Awesome
PoC-Inject-Data-WM_COPYDATA
A tiny PoC to inject and execute code into explorer.exe with WM_SETTEXT+WM_COPYDATA+SetThreadContext
PoC code: Inject Explorer.exe process.
APIs used: SendMessage(WM_SETTEXT), SendMessage(WM_COPYDATA), SetThreadContext, OpenProcess, VirtualQueryEx, SuspendThread, ResumeThread, Toolhelp apis.
This code uses WM_SETTEXT and WM_COPYDATA messages to cause our controlled data to be copied into target process address space.
In this way, we introduce a very simple ROP to launch notepad with CreateProcess("notepad.exe") and call ExitProcess later.
We use SetThreadContext to redirect the thread.
Tests done on platform:
Windows 10 Pro 64 bits, version 1709 (OS comp. 16299.125).
Ntdll version 10.0.16299.64.