printing interception via modifying windows gdi

8/2/2019 Printing Interception via Modifying Windows Gdi

1/13

Intercepting Windows

Printing by Modifying

GDI Subsystemby Artyom Shishkin,

Positive Technologies


2/13

Basically its a data source for

Monitoring systems

DLP solutions

What for?


3/13

FindNextPrinterChangeNotification():

Printer name

Timestamp

Job status

Pages countPrint providOr is the source of this info, so Iwouldnt rely on it too much.

What do we have?


4/13

API levels

Spooler

Driver components


5/13

Print providers send jobs to a local or a remote

machine A print processor converts the spooled data into

a format suitable for a print monitor The print monitor passes the data to a port

monitor A port monitor is an interface between the

usermode and the kernelmode parts of theprinting system

What a mess!

Driver components


6/13

A set of Spooler service functions, which serve as

wrappers for driver components At this level, we can only get the spooled data

This is a level of raw printing

Try to parse this data

Spooler API


7/13

The same set of functions used for Windows graphics

A printer is a device context suitable for GDI drawingfunctions hPrinter = CreateDC(SuperLaserJet, params);

StartDoc(hPrinter);

TextOut(hPrinter, Text);

Graphical data is Windows graphical data NT EMFformat

GDI API


8/13

Found with the help of PEB Thanks to Feng Yuan

Inside GDI

ProcessAddress Space

GDI shared handle

table

GDI cellObject kernel address

Selection count

Process ID

Upper handle value

Object type

Usermode info


9/13

The trick

hOriginalPrinter hPrintInterceptor

Shared handle table

Cellcontents

Cellcontents

Magical operation


10/13

Swap GDI cells to send documents to a fake printer

It is not always necessary to create your own virtualprinter, you can use something like Microsoft XPSWriter

The intercepted image can be easily forwarded to the

original printer

Profit


11/13

The conceptApplication wants to print things Ill save the original parameters

of this printing requestDLL: Its using GDI, Ill loadhere using windows hooks

and patch some GDIfunctions

CreateDC()

StartDoc()

EndDoc()

DeleteDC()

Hey, youve decided to print! Illswap the GDI cells so that you usethe old handle for a new device

Okay, done here, Illprint your document onthe real printer

Lets clean everything up andmake things look like they didbefore


12/13

Sample implementation

GUI-basedapplication

that issupposed to

printsomething

Dll used for

functioninterception

Settings file

.xps imageApplicationthat fulfillsthe original

request

Kernelmodemagic performer


13/13

Any questions?

Thank you!

printing interception via modifying windows gdi

Documents