Intercepting Windows Printing by Modifying GDI Subsystem
Download as PPT, PDF0 likes677 views
The document summarizes techniques for intercepting Windows printing by modifying the Graphics Device Interface (GDI) subsystem. It discusses intercepting print jobs by swapping GDI cells to send documents to a fake printer instead of the intended printer. The intercepted print data can then be forwarded to the original printer or used for other purposes like monitoring or data loss prevention. It provides examples of using the GDI and spooler APIs to implement such an intercepting print handler.
![Thank you for your attention ! [email_address]](https://image.slidesharecdn.com/gdih-111229083451-phpapp02/85/Intercepting-Windows-Printing-by-Modifying-GDI-Subsystem-15-320.jpg)
Intercepting Windows Printing by Modifying GDI Subsystem
- 1. Intercepting Windows Printing by Modifying GDI Subsystem by Artyom Shishkin, Positive Technologies
- 2. What for? Basically it’s a data source for Monitoring systems DLP solutions
- 3. What do we have ? FindNextPrinterChangeNotification( ): Printer name Timestamp Job status Pages count Print providOr is the source of this info, so I wouldn’t rely on it too much.
- 4. API levels Spooler Driver components
- 5. Driver components Print providers send jobs to a local or a remote machine A print processor converts the spooled data into a format suitable for a print monitor The print monitor passes the data to a port monitor A port monitor is an interface between the usermode and the kernelmode parts of the printing system What a mess!
- 6. Using XSS Implementation stages : upload your JS file by means of XSS; add the SCRIPT tag into the HEAD to upload the file dynamically; the commands are passed over according to the reverse shell principle; Use a standard AJAX to address the scripts on the localhost; Use JSONP to address the script backconnect; Hide it in the IFRAME tag of the site.
- 7. Spooler API A set of Spooler service functions, which serve as wrappers for driver components At this level, we can only get the spooled data This is a level of raw printing Try to parse this data
- 8. GDI API The same set of functions used for Windows graphics A printer is a device context suitable for GDI drawing functions hPrinter = CreateDC(‘SuperLaserJet’, params); StartDoc(hPrinter); TextOut(hPrinter, ‘Text’); … Graphical data is Windows graphical data – NT EMF format
- 9. Inside GDI Found with the help of PEB Thanks to Feng Yuan
- 10. The trick
- 11. Profit Swap GDI cells to send documents to a fake printer It is not always necessary to create your own virtual printer, you can use something like Microsoft XPS Writer The intercepted image can be easily forwarded to the original printer
- 12. GDI Printing Load the device context with CreateDC() Allows one to store devmode settings Start printing with StartDoc() Now we know when to perform magic Draw everything you want onto this device Let the application do the dirty work for us EndDoc() to finish printing DeleteDC() to clear the device context Clean everything up and wipe out the trails
- 13. The concept
- 15. Thank you for your attention ! [email_address]