title: Extra Window Memory Injection (T1055.011)
id: df00tech-t1055-011
status: experimental
description: "Adversaries may inject malicious code into a process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. Before creating a window, graphical Windows-based processes must subscribe to or register a window class, which stipulates appearance and behavior via window procedures. Registration of a new window class can include a request for up to 40 bytes of EWM. Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a window procedure. Malware may utilize this memory location as part of an attack chain that includes writing code to shared sections of the process's memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process's EWM."
references:
  - https://attack.mitre.org/techniques/T1055/011/
  - https://df00tech.com/detections/T1055.011
author: df00tech
date: 2026/04/17
tags:
  - attack.t1055.011
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below (EventID: '*') matches every process_creation event,
  # so this rule fires at 'critical' level on all process starts if deployed as-is.
  # Replace the selection with the environment-specific EWM/Shell_TrayWnd logic before enabling it.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Shell extensions and explorer plugins that legitimately modify Shell_TrayWnd properties
  - "Taskbar customization tools (StartAllBack, Start11) modifying Shell_TrayWnd EWM"
  - Accessibility tools that modify window properties for screen reading
  - System tray management applications interacting with Shell_TrayWnd
level: critical
