The following blog post was written while working for CrowdStrike. It describes a characteristic code invocation technique on 32-bit Windows that was discovered while analyzing malware linked to a targeted intrusion attributed to the VENOMOUS BEAR/Turla actor. The technique uses the window class “Shell_TrayWnd” to obtain a handle to a window owned by explorer.exe, and then calls SetWindowLong() to overwrite a function pointer stored in that window's extra window memory with the address of the injected shellcode.
Recently, while analyzing a targeted attack, CrowdStrike observed an interesting code invocation technique that we want to describe here. This particular technique can be used to invoke code that has been injected into explorer.exe.
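From a defender's side, the window memory the technique abuses can be inspected read-only with documented Win32 calls. The script below is an added example (not code from the CrowdStrike post): it locates Shell_TrayWnd, reads every pointer-sized slot of the extra window memory its class reserved, and reports whether each value falls inside a module loaded by the owning process. It assumes a Windows desktop session and a PowerShell host of the same bitness as explorer.exe; a slot pointing outside any module is not a verdict on its own (legitimate object pointers can live on the heap), so treat the output as an inventory to compare against a known-good baseline.

```powershell
# Added example, not code from the CrowdStrike post. Read-only inventory of the
# extra window memory of Shell_TrayWnd (owned by explorer.exe) for baselining.
# Assumes Windows, an interactive desktop session, and a PowerShell host whose
# bitness matches explorer.exe (Process.Modules cannot be read across bitness).
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @"
[DllImport("user32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
[DllImport("user32.dll", SetLastError=true)]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("user32.dll", SetLastError=true)]
public static extern int GetWindowLong(IntPtr hWnd, int nIndex);        // 32-bit hosts
[DllImport("user32.dll", SetLastError=true)]
public static extern IntPtr GetWindowLongPtr(IntPtr hWnd, int nIndex);  // 64-bit hosts
[DllImport("user32.dll", SetLastError=true)]
public static extern uint GetClassLong(IntPtr hWnd, int nIndex);
[DllImport("user32.dll", SetLastError=true)]
public static extern IntPtr GetClassLongPtr(IntPtr hWnd, int nIndex);
"@

$GCL_CBWNDEXTRA = -18   # class attribute: bytes of extra window memory per window

function Get-ShellTrayExtraSlots {
    $hwnd = [Win32.User32]::FindWindow('Shell_TrayWnd', $null)
    if ($hwnd -eq [IntPtr]::Zero) { throw 'Shell_TrayWnd not found; is there a desktop session?' }

    $ownerPid = [uint32]0
    [void][Win32.User32]::GetWindowThreadProcessId($hwnd, [ref]$ownerPid)
    $owner = Get-Process -Id $ownerPid
    # Address ranges of every module the owning process has loaded
    $modules = @($owner.Modules | ForEach-Object {
        $start = $_.BaseAddress.ToInt64()
        [pscustomobject]@{ Name = $_.ModuleName; Start = $start; End = $start + $_.ModuleMemorySize }
    })

    $ptrSize = [IntPtr]::Size
    if ($ptrSize -eq 8) { $cbExtra = [Win32.User32]::GetClassLongPtr($hwnd, $GCL_CBWNDEXTRA).ToInt64() }
    else { $cbExtra = [int64][Win32.User32]::GetClassLong($hwnd, $GCL_CBWNDEXTRA) }

    # Walk the extra memory one pointer-sized slot at a time (index 0, 4/8, ...)
    for ($i = 0; $i + $ptrSize -le $cbExtra; $i += $ptrSize) {
        if ($ptrSize -eq 8) { $val = [Win32.User32]::GetWindowLongPtr($hwnd, $i).ToInt64() }
        else { $val = ([int64][Win32.User32]::GetWindowLong($hwnd, $i)) -band 0xFFFFFFFF }
        $hit = $modules | Where-Object { $val -ge $_.Start -and $val -lt $_.End } | Select-Object -First 1
        [pscustomobject]@{
            Process = "$($owner.ProcessName) ($ownerPid)"
            Index   = $i
            Value   = ('0x{0:X' + ($ptrSize * 2) + '}') -f $val
            Module  = if ($hit) { $hit.Name } else { '<not in a loaded module>' }
        }
    }
}

Get-ShellTrayExtraSlots | Format-Table -AutoSize
```

Run it once on a clean machine to record the expected slot layout, then diff later runs against that record; a slot whose value has moved from a module or heap region into an unexpected memory range is worth a closer look with a memory forensics tool.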
Read the full post at https://www.crowdstrike.com/blog/through-window-creative-code-invocation/.