{"id":4403,"date":"2017-11-03T00:54:05","date_gmt":"2017-11-03T00:54:05","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4403"},"modified":"2017-11-03T01:17:25","modified_gmt":"2017-11-03T01:17:25","slug":"propagate-a-new-code-injection-trick-64-bit-and-32-bit","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/11\/03\/propagate-a-new-code-injection-trick-64-bit-and-32-bit\/","title":{"rendered":"PROPagate \u2013 a new code injection trick &#8211; 64-bit and 32-bit"},"content":{"rendered":"<p>I have recently discovered <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/10\/26\/propagate-a-new-code-injection-trick\/\">a new trick<\/a> that allows to execute code in other processes without using remote threads, APC, etc. While describing it, I focused only on 32-bit architecture. One may wonder whether there is a way for it to work on 64-bit systems and even more interestingly &#8211; whether there is a possibility to inject\/run code between 32- and 64- bit processes.<\/p>\n<p>To test it, I checked my 32-bit code injector on a 64-bit box. It crashed my 64-bit Explorer.exe process in no time.<\/p>\n<p>So, yes, we can change properties of windows belonging to 64-bit processes from a 32-bit process! And yes, you can swap the subclass properties I described previously to point to your injected buffer and eventually make the payload execute! The reason it works is that original property addresses are stored in lower 32-bit of the 64-bit offset. 
Replacing that lower 32-bit part of the offset to point to a newly allocated buffer (also in the lower area of memory, thanks to VirtualAllocEx) is enough to trigger the code execution.<\/p>\n<p>See below the GetProp inside explorer.exe retrieving the subclassed property:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/getprop64.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4411\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/getprop64.png\" alt=\"\" width=\"500\" height=\"462\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/getprop64.png 793w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/getprop64-300x277.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/getprop64-768x709.png 768w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<p>So, there you have it&#8230; a 32-bit process injecting into a 64-bit process and executing the payload w\/o heaven&#8217;s gate or using other undocumented tricks.<\/p>\n<p>Below is the moment the 64-bit shellcode is executed:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/inject64.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4414\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/inject64.png\" alt=\"\" width=\"500\" height=\"183\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/inject64.png 788w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/inject64-300x110.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/inject64-768x282.png 768w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<p>p.s. 
the structure of the subclassed callbacks is slightly different inside 64-bit processes due to 64-bit offsets, but again, I don&#8217;t want to make it any easier for bad guys than it should be \ud83d\ude42<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have recently discovered a new trick that allows to execute code in other processes without using remote threads, APC, etc. While describing it, I focused only on 32-bit architecture. One may wonder whether there is a way for it &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/11\/03\/propagate-a-new-code-injection-trick-64-bit-and-32-bit\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,57,15,52,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4403"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4403"}],"version-history":[{"count":9,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4403\/revisions"}],"predecessor-version":[{"id":4416,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4403\/revisions\/4416"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}