{"id":9168,"date":"2024-11-07T23:50:33","date_gmt":"2024-11-07T23:50:33","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9168"},"modified":"2024-11-07T23:50:33","modified_gmt":"2024-11-07T23:50:33","slug":"beating-the-dead-horse-only-to-inject-it-some-more","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/11\/07\/beating-the-dead-horse-only-to-inject-it-some-more\/","title":{"rendered":"Beating the dead horse, only to inject it some more…"},"content":{"rendered":"\n

The windows shatter attack<\/a> is so old that it’s time for someone to reinvent it. <\/p>\n\n\n\n

This someone could be me.<\/p>\n\n\n\n

While looking at wscadminui.exe<\/em> I noticed that it expects 2 arguments: the first one is a \/DefaultProductRequest<\/em> string, and the second is also a string (a name of an app). <\/p>\n\n\n\n

When these are provided, the program calls wscapi.dll<\/em>::wscLaunchAdminMakeDefaultUI<\/em> API and passes the app name to it. The wscLaunchAdminMakeDefaultUI<\/em> in turn, passes the app name to another function called wscShowAMSCNEx<\/em>. The latter creates a window of a class AMNotificationDialog<\/em>.<\/p>\n\n\n\n

So, running:<\/p>\n\n\n\n

wscadminui.exe \/DefaultProductRequest foobar<\/pre>\n\n\n\n
will start the wscadminui.exe<\/em> process and it will create the AMNotificationDialog<\/em> window for us:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
With that in place, we can look at the window procedure handling the messages for the AMNotificationDialog<\/em> window:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
You can see that it is using WM_NCCREATE<\/em> message to set a Window Long Pointer at offset 0 to a value provided in that windows message (lParam). What attracts our attention more though is that the very same value is later used as a function pointer — in other words, whatever the offset the Window Long Ptr @0 points to, the code at this offset will be executed!<\/p>\n\n\n\n
So, one could inject code into wscadminui.exe<\/em> process and then execute it using a simple call to SetWindowLongPtr <\/em>API:<\/p>\n\n\n\n
  WinExec (\"wscadminui.exe \/DefaultProductRequest foobar\",0);\n  Sleep(1000);\n  HWND x = FindWindow(\"AMNotificationDialog\", \"\");\n  if (x != NULL)\n  \t{\n  \t\tSetWindowLongPtr (x, 0, 0x123456789ABCDEF);\n  \t\tShowWindow (x, SW_SHOW);\n  \t}<\/pre>\n\n\n\n
Now, the very same program invocation:<\/p>\n\n\n\n
wscadminui.exe \/DefaultProductRequest foobar<\/pre>\n\n\n\n
leads to a creation of another window — this time it is of an ANIMATION_TIMER_HWND<\/em> class (you can see it on the screenshot above). This window’s lifecycle is handled by the UIAnimation.dll<\/em>, and this is where we can find the implementation of the window’s procedure handling messages for it:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Again, we can easily manipulate this GWLP_USERDATA<\/em> pointer – a simple snippet like the one below can redirect code execution of the scapegoat wscadminui.exe<\/em> to the pointer of our liking:<\/p>\n\n\n\n
  WinExec (\"wscadminui.exe \/DefaultProductRequest foobar\",0);\n  Sleep(1000);\n  HWND x = FindWindow(\"ANIMATION_TIMER_HWND\", \"\");\n  if (x != NULL)\n  \t{\n  \t\tSetWindowLongPtr (x, GWLP_USERDATA, 0x123456789ABCDEF);\n  \t\tShowWindow (x, SW_SHOW);\n  \t}\n<\/pre>\n\n\n\n
As usual, there are more examples like this out there, but the point I want to make is that over 20 years after the window shatter attack was described for the first time it is still available to attackers in many forms and places.<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
The windows shatter attack is so old that it’s time for someone to reinvent it. This someone could be me. While looking at wscadminui.exe I noticed that it expects 2 arguments: the first one is a \/DefaultProductRequest string, and the … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,57],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9168"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9168"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9168\/revisions"}],"predecessor-version":[{"id":9606,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9168\/revisions\/9606"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}