You are here : Home » Learning security » Operating Systems » Windows » Code injection series » Code Injection - Exploit WNF callback

Code Injection - Exploit WNF callback

Code injection series part 3

D 1 December 2019     H 21:34     A Emeric Nasi     C 1 messages

agrandir


Prerequisites: This document requires some knowledge about Windows system programming. Also, it is mandatory to be familiar with concepts presented in Code injection series part 1.
License : Copyright Emeric Nasi (@EmericNasi), some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

I Introduction

Since Alex Ionescu and Gabrielle Viala Blackhat2018 talk on Windows Notification Facility (https://www.youtube.com/watch?v=MybmgE95weo) there has been several posts on this topic.
Modexp wrote a nice proof of concept of executing remote code via WNF callback in explorer.exe (https://modexp.wordpress.com/2019/06/15/4083/).

In this paper, I am taking this WNF code injection POC and generalize it so that is works with any process.

If you wish to read more about this, the document can be downloaded in a PDF format

PDF - 366.9 kb

Also in this section

2 September 2020 – Code Injection - Weaponize GhostWriting Injection

1 December 2019 – Code Injection - Disable Dynamic Code Mitigation (ACG)

5 September 2019 – Code Injection - Bypass start address protection

1 September 2019 – Code Injection - Process PE Injection Basics

1 Forum posts

  • After spending a while to get everything to compile the injected code execution is blocked by CFG which invokes LdrpDispatchUserCallTarget and a read access violation within the target process, thus preventing you from executing your injected code. If you have a solution to this, please update

Any message or comments?
pre-moderation

This forum is moderated before publication: your contribution will only appear after being validated by an administrator.

Who are you?
Your post

Search

Also in this section

1.  Code Injection - Weaponize GhostWriting Injection

2.  Code Injection - Disable Dynamic Code Mitigation (ACG)

3.  Code Injection - Exploit WNF callback

4.  Code Injection - Bypass start address protection

5.  Code Injection - Process PE Injection Basics

Most popular

1.  Digging passwords in Linux swap

2.  Bypass Defender and other thoughts on Unicode RTLO attacks

3.  Launch shellcodes and bypass Antivirus using MacroPack Pro VBA payloads

4.  Hacking around HTA files

5.  PE injection explained

5 random articles

1.  Code Injection - Bypass start address protection

2.  cve-2014-4943 Linux Kernel D.O.S POC

3.  Code Injection - Disable Dynamic Code Mitigation (ACG)

4.  Bypass Antivirus Dynamic Analysis

5.  Advanced MacroPack payloads: XLM Injection

Sponsor

If you appreciate my work, you may help or reward with a contribution :)

Most recent articles

1 | 2 | 3 | 4 | 5

Recent comments

1 | 2 | 3 | 4 | 5

Latest news

2010-2023 Sevagas
Archives | | Contact

RSS 2.0 twitter linkedin facebook