Talking to, and handling (edit) boxes

Hexacorn blog, 2019-06-28, https://www.hexacorn.com/blog/2019/06/28/talking-to-and-handling-edit-boxes/

In my older posts (https://www.hexacorn.com/blog/2019/05/18/inserting-data-into-other-processes-address-space/) I mentioned that data injection techniques are as important as code execution. If you can sneak some data into another process' address space without being caught... you get a foot in the door for stealthy code execution or evasion.

Writing data to other processes is quite easy, but finding where it is actually stored is much harder. Nowadays, aggressive enumeration or scanning of memory regions in other processes' address space will surely trigger some alerts (the technique is known as RAM scraping, and some security solutions detect it).

Luckily, Windows messages come to the rescue again: they still enjoy very unrestricted access to the memory of other processes while providing a convenient interface to it (and the interface itself is rather hard to monitor).

The EM_GETHANDLE (https://docs.microsoft.com/en-us/windows/desktop/controls/em-gethandle) and EM_SETHANDLE (https://docs.microsoft.com/en-us/windows/desktop/controls/em-sethandle) messages are used by Edit Controls. When you send the first of these messages you get the address of the buffer where the edit control stores its text (i.e. whatever you type in Notepad). When you send the second, you can actually change the address of this buffer to whatever you want, even if only temporarily.

You could therefore launch Notepad, send keystrokes to it to 'type' a set of characters (a cleverly crafted shellcode), or simply launch the program to open your payload file as text, then find the address of the memory where this data is stored via the EM_GETHANDLE message, and finally use one of the known code execution techniques to run this code.

The shellcode itself needs to be Unicode-compatible (if you use English letters only, each 8-bit character will be converted to Unicode as a 16-bit word with a leading zero; the shellcode needs to take this into account). Luckily, the fact that the characters must be Unicode is actually beneficial, as the characters can be almost anything and may form a nice binary shellcode (i.e. you could save the shellcode natively as UTF-16 and use a BOM (https://en.wikipedia.org/wiki/Byte_order_mark) to let Notepad know how to load the file). Notably, E9 and EB (opcodes for unconditional jumps) seem to be easy to inject without any tricks (both of them are Latin letters 'e' with accents).

[Figure: em_gethandle.png]