Code Injection - Exploit WNF callback
Code injection series part 3
1 December 2019 21:34
Prerequisites: This document requires some knowledge about Windows system programming. Also, it is mandatory to be familiar with concepts presented in Code injection series part 1.
License: Copyright Emeric Nasi (@EmericNasi), some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
I Introduction
Since Alex Ionescu and Gabrielle Viala's Black Hat 2018 talk on the Windows Notification Facility (https://www.youtube.com/watch?v=MybmgE95weo), there have been several posts on this topic.
Modexp wrote a nice proof of concept of executing remote code via WNF callback in explorer.exe (https://modexp.wordpress.com/2019/06/15/4083/).
In this paper, I take this WNF code injection POC and generalize it so that it works with any process.
If you wish to read more about this, the document can be downloaded in PDF format.
1 forum post
After spending a while getting everything to compile, the injected code execution is blocked by CFG, which invokes LdrpDispatchUserCallTarget and causes a read access violation within the target process, thus preventing you from executing your injected code. If you have a solution to this, please update.