{"id":7625,"date":"2020-12-22T00:09:18","date_gmt":"2020-12-22T00:09:18","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7625"},"modified":"2020-12-22T00:09:18","modified_gmt":"2020-12-22T00:09:18","slug":"propagate-ribbonate","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/12\/22\/propagate-ribbonate\/","title":{"rendered":"Propagate, Ribbonate"},"content":{"rendered":"\n<p>I <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/10\/26\/propagate-a-new-code-injection-trick\/\">thought<\/a> <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/11\/03\/propagate-a-new-code-injection-trick-64-bit-and-32-bit\/\">Propagate<\/a> <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/02\/04\/propagate-follow-up-2-some-more-shattering-attack-potentials\/\">technique<\/a> <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/11\/19\/propagate-yet-another-follow-up-hypothetical-clipboard-execution-version\/\">is<\/a> a dead horse. Described, implemented, used in malware.<\/p>\n\n\n\n<p>But.<\/p>\n\n\n\n<p>There is perhaps one more possibility, or four.<\/p>\n\n\n\n<p>When you open Windows Explorer and Ribbons are enabled:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon0.png\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon0-1024x85.png\" alt=\"\" class=\"wp-image-7626\" width=\"512\" height=\"48\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon0-1006x93.png 1006w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon0-990x93.png 990w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/a><\/figure>\n\n\n\n<p>the UIRibbon.dll DLL gets loaded into this process address space:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon2.png\"><img decoding=\"async\" loading=\"lazy\" width=\"532\" height=\"166\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon2.png\" alt=\"\" class=\"wp-image-7627\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon2.png 532w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon2-300x94.png 300w\" sizes=\"(max-width: 532px) 100vw, 532px\" \/><\/a><\/figure>\n\n\n\n<p>One of the things the DLL does is setting properties of its internal windows using the following methods:<\/p>\n\n\n\n<ul><li>HWndContainer::Build(HWND hWnd, char a2, struct HWndContainer **a3)<ul><li>Property:0xA91C<\/li><\/ul><\/li><li>OfficeSpace::Root::SetEventLogger(OfficeSpace::Root *this, struct IUIEventLogger *a2)<ul><li>Property: 0xBCDE<\/li><\/ul><\/li><li>NetUI::SetCommandManager(HWND hWnd, HWND hData, struct NetUI::ICommandManager *a3)<ul><li>Property:0xBCDF<\/li><\/ul><\/li><li>UXHwndEffectsManager::FInitialize@(HANDLE hData@, HWND hWnd@, bool a3, bool a4, bool a5)<ul><li>Property (atom name): SCENIC_UXHWNDEFFECTSMANAGER_WINDOW_PROP<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>Example:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon1.png\" alt=\"\" class=\"wp-image-7628\" width=\"510\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon1.png 732w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/12\/prop_ribbon1-300x171.png 300w\" sizes=\"(max-width: 732px) 100vw, 732px\" \/><\/a><\/figure>\n\n\n\n<p>So, what do we do with this?<\/p>\n\n\n\n<p>These are all possible targets for a Propagate code injection as all these properties appear to be holding virtual table pointers&#8230; <\/p>\n","protected":false},"excerpt":{"rendered":"<p>I thought Propagate technique is a dead horse. Described, implemented, used in malware. But. There is perhaps one more possibility, or four. When you open Windows Explorer and Ribbons are enabled: the UIRibbon.dll DLL gets loaded into this process address &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/12\/22\/propagate-ribbonate\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,57,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7625"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7625"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7625\/revisions"}],"predecessor-version":[{"id":7629,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7625\/revisions\/7629"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7625"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7625"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}