Your SlideShare is downloading. ×
Intercepting Windows Printing by Modifying GDI Subsystem
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Intercepting Windows Printing by Modifying GDI Subsystem


Published on

Published in: Technology, Business

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Intercepting Windows Printing by Modifying GDI Subsystem by Artyom Shishkin, Positive Technologies
  • 2. What for?
    • Basically it’s a data source for
    • Monitoring systems
    • DLP solutions
  • 3. What do we have ?
    • FindNextPrinterChangeNotification( ):
    • Printer name
    • Timestamp
    • Job status
    • Pages count
      • Print providOr is the source of this info, so I wouldn’t rely on it too much.
  • 4. API levels Spooler Driver components
  • 5. Driver components
    • Print providers send jobs to a local or a remote machine
    • A print processor converts the spooled data into a format suitable for a print monitor
    • The print monitor passes the data to a port monitor
    • A port monitor is an interface between the usermode and the kernelmode parts of the printing system
    • What a mess!
  • 6. Using XSS
    • Implementation stages :
      • upload your JS file by means of XSS;
      • add the SCRIPT tag into the HEAD to upload the file dynamically;
      • the commands are passed over according to the reverse shell principle;
      • Use a standard AJAX to address the scripts on the localhost;
      • Use JSONP to address the script backconnect;
      • Hide it in the IFRAME tag of the site.
  • 7. Spooler API
    • A set of Spooler service functions, which serve as wrappers for driver components
    • At this level, we can only get the spooled data
    • This is a level of raw printing
    • Try to parse this data
  • 8. GDI API
    • The same set of functions used for Windows graphics
    • A printer is a device context suitable for GDI drawing functions
      • hPrinter = CreateDC(‘SuperLaserJet’, params);
      • StartDoc(hPrinter);
      • TextOut(hPrinter, ‘Text’);
    • Graphical data is Windows graphical data – NT EMF format
  • 9. Inside GDI
    • Found with the help of PEB
    • Thanks to Feng Yuan
  • 10. The trick
  • 11. Profit
    • Swap GDI cells to send documents to a fake printer
    • It is not always necessary to create your own virtual printer, you can use something like Microsoft XPS Writer
    • The intercepted image can be easily forwarded to the original printer
  • 12. GDI Printing
    • Load the device context with CreateDC()
      • Allows one to store devmode settings
    • Start printing with StartDoc()
      • Now we know when to perform magic
    • Draw everything you want onto this device
      • Let the application do the dirty work for us
    • EndDoc() to finish printing
    • DeleteDC() to clear the device context
      • Clean everything up and wipe out the trails
  • 13. The concept
  • 14. Sample implementation
  • 15. Thank you for your attention ! [email_address]