{"id":4614,"date":"2018-02-04T01:30:25","date_gmt":"2018-02-04T01:30:25","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4614"},"modified":"2018-02-04T01:38:50","modified_gmt":"2018-02-04T01:38:50","slug":"propagate-follow-up-2-some-more-shattering-attack-potentials","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/02\/04\/propagate-follow-up-2-some-more-shattering-attack-potentials\/","title":{"rendered":"PROPagate follow-up #2 \u2013 Some more Shattering Attack Potentials"},"content":{"rendered":"

A few months back I discovered a new code injection technique that I named PROPagate<\/a>. Using a subclass of a well-known shatter attack<\/a> one can modify the callback function pointers inside other processes by using Windows APIs like SetProp, and potentially others. After pointing out a few<\/a> ideas<\/a> I put it on a back burner for a while, but I knew I will want to explore some more possibilities in the future.<\/p>\n

In particular, I was curious what are the chances one could force the remote process to indirectly call the ‘prohibited’ functions like SetWindowLong, SetClassLong (or their newer alternatives SetWindowLongPtr and SetClassLongPtr), but with the arguments that we control (i.e. from a remote process). These API are ‘prohibited’ because they can only be called in a context of a process that owns them, so we can’t directly call them and target windows that belong to other processes.<\/p>\n

It turns out his may be possible!<\/p>\n

If there is one common way of using the SetWindowLong API it is to set up pointers, and\/or filling-in window-specific memory areas (allocated per window instance) with some values that are initialized immediately after the window is created. The same thing happens when the window is destroyed – during the latter these memory areas are usually freed and set to zeroes, and callbacks are discarded.<\/p>\n

These two actions are associated with two very specific window messages:<\/p>\n