{"id":7634,"date":"2020-12-25T23:53:14","date_gmt":"2020-12-25T23:53:14","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7634"},"modified":"2020-12-25T23:53:14","modified_gmt":"2020-12-25T23:53:14","slug":"handle-ing-shallocshared","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/12\/25\/handle-ing-shallocshared\/","title":{"rendered":"handle..ing SHAllocShared"},"content":{"rendered":"\n<p>There couldn&#8217;t be a less misleading post title than the one I chose for this entry. The function <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/shlwapi\/nf-shlwapi-shallocshared\">SHAllocShared<\/a> is documented and may not be very well known, but we may see it more in the future. It is exported by shlwapi.dll and its description has a nice vibe to it:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>Allocates a handle in a specified process to a copy of a specified memory block in the calling process.<\/p><\/blockquote>\n\n\n\n<p>Hmm&#8230; I remember that 15+ years ago or so I was looking at the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/shell\/application-desktop-toolbars\">AppBar<\/a> functionality. At that time many applications were taking advantage of this desktop feature, so I was really curious how it works. Eventually I created a simple POC that relied on the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/shellapi\/nf-shellapi-shappbarmessage\">SHAppBarMessage<\/a> function to add my own app bar, but then got bored and forgot about it.<\/p>\n\n\n\n<p>A few months back I suddenly remembered that POC. I realized that I had never looked at the internals of the SHAppBarMessage function, and with my experiments around code injection via GUI primitives this of course triggered my interest. 
<\/p>\n\n\n\n<p>Under the hood, SHAppBarMessage relies on the SHAllocShared\/SHLockShared and SHUnlockShared\/SHFreeShared APIs to create&amp;lock\/unlock&amp;free a block of memory allocated within the program&#8217;s address space, and then a WM_COPYDATA message is used to send info about the appbar message to the &#8216;Shell_TrayWnd&#8217; window (tray window). Internally, SHAllocShared relies on the CreateFileMapping\/MapViewOfFile\/DuplicateHandle API set to duplicate a handle to the existing memory block into a target process.<\/p>\n\n\n\n<p>This is it. It&#8217;s not a lot, but having a set of atomic functions residing inside shlwapi.dll is probably not a bad thing. This is not as robust as the <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/12\/10\/ui-anomalies-beyond-av-edr-and-ueba-also-user-monitoring-keylogging-w-o-traditional-tricks\/\">accessibility<\/a> functions that do a lot of reading and writing of memory blocks between different processes, but it&#8217;s always good to have some extra feature at hand.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There couldn&#8217;t be a less misleading post title than the one I chose for this entry. The function SHAllocShared is documented and may not be very well known, but we may see it more in the future. 
It is exported by &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/12\/25\/handle-ing-shallocshared\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[57],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7634"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7634"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7634\/revisions"}],"predecessor-version":[{"id":7635,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7634\/revisions\/7635"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7634"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7634"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7634"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}