I thought Propagate technique is a dead horse. Described, implemented, used in malware.

But.

There is perhaps one more possibility, or four.

When you open Windows Explorer and Ribbons are enabled:

the UIRibbon.dll DLL gets loaded into this process address space:

One of the things the DLL does is setting properties of its internal windows using the following methods:

• HWndContainer::Build(HWND hWnd, char a2, struct HWndContainer **a3)
  • Property:0xA91C
• OfficeSpace::Root::SetEventLogger(OfficeSpace::Root *this, struct IUIEventLogger *a2)
  • Property: 0xBCDE
• NetUI::SetCommandManager(HWND hWnd, HWND hData, struct NetUI::ICommandManager *a3)
  • Property:0xBCDF
• UXHwndEffectsManager::FInitialize@(HANDLE hData@, HWND hWnd@, bool a3, bool a4, bool a5)
  • Property (atom name): SCENIC_UXHWNDEFFECTSMANAGER_WINDOW_PROP

Example:

So, what do we do with this?

These are all possible targets for a Propagate code injection as all these properties appear to be holding virtual table pointers…