You are browsing the archive for Code Injection.

New Code Injection/Execution – Marsh…mellow

May 14, 2020 in Code Injection

All righty… this is a cool one, because it’s so… vague.

How do you describe a generic code execution technique without showing examples?

You show le video…

Then you explain that… any windows message above WM_USER is a potential code execution massacre. Yes. The GIF you looked at is just a simple example of enumerating all windows and their children, and then running a simple loop on all the windows handles. Each iteration of that loop sends a Window Message WM_USER (up to WM_USER+1000) to these windows owned by various processes.

It sounds stupid but it’s not. It counter-marshals (pun intended) the whole system of windows message marshaling…

Common controls use WM_USER+ messages. Custom controls use WM_USER+ messages. Every app is most likely using _some_ controls that are relying on WM_USER+ message. So yeah.. you just narrow this one down that allows you to swap content of a pointer of your choice and you have your code running inside another process user space.

This is the most vague code injection post you will probably come across, but let me tell you this: it describes a whole class of shatter attacks that are either happening, or are going to happen.

Hint: a good message to start playing with is EM_SETTEXTEX (WM_USER+97).

People pointing out Brett Moore’s work are absolutely right. The above idea is identical in principle, just generalized to cover the whole WM_USER spectrum (that includes custom messages that are application-specific & may require per-app research which opens up a lot of pathways to custom code injections e.g. Nvidia, AMD, Intel, Dell etc. GUI applications that are always on).

Code Injection everyone forgets about

April 9, 2020 in Code Injection

In 2013 Nick posted an article about Windows x64 system service hooks and advanced debugging. 2 years later Alex Ionescu published his classic Esoteric Hooks (PDF), and eventually Lasha Khasaia (@_qaz_qaz) published a POC that seemed to work as well.

All these references are pretty rare, and I must admit, I have not tested the code available, but it would be a waste it this trick was not covered one way or another, as both EDR and sandboxes could be potentially fooled by it…

How does it work?

NtSetInformationProcess(NtCurrentProcess(),
ProcessInstrumentationCallback,
&callback,
sizeof(callback));

So… if you are one of the vendors that operate in this space I hope you cover this particular call, at least.

My contribution to the topic: 0. But… Better safe than sorry.

For a comprehensive list of code injection techniques, check this post.