a far more interesting technique than those affecting (Rich)Edit controls.

Here is an example of Regedit crashing when we change the address of the structure to 0x12345678: