A new technique for injecting code into legitimate Windows processes has been described

09 November 2017, 09:40 | Technologies 
Photo: InternetUA

A security researcher known online as Adam has published details of a new code-injection technique called PROPagate. The method works on all recent versions of Windows and allows malicious code to be injected into applications without being noticed.

PROPagate relies on the Windows API functions that manage the graphical user interface (GUI). The researcher's work initially centred on the SetWindowSubclass API. Adam found that the window properties used by SetWindowSubclass (UxSubclassInfo and CC32SubclassInfo) can be abused to load and execute malicious code inside other, legitimate applications. As he explained in an interview with Bleeping Computer, the code cannot be injected into every process, only into those that use Windows GUI controls and popular GUI frameworks.
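As a defender-side illustration of the mechanism described above, the following PowerShell snippet is an added example and not code from the article or from the researcher. It uses the public user32 API (EnumWindows, EnumChildWindows, GetProp, GetWindowThreadProcessId) to inventory which processes on the current desktop own windows that carry the UxSubclassInfo or CC32SubclassInfo property. The function and variable names are my own; it only checks whether the property is present on a window and does not touch the memory the property points to.

```powershell
# Added example (not from the article): inventory which windows on the current
# desktop carry the UxSubclassInfo / CC32SubclassInfo properties that
# SetWindowSubclass uses, grouped by owning process. This is a baseline for
# hunting, not a detector on its own: many legitimate applications set them.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Win32 {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumChildWindows(IntPtr hWndParent, EnumWindowsProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern IntPtr GetProp(IntPtr hWnd, string lpString);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount);
}
"@

# Property names taken from the article; everything else here is assumed.
$propNames = @('UxSubclassInfo', 'CC32SubclassInfo')
$findings  = New-Object System.Collections.Generic.List[object]

function Inspect-Window([IntPtr]$hWnd) {
    foreach ($name in $propNames) {
        $value = [Win32]::GetProp($hWnd, $name)
        if ($value -eq [IntPtr]::Zero) { continue }     # property not set on this window
        [uint32]$ownerPid = 0
        [void][Win32]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
        $cls = New-Object System.Text.StringBuilder 256
        [void][Win32]::GetClassName($hWnd, $cls, $cls.Capacity)
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Pid      = $ownerPid
            Process  = if ($proc) { $proc.ProcessName } else { '?' }
            Hwnd     = ('0x{0:X}' -f $hWnd.ToInt64())
            Class    = $cls.ToString()
            Property = $name
            Value    = ('0x{0:X}' -f $value.ToInt64())   # opaque pointer in the owner's address space
        })
    }
}

# Walk every top-level window and its children on the caller's desktop.
$childCb = [Win32+EnumWindowsProc]{ param($h, $l) Inspect-Window $h; $true }
$topCb   = [Win32+EnumWindowsProc]{ param($h, $l)
    Inspect-Window $h
    [void][Win32]::EnumChildWindows($h, $childCb, [IntPtr]::Zero)
    $true
}
[void][Win32]::EnumWindows($topCb, [IntPtr]::Zero)

# Summarise per process. A process that gains these properties between two runs,
# or on a window class that never carried them before, deserves a closer look.
$findings | Group-Object Pid | ForEach-Object {
    [pscustomobject]@{
        Pid     = $_.Name
        Process = $_.Group[0].Process
        Windows = $_.Count
        Classes = ($_.Group.Class | Sort-Object -Unique) -join ','
    }
} | Sort-Object Process | Format-Table -AutoSize
```

Run it once on a clean host to record the expected set of processes and window classes, then diff later runs against that baseline; presence of the property alone is normal for any common-controls application, so the useful signal is a change, correlated with the process's loaded modules and recent cross-process memory writes from the endpoint telemetry you already collect.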

"In fact, this cannot be considered a limitation, since the vulnerability extends to most popular applications, including Windows Explorer," added Adam.

Adam described the attack on his blog two weeks ago. At the time he noted that he had used the PROPagate method to inject code into "Windows Explorer, Total Commander, Process Hacker, OllyDbg and several other applications". The researcher decided not to publish a proof of concept for security reasons. According to him, the attack works on Windows versions from XP through 10, and on both 32- and 64-bit processes.

As Adam explained, his finding is not a serious cause for concern compared with vulnerabilities that allow arbitrary code execution or privilege escalation on the system.

"This is a bypass technique. I did not contact Microsoft, because this vulnerability is not critical and does not allow elevating privileges; it seemed to me that I should not report it. An attacker can carry out the attack only if the system has already been compromised," noted Adam.

Even if the researcher had told Microsoft about the problem, the company would most likely have reacted the same way it did with the enSilo team, which disclosed a similar code-injection technique called AtomBombing. At the time, the vendor declined to treat it as a security issue. A few months after the disclosure, however, the AtomBombing technique was added to the arsenal of the Dridex banking Trojan, which used it to inject malicious code into legitimate applications on infected computers.

Source: InternetUA