A security researcher has discovered a new code injection technique that works on all recent Windows versions and allows miscreants to inject malicious code into other applications undetected.
Discovered by a Hexacorn security researcher who goes online only by the name of Adam, this code injection technique, nicknamed PROPagate, takes advantage of generic properties used by legitimate Windows GUI management APIs and functions.
Initial research focused on the SetWindowSubclass API
Adam’s research initially focused on the SetWindowSubclass API, a Windows common-controls (comctl32) function that lets an application install a subclass procedure on one of its windows: a callback that intercepts the window’s messages without replacing the window’s original window procedure.
Adam discovered that he can abuse legitimate window properties (UxSubclassInfo and CC32SubclassInfo), which the SetWindowSubclass function uses internally to store a pointer to its list of subclass callbacks, to load and execute malicious code inside other, legitimate applications. Window properties are readable and writable across process boundaries, so a process that can reach a window handle can redirect the callback pointer without touching the target’s threads.
“Not all processes can be injected,” Adam told Bleeping Computer in a private conversation today. “Only [applications] that use Windows GUI controls and popular GUI frameworks.”
“That is not really a limitation though,” Adam added, “the bug covers [the] majority of popular applications including Windows Explorer – a popular target for code injection.”
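One check a defender can run against the mechanism described above, as an added example that is not Hexacorn’s or Bleeping Computer’s code: enumerate a process’s windows, read the UxSubclassInfo and CC32SubclassInfo property of each, and verify that every subclass callback the referenced header holds lies inside a module loaded in that process. A callback pointer into unbacked memory is what a swapped-in payload looks like. The article does not describe the header layout; the x64 SUBCLASS_HEADER and SUBCLASS_CALL offsets in the code are an assumption taken from comctl32 as commonly reverse-engineered, as are the choice of explorer.exe as the target and the 64-bit-only handling.

```powershell
# Added example, not code from Hexacorn or Bleeping Computer. Audits the subclass
# headers that the UxSubclassInfo / CC32SubclassInfo window properties of a target
# process point at, and flags any subclass callback that is not inside a loaded module.
# Assumptions (not stated by the article): 64-bit PowerShell auditing a 64-bit target,
# explorer.exe as the target, and the x64 SUBCLASS_HEADER layout sketched below.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public class PropAudit
{
    public delegate bool EnumProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumChildWindows(IntPtr parent, EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern IntPtr GetPropW(IntPtr hWnd, string name);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")] static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out IntPtr read);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    // ASSUMED x64 layout of comctl32's SUBCLASS_HEADER (the block the property points at):
    //   +0x00 uRefs  +0x04 uAlloc  +0x08 uCleanup  +0x0C dwThreadId  +0x10 pFrameCur
    //   +0x18 CallArray[]: { pfnSubclass, uIdSubclass, dwRefData } x uAlloc, 24 bytes each
    const int HeaderSize = 0x18, CallSize = 24, MaxCalls = 32;

    public class Finding
    {
        public IntPtr HWnd; public string Prop; public IntPtr Header; public uint Alloc;
        public List<ulong> Procs = new List<ulong>();
    }

    static byte[] Read(IntPtr h, IntPtr addr, int size)
    {
        var buf = new byte[size]; IntPtr got;
        return ReadProcessMemory(h, addr, buf, size, out got) && got.ToInt64() == size ? buf : null;
    }

    // Every window owned by pid that carries a subclass property, with the non-NULL
    // pfnSubclass values read out of the header it references.
    public static List<Finding> Collect(uint pid)
    {
        var wins = new List<IntPtr>();
        EnumProc add = (h, l) => { uint p; GetWindowThreadProcessId(h, out p); if (p == pid) wins.Add(h); return true; };
        EnumWindows(add, IntPtr.Zero);                                            // top-level windows of pid
        foreach (var top in wins.ToArray()) EnumChildWindows(top, add, IntPtr.Zero); // plus their child controls
        var found = new List<Finding>();
        IntPtr proc = OpenProcess(0x0410 /* PROCESS_VM_READ | PROCESS_QUERY_INFORMATION */, false, pid);
        if (proc == IntPtr.Zero) throw new InvalidOperationException("OpenProcess failed, error " + Marshal.GetLastWin32Error());
        try
        {
            foreach (var hwnd in wins)
                foreach (var name in new[] { "UxSubclassInfo", "CC32SubclassInfo" })
                {
                    IntPtr hdr = GetPropW(hwnd, name);   // window properties are readable from any process on the desktop
                    if (hdr == IntPtr.Zero) continue;
                    var head = Read(proc, hdr, HeaderSize);
                    if (head == null) continue;
                    var f = new Finding { HWnd = hwnd, Prop = name, Header = hdr, Alloc = BitConverter.ToUInt32(head, 4) };
                    int n = (int)Math.Min(f.Alloc, (uint)MaxCalls);
                    var calls = n > 0 ? Read(proc, (IntPtr)(hdr.ToInt64() + HeaderSize), n * CallSize) : null;
                    for (int i = 0; calls != null && i < n; i++)
                    {
                        ulong pfn = BitConverter.ToUInt64(calls, i * CallSize);
                        if (pfn != 0) f.Procs.Add(pfn);  // unused call slots hold NULL
                    }
                    found.Add(f);
                }
        }
        finally { CloseHandle(proc); }
        return found;
    }
}
'@

$target = Get-Process -Name explorer | Select-Object -First 1   # assumed target; any GUI process works
$modules = foreach ($m in $target.Modules) {
    $base = [uint64]$m.BaseAddress.ToInt64()
    [pscustomobject]@{ Name = $m.ModuleName; Start = $base; End = $base + [uint64]$m.ModuleMemorySize }
}
function Resolve-Module([uint64]$Address) {
    foreach ($m in $modules) { if ($Address -ge $m.Start -and $Address -lt $m.End) { return $m.Name } }
    return $null
}
foreach ($f in [PropAudit]::Collect([uint32]$target.Id)) {
    foreach ($pfn in $f.Procs) {
        $mod = Resolve-Module $pfn
        $verdict = if ($mod) { "in $mod" } else { 'NOT BACKED BY ANY LOADED MODULE - inspect this callback' }
        '{0} hwnd=0x{1:X} header=0x{2:X} pfnSubclass=0x{3:X16} {4}' -f $f.Prop, $f.HWnd.ToInt64(), $f.Header.ToInt64(), $pfn, $verdict
    }
}
```

Two caveats apply. Applications that run JIT-compiled or otherwise dynamically generated code (managed UI frameworks, some packers) legitimately register callbacks outside any module, so a hit is a lead to inspect, not a verdict. And because the property is just a pointer that anyone with the window handle can set, a one-shot audit only catches a callback that is still swapped at the moment of the scan; auditing a 32-bit (WoW64) target would additionally need 4-byte pointers and 12-byte call entries in place of the offsets assumed here.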
PoC works on numerous apps on all recent Windows versions
In a blog post published two weeks back that first detailed the PROPagate technique, Adam said a proof-of-concept PROPagate attack injected code into “Windows Explorer, Total Commander, Process Hacker, Ollydbg, and a few more applications.”
The PoC, which Adam said he won’t be releasing online for obvious reasons, worked on both Windows XP and Windows 10.
In subsequent research Adam published last Friday, the expert also found that PROPagate code injection attacks work against both 32-bit and 64-bit processes, with only minor modifications.
PROPagate attacks may work via other APIs
Further, besides UxSubclassInfo and CC32SubclassInfo, the properties used by the SetWindowSubclass API, Adam says other “generic or legitimate properties can be potentially leveraged in [the] very same way.”
“There is a scope for further research,” Adam told Bleeping Computer. “Many applications create window properties that utilize properties that appear to include memory pointers referencing callback functions or methods that could be modified to point to malicious code.”
The expert listed the following avenues for future research into PROPagate attacks:
- The Microsoft Foundation Class Library (MFC) uses the ‘AfxOldWndProc423’ property to subclass its windows
- ControlOfs[HEX] – properties associated with Delphi applications that reference in-memory Visual Component Library (VCL) objects
- Newer Windows frameworks, e.g. Microsoft.Windows.WindowFactory.*
- A number of custom controls use ‘subclass’ and they can be modified in a similar way
- Some properties expose COM/OLE Interfaces e.g. OleDropTargetInterface
- SetWindowWord and SetClassWord
PROPagate is an evasion technique to hide malicious code
Adam made it clear that this is not a serious cause for concern when compared to other types of security bugs, such as remote code execution or escalation of privileges.
“This is an evasion technique,” Adam told Bleeping Computer. “I didn’t contact Microsoft because it’s not an RCE or EoP and didn’t consider it is worth reporting.”
“To use the attack, one has to be already running some code on your system, i.e., it’s already game over, as such, it has a limited scope,” the expert added.
PROPagate may be weaponized, similar to AtomBombing
Even if Adam had reported the issue, Microsoft would probably have declined to classify it as a “security flaw,” for the same reasons Adam gives above.
The enSilo team received a similar response last year when they contacted Microsoft about AtomBombing, a similar code injection technique they had discovered.
A few months after enSilo’s AtomBombing disclosure, the Dridex banking trojan was using the code injection technique to help it inject malicious code into legitimate apps on infected computers.
PROPagate could likewise end up in live malware attacks.
“AtomBombing is a perfect example – PROPagate is very similar in nature,” Adam told Bleeping Computer. “It’s quite an elegant way of executing code inside remote processes without using traditional ways, e.g., remote threads or asynchronous procedure calls.”
Protection against code injection techniques has always been notoriously difficult at both the OS and antivirus level, and PROPagate needs neither a remote thread nor an APC, the artifacts such defenses typically watch for. “I expect some security solutions to fail, but I have not made any tests,” Adam said.
Other notorious code injection techniques abused in the past include DLL sideloading, process hollowing, thread execution hijacking (suspend, inject, resume, or SIR), Asynchronous Procedure Call (APC) injection, the Extra Window Memory Injection (EWMI) technique used by Gapz and PowerLoader, AtomBombing, and IAT hooking.
Image credits: Hexacorn, Rflor, Bleeping Computer