Treepoline – new code injection technique

(Rich)Edit controls are not the only ones that suffer from callback overwrites. Tree-view controls fall into this category as well.

When a tree-view control is displaying its content, it needs to sort the items it shows. This sorting routine can be controlled and changed with a TVSORTCB structure. One of the fields in this structure is called lpfnCompare. It points to a routine that will be called any time a comparison between tree elements is required.

We can tell any tree-view window to use our callback by sending it a TVM_SORTCHILDRENCB message. The moment the control executes our callback routine, it's game over.

Since tree-view controls are present in many applications, including Windows Explorer and Regedit, this is a far more interesting technique than those affecting (Rich)Edit controls.

Here is an example of Regedit crashing when we change the address of the structure to 0x12345678:

Modexp shared a nice POC here.
Csaba shared a nice POC here.