1. Intercepting Windows Printing by Modifying GDI Subsystem, by Artyom Shishkin, Positive Technologies
2. What for?
   - Basically, intercepted print jobs are a data source for monitoring systems and DLP solutions
3. What do we have?
   - FindNextPrinterChangeNotification() reports:
     - printer name
     - timestamp
     - job status
     - page count
   - The print provider is the source of this information, so I wouldn't rely on it too much.
4. API levels: Spooler API; driver components
5. Driver components
   - Print providers send jobs to a local or a remote machine
   - A print processor converts the spooled data into a format suitable for a print monitor
   - The print monitor passes the data to a port monitor
   - A port monitor is the interface between the user-mode and kernel-mode parts of the printing system
   - What a mess!
6. Using XSS
   - Implementation stages:
     - upload your JS file by means of XSS;
     - add a SCRIPT tag to the HEAD to load the file dynamically;
     - commands are passed according to the reverse-shell principle;
     - use standard AJAX to address the scripts on localhost;
     - use JSONP for the script's backconnect;
     - hide it in an IFRAME on the site.
7. Spooler API
   - A set of Spooler service functions that wrap the driver components
   - At this level we only get the spooled data
   - This is the level of raw printing
   - Try to parse this data
8. GDI API
   - The same set of functions used for Windows graphics
   - A printer is exposed as a device context, so the ordinary GDI drawing functions work on it:

       HDC hdc = CreateDC(NULL, TEXT("SuperLaserJet"), NULL, NULL); /* last argument may carry a DEVMODE */
       DOCINFO di = { sizeof(di), TEXT("Text") };
       StartDoc(hdc, &di);  StartPage(hdc);
       TextOut(hdc, 100, 100, TEXT("Text"), 4);
       …
       EndPage(hdc);  EndDoc(hdc);
       DeleteDC(hdc);

   - The graphical data is ordinary Windows graphics data, spooled in NT EMF format
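What "try to parse this data" looks like in practice for the Spooler-level approach of slides 7 and 8: the spooled pages are EMF records, and the printed strings live in EMR_EXTTEXTOUTW records. The following C code is an added example, not part of the deck or of Positive Technologies' tooling. It walks a bare EMF stream, validates record sizes before trusting any offset, and copies the text of every EMR_EXTTEXTOUTW record, flagging runs that carry glyph indices (ETO_GLYPH_INDEX) rather than characters, which is the common reason a naive DLP parser sees no text at all. The sample stream is constructed in memory by build_sample_emf(); record constants and offsets follow the public EMF record definitions. Real NT EMF spool files wrap each page's EMF in an EMFSPOOL container, which this example does not unwrap, and applications often split one line of text into several runs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the slides. Constants are from the public EMF
 * record definitions; the input is built in memory below. */
#define EMR_HEADER        1
#define EMR_EOF          14
#define EMR_EXTTEXTOUTW  84
#define EMF_SIGNATURE    0x464D4520u   /* " EMF" read as a little-endian DWORD */
#define ETO_GLYPH_INDEX  0x0010        /* string holds font glyph ids, not characters */

/* Spool data is a byte stream: read fields explicitly instead of casting to structs. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void append(char *out, size_t *o, size_t cap, const char *s) {
    while (*s && *o + 1 < cap) out[(*o)++] = *s++;
}

/* Walk the records and copy every EMR_EXTTEXTOUTW string into out, one line per
 * record (UTF-16 narrowed to ASCII, '?' for anything else). Returns the number of
 * text records, or -1 if the buffer is not a well-formed EMF stream. */
int emf_extract_text(const uint8_t *buf, size_t len, char *out, size_t cap) {
    size_t pos = 0, o = 0;
    int found = 0;
    if (cap) out[0] = '\0';
    if (len < 88 || rd32(buf) != EMR_HEADER || rd32(buf + 40) != EMF_SIGNATURE) return -1;
    while (pos + 8 <= len) {
        uint32_t type = rd32(buf + pos), size = rd32(buf + pos + 4);
        if (size < 8 || (size & 3) || size > len - pos) return -1;      /* malformed record */
        if (type == EMR_EOF) break;
        if (type == EMR_EXTTEXTOUTW) {
            /* EMRTEXT sits at +36: ptlReference(8) nChars(4) offString(4) fOptions(4) ... */
            if (size < 76) return -1;
            uint32_t nchars = rd32(buf + pos + 44), off = rd32(buf + pos + 48), opts = rd32(buf + pos + 52);
            if (off > size || nchars > (size - off) / 2) return -1;     /* string outside record */
            if (opts & ETO_GLYPH_INDEX) {
                append(out, &o, cap, "<glyph-index run, no text>");
            } else {
                const uint8_t *s = buf + pos + off;
                for (uint32_t i = 0; i < nchars; i++) {
                    char ch[2] = { s[2 * i + 1] ? '?' : (char)s[2 * i], '\0' };
                    append(out, &o, cap, ch);
                }
            }
            append(out, &o, cap, "\n");
            found++;
        }
        pos += size;
    }
    if (cap) out[o] = '\0';
    return found;
}

/* Build a minimal EMF in memory (constructed sample input): 88-byte header, one
 * EMR_EXTTEXTOUTW carrying text as UTF-16LE with the given fOptions, then EMR_EOF. */
size_t build_sample_emf(uint8_t *buf, size_t cap, const char *text, uint32_t opts) {
    size_t n = strlen(text);
    size_t rec = 76 + ((n * 2 + 3) & ~(size_t)3);      /* fixed part + string, 4-byte aligned */
    size_t total = 88 + rec + 20;
    uint8_t *r;
    if (total > cap || n > 0xFFFF) return 0;
    memset(buf, 0, total);
    wr32(buf, EMR_HEADER); wr32(buf + 4, 88); wr32(buf + 40, EMF_SIGNATURE);
    wr32(buf + 44, 0x10000); wr32(buf + 48, (uint32_t)total); wr32(buf + 52, 3); /* nVersion, nBytes, nRecords */
    r = buf + 88;
    wr32(r, EMR_EXTTEXTOUTW); wr32(r + 4, (uint32_t)rec);
    wr32(r + 24, 1);                                    /* iGraphicsMode = GM_COMPATIBLE */
    wr32(r + 44, (uint32_t)n); wr32(r + 48, 76); wr32(r + 52, opts);
    for (size_t i = 0; i < n; i++) r[76 + 2 * i] = (uint8_t)text[i];
    r += rec;
    wr32(r, EMR_EOF); wr32(r + 4, 20);
    return total;
}

/* Round trip on constructed input; returns the text recovered from the stream. */
const char *demo_extract(const char *text, uint32_t opts) {
    static uint8_t emf[1024];
    static char out[256];
    size_t len = build_sample_emf(emf, sizeof emf, text, opts);
    if (!len || emf_extract_text(emf, len, out, sizeof out) < 0) return "<not EMF>";
    return out;
}

int main(void) {
    printf("%s", demo_extract("Confidential: Q3 payroll", 0));
    printf("%s", demo_extract("hidden", ETO_GLYPH_INDEX));
    return 0;
}
```

The size and offset checks are the point of the parser: spool data reaches a DLP agent from untrusted applications, so every offString and nChars must be bounded by the record before it is dereferenced.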
9. Inside GDI
   - Found with the help of the PEB: the GDI shared handle table is reachable through PEB->GdiSharedHandleTable
   - Thanks to Feng Yuan (Windows Graphics Programming: Win32 GDI and DirectDraw)
10. The trick
11. Profit
   - Swap GDI handle-table cells to send documents to a fake printer
   - It is not always necessary to create your own virtual printer; something like the Microsoft XPS Document Writer will do
   - The intercepted image can easily be forwarded to the original printer
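To make "swap GDI cells" concrete, here is an added example in C that is not the deck's code and not a tool of Positive Technologies: it models the GDI shared handle table that slide 9 reaches through the PEB and performs the swap from slide 11 on a constructed copy of the table. The cell layout is the 32-bit one Feng Yuan documents (pKernelAddress, wProcessId, wCount, wUpper, wType, pUserAddress); the table size, the DC type code 0x01 and the 7-bit type field are assumptions made for the demo. The user-mode mapping of the real table is read-only and the slides do not say where or with what privileges the swap is performed, so treat this as a model of the data structure, not a recipe.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the slides. Simulated GDI shared handle table;
 * in a real process the table pointer comes from PEB->GdiSharedHandleTable.
 * Cell layout per Feng Yuan (32-bit). Type code and table size are assumed. */
typedef struct {
    uint32_t pKernelAddress;  /* win32k object the handle resolves to          */
    uint16_t wProcessId;      /* owning process                                 */
    uint16_t wCount;          /* reference count                                */
    uint16_t wUpper;          /* high word of the handle: type + unique counter */
    uint16_t wType;           /* object type; low 7 bits hold the kind (assumed)*/
    uint32_t pUserAddress;    /* user-mode shadow object, if any                */
} GdiCell;

#define GDI_TABLE_SIZE 0x4000   /* assumed for the demo */
#define GDI_TYPE_MASK  0x7F
#define GDI_TYPE_DC    0x01     /* assumed DC type code */

static GdiCell g_table[GDI_TABLE_SIZE];   /* constructed, not the real shared section */

/* A GDI handle is (wUpper << 16) | table index. */
static uint32_t make_handle(unsigned idx, uint16_t upper) {
    return ((uint32_t)upper << 16) | (idx & 0xFFFF);
}

/* Resolve a handle to its cell; NULL for an out-of-range, stale or wrong-type handle. */
static GdiCell *lookup(uint32_t h, uint16_t want_type) {
    unsigned idx = h & 0xFFFF;
    GdiCell *c;
    if (idx >= GDI_TABLE_SIZE) return NULL;
    c = &g_table[idx];
    if (c->wUpper != (uint16_t)(h >> 16)) return NULL;   /* handle-reuse check GDI performs */
    if ((c->wType & GDI_TYPE_MASK) != want_type) return NULL;
    return c;
}

/* Populate a DC cell the way a successful CreateDC() would (constructed data). */
uint32_t register_dc(unsigned idx, uint16_t upper, uint16_t pid, uint32_t kaddr) {
    GdiCell *c;
    if ((idx & 0xFFFF) >= GDI_TABLE_SIZE) return 0;
    c = &g_table[idx & 0xFFFF];
    c->pKernelAddress = kaddr;
    c->wProcessId = pid;
    c->wCount = 1;
    c->wUpper = upper;
    c->wType = GDI_TYPE_DC;
    c->pUserAddress = 0;
    return make_handle(idx, upper);
}

/* Which kernel object a DC handle currently points at (0 if the handle is invalid). */
uint32_t kernel_object_of(uint32_t hdc) {
    GdiCell *c = lookup(hdc, GDI_TYPE_DC);
    return c ? c->pKernelAddress : 0;
}

/* The trick: exchange the objects behind the application's printer DC and a DC on
 * the fake printer. Only the object pointers move; wUpper stays, so the handle the
 * application holds keeps validating and every TextOut()/BitBlt() it issues on
 * hOrig now lands on the fake device. */
int swap_dc_cells(uint32_t hOrig, uint32_t hFake) {
    GdiCell *a = lookup(hOrig, GDI_TYPE_DC);
    GdiCell *b = lookup(hFake, GDI_TYPE_DC);
    uint32_t k, u;
    if (!a || !b || a == b) return 0;
    k = a->pKernelAddress; u = a->pUserAddress;
    a->pKernelAddress = b->pKernelAddress; a->pUserAddress = b->pUserAddress;
    b->pKernelAddress = k;                 b->pUserAddress = u;
    return 1;
}

int main(void) {
    /* Constructed scenario: the app's printer DC and a DC on an XPS writer, same process. */
    uint32_t hOrig = register_dc(0x0120, 0x0101, 0x1234, 0xFFB00100u);
    uint32_t hFake = register_dc(0x0121, 0x0101, 0x1234, 0xFFB00200u);
    printf("before: %08X -> %08X\n", hOrig, kernel_object_of(hOrig));
    swap_dc_cells(hOrig, hFake);
    printf("after:  %08X -> %08X\n", hOrig, kernel_object_of(hOrig));
    return 0;
}
```

The wUpper comparison in lookup() is why only the object pointers are exchanged: swapping whole cells would change the upper word behind each handle, and the application's existing HDC would stop validating.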
12. GDI printing
   - Create the device context with CreateDC()
     - the DEVMODE passed in carries the printer settings
   - Start printing with StartDoc()
     - now we know when to perform the magic
   - Draw everything you want onto this device
     - let the application do the dirty work for us
   - EndDoc() to finish printing
   - DeleteDC() to release the device context
     - clean everything up and wipe out the trails
13. The concept
14. Sample implementation
15. Thank you for your attention! [email_address]
