SHLoadInProc – The Non-Working Code Injection trick from the past

April 30, 2019 in Archaeology, Code Injection

The SHLoadInProc function is no longer supported, but it’s a little funny code that is a legacy of good old days and it’s just worth mentioning even if just for the fun of it.

With this function you could literally instantiate a COM object in a context of Windows Explorer!

It would take the GUID passed to the function as a parameter, then find ‘Shell_TrayWnd’ window, and finally send the GUID to it via WM_COPYDATA message. The Tray window procedure would then instantiate the COM object. As the docs say, the function is disabled now, and not only as an import, but also the instantiation handling message is no longer handled by the tray icon procedure either (at least as far as I can tell as I checked it a few years ago and it was on Win7).

There is not much to add really, it was just a nice little backdoor. You can also read Geoff Chappell’s article about it.

Share this :)

Comments are closed.