This is just a note with regards a question I sent to Endgame.

While reading their excellent post ‘Ten Process Injection Techniques‘ it crossed my mind that the technique they refer to as ‘Extra Window Memory Injection (EWMI) Via SetWindowLong’ and which was previously used by Gapz and PowerLoader could be potentially extended to make it undetectable (at least temporarily).

How?

The technique relies on ‘talking’ to the ‘Shell_TrayWnd’ window.

Nowadays it’s not uncommon to have multi-monitor setups where users have two taskbars. The taskbar on the primary screen is still using the ‘Shell_TrayWnd’ class while other displays use a different class name called ‘Shell_SecondaryTrayWnd’. So, given the functionality is almost identical there is a high possibility the trick could work on the secondary tray window class. I have not tested it, but I would expect it to work.

Will update the post when I hear more/test it myself.