Intercepting Windows Printing by Modifying GDI Subsystem by Artyom Shishkin, Positive Technologies
What for? <ul><li>Basically it’s a data source for </li></ul><ul><li>Monitoring systems </li></ul><ul><li>DLP solutions </...
What do we have ? <ul><li>FindNextPrinterChangeNotification( ): </li></ul><ul><li>Printer name </li></ul><ul><li>Timestamp...
API levels Spooler Driver components
Driver components <ul><li>Print providers send jobs to a local or a remote machine </li></ul><ul><li>A print processor con...
Using   XSS <ul><li>Implementation stages :  </li></ul><ul><ul><li>upload your JS file by means of   XSS; </li></ul></ul><...
Spooler API <ul><li>A set of Spooler service functions, which serve as wrappers for driver components </li></ul><ul><li>At...
GDI API <ul><li>The same set of functions used for Windows graphics </li></ul><ul><li>A printer is a device context suitab...
Inside GDI <ul><li>Found with the help of PEB </li></ul><ul><li>Thanks to Feng Yuan </li></ul>
The trick
Profit <ul><li>Swap GDI cells to send documents to a fake printer </li></ul><ul><li>It is not always necessary to create y...
GDI Printing <ul><li>Load the device context with CreateDC() </li></ul><ul><ul><li>Allows one to store devmode settings </...
The concept
Sample implementation
Thank you for your attention ! [email_address]
Upcoming SlideShare
Loading in …5
×

Intercepting Windows Printing by Modifying GDI Subsystem

840 views

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
840
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Intercepting Windows Printing by Modifying GDI Subsystem

  1. 1. Intercepting Windows Printing by Modifying GDI Subsystem by Artyom Shishkin, Positive Technologies
  2. 2. What for? <ul><li>Basically it’s a data source for </li></ul><ul><li>Monitoring systems </li></ul><ul><li>DLP solutions </li></ul>
  3. 3. What do we have ? <ul><li>FindNextPrinterChangeNotification( ): </li></ul><ul><li>Printer name </li></ul><ul><li>Timestamp </li></ul><ul><li>Job status </li></ul><ul><li>Pages count </li></ul><ul><ul><li>Print providOr is the source of this info, so I wouldn’t rely on it too much. </li></ul></ul>
  4. 4. API levels Spooler Driver components
  5. 5. Driver components <ul><li>Print providers send jobs to a local or a remote machine </li></ul><ul><li>A print processor converts the spooled data into a format suitable for a print monitor </li></ul><ul><li>The print monitor passes the data to a port monitor </li></ul><ul><li>A port monitor is an interface between the usermode and the kernelmode parts of the printing system </li></ul><ul><li>What a mess! </li></ul>
  6. 6. Using XSS <ul><li>Implementation stages : </li></ul><ul><ul><li>upload your JS file by means of XSS; </li></ul></ul><ul><ul><li>add the SCRIPT tag into the HEAD to upload the file dynamically; </li></ul></ul><ul><ul><li>the commands are passed over according to the reverse shell principle; </li></ul></ul><ul><ul><li>Use a standard AJAX to address the scripts on the localhost; </li></ul></ul><ul><ul><li>Use JSONP to address the script backconnect; </li></ul></ul><ul><ul><li>Hide it in the IFRAME tag of the site. </li></ul></ul>
  7. 7. Spooler API <ul><li>A set of Spooler service functions, which serve as wrappers for driver components </li></ul><ul><li>At this level, we can only get the spooled data </li></ul><ul><li>This is a level of raw printing </li></ul><ul><li>Try to parse this data </li></ul>
  8. 8. GDI API <ul><li>The same set of functions used for Windows graphics </li></ul><ul><li>A printer is a device context suitable for GDI drawing functions </li></ul><ul><ul><li>hPrinter = CreateDC(‘SuperLaserJet’, params); </li></ul></ul><ul><ul><li>StartDoc(hPrinter); </li></ul></ul><ul><ul><li>TextOut(hPrinter, ‘Text’); </li></ul></ul><ul><ul><li>… </li></ul></ul><ul><li>Graphical data is Windows graphical data – NT EMF format </li></ul>
  9. 9. Inside GDI <ul><li>Found with the help of PEB </li></ul><ul><li>Thanks to Feng Yuan </li></ul>
  10. 10. The trick
  11. 11. Profit <ul><li>Swap GDI cells to send documents to a fake printer </li></ul><ul><li>It is not always necessary to create your own virtual printer, you can use something like Microsoft XPS Writer </li></ul><ul><li>The intercepted image can be easily forwarded to the original printer </li></ul>
  12. 12. GDI Printing <ul><li>Load the device context with CreateDC() </li></ul><ul><ul><li>Allows one to store devmode settings </li></ul></ul><ul><li>Start printing with StartDoc() </li></ul><ul><ul><li>Now we know when to perform magic </li></ul></ul><ul><li>Draw everything you want onto this device </li></ul><ul><ul><li>Let the application do the dirty work for us </li></ul></ul><ul><li>EndDoc() to finish printing </li></ul><ul><li>DeleteDC() to clear the device context </li></ul><ul><ul><li>Clean everything up and wipe out the trails </li></ul></ul>
  13. 13. The concept
  14. 14. Sample implementation
  15. 15. Thank you for your attention ! [email_address]

×