How to con your host?

Goodbye, threat hunting configs and filters of the past. Microsoft introduced Windows Terminal and there is no way back.

While reading its actual source code today I noticed quite a lot of familiar code (I had poked around in conhost.exe code with IDA before), but then I stumbled upon an interesting bit that this post is all about.

The following command:

conhost.exe notepad.exe

doesn’t do anything on older versions of Windows 10. However, the latest version (tested on 18363) has a little LOLBINish surprise:

So… go back to your config and remove filters on conhost.exe. Remember, hate the message, not the messenger 😉

Reverse Data Injection

This is just a blurb for an idea that I posted on Twitter today. I have not figured it out yet per se, but just jotting down notes.

Programs that read command lines by design, as well as software offering assistive technology, offer an interesting opportunity to inject stuff into their process via reverse data injection. That is, the sole fact that they read data from other processes means they copy for us whatever buffer we feed to them. Then one just needs to find out the address of that buffer & execute it (the latter is the harder part).

As I was testing how popular methods of listing processes and retrieving command lines work, I noticed some inconsistencies in the way various programs report the results. The following lists the preliminary findings:

Process list tools that show the command line buffer the program started with:

  • Tasklist /v
  • WMIC path win32_process
  • Get-Process – doesn’t show the command line! need to use Get-WmiObject
  • Taskmgr.exe

Process list tools that show the command line buffer as modified by the program after start:

  • Process Hacker
  • Process Explorer (truncated to first Unicode null character)

This is not a huge difference, but in the case of Process Hacker and Process Explorer you could use the fact that they read the most up-to-date buffer content to e.g. transmit data in chunks; plus you don’t need to feed the logs with shellcode passed as a command line (i.e. you can change the command line buffer in memory, and only after the child program is launched).
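As an added example (not code from the original post), here is the difference between a reader that honours UNICODE_STRING.Length and one that stops at the first NUL, plus two checks a defender can apply: what hides past the NUL, and whether the live buffer still matches the command line logged at process creation. The "remote process" is a constructed in-memory image with made-up addresses, not a real PEB; only the x64 UNICODE_STRING layout is real.

```python
import struct

# Constructed sample: a fake PEB->ProcessParameters->CommandLine UNICODE_STRING
# whose buffer was rewritten after start to tuck data behind a NUL. The
# addresses below are assumptions for this toy image, not real offsets.
FAKE_USTR_ADDR = 0x1000   # where the UNICODE_STRING struct lives
FAKE_BUF_ADDR = 0x2000    # where its Buffer member points
LOGGED_AT_START = "notepad.exe"          # what a creation-time log recorded
_buffer = ("notepad.exe" + "\x00" + "extra-bytes").encode("utf-16-le")
_ustr = struct.pack("<HHIQ", len(_buffer), len(_buffer) + 2, 0, FAKE_BUF_ADDR)
FAKE_MEMORY = {FAKE_USTR_ADDR: _ustr, FAKE_BUF_ADDR: _buffer}


def read_memory(addr: int, size: int) -> bytes:
    """Stand-in for ReadProcessMemory over the constructed image."""
    for base, data in FAKE_MEMORY.items():
        if base <= addr < base + len(data):
            return data[addr - base: addr - base + size]
    raise ValueError(f"unmapped address {addr:#x}")


def read_command_line(ustr_addr: int) -> tuple[str, str]:
    """Return (length_bound, nul_terminated) views of the command line.

    x64 UNICODE_STRING: USHORT Length, USHORT MaximumLength, 4 bytes of
    padding, PVOID Buffer. Length is in bytes and is NOT NUL-terminated,
    so a reader that stops at the first NUL sees a shorter string.
    """
    length, _max_len, _pad, buf_ptr = struct.unpack_from(
        "<HHIQ", read_memory(ustr_addr, 16))
    full = read_memory(buf_ptr, length).decode("utf-16-le", errors="replace")
    truncated = full.split("\x00", 1)[0]
    return full, truncated


def hidden_tail(ustr_addr: int) -> str:
    """Data inside Length but past the first NUL: a NUL-stopping reader
    (and the creation-time log) never show it."""
    full, truncated = read_command_line(ustr_addr)
    return full[len(truncated) + 1:] if len(full) > len(truncated) else ""


def command_line_rewritten(logged: str, ustr_addr: int) -> bool:
    """Detection signal: live buffer differs from what was logged at start."""
    full, _ = read_command_line(ustr_addr)
    return full != logged
```

Run against a real process this needs ReadProcessMemory and the PEB address from NtQueryInformationProcess; the image above only substitutes for that plumbing.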

With regards to assistive technology, I covered it in the past. Under the hood it relies heavily on the ReadProcessMemory function to read data from other controls, hence you could feed shellcode this way to UI automation software.