{"id":6248,"date":"2019-04-24T23:31:52","date_gmt":"2019-04-24T23:31:52","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6248"},"modified":"2019-08-20T23:12:06","modified_gmt":"2019-08-20T23:12:06","slug":"treepoline-new-code-injection-technique","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/04\/24\/treepoline-new-code-injection-technique\/","title":{"rendered":"Treepoline &#8211; new code injection technique"},"content":{"rendered":"\n<p>(Rich)Edit controls are not the only ones that suffer callback overwrites. The tree-view controls are also in this category.<\/p>\n\n\n\n<p>When a tree-view control is displaying its content it needs to sort the items it shows. This sorting routine can be controlled, and changed with a <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/api\/Commctrl\/ns-commctrl-tagtvsortcb\">TVSORTCB<\/a> structure. One of the fields in this structure is called lpfnCompare. It points to a routine that will be called anytime a comparison between tree elements is required.<\/p>\n\n\n\n<p>We can tell any tree-view window to use our callback by sending a <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/Controls\/tvm-sortchildrencb\">TVM_SORTCHILDRENCB<\/a>. 
The moment the control executes our callback routine, it&#8217;s game over.<\/p>\n\n\n\n<p>Since tree-view controls are present in many applications, including Windows Explorer and Regedit, this is a far more interesting technique than those affecting (Rich)Edit controls.<\/p>\n\n\n\n<p>Here is an example of Regedit crashing when we change the address of the structure to 0x12345678:<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/04\/Treepoline1.png\" alt=\"\" class=\"wp-image-6249\" width=\"500\" height=\"124\"\/><\/figure>\n\n\n\n<p>Modexp shared a nice POC <a href=\"https:\/\/modexp.wordpress.com\/2019\/04\/25\/seven-window-injection-methods\/\">here<\/a>. <br>Csaba shared a nice POC <a href=\"https:\/\/github.com\/theevilbit\/injection\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>(Rich)Edit controls are not the only ones that suffer callback overwrites. The tree-view controls are also in this category. When a tree-view control is displaying its content it needs to sort the items it shows. 
This sorting routine can be &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/04\/24\/treepoline-new-code-injection-technique\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[57],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6248"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6248"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6248\/revisions"}],"predecessor-version":[{"id":6679,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6248\/revisions\/6679"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}