Researcher Details New Windows Code Injection Technique Named PROPagate

LASER_oneXM
Thread author
A security researcher has discovered a new code injection technique that works on all recent Windows versions and allows miscreants to inject malicious code into other applications undetected.

Discovered by a Hexacorn security researcher who goes online only by the name of Adam, this code injection technique, nicknamed PROPagate, takes advantage of generic properties of legitimate Windows GUI management APIs and functions.

Initial research focused on the SetWindowSubclass API

Adam's research initially focused on the SetWindowSubclass API, a Windows operating system function that manages GUI application windows inside their parent process.

Adam discovered that he can abuse legitimate GUI window properties (UxSubclassInfo and CC32SubclassInfo), which the SetWindowSubclass function uses internally, to load and execute malicious code inside other (legitimate) applications.

"Not all processes can be injected," Adam told Bleeping Computer in a private conversation today. "Only [applications] that use Windows GUI controls and popular GUI frameworks."

"That is not really a limitation though," Adam added, "the bug covers [the] majority of popular applications including Windows Explorer - a popular target for code injection."
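The article names the two window properties involved but gives no way to see them on a live system. The script below is an added example, not code from the article or from Hexacorn: it uses only documented user32 calls (EnumWindows, EnumChildWindows, GetProp, GetWindowThreadProcessId, GetClassName) to inventory which windows in the current desktop session carry the UxSubclassInfo or CC32SubclassInfo property, and which process owns them, then diffs that inventory against a saved baseline. The property names come from the article; the baseline file path and the (process, window class, property) key used for diffing are assumptions of this example. The data the property points to is never dereferenced. A hit is not evidence of injection: any application that subclasses its controls through comctl32 legitimately carries these properties, which is exactly why a per-host baseline is the useful artifact here.

```powershell
# Added example (not from the article or Hexacorn): inventory windows that carry
# the UxSubclassInfo / CC32SubclassInfo properties and diff against a baseline.
Add-Type @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class SubclassProbe {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumChildWindows(IntPtr parent, EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern IntPtr GetProp(IntPtr hWnd, string name);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder buf, int max);
}
"@

# Property names as given in the article; comctl32 sets them when an
# application subclasses a window with SetWindowSubclass.
$script:PropertyNames = @('UxSubclassInfo', 'CC32SubclassInfo')

function Get-SubclassedWindows {
    # Every top-level window and all of its descendants are probed once.
    $script:tops = New-Object 'System.Collections.Generic.List[IntPtr]'
    $script:hits = New-Object 'System.Collections.Generic.List[object]'

    $collect = [SubclassProbe+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        $script:tops.Add($hWnd); return $true
    }
    $probe = [SubclassProbe+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        foreach ($name in $script:PropertyNames) {
            $value = [SubclassProbe]::GetProp($hWnd, $name)
            if ($value -eq [IntPtr]::Zero) { continue }
            [uint32]$ownerPid = 0
            [void][SubclassProbe]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
            $cls = New-Object System.Text.StringBuilder 256
            [void][SubclassProbe]::GetClassName($hWnd, $cls, $cls.Capacity)
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $script:hits.Add([pscustomobject]@{
                Process  = if ($proc) { $proc.ProcessName } else { "pid $ownerPid" }
                Pid      = $ownerPid
                Window   = '0x{0:X}' -f $hWnd.ToInt64()
                Class    = $cls.ToString()
                Property = $name
                Value    = '0x{0:X}' -f $value.ToInt64()   # pointer inside the owner; never read
            })
        }
        return $true
    }

    [void][SubclassProbe]::EnumWindows($collect, [IntPtr]::Zero)
    foreach ($top in $script:tops) {
        [void]$probe.Invoke($top, [IntPtr]::Zero)
        [void][SubclassProbe]::EnumChildWindows($top, $probe, [IntPtr]::Zero)
    }
    return $script:hits
}

function Compare-SubclassBaseline {
    # First run writes the baseline; later runs emit windows whose
    # (process, class, property) triple was not seen before. Handles and
    # pointer values change between runs, so they are deliberately not keyed.
    param([string]$BaselinePath = "$env:TEMP\subclass-baseline.json")  # assumed path
    $now = Get-SubclassedWindows
    if (-not (Test-Path $BaselinePath)) {
        $now | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Host "Baseline written to $BaselinePath ($($now.Count) subclassed windows)"
        return
    }
    $known = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json |
        ForEach-Object { '{0}|{1}|{2}' -f $_.Process, $_.Class, $_.Property })
    $now | Where-Object { $known -notcontains ('{0}|{1}|{2}' -f $_.Process, $_.Class, $_.Property) }
}

Get-SubclassedWindows | Format-Table Process, Pid, Class, Property, Value -AutoSize
Compare-SubclassBaseline
```

Run it once interactively to see how common these properties are (Explorer alone usually accounts for many windows), keep the first JSON as the baseline, and schedule later runs; the diff output lists only new process/class/property combinations, which is the part worth eyeballing or forwarding to a log collector.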

PoC works on numerous apps on all recent Windows versions

In a blog post published two weeks earlier that first detailed the PROPagate technique, Adam said a proof-of-concept PROPagate attack injected code into "Windows Explorer, Total Commander, Process Hacker, Ollydbg, and a few more applications."

The PoC, which Adam said he won't be releasing online for obvious reasons, worked on both Windows XP and Windows 10.

[Screenshots: PROPagate-WindowsXP.png, PROPagate-Windows10.png]

In subsequent research Adam published last Friday, the expert also discovered that PROPagate code injection attacks work on both 32-bit and 64-bit processes, with minor modifications.

PROPagate is an evasion technique to hide malicious code

Adam made it clear that this is not a serious cause for concern when compared to other types of security bugs, such as remote code execution or escalation of privileges.

"This is an evasion technique," Adam told Bleeping Computer. "I didn't contact Microsoft because it's not an RCE or EoP and didn't consider it is worth reporting."

"To use the attack, one has to be already running some code on your system, i.e., it's already game over, as such, it has a limited scope," the expert added.