New Code Injection/Execution – Marsh…mellow

May 14, 2020 in Code Injection

All righty… this is a cool one, because it’s so… vague.

How do you describe a generic code execution technique without showing examples?

You show le video…

Then you explain that… any Windows message above WM_USER is a potential code execution massacre. Yes. The GIF you looked at is just a simple example of enumerating all windows and their children, and then running a simple loop over all the window handles. Each iteration of that loop sends a window message WM_USER (up to WM_USER+1000) to these windows, which are owned by various processes.

It sounds stupid but it’s not. It counter-marshals (pun intended) the whole system of Windows message marshaling…

Common controls use WM_USER+ messages. Custom controls use WM_USER+ messages. Every app is most likely using _some_ controls that rely on WM_USER+ messages. So yeah… you just narrow it down to the one that lets you swap the content of a pointer of your choice, and you have your code running inside another process’s user space.

This is the most vague code injection post you will probably come across, but let me tell you this: it describes a whole class of shatter attacks that are either happening, or are going to happen.

Hint: a good message to start playing with is EM_SETTEXTEX (WM_USER+97).

People pointing out Brett Moore’s work are absolutely right. The above idea is identical in principle, just generalized to cover the whole WM_USER spectrum (which includes application-specific custom messages that may require per-app research, opening up a lot of pathways to custom code injections, e.g. the Nvidia, AMD, Intel, Dell etc. GUI applications that are always on).
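The defensive side of the WM_USER+ observation above, and of the EM_SETTEXTEX hint (a message that reads a SETTEXTEX structure pointer from wParam and a text pointer from lParam), is that a window procedure must never turn a value received in a message into a pointer, because it cannot tell which process sent it. The following is an added example, not code from the original post or from any product it names; it is a constructed simulation that defines the few Win32 types it needs so it compiles without <windows.h>, and the message name CC_SETSOURCE, the Control struct and the demo functions are all hypothetical. It puts the vulnerable handler pattern the post describes beside a hardened one that only accepts an opaque, bounds-checked index into memory the control owns.

```c
/* Constructed simulation of a Windows window procedure; defines the few
 * Win32 types it needs so it compiles without <windows.h>. Added example,
 * not code from the original post. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef uintptr_t WPARAM;
typedef intptr_t  LPARAM;
typedef unsigned  UINT;
typedef long      LRESULT;

#define WM_USER       0x0400
/* Hypothetical custom-control message in the WM_USER+ range (assumption). */
#define CC_SETSOURCE  (WM_USER + 100)

#define NBUF 4
typedef struct {
    char  buf[NBUF][32];   /* storage the control itself owns */
    char *current;         /* buffer the control reads from when it paints */
} Control;

/* Vulnerable pattern: lParam is taken to be a pointer supplied by whoever
 * sent the message and is stored as-is. Any process that can obtain the
 * HWND can send WM_USER+ messages, so a foreign sender chooses what the
 * control dereferences later. */
static LRESULT vulnerable_proc(Control *c, UINT msg, WPARAM wParam, LPARAM lParam)
{
    (void)wParam;
    if (msg != CC_SETSOURCE)
        return 0;
    c->current = (char *)lParam;   /* trusts a cross-process value as a pointer */
    return 1;
}

/* Hardened pattern: the message carries an opaque index, never an address.
 * The control resolves it against memory it owns and bounds-checks it, so
 * nothing a sender controls ever becomes a pointer. */
static LRESULT hardened_proc(Control *c, UINT msg, WPARAM wParam, LPARAM lParam)
{
    (void)wParam;
    if (msg != CC_SETSOURCE)
        return 0;
    if (lParam < 0 || lParam >= NBUF)
        return -1;                 /* reject out-of-range handles */
    c->current = c->buf[lParam];
    return 1;
}

/* True when the control's current pointer lies inside its own buf[] array. */
static int points_into_own_storage(const Control *c)
{
    uintptr_t p  = (uintptr_t)c->current;
    uintptr_t lo = (uintptr_t)&c->buf[0][0];
    uintptr_t hi = lo + sizeof c->buf;
    return p >= lo && p < hi;
}

/* Sends a constructed, meaningless address as lParam to both handlers.
 * Returns 1 when the vulnerable handler accepted it as a pointer while the
 * hardened one rejected it and left its state untouched. */
int demo_foreign_pointer(void)
{
    Control v = {{{0}}, NULL}, h = {{{0}}, NULL};
    LPARAM foreign = (LPARAM)0x41414141;   /* constructed; not a valid pointer here */
    LRESULT rv = vulnerable_proc(&v, CC_SETSOURCE, 0, foreign);
    LRESULT rh = hardened_proc(&h, CC_SETSOURCE, 0, foreign);
    return rv == 1 && !points_into_own_storage(&v)
        && rh == -1 && h.current == NULL;
}

/* Sends a legitimate in-range index; the hardened handler accepts it and
 * the control ends up pointing at its own storage. Returns 1 on success. */
int demo_valid_index(void)
{
    Control h = {{{0}}, NULL};
    return hardened_proc(&h, CC_SETSOURCE, 0, 2) == 1
        && points_into_own_storage(&h)
        && hardened_proc(&h, WM_USER + 1, 0, 0) == 0;   /* unrelated message ignored */
}

int main(void)
{
    printf("foreign pointer: vulnerable accepts, hardened rejects -> %s\n",
           demo_foreign_pointer() ? "ok" : "FAIL");
    printf("valid index accepted by hardened handler -> %s\n",
           demo_valid_index() ? "ok" : "FAIL");
    return 0;
}
```

The design choice matters more than the bounds check itself: Win32 gives a window procedure no way to learn which process posted or sent a message, so "verify the sender" is not an available mitigation, and UIPI only blocks messages arriving from lower-integrity processes, leaving same-integrity senders untouched. The only handler that is safe against the whole WM_USER+ spectrum is one whose message parameters are never interpreted as addresses.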
