Intercepting Windows Printing by Modifying GDI Subsystem by Artyom Shishkin, Positive Technologies

Upload: positive-hack-days

Post on 24-Jan-2015


TRANSCRIPT

Page 1: Intercepting Windows Printing by Modifying GDI Subsystem

Intercepting Windows Printing by Modifying GDI Subsystem

by Artyom Shishkin,

Positive Technologies

Page 2

What for?

• Basically it’s a data source for

• Monitoring systems

• DLP solutions

Page 3

What do we have?

• FindNextPrinterChangeNotification() gives us:
  • Printer name
  • Timestamp
  • Job status
  • Pages count

The print provider is the source of this information, so I wouldn't rely on it too much.

Page 4

API levels

Spooler

Driver components

Page 5

Driver components

• Print providers send jobs to a local or a remote machine

• A print processor converts the spooled data into a format suitable for a print monitor

• The print monitor (the language monitor) passes the data on to a port monitor

• A port monitor is the interface between the user-mode and the kernel-mode parts of the printing system

• What a mess!

Page 6

Using XSS

Implementation stages:

• upload your JS file by means of the XSS;

• add a SCRIPT tag to the HEAD to load the file dynamically;

• commands are passed over according to the reverse-shell principle;

• use standard AJAX to address the scripts on localhost;

• use JSONP to address the backconnect script;

• hide it in an IFRAME tag on the site.

Page 7

Spooler API

• A set of Spooler service functions that wrap the driver components

• At this level we can only get the spooled data

• This is the level of raw printing

• Try to parse this data

Page 8

GDI API

• The same set of functions used for Windows graphics

• A printer is a device context suitable for GDI drawing functions:
  • hdcPrinter = CreateDC(NULL, "SuperLaserJet", NULL, pDevMode);
  • StartDoc(hdcPrinter, &docInfo);
  • TextOut(hdcPrinter, x, y, "Text", 4);
  • …

• The graphical data is ordinary Windows graphical data: for a GDI printer it is spooled in NT EMF format
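Both the "try to parse this data" point on the Spooler API page and the NT EMF point above come down to the same job: walking a stream of EMF records and pulling out what the application drew. The following is an added example written for this page, not code from the talk or from Positive Technologies. It parses plain EMF records (the EMFSPOOL container that wraps them in a spool file is not handled here; the parser assumes the EMF pages have already been extracted), recovers the text of every EMR_EXTTEXTOUTW record, and bounds-checks every record and string against the buffer because the stream comes from an untrusted application. The sample stream it runs on is constructed in code, not captured from a real spooler, and the `build_sample_emf` helper is a demo convenience with no Windows counterpart.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EMF record types and header signature from the Enhanced Metafile format. */
#define EMR_HEADER       1u
#define EMR_EOF          14u
#define EMR_EXTTEXTOUTW  84u
#define EMF_SIGNATURE    0x464D4520u   /* " EMF" */

static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Walk an EMF record stream and copy the text of every EMR_EXTTEXTOUTW record
 * into out, one line per record (non-ASCII UTF-16 code units become '?').
 * Each record is checked against the buffer and each string against its record.
 * Returns the number of text records, or -1 for a malformed/truncated stream. */
int emf_extract_text(const uint8_t *buf, size_t len, char *out, size_t outcap)
{
    size_t off = 0, used = 0;
    int n = 0;
    if (outcap) out[0] = '\0';
    /* ENHMETAHEADER: iType at 0, nSize at 4, dSignature at 40; 88 bytes minimum */
    if (len < 88 || rd32(buf) != EMR_HEADER || rd32(buf + 40) != EMF_SIGNATURE) return -1;
    while (off + 8 <= len) {
        uint32_t type = rd32(buf + off), size = rd32(buf + off + 4);
        if (size < 8 || (size & 3) || size > len - off) return -1;   /* record must fit in the buffer */
        if (type == EMR_EOF) return n;
        if (type == EMR_EXTTEXTOUTW && size >= 76) {                 /* 36-byte fixed part + 40-byte EMRTEXT */
            const uint8_t *rec = buf + off;
            uint32_t nchars = rd32(rec + 44), offstr = rd32(rec + 48);   /* EMRTEXT.nChars, .offString */
            if (offstr > size || nchars > (size - offstr) / 2) return -1; /* string must lie inside the record */
            for (uint32_t i = 0; i < nchars && used + 1 < outcap; i++) {
                uint16_t wc = rd16(rec + offstr + 2 * i);
                out[used++] = wc < 0x80 ? (char)wc : '?';
            }
            if (used + 1 < outcap) out[used++] = '\n';
            out[used] = '\0';
            n++;
        }
        off += size;
    }
    return -1;   /* ran off the end without an EMR_EOF */
}

/* Build a constructed (not captured) minimal stream: EMR_HEADER, one
 * EMR_EXTTEXTOUTW carrying text, EMR_EOF. Returns the total length, 0 if cap is too small. */
size_t build_sample_emf(uint8_t *buf, size_t cap, const char *text)
{
    size_t n = strlen(text);
    size_t strbytes = (2 * n + 3) & ~(size_t)3;      /* UTF-16LE string, padded to 4 bytes */
    size_t recsize = 76 + strbytes + 4 * n;          /* fixed part + string + dx array */
    size_t total = 88 + recsize + 20;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr32(buf + 0, EMR_HEADER); wr32(buf + 4, 88);
    wr32(buf + 40, EMF_SIGNATURE); wr32(buf + 44, 0x10000);  /* dSignature, nVersion */
    wr32(buf + 48, (uint32_t)total); wr32(buf + 52, 3);      /* nBytes, nRecords */
    uint8_t *r = buf + 88;
    wr32(r + 0, EMR_EXTTEXTOUTW); wr32(r + 4, (uint32_t)recsize);
    wr32(r + 24, 1);                                  /* iGraphicsMode = GM_COMPATIBLE */
    wr32(r + 44, (uint32_t)n); wr32(r + 48, 76);      /* nChars, offString (from record start) */
    wr32(r + 72, (uint32_t)(76 + strbytes));          /* offDx */
    for (size_t i = 0; i < n; i++) r[76 + 2 * i] = (uint8_t)text[i];
    for (size_t i = 0; i < n; i++) wr32(r + 76 + strbytes + 4 * i, 10);   /* 10 units per glyph */
    uint8_t *e = buf + 88 + recsize;
    wr32(e + 0, EMR_EOF); wr32(e + 4, 20); wr32(e + 8, 0); wr32(e + 12, 16); wr32(e + 16, 20);
    return total;
}

int main(void)
{
    uint8_t buf[512]; char text[128];
    size_t len = build_sample_emf(buf, sizeof buf, "Confidential: Q4 figures");
    int n = emf_extract_text(buf, len, text, sizeof text);
    printf("%d text record(s):\n%s", n, text);
    return 0;
}
```

A DLP consumer would extend the record switch to EMR_EXTTEXTOUTA, EMR_POLYTEXTOUTW and the bitmap records; the shape of the loop, and in particular the two range checks, stays the same.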

Page 9

Inside GDI

• The GDI handle table is found with the help of the PEB (its GdiSharedHandleTable pointer)
  • Thanks to Feng Yuan for documenting the layout of its cells

Page 10

The trick

Page 11

Profit

• Swap the GDI handle-table cells so that the application's printer DC handle sends the document to a fake printer

• It is not always necessary to create your own virtual printer; something like the Microsoft XPS Document Writer will do

• The intercepted image can easily be forwarded to the original printer afterwards
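The cell swap above is the whole trick, so here is a model of it in C. This is an added example for this page, not the speaker's implementation: it uses the 32-bit cell layout that Feng Yuan published (pKernelAddress, wProcessId, wCount, wUpper, wType, pUserAddress), which is undocumented and taken as an assumption, and a small in-memory table instead of the real one reached through the PEB. `KDC` is a hypothetical stand-in for the kernel DC object that only remembers its printer name. The example shows why only the two object pointers are exchanged: the upper word of the handle must keep matching the cell, otherwise the application's handle would fail GDI's own validation, and it shows that a second swap restores the original mapping for the clean-up at EndDoc()/DeleteDC().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one GDI handle-table cell, using the 32-bit layout published by
 * Feng Yuan ("Windows Graphics Programming"). The table is undocumented, so
 * this layout and the table size are assumptions for the demo, not a spec. */
typedef struct {
    void     *pKernelAddress;   /* kernel-side object (the real DC) */
    uint16_t  wProcessId;       /* owning process id, 0 for stock/shared objects */
    uint16_t  wCount;
    uint16_t  wUpper;           /* must equal the upper 16 bits of the handle */
    uint16_t  wType;            /* object type, 1 = DC */
    void     *pUserAddress;     /* user-side object (per-handle cached state) */
} GDICELL;

#define GDI_TYPE_DC  1
#define TABLE_CELLS  64          /* demo size; the real table is far larger */

/* Hypothetical stand-in for the kernel DC: only remembers its printer. */
typedef struct { const char *printer; } KDC;

static uint16_t handle_index(uint32_t h) { return (uint16_t)(h & 0xFFFF); }
static uint16_t handle_upper(uint32_t h) { return (uint16_t)(h >> 16); }

/* Populate one cell and return the handle an application would hold for it. */
uint32_t gdi_make_handle(GDICELL *t, uint16_t idx, uint16_t pid, KDC *kdc, uint16_t uniq)
{
    uint16_t upper = (uint16_t)((uniq << 8) | GDI_TYPE_DC);
    t[idx].pKernelAddress = kdc;
    t[idx].wProcessId = pid;
    t[idx].wCount = 0;
    t[idx].wUpper = upper;
    t[idx].wType = GDI_TYPE_DC;
    t[idx].pUserAddress = NULL;
    return ((uint32_t)upper << 16) | idx;
}

/* The validation GDI performs: index in range, upper word matches, cell live. */
static GDICELL *gdi_cell(GDICELL *t, uint32_t h)
{
    uint16_t idx = handle_index(h);
    if (idx >= TABLE_CELLS) return NULL;
    if (t[idx].wUpper != handle_upper(h) || t[idx].pKernelAddress == NULL) return NULL;
    return &t[idx];
}

/* Resolve a handle to its kernel object, or NULL if the handle is stale/invalid. */
const KDC *gdi_resolve(GDICELL *t, uint32_t h)
{
    GDICELL *c = gdi_cell(t, h);
    return c ? (const KDC *)c->pKernelAddress : NULL;
}

/* The trick: exchange the object pointers of two DC cells while leaving
 * wUpper/wType/wProcessId in place, so both handle values stay valid but the
 * application's handle now drives the fake printer's DC. Applying it twice
 * restores the original mapping. Returns 0 on success, -1 on a bad handle. */
int gdi_swap_cells(GDICELL *t, uint32_t hApp, uint32_t hFake)
{
    GDICELL *a = gdi_cell(t, hApp), *b = gdi_cell(t, hFake);
    if (!a || !b || a == b) return -1;
    if (a->wType != GDI_TYPE_DC || b->wType != GDI_TYPE_DC) return -1;
    void *k = a->pKernelAddress; a->pKernelAddress = b->pKernelAddress; b->pKernelAddress = k;
    void *u = a->pUserAddress;   a->pUserAddress   = b->pUserAddress;   b->pUserAddress   = u;
    return 0;
}

int main(void)
{
    static GDICELL table[TABLE_CELLS];
    KDC real = { "SuperLaserJet" };                    /* the printer the user chose */
    KDC fake = { "Microsoft XPS Document Writer" };    /* where we want the pages to go */
    memset(table, 0, sizeof table);
    uint32_t hApp  = gdi_make_handle(table, 0x23, 1234, &real, 0x01);
    uint32_t hFake = gdi_make_handle(table, 0x24, 1234, &fake, 0x01);

    printf("before  : 0x%08x -> %s\n", (unsigned)hApp, gdi_resolve(table, hApp)->printer);
    gdi_swap_cells(table, hApp, hFake);     /* done when StartDoc() is seen */
    printf("after   : 0x%08x -> %s\n", (unsigned)hApp, gdi_resolve(table, hApp)->printer);
    gdi_swap_cells(table, hApp, hFake);     /* undone at EndDoc()/DeleteDC() */
    printf("restored: 0x%08x -> %s\n", (unsigned)hApp, gdi_resolve(table, hApp)->printer);
    return 0;
}
```

On a real system the shared table is mapped read-only into user mode, so the write itself needs more than a pointer from the PEB; that part belongs to the "trick" slide, which did not survive extraction, and is not modelled here.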

Page 12

GDI Printing

• Load the device context with CreateDC()
  • Allows one to store the devmode settings

• Start printing with StartDoc()
  • Now we know when to perform the magic

• Draw everything you want onto this device
  • Let the application do the dirty work for us

• EndDoc() to finish printing

• DeleteDC() to clear the device context
  • Clean everything up and wipe out the trails

Page 13

The concept

Page 14

Sample implementation

Page 15

Thank you for your attention!

[email protected]