{"id":5278,"date":"2018-08-18T00:35:27","date_gmt":"2018-08-18T00:35:27","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=5278"},"modified":"2018-08-18T00:35:27","modified_gmt":"2018-08-18T00:35:27","slug":"a-possible-extension-of-extra-window-memory-injection-ewmi-via-setwindowlong","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/08\/18\/a-possible-extension-of-extra-window-memory-injection-ewmi-via-setwindowlong\/","title":{"rendered":"A possible extension of Extra Window Memory Injection (EWMI) Via SetWindowLong"},"content":{"rendered":"<p>This is just a note regarding a question I sent to <a href=\"https:\/\/twitter.com\/Hexacorn\/status\/1030613606025625600\">Endgame<\/a>.<\/p>\n<p>While reading their excellent post &#8216;<a href=\"https:\/\/www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process\">Ten Process Injection Techniques<\/a>&#8217; it crossed my mind that the technique they refer to as &#8216;Extra Window Memory Injection (EWMI) Via SetWindowLong&#8217;, which was previously used by Gapz and PowerLoader, could potentially be extended to make it undetectable (at least temporarily).<\/p>\n<p>How?<\/p>\n<p>The technique relies on &#8216;talking&#8217; to the &#8216;Shell_TrayWnd&#8217; window.<\/p>\n<p>Nowadays it&#8217;s not uncommon to have multi-monitor setups where users have two taskbars. The taskbar on the primary screen still uses the &#8216;Shell_TrayWnd&#8217; class, while other displays use a different class name called &#8216;Shell_SecondaryTrayWnd&#8217;. So, given that the functionality is almost identical, there is a high possibility the trick could work on the secondary tray window class. I have not tested it, but I would expect it to work.<\/p>\n<p>Will update the post when I hear more\/test it myself.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is just a note regarding a question I sent to Endgame. 
While reading their excellent post &#8216;Ten Process Injection Techniques&#8217; it crossed my mind that the technique they refer to as &#8216;Extra Window Memory Injection (EWMI) Via SetWindowLong&#8217; &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/08\/18\/a-possible-extension-of-extra-window-memory-injection-ewmi-via-setwindowlong\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[58],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5278"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=5278"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5278\/revisions"}],"predecessor-version":[{"id":5281,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/5278\/revisions\/5281"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=5278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=5278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=5278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}