How to call SetWindowBand

Yes… how to call SetWindowBand?
This article will be subdivided into 2 parts.

Definitions:

Part 1: Using explorer.exe via DLL injection

You need to use Detours (or any library that redirects function calls).
Example of accessing the SetWindowBand function via DLL injection into explorer.exe (github.com)

How does it work?

For SetWindowBand to work, IAM must have access to the current thread. To enable that access we need a key, and that key can only be caught with a hook.

To put it simply: we inject our DLL into explorer, wait until explorer makes a call to NtUserEnableIAMAccess (which at this point is a detoured function), save the key so we can use it later, detach the hook, and then we can finally call SetWindowBand (after enabling IAM access).

Part 2: Using another broker via DLL injection WITHOUT running explorer.exe

This part will be detailed soon (or whenever I have a bit of time)

TL;DR: You need a broker that is MS signed and has a “.imrsiv” data section. Call SetShellWindow (this is important), then call NtUserAcquireIAMKey and save the key. Finally, use NtUserEnableIAMAccess BEFORE calling SetWindowBand (must be on the same thread, test it yourself 🙂 ).
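
For an inventory of which binaries carry the “.imrsiv” section described above (and therefore deserve closer injection monitoring), the PE section table can be read directly. This is an added example, not code from this article or the linked project: `pe_has_section` and `build_sample` are hypothetical names, the sample image is constructed, and the check covers only the section name, not the Microsoft signature.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read little-endian integers without alignment or endianness assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 1 if the PE image in buf has a section called name, 0 if not,
 * -1 if buf is not a well-formed PE (truncated or bad signatures). */
int pe_has_section(const uint8_t *buf, size_t len, const char *name)
{
    char padded[8] = {0};
    if (strlen(name) > 8) return 0;               /* section names are at most 8 bytes */
    memcpy(padded, name, strlen(name));           /* NUL-padded like the on-disk field */
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    size_t pe = rd32(buf + 0x3c);                 /* e_lfanew: offset of "PE\0\0" */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    size_t count = rd16(buf + pe + 6);            /* NumberOfSections */
    size_t table = pe + 24 + rd16(buf + pe + 20); /* skip COFF + optional header */
    for (size_t i = 0; i < count; i++) {
        size_t off = table + i * 40;              /* IMAGE_SECTION_HEADER is 40 bytes */
        if (off > len || len - off < 40) return -1;
        if (memcmp(buf + off, padded, 8) == 0) return 1;
    }
    return 0;
}

/* Constructed sample: a minimal header-only image with two sections. */
size_t build_sample(uint8_t *buf, const char *second_section)
{
    memset(buf, 0, 512);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x80;                             /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x86] = 2;                                /* NumberOfSections = 2 */
    buf[0x94] = 0xF0;                             /* SizeOfOptionalHeader = 240 (PE32+) */
    strncpy((char *)buf + 0x80 + 24 + 240, ".text", 8);
    strncpy((char *)buf + 0x80 + 24 + 240 + 40, second_section, 8);
    return 512;
}

int main(void)
{
    uint8_t img[512];
    size_t n = build_sample(img, ".imrsiv");
    printf(".imrsiv present: %d\n", pe_has_section(img, n, ".imrsiv"));
    return 0;
}
```

To check a real file, read it into a buffer and pass the bytes and length to `pe_has_section`; a return of -1 means the headers were truncated or not a PE.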

Thanks to Matthew for finding out that SetShellWindow/Ex creates an IAM key internally.


This article was made 1 year ago, sorry for not publishing it earlier but I didn’t have time to proofread and check for any possible issue :/
