
A possible extension of Extra Window Memory Injection (EWMI) Via SetWindowLong

August 18, 2018 in Random ideas

This is just a note with regard to a question I sent to Endgame.

While reading their excellent post ‘Ten Process Injection Techniques’ it crossed my mind that the technique they refer to as ‘Extra Window Memory Injection (EWMI) Via SetWindowLong’, which was previously used by Gapz and PowerLoader, could potentially be extended to make it undetectable (at least temporarily).

How?

The technique relies on ‘talking’ to the ‘Shell_TrayWnd’ window.

Nowadays it’s not uncommon to have multi-monitor setups where users have two taskbars. The taskbar on the primary screen still uses the ‘Shell_TrayWnd’ class, while the taskbars on other displays use a different class name, ‘Shell_SecondaryTrayWnd’. Given that the functionality is almost identical, there is a high possibility the trick could work on the secondary tray window class as well. I have not tested it, but I would expect it to work.

Will update the post when I hear more/test it myself.

Adding some character to Alternate Data Streams

August 2, 2018 in Anti-*, Random ideas

Update

After I published it, Vess suggested a test with \x08 (backspace) – it was a pretty cool idea, so here is the result of testing:

  • c:\test\test.exe:foo\x08\x08\x08\x08\x08\x08\x08\x08\x08bar

Old Post

One of the file name restrictions that is listed on the classic Naming Files, Paths, and Namespaces page is this:

  • Characters whose integer representations are in the range from 1 through 31, except for alternate data streams where these characters are allowed. For more information about file streams, see File Streams.

I was curious how it works in practice with the ADS so here is the result of a test where I create the following file:

  • c:\test\test.exe:foo\x13\x10bar

So… creating the ADS using characters \x00-\x1F can produce unexpected results and possibly break various parsers. Not a biggie, but worth knowing about!

You can download the test file here. Just place it in c:\test\test.exe and run it.
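As an added illustration (not code from the original post), here is a small Python triage helper for the defender's side of this: given stream names in the form an enumerator such as FindFirstStreamW returns them (":name:$DATA"), it flags names carrying 0x00-0x1F characters, escapes them for logging, and shows what a console that honours backspaces would display instead. The sample names are constructed to mirror the two test files above, and the console model (backspace moves the cursor left, other control characters print nothing) is an assumption.

```python
from dataclasses import dataclass

# Characters 0x00-0x1F: legal inside an ADS name, illegal in an ordinary file name.
CONTROL = {chr(c) for c in range(0x20)}

# Constructed sample, in the ":name:$DATA" form FindFirstStreamW returns
# ("::$DATA" is the unnamed main stream); the last two mirror the post's test files.
SAMPLE_STREAMS = [
    "::$DATA",
    ":Zone.Identifier:$DATA",
    ":foo\x13\x10bar:$DATA",
    ":foo" + "\x08" * 9 + "bar:$DATA",
]

def escape_name(name: str) -> str:
    """Render every control character as \\xNN so a report shows the real name."""
    return "".join(f"\\x{ord(ch):02x}" if ch in CONTROL else ch for ch in name)

def terminal_view(name: str) -> str:
    """Approximate a console that honours backspace: each \\x08 moves the cursor one
    column left and later text overwrites; other control characters print nothing."""
    buf, cur = [], 0
    for ch in name:
        if ch == "\x08":
            cur = max(cur - 1, 0)
        elif ch not in CONTROL:
            if cur < len(buf):
                buf[cur] = ch
            else:
                buf.append(ch)
            cur += 1
    return "".join(buf)

@dataclass
class Finding:
    raw: str          # name exactly as the file system returned it
    escaped: str      # safe form for logs and tickets
    displayed: str    # what a naive console listing would show instead
    suspicious: bool  # True when the name carries any 0x00-0x1F character

def triage(stream_names):
    """Flag stream names containing control characters and keep an escaped copy."""
    return [Finding(n, escape_name(n), terminal_view(n), any(c in CONTROL for c in n))
            for n in stream_names]

if __name__ == "__main__":
    for f in triage(SAMPLE_STREAMS):
        print(("SUSPICIOUS " if f.suspicious else "ok ") + f"{f.escaped!r} -> {f.displayed!r}")
```

The backspace variant is the interesting one: its real name is 15 characters long, yet a console that honours \x08 shows it as a plain stream called bar.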