![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/05\/marshmellow.gif\")
<\/figure>\n\n\n\nThen you explain that… any windows message above WM_USER is a potential code execution massacre. Yes. The GIF you looked at is just a simple example of enumerating all windows and their children, and then running a simple loop on all the windows handles. Each iteration of that loop sends a Window Message WM_USER (up to WM_USER+1000) to these windows owned by various processes.<\/p>\n\n\n\n
It sounds stupid but it’s not. It counter-marshals (pun intended) the whole system of windows message marshaling… <\/p>\n\n\n\n
Common controls use WM_USER+ messages. Custom controls use WM_USER+ messages. Every app is most likely using _some_ controls that are relying on WM_USER+ message. So yeah.. you just narrow this one down that allows you to swap content of a pointer of your choice and you have your code running inside another process user space.<\/p>\n\n\n\n
This is the most vague code injection post you will probably come across, but let me tell you this: it describes a whole class of shatter attacks that are either happening, or are going to happen.<\/p>\n\n\n\n
Hint: a good message to start playing with is EM_SETTEXTEX<\/a> (WM_USER+97).<\/p>\n\n\n\n People pointing out Brett Moore’s work are absolutely right. The above idea is identical in principle, just generalized to cover the whole WM_USER spectrum (that includes custom messages that are application-specific & may require per-app research which opens up a lot of pathways to custom code injections e.g. Nvidia, AMD, Intel, Dell etc. GUI applications that are always on).<\/p>\n","protected":false},"excerpt":{"rendered":" All righty… this is a cool one, because it’s so… vague. How do you describe a generic code execution technique without showing examples? You show le video… Then you explain that… any windows message above WM_USER is a potential code … Continue reading