printing interception via modifying windows gdi
TRANSCRIPT
-
8/2/2019 Printing Interception via Modifying Windows Gdi
1/13
Intercepting Windows
Printing by Modifying
GDI Subsystemby Artyom Shishkin,
Positive Technologies
-
8/2/2019 Printing Interception via Modifying Windows Gdi
2/13
Basically its a data source for
Monitoring systems
DLP solutions
What for?
-
8/2/2019 Printing Interception via Modifying Windows Gdi
3/13
FindNextPrinterChangeNotification():
Printer name
Timestamp
Job status
Pages countPrint providOr is the source of this info, so Iwouldnt rely on it too much.
What do we have?
-
8/2/2019 Printing Interception via Modifying Windows Gdi
4/13
API levels
Spooler
Driver components
-
8/2/2019 Printing Interception via Modifying Windows Gdi
5/13
Print providers send jobs to a local or a remote
machine A print processor converts the spooled data into
a format suitable for a print monitor The print monitor passes the data to a port
monitor A port monitor is an interface between the
usermode and the kernelmode parts of theprinting system
What a mess!
Driver components
-
8/2/2019 Printing Interception via Modifying Windows Gdi
6/13
A set of Spooler service functions, which serve as
wrappers for driver components At this level, we can only get the spooled data
This is a level of raw printing
Try to parse this data
Spooler API
-
8/2/2019 Printing Interception via Modifying Windows Gdi
7/13
The same set of functions used for Windows graphics
A printer is a device context suitable for GDI drawingfunctions hPrinter = CreateDC(SuperLaserJet, params);
StartDoc(hPrinter);
TextOut(hPrinter, Text);
Graphical data is Windows graphical data NT EMFformat
GDI API
-
8/2/2019 Printing Interception via Modifying Windows Gdi
8/13
Found with the help of PEB Thanks to Feng Yuan
Inside GDI
ProcessAddress Space
GDI shared handle
table
GDI cellObject kernel address
Selection count
Process ID
Upper handle value
Object type
Usermode info
-
8/2/2019 Printing Interception via Modifying Windows Gdi
9/13
The trick
hOriginalPrinter hPrintInterceptor
Shared handle table
Cellcontents
Cellcontents
Magical operation
-
8/2/2019 Printing Interception via Modifying Windows Gdi
10/13
Swap GDI cells to send documents to a fake printer
It is not always necessary to create your own virtualprinter, you can use something like Microsoft XPSWriter
The intercepted image can be easily forwarded to the
original printer
Profit
-
8/2/2019 Printing Interception via Modifying Windows Gdi
11/13
The conceptApplication wants to print things Ill save the original parameters
of this printing requestDLL: Its using GDI, Ill loadhere using windows hooks
and patch some GDIfunctions
CreateDC()
StartDoc()
EndDoc()
DeleteDC()
Hey, youve decided to print! Illswap the GDI cells so that you usethe old handle for a new device
Okay, done here, Illprint your document onthe real printer
Lets clean everything up andmake things look like they didbefore
-
8/2/2019 Printing Interception via Modifying Windows Gdi
12/13
Sample implementation
GUI-basedapplication
that issupposed to
printsomething
Dll used for
functioninterception
Settings file
.xps imageApplicationthat fulfillsthe original
request
Kernelmodemagic performer
-
8/2/2019 Printing Interception via Modifying Windows Gdi
13/13
Any questions?
Thank you!