{"id":6238,"date":"2019-04-24T18:23:28","date_gmt":"2019-04-24T18:23:28","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6238"},"modified":"2019-08-20T23:11:49","modified_gmt":"2019-08-20T23:11:49","slug":"3-new-code-injection-tricks","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/04\/24\/3-new-code-injection-tricks\/","title":{"rendered":"3 (4) new code injection tricks"},"content":{"rendered":"\n<p><strong>Update<\/strong><\/p>\n\n\n\n<p>After I published this post I got a few updates: a couple of people successfully implemented POCs for some of the techniques in this series, and the post itself was updated a few times as well. Finally, <a href=\"https:\/\/twitter.com\/aionescu\">Alex Ionescu<\/a> also <a href=\"https:\/\/twitter.com\/aionescu\/status\/1123351278384340992\">chipped in<\/a> to say that he used this technique as early as 2008 (or 2011?) and presented it at Recon that year. Unfortunately, a link to the talk and its slides is not available online at the time of writing this update. It is also important to note that in my older post about <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/04\/23\/wordwarper-new-code-injection-trick\/\">WordWarper<\/a> I included an update noting that the technique was known as early as 2003!<\/p>\n\n\n\n<p><strong>Old Post<\/strong><\/p>\n\n\n\n<p>I had been planning to blog about the various (Rich) Edit callback functions for a long time. Why? Because these callbacks allow us to remotely execute code inside any process that hosts one of these controls (sometimes the control also needs to meet additional criteria, such as a sufficiently recent Rich Edit version).<\/p>\n\n\n\n<p>I eventually <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/04\/23\/wordwarper-new-code-injection-trick\/\">started<\/a> describing them yesterday. 
<\/p>\n\n\n\n<p>At first I planned to write a few posts, each dedicated to one callback (with a new cheesy &#8216;code injection&#8217; name included), but then <a href=\"https:\/\/twitter.com\/theevilbit\">Csaba<\/a> <a href=\"https:\/\/twitter.com\/theevilbit\/status\/1120982922616610816\">discovered<\/a> EM_SETAUTOCORRECTPROC and I felt that it&#8217;s just easier to wrap it all up in one short post and introduce them in one go \ud83d\ude42<\/p>\n\n\n\n<p>So&#8230; why does it work? Edit and Rich Edit controls expose a number of callback functions that can be set from a different process thanks to the Windows messaging mechanism: any process on the same desktop can send the relevant EM_SET* message to the control&#8217;s window handle (UIPI only stops messages going to a higher-integrity window), and the control&#8217;s window procedure stores the supplied pointer with no way of telling who sent it. These callbacks are plain function pointers, interpreted in the address space of the process that hosts the control, and they are called by the control&#8217;s window procedure in response to various events. An attacker therefore only has to place code at a known address inside the host process (e.g. with the usual VirtualAllocEx and WriteProcessMemory pair) and hand that address over in the message; the next event that fires the callback runs the code in the host.<\/p>\n\n\n\n<p>Below are the techniques I wanted to walk through &#8211; each one lists the message (or pair of messages) that needs to be sent and the prototype of the callback procedure that the (Rich) Edit window procedure will execute.<\/p>\n\n\n\n<p>Due to its nature it should work across the 32-\/64-bit boundary, same as <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/11\/03\/propagate-a-new-code-injection-trick-64-bit-and-32-bit\/\">Propagate<\/a>. 
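<\/p>\n\n\n\n<p>The same messaging mechanism lets anyone read the installed pointers back: EM_GETWORDBREAKPROC on Edit and Rich Edit controls, and EM_GETAUTOCORRECTPROC on the msftedit.dll Rich Edit 8.0 and later controls that implement autocorrect. A defender can therefore hunt for hijacked callbacks by asking every edit control on the desktop where its callbacks point and checking, with VirtualQueryEx on the owning process, whether that address is backed by a mapped image or by private executable memory. The program below is an added example written for this edit, not code from the original post or from the POCs it links to; it assumes a C compiler targeting Win32 (the Win32 parts are compiled only on Windows, the two verdict helpers are portable), the richedit.h value EM_GETAUTOCORRECTPROC = WM_USER + 233, and the window-class heuristic that every Edit or Rich Edit class name contains the substring edit.<\/p>

```c
/* richedit_cb_hunt.c (added example): read back the callback pointers of every
 * Edit / Rich Edit window on the desktop and classify where each one lands.
 * Win32 code is compiled only on Windows; the verdict helpers are portable. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#ifndef EM_GETAUTOCORRECTPROC
#define EM_GETAUTOCORRECTPROC (WM_USER + 233)   /* richedit.h, Rich Edit 8.0+ */
#endif
#else /* mirror the Win32 memory constants so the verdict logic builds anywhere */
#define MEM_COMMIT             0x1000
#define MEM_PRIVATE            0x20000
#define MEM_IMAGE              0x1000000
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#endif

/* Heuristic: "Edit" and every Rich Edit class ("RichEdit20W", "RICHEDIT50W", ...)
 * contain "edit", case-insensitively. */
int class_is_edit(const char *cls) {
    for (size_t i = 0, n = strlen(cls); i + 4 <= n; i++) {
        if (tolower((unsigned char)cls[i]) == 'e' && tolower((unsigned char)cls[i + 1]) == 'd' &&
            tolower((unsigned char)cls[i + 2]) == 'i' && tolower((unsigned char)cls[i + 3]) == 't')
            return 1;
    }
    return 0;
}

/* Verdict for a callback pointer given State/Type/Protect of the region it lands in. */
const char *classify_callback(uintptr_t addr, uint32_t state, uint32_t type, uint32_t protect) {
    uint32_t exec_mask = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
    if (addr == 0)              return "default (no callback installed)";
    if (state != MEM_COMMIT)    return "SUSPICIOUS: non-committed memory";
    if (!(protect & exec_mask)) return "SUSPICIOUS: non-executable memory";
    if (type == MEM_IMAGE)      return "expected: inside a mapped image";
    if (type == MEM_PRIVATE && (protect & PAGE_EXECUTE_READWRITE))
                                return "SUSPICIOUS: private RWX memory (classic injection footprint)";
    return "SUSPICIOUS: executable memory not backed by an image";
}

#ifdef _WIN32
static void report(HWND hwnd, const char *cls, const char *msg, DWORD_PTR ptr) {
    DWORD pid = 0;
    GetWindowThreadProcessId(hwnd, &pid);
    printf("hwnd=%p pid=%lu class=%s %s=0x%llx -> ", (void *)hwnd, (unsigned long)pid, cls, msg,
           (unsigned long long)ptr);
    if (ptr == 0) { puts(classify_callback(0, 0, 0, 0)); return; }
    HANDLE hp = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!hp) { puts("(cannot open process; run elevated)"); return; }
    MEMORY_BASIC_INFORMATION mbi = {0};
    char image[MAX_PATH] = "";
    if (!VirtualQueryEx(hp, (LPCVOID)ptr, &mbi, sizeof mbi)) {
        puts("(VirtualQueryEx failed)");
    } else {
        if (mbi.Type == MEM_IMAGE)   /* name the module so third-party DLLs can be judged too */
            GetMappedFileNameA(hp, mbi.AllocationBase, image, sizeof image);
        printf("%s %s\n", classify_callback((uintptr_t)ptr, mbi.State, mbi.Type, mbi.Protect), image);
    }
    CloseHandle(hp);
}

static BOOL CALLBACK on_window(HWND hwnd, LPARAM lp) {
    char cls[64];
    DWORD_PTR proc = 0;
    if (GetClassNameA(hwnd, cls, sizeof cls) && class_is_edit(cls)) {
        /* SendMessageTimeout so a hung target cannot stall the scan; a failure here
           usually means UIPI refused the message (higher-integrity target). */
        if (SendMessageTimeoutA(hwnd, EM_GETWORDBREAKPROC, 0, 0, SMTO_ABORTIFHUNG, 500, &proc))
            report(hwnd, cls, "EM_GETWORDBREAKPROC", proc);
        if (SendMessageTimeoutA(hwnd, EM_GETAUTOCORRECTPROC, 0, 0, SMTO_ABORTIFHUNG, 500, &proc))
            report(hwnd, cls, "EM_GETAUTOCORRECTPROC", proc);
    }
    if (lp == 0) EnumChildWindows(hwnd, on_window, 1);   /* descend once from each top-level window */
    return TRUE;
}

int main(void) { return EnumWindows(on_window, 0) ? 0 : 1; }
#else
int main(void) {   /* off Windows there is nothing to query; show the verdicts on constructed regions */
    puts(classify_callback(0x7ffd1230, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ));
    puts(classify_callback(0x1f0000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE));
    return 0;
}
#endif
```

<p>Build on Windows with e.g. <code>gcc richedit_cb_hunt.c -lpsapi -o richedit_cb_hunt.exe<\/code> and run it from a process whose integrity level is at least that of the targets you care about, since UIPI blocks messages sent to higher-integrity windows and VirtualQueryEx needs PROCESS_QUERY_INFORMATION on the target. Controls that do not implement a message (a plain Edit control, or an older riched20.dll asked for EM_GETAUTOCORRECTPROC) answer 0, which shows up as default. A callback that resolves to private RWX memory, or to executable memory that no image backs, is the footprint the techniques in this post leave behind; one that resolves into msftedit.dll, riched20.dll or the host&#8217;s own modules is the normal case, and the module path (printed in NT device form by GetMappedFileName) lets the analyst judge third-party DLLs as well.<\/p>\n\n\n\n<p>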
Since the cat is out of the bag, I lost interest and have not tested it too much, but it should work.<\/p>\n\n\n\n<p><strong>WordWarping (if it works)<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/controls\/em-setwordbreakproc\">EM_SETWORDBREAKPROC<\/a> &amp; <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/api\/winuser\/nc-winuser-editwordbreakproca\">EditWordBreakProc<\/a><\/p>\n\n\n\n<p><strong>Hyphentension (if it works)<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/controls\/em-sethyphenateinfo\">EM_SETHYPHENATEINFO<\/a> &amp; <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/api\/richedit\/nf-richedit-hyphenateproc\">HyphenateProc<\/a>. Note that here the function pointer travels inside a HYPHENATEINFO structure (its pfnHyphenate member), so that structure has to be written into the target process as well.<\/p>\n\n\n\n<p><strong>AutoCourgette (if it works)<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/controls\/em-setautocorrectproc\">EM_SETAUTOCORRECTPROC<\/a> &amp; <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/api\/Richedit\/nc-richedit-autocorrectproc\">AutoCorrectProc<\/a><\/p>\n\n\n\n<p>+ after I posted this, <a href=\"https:\/\/twitter.com\/theevilbit\">Csaba<\/a> discovered a super-cool &#8216;feature&#8217; that allows the AutoCorrectProc to be invoked in the remote process on demand, via <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/controls\/em-callautocorrectproc\">EM_CALLAUTOCORRECTPROC<\/a>. 
This is a great find and simplifies execution (which otherwise requires GUI instrumentation, i.e. making the control raise the event that fires the callback).<\/p>\n\n\n\n<p><strong>Streamception (if it works)<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/controls\/em-streamin\">EM_STREAMIN<\/a> or <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/controls\/em-streamout\">EM_STREAMOUT<\/a> &amp; <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/api\/Richedit\/nc-richedit-editstreamcallback\">EditStreamCallback<\/a>. Note that, unlike the EM_SET*PROC messages, which carry the function pointer directly in the message parameter, these two take a pointer to an EDITSTREAM structure whose pfnCallback member holds the callback, so the structure itself has to be placed in the target process as well; in return the callback runs synchronously while the message is being processed, with no GUI event needed.<\/p>\n\n\n\n<p><strong>Update: <\/strong><\/p>\n\n\n\n<p>After I posted this, I found one more callback function. So the title should probably be &#8216;4 more code injection tricks&#8217; \ud83d\ude09<\/p>\n\n\n\n<p><strong>Oleum (if it works)<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/controls\/em-setolecallback\">EM_SETOLECALLBACK<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/api\/Richole\/nn-richole-iricheditolecallback\">IRichEditOleCallback<\/a>. Here the message parameter is a pointer to a COM object rather than to a function, so what must live in the target is a fake object whose vtable entries (the IUnknown methods and the IRichEditOleCallback methods) the control will call.<\/p>\n\n\n\n<p>Modexp shared a nice POC <a href=\"https:\/\/modexp.wordpress.com\/2019\/04\/25\/seven-window-injection-methods\/\">here<\/a>.<br>Csaba shared a nice POC <a href=\"https:\/\/github.com\/theevilbit\/injection\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update After I published it I got a few updates; a couple of guys successfully implemented POCs for some of the techniques in this series, this post itself was updated a few times as well. 
Finally, Alex Ionescu also chipped &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/04\/24\/3-new-code-injection-tricks\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[57],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6238"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6238"}],"version-history":[{"count":17,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6238\/revisions"}],"predecessor-version":[{"id":6678,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6238\/revisions\/6678"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}