GET /api/techniques/115/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 115,
    "key": "extra-window-memory-injection",
    "unprotect_id": "U1219, E1055.011",
    "name": "Extra Window Memory Injection",
    "description": "Before creating a window, graphical Windows-based processes must prescribe to or register a window class, which stipulates appearance and behavior (via window procedures, which are functions that handle input/output of data). \r\n\r\nRegistration of new window classes can include a request for up to 40 bytes of Extra Window Memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value.\r\n\r\nAdversaries may inject malicious code into a process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.",
    "resources": "https://www.crowdstrike.com/blog/through-window-creative-code-invocation/\nhttps://modexp.wordpress.com/2018/08/26/process-injection-ctray/",
    "creation_date": "2019-03-23T17:26:37Z",
    "tags": "EWMI, Code Injection",
    "modification_date": "2023-10-04T10:43:53.882000Z",
    "category": [
        4
    ],
    "rules": [],
    "attachments": [],
    "featured_api": [
        3,
        4,
        6,
        23,
        24,
        239,
        290,
        357,
        363,
        425
    ],
    "contributors": []
}