Your SlideShare is downloading. ×
Intercepting Windows Printing by Modifying GDI Subsystem
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Intercepting Windows Printing by Modifying GDI Subsystem

459
views

Published on

Published in: Technology, Business

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
459
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Intercepting Windows Printing by Modifying GDI Subsystem by Artyom Shishkin, Positive Technologies
  • 2. What for?
    • Basically it’s a data source for
    • Monitoring systems
    • DLP solutions
  • 3. What do we have ?
    • FindNextPrinterChangeNotification( ):
    • Printer name
    • Timestamp
    • Job status
    • Pages count
      • Print providOr is the source of this info, so I wouldn’t rely on it too much.
  • 4. API levels Spooler Driver components
  • 5. Driver components
    • Print providers send jobs to a local or a remote machine
    • A print processor converts the spooled data into a format suitable for a print monitor
    • The print monitor passes the data to a port monitor
    • A port monitor is an interface between the usermode and the kernelmode parts of the printing system
    • What a mess!
  • 6. Using XSS
    • Implementation stages :
      • upload your JS file by means of XSS;
      • add the SCRIPT tag into the HEAD to upload the file dynamically;
      • the commands are passed over according to the reverse shell principle;
      • Use a standard AJAX to address the scripts on the localhost;
      • Use JSONP to address the script backconnect;
      • Hide it in the IFRAME tag of the site.
  • 7. Spooler API
    • A set of Spooler service functions, which serve as wrappers for driver components
    • At this level, we can only get the spooled data
    • This is a level of raw printing
    • Try to parse this data
  • 8. GDI API
    • The same set of functions used for Windows graphics
    • A printer is a device context suitable for GDI drawing functions
      • hPrinter = CreateDC(‘SuperLaserJet’, params);
      • StartDoc(hPrinter);
      • TextOut(hPrinter, ‘Text’);
    • Graphical data is Windows graphical data – NT EMF format
  • 9. Inside GDI
    • Found with the help of PEB
    • Thanks to Feng Yuan
  • 10. The trick
  • 11. Profit
    • Swap GDI cells to send documents to a fake printer
    • It is not always necessary to create your own virtual printer, you can use something like Microsoft XPS Writer
    • The intercepted image can be easily forwarded to the original printer
  • 12. GDI Printing
    • Load the device context with CreateDC()
      • Allows one to store devmode settings
    • Start printing with StartDoc()
      • Now we know when to perform magic
    • Draw everything you want onto this device
      • Let the application do the dirty work for us
    • EndDoc() to finish printing
    • DeleteDC() to clear the device context
      • Clean everything up and wipe out the trails
  • 13. The concept
  • 14. Sample implementation
  • 15. Thank you for your attention ! [email_address]