Code Injection - Exploit WNF callback
Code injection series part 3

In this post I am going to take the WNF code injection method described in, and generalize it to execute remote code that was injected into any process.

Article published on 1 December 2019

by Emeric Nasi

Prerequisites: This document requires some knowledge about Windows system programming. Also, it is mandatory to be familiar with concepts presented in Code injection series part 1.
License : Copyright Emeric Nasi (@EmericNasi), some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

I Introduction

Since Alex Ionescu and Gabrielle Viala Blackhat2018 talk on Windows Notification Facility ( there has been several posts on this topic.
Modexp wrote a nice proof of concept of executing remote code via WNF callback in explorer.exe (

In this paper, I am taking this WNF code injection POC and generalize it so that is works with any process.

If you wish to read more about this, the document can be downloaded in a PDF format