MITRE ATT&CK Technique
Description
Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). (Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function) Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM. Execution granted through EWM injection may take place in the address space of a separate live process. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread. (Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-01-16T16:13:52.465Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Before creating a window, graphical Windows-based processes '
'must prescribe to or register a windows class, which '
'stipulate appearance and behavior (via windows procedures, '
'which are functions that handle input/output of data). '
'(Citation: Microsoft Window Classes) Registration of new '
'windows classes can include a request for up to 40 bytes of '
'extra window memory (EWM) to be appended to the allocated '
'memory of each instance of that class. This EWM is intended '
'to store data specific to that window and has specific '
'application programming interface (API) functions to set and '
'get its value. (Citation: Microsoft GetWindowLong function) '
'(Citation: Microsoft SetWindowLong function)\n'
'\n'
'Although small, the EWM is large enough to store a 32-bit '
'pointer and is often used to point to a windows procedure. '
'Malware may possibly utilize this memory location in part of '
'an attack chain that includes writing code to shared sections '
'of the process’s memory, placing a pointer to the code in '
'EWM, then invoking execution by returning execution control '
'to the address in the process’s EWM.\n'
'\n'
'Execution granted through EWM injection may take place in the '
'address space of a separate live process. Similar to [Process '
'Injection](https://attack.mitre.org/techniques/T1055), this '
"may allow access to both the target process's memory and "
'possibly elevated privileges. Writing payloads to shared '
'sections also avoids the use of highly monitored API calls '
'such as WriteProcessMemory and CreateRemoteThread. (Citation: '
'Elastic Process Injection July 2017) More sophisticated '
'malware samples may also potentially bypass protection '
'mechanisms such as data execution prevention (DEP) by '
'triggering a combination of windows procedures and other '
'system functions that will rewrite the malicious payload '
'inside an executable portion of the target process. '
'(Citation: MalwareTech Power Loader Aug 2013) (Citation: '
'WeLiveSecurity Gapz and Redyms Mar 2013)',
'external_references': [{'external_id': 'T1181',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1181'},
{'description': 'Microsoft. (n.d.). About Window '
'Classes. Retrieved December 16, '
'2017.',
'source_name': 'Microsoft Window Classes',
'url': 'https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx'},
{'description': 'Microsoft. (n.d.). GetWindowLong '
'function. Retrieved December 16, '
'2017.',
'source_name': 'Microsoft GetWindowLong function',
'url': 'https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx'},
{'description': 'Microsoft. (n.d.). SetWindowLong '
'function. Retrieved December 16, '
'2017.',
'source_name': 'Microsoft SetWindowLong function',
'url': 'https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx'},
{'description': 'Hosseini, A. (2017, July 18). Ten '
'Process Injection Techniques: A '
'Technical Survey Of Common And '
'Trending Process Injection '
'Techniques. Retrieved December 7, '
'2017.',
'source_name': 'Elastic Process Injection July 2017',
'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'},
{'description': 'MalwareTech. (2013, August 13). '
'PowerLoader Injection – Something '
'truly amazing. Retrieved December '
'16, 2017.',
'source_name': 'MalwareTech Power Loader Aug 2013',
'url': 'https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html'},
{'description': 'Matrosov, A. (2013, March 19). Gapz '
'and Redyms droppers based on Power '
'Loader code. Retrieved December 16, '
'2017.',
'source_name': 'WeLiveSecurity Gapz and Redyms Mar '
'2013',
'url': 'https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/'},
{'description': 'Microsoft. (n.d.). SendNotifyMessage '
'function. Retrieved December 16, '
'2017.',
'source_name': 'Microsoft SendNotifyMessage function',
'url': 'https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx'}],
'id': 'attack-pattern--52f3d5a6-8a0f-4f82-977e-750abf90d0b0',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:47.575Z',
'name': 'Extra Window Memory Injection',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}