Talking to, and handling (edit) boxes

In my older posts I mentioned that data injection techniques are as important as code execution. If you can sneak in some data into another process’ address space w/o being caught… you get a foot in a door for a stealth code execution/evasion.

Writing data to other processes is quite easy, but finding where it is actually stored is much harder. Nowadays, aggressive enumeration / scanning of memory regions of other processes’ address space will surely trigger some alerts (it’s a technique known as RAM Scraping and some security solutions detect it).

Luckily, windows messages come to the rescue again – they are still benefiting from a very unrestricted access to memory of other processes while providing a convenient interface to access this goodness (an the interface itself is kinda hard to monitor).

EM_GETHANDLE and EM_SETHANDLE messages are used by Edit Controls. When you send the first of these messages you will get an address to a buffer where the edit control stores its text (i.e. whatever you e.g. type in Notepad). When you send the second – you can actually change the address of this buffer to whatever you want, even if temporarily.

You could therefore launch Notepad, send keystrokes to it to ‘type’ a set of characters – a cleverly crafted shellcode – or simply launch the program to open your payload file as text, and then find the memory of the address where this data is stored via EM_GETHANDLE message, and then finally use one of the known code execution techniques to run this code.

The shellcode itself needs to be Unicode-compatible (if you use English letters only, each 8-bit character will be converted to Unicode as a 16-bit word with a leading zero; shellcode needs to take this into account). Luckily, the fact characters must be Unicode is actually beneficial, as the characters can be almost anything and these may form a nice binary shellcode (i.e. you could save the shellcode natively as UTF16 and use BOM to let Notepad know how to load the file). Notably, E9 and EB (opcodes for unconditional jumps) seem to be easy to inject w/o any tricks (both of them are Latin letters ‘e’ with accents).