Yes… how to call SetWindowBand?
This article will be subdivided into 2 parts.
Definitions:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
typedef BOOL(WINAPI* NtUserEnableIAMAccess)( IN ULONG64 key, IN BOOL enable); typedef BOOL(WINAPI* NtUserAcquireIAMKey)( OUT ULONG64* pkey); typedef BOOL(WINAPI* SetWindowBand)( IN HWND hWnd, IN HWND hwndInsertAfter, IN DWORD dwBand); typedef BOOL SetShellWindow( IN HWND hwnd) |
Part 1: Using explorer.exe via DLL injection
You need to use detours (or any library that redirects function calls).
Example for accessing SetWindowBand function via DLL injection via explorer.exe (github.com)
How it works?
For SetWindowBand to work requires that IAM have access to the current thread. To enable access we need a key and that key can only be caught with a hook.
To put it simply, we inject our dll into explorer, wait until explorer makes a call to NtUserEnableIAMAccess which at this point is a detoured function, save the key so we can use it later, detach the hook and then we can finally call SetWindowBand (after enabling IAM access).
Part 2: Using another broker via DLL injection WITHOUT running explorer.exe
This part will be detailed soon (or whenever I have a bit of time)
TL;DR: You need a broker that is MS signed and has “.imrsiv” data section. Call SetShellWindow (this is important), the call NtUserAcquireIAMKey and save the key. Finally use NtUserEnableIAMAccess BEFORE calling SetWindowBand (must be on the same thread, test it yourself 🙂 ).
Thanks to Matthew for finding out that SetShellWindow/Ex creates an IAM key internally.
This article was made 1 year ago, sorry for not publishing it earlier but I didn’t have time to proofread and check for any possible issue :/
Hi!
Waiting for part 2.