You are here : Home » Learning security » Operating Systems » Windows » Code injection series » Code Injection - Exploit WNF callback

Code Injection - Exploit WNF callback

Code injection series part 3

D 1 December 2019     H 21:34     A Emeric Nasi     C 1 messages


Prerequisites: This document requires some knowledge about Windows system programming. Also, it is mandatory to be familiar with concepts presented in Code injection series part 1.
License : Copyright Emeric Nasi (@EmericNasi), some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

I Introduction

Since Alex Ionescu and Gabrielle Viala Blackhat2018 talk on Windows Notification Facility ( there has been several posts on this topic.
Modexp wrote a nice proof of concept of executing remote code via WNF callback in explorer.exe (

In this paper, I am taking this WNF code injection POC and generalize it so that is works with any process.

If you wish to read more about this, the document can be downloaded in a PDF format

PDF - 366.9 kb

1 Forum posts

  • After spending a while to get everything to compile the injected code execution is blocked by CFG which invokes LdrpDispatchUserCallTarget and a read access violation within the target process, thus preventing you from executing your injected code. If you have a solution to this, please update

Any message or comments?

This forum is moderated before publication: your contribution will only appear after being validated by an administrator.

Who are you?
Your post