Windows Styles and Control Types
Just about everything on the Windows desktop is a window, right down to the scroll bar. Because windows can have different styles and types, some of these messages have potential security ramifications. Sending messages requires that the developer (or attacker) knows the window handle (hWnd) and sends the message by using SendMessage. The following sections describe the most dangerous Windows styles and control types.
TB_GETBUTTONTEXT, LVM_GETISEARCHSTRING, and TVM_GETISEARCHSTRING
These messages copy data from a control into a buffer; send the message with lParam set to NULL first to acquire the source buffer size.
TTM_GETTEXT
There is no way to limit the size of the buffer; it assumes the source is no more than 80 characters long. Be careful when using this message.
CB_GETLBTEXT, CB_GETLBTEXTLEN, SB_GETTEXT, SB_GETTEXTLENGTH, SB_GETTIPTEXT, LB_GETTEXT, and LB_GETTEXTLEN
In general, you should always use the GETTEXTLENGTH message first to determine the size of the source string. However, if the size of the data changes between the time you determine the length and the time you copy the data by using the appropriate get text message, you might still have a buffer overrun. Be very conservative when calling these.
There is presently no way to query the length of the ToolTip text from a status bar with SB_GETTIPTEXT.
ES_PASSWORD
This edit control window style displays all characters as an asterisk (*) as they are typed. Remember to erase the buffer you passed to GetWindowText or SetWindowText so that the password doesn't reside in cleartext in memory. Refer to Chapter 9, Protecting Secret Data, for more information.
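The ES_PASSWORD advice as a sketch, added here as an example and not taken from the book: read the password into a bounded buffer, use it, then wipe the whole buffer on every path. To keep it portable, `get_window_text`, `consume`, `use_password`, `is_wiped` and the sample string are hypothetical stand-ins; on Windows the read would be GetWindowText and the wipe SecureZeroMemory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample standing in for what was typed into the ES_PASSWORD control. */
static const char *g_typed = "S3cret-sample";

/* Hypothetical stand-in for GetWindowText(hWnd, buf, nMaxCount):
   copies at most cap-1 characters, NUL-terminates, returns the count copied. */
static int get_window_text(char *buf, int cap) {
    int n = (int)strlen(g_typed);
    if (cap <= 0) return 0;
    if (n > cap - 1) n = cap - 1;
    memcpy(buf, g_typed, (size_t)n);
    buf[n] = '\0';
    return n;
}

/* Zero through a volatile pointer so the compiler cannot discard the stores as
   dead writes to a buffer never read again (on Windows, use SecureZeroMemory). */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hypothetical consumer; real code would pass the password to its logon call. */
static int consume(const char *pw) { return (int)strlen(pw); }

/* Read the password, use it, and wipe the buffer on every path.
   Returns the consumer's result, or -1 if nothing was read. */
int use_password(char *buf, int cap) {
    if (cap <= 0) return -1;
    int n = get_window_text(buf, cap);
    int result = (n > 0) ? consume(buf) : -1;
    wipe(buf, (size_t)cap);   /* full capacity, not just the n bytes read */
    return result;
}

/* Returns 1 if every byte of the buffer is zero. */
int is_wiped(const char *buf, int cap) {
    for (int i = 0; i < cap; i++) if (buf[i] != 0) return 0;
    return 1;
}

int main(void) {
    char buf[64];
    int r = use_password(buf, (int)sizeof buf);
    printf("result=%d wiped=%d\n", r, is_wiped(buf, (int)sizeof buf));
    return 0;
}
```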