3 (4) new code injection tricks

Posted on by

Update

After I published it I got a few updates; a couple of guys successfully implemented POCs for some of the techniques in this series, this post itself was updated a few times as well. Finally, Alex Ionescu also chipped in to say that he used this technique as early as 2008 (or 2011?) and presented it at Recon that year. Unfortunately link to/slides are not available online at the time of writing this update. Also, important to note that in my older post about WordWarper I included an update about that technique being known as early as 2003!

Old Post

I was planning to blog about various (Rich) Edit callback functions for a long time. Why? Because these callbacks allow us to remotely execute code inside processes that host these controls (sometimes these controls need to meet additional criteria).

I eventually started describing them yesterday.

At first I planned to have a few posts, each dedicated to one callback (with a new cheezy ‘code injection’ name included), but then Csaba discovered EM_SETAUTOCORRECTPROC and then I felt that it’s just easier to wrap it up with a short post, and introduce them all in one go 🙂

So… why does it work? (Rich) edit includes a number of CallBack functions that can be modified from a different program thanks to windows messaging mechanism. These callbacks are simple pointers to functions and are called by the control windows procedure in response to various events.

Below are the techniques I wanted to walk through – each one describes a message (or a pair of messages) that need(s) to be sent & a prototype for a callback procedure that will be executed by the (Rich) Edit windows procedure.

Due to its nature it should work across 32- and 64- boundary same as Propagate. Since the cat is out of the bag, I lost interest and have not tested it too much, but it should work.

WordWarping (if works)

EM_SETWORDBREAKPROC & EditWordBreakProc

Hyphentension (if works)

EM_SETHYPHENATEINFO & HyphenateProc

AutoCourgette (if works)

EM_SETAUTOCORRECTPROC & AutoCorrectProc

+ after I posted this Csaba discovered a super-cool ‘feature’ that allows to actually call the AutoCorrectProc in a remote process — via EM_CALLAUTOCORRECTPROC. This is a great find and simplifies execution (that otherwise requires GUI instrumentation).

Streamception (if works)

EM_STREAMIN or EM_STREAMOUT & EditStreamCallback

Update:

After I posted this, I found one more callback function. So the title should be probably ‘4 more code injection tricks’ 😉

Oleum (if works)

EM_SETOLECALLBACK and IRichEditOleCallback

Modexp shared a nice POC here.
Csaba shared a nice POC here.