Treepoline – new code injection technique

(Rich) Edit controls are not the only ones that suffer from callback overwrites. Tree-view controls fall into this category as well.

A tree-view control sorts the items it displays, and the sorting routine can be controlled and replaced through a TVSORTCB structure. One of the fields in this structure, lpfnCompare, points to a routine that is called whenever a comparison between two tree items is required.

We can tell any tree-view window to use our callback by sending it a TVM_SORTCHILDRENCB message. The moment the control executes our callback routine, it's game over.

Since tree-view controls are present in many applications, including Windows Explorer and Regedit, this is a far more interesting technique than those affecting (Rich) Edit controls.

Here is an example of Regedit crashing when we change the address of the structure to 0x12345678:

Modexp shared a nice POC here.
Csaba shared a nice POC here.

3 (4) new code injection tricks

Update

After I published it, I got a few updates: a couple of guys successfully implemented POCs for some of the techniques in this series, and this post itself was updated a few times as well. Finally, Alex Ionescu also chipped in to say that he used this technique as early as 2008 (or 2011?) and presented it at Recon that year. Unfortunately, the link/slides are not available online at the time of writing this update. Also, it is important to note that in my older post about WordWarper I included an update about that technique being known as early as 2003!

Old Post

I was planning to blog about various (Rich) Edit callback functions for a long time. Why? Because these callbacks allow us to remotely execute code inside processes that host these controls (sometimes these controls need to meet additional criteria).

I eventually started describing them yesterday.

At first I planned to have a few posts, each dedicated to one callback (with a new cheesy 'code injection' name included), but then Csaba discovered EM_SETAUTOCORRECTPROC and I felt that it's just easier to wrap it up with a short post and introduce them all in one go 🙂

So… why does it work? (Rich) Edit includes a number of callback functions that can be modified from a different program thanks to the Windows messaging mechanism. These callbacks are simple pointers to functions and are called by the control's window procedure in response to various events.

Below are the techniques I wanted to walk through – each one describes a message (or a pair of messages) that need(s) to be sent and a prototype for the callback procedure that will be executed by the (Rich) Edit window procedure.

Due to its nature it should work across the 32-/64-bit boundary, the same as Propagate. Since the cat is out of the bag, I lost interest and have not tested it too much, but it should work.

WordWarping (if it works)

EM_SETWORDBREAKPROC & EditWordBreakProc

Hyphentension (if it works)

EM_SETHYPHENATEINFO & HyphenateProc

AutoCourgette (if it works)

EM_SETAUTOCORRECTPROC & AutoCorrectProc

+ after I posted this, Csaba discovered a super-cool 'feature' that allows one to actually call the AutoCorrectProc in a remote process — via EM_CALLAUTOCORRECTPROC. This is a great find and simplifies execution (which otherwise requires GUI instrumentation).

Streamception (if it works)

EM_STREAMIN or EM_STREAMOUT & EditStreamCallback

Update:

After I posted this, I found one more callback function. So the title should probably be '4 more code injection tricks' 😉

Oleum (if it works)

EM_SETOLECALLBACK and IRichEditOleCallback
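From the defender's side, the common thread of the tree-view trick above and the (Rich) Edit messages listed here is that a callback pointer is installed by a message that arrives from a different process. The following detector is an added example, not code from the original post or any of the linked POCs: it scans message-trace lines in an assumed format (sender PID, target PID, HWND, message number, as a hook or EDR sensor might record them; the format and the sample lines are constructed for this example) and flags the public Win32 message numbers named in this series when they are sent cross-process. It also pairs EM_CALLAUTOCORRECTPROC with a preceding EM_SETAUTOCORRECTPROC from the same sender, since that pair is what turns the installed pointer into execution.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

WM_USER = 0x0400
TV_FIRST = 0x1100

# Public Win32 message numbers for the callback-setting messages in the post.
CALLBACK_MESSAGES: Dict[int, str] = {
    0x00D0:        "EM_SETWORDBREAKPROC",    # installs EditWordBreakProc
    WM_USER + 70:  "EM_SETOLECALLBACK",      # installs IRichEditOleCallback
    WM_USER + 73:  "EM_STREAMIN",            # supplies EditStreamCallback
    WM_USER + 74:  "EM_STREAMOUT",           # supplies EditStreamCallback
    WM_USER + 203: "EM_SETHYPHENATEINFO",    # installs HyphenateProc
    WM_USER + 234: "EM_SETAUTOCORRECTPROC",  # installs AutoCorrectProc
    TV_FIRST + 21: "TVM_SORTCHILDRENCB",     # supplies TVSORTCB.lpfnCompare
}
# Messages that make the control invoke an already-installed callback,
# mapped to the message that installs it.
TRIGGER_MESSAGES: Dict[int, Tuple[str, str]] = {
    WM_USER + 255: ("EM_CALLAUTOCORRECTPROC", "EM_SETAUTOCORRECTPROC"),
}

# Assumed trace format (constructed for this example, not a real Windows log):
#   sender_pid=<n> target_pid=<n> hwnd=0x<hex> msg=0x<hex>
LINE_RE = re.compile(
    r"sender_pid=(?P<src>\d+)\s+target_pid=(?P<dst>\d+)\s+"
    r"hwnd=0x(?P<hwnd>[0-9A-Fa-f]+)\s+msg=0x(?P<msg>[0-9A-Fa-f]+)"
)


@dataclass
class Finding:
    line_no: int
    sender_pid: int
    target_pid: int
    hwnd: int
    message: str
    note: str


def scan(lines: List[str]) -> List[Finding]:
    """Flag callback-setting messages sent into a window owned by another process.

    Same-process use of these messages is ordinary control operation; the
    risk described in the post is a foreign process supplying the pointer.
    """
    findings: List[Finding] = []
    # (sender_pid, hwnd) -> install messages already seen from that sender,
    # so a later trigger message can be tied back to the install.
    installed: Dict[Tuple[int, int], Set[str]] = {}
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue  # not a message-trace line
        src, dst = int(m["src"]), int(m["dst"])
        hwnd, msg = int(m["hwnd"], 16), int(m["msg"], 16)
        if src == dst:
            continue  # the hosting process talking to its own control
        if msg in CALLBACK_MESSAGES:
            name = CALLBACK_MESSAGES[msg]
            installed.setdefault((src, hwnd), set()).add(name)
            findings.append(Finding(n, src, dst, hwnd, name,
                                    "cross-process callback pointer installed"))
        elif msg in TRIGGER_MESSAGES:
            name, setter = TRIGGER_MESSAGES[msg]
            armed = setter in installed.get((src, hwnd), set())
            note = ("callback installed by same sender, now triggered"
                    if armed else "trigger without observed install")
            findings.append(Finding(n, src, dst, hwnd, name, note))
    return findings


# Constructed sample trace (not captured from a real system).
SAMPLE_TRACE = [
    "sender_pid=1234 target_pid=1234 hwnd=0x000A0B2C msg=0x00D0",  # own process, benign
    "sender_pid=4444 target_pid=1234 hwnd=0x000A0B2C msg=0x1115",  # TVM_SORTCHILDRENCB
    "sender_pid=4444 target_pid=1234 hwnd=0x000A0B2C msg=0x000C",  # WM_SETTEXT, not a callback
    "sender_pid=4444 target_pid=5678 hwnd=0x00050F10 msg=0x04EA",  # EM_SETAUTOCORRECTPROC
    "sender_pid=4444 target_pid=5678 hwnd=0x00050F10 msg=0x04FF",  # EM_CALLAUTOCORRECTPROC
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TRACE):
        print(f"line {f.line_no}: pid {f.sender_pid} -> pid {f.target_pid} "
              f"hwnd 0x{f.hwnd:08X} {f.message}: {f.note}")
```

Run on the constructed trace it reports three findings: the tree-view sort callback installed into pid 1234, and the AutoCorrectProc installed into pid 5678 followed by the message that invokes it. The same-process EM_SETWORDBREAKPROC and the cross-process WM_SETTEXT are left alone, which keeps the rule narrow enough to be useful on real traffic: what matters is not the message itself but that the pointer it carries was chosen by a process other than the one that will call it.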

Modexp shared a nice POC here.
Csaba shared a nice POC here.