Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Windows Handle Hijacking (https://forum.exetools.com/showthread.php?t=18242)

TechLord 05-11-2017 03:01

Windows Handle Hijacking
 
As @H4vC had asked in the chatbox about this topic yesterday, thought that I would post a few quick references for his benefit as well as anyone else interested in this topic (I cannot PM him and send him the details as he is not yet a "Family" :) ) - hence posting here :

Windows Handle Hijacking :

Quote:

http://blog.diniscruz.com/2012/11/util-win32-window-handle-hijack-simple.html

http://diniscruz.blogspot.co.uk/2012/11/ibm-appscan-sources-and-appscan.html

http://diniscruz.blogspot.co.uk/2012/11/util-windows-handles-view-handle.html
PDFs and other Documents can be found here :

Quote:

https://github.com/DinisCruz/Security-Research/tree/master/O2%20Raw%20Docs
Win32 Window Handle Hijack (4x host panels) :

Quote:

https://leanpub.com/Practical_O2Platform/read#leanpub-auto-windows-hijacking

H4vC 05-11-2017 08:15

Afaik that only works for .net window handles I'm working on a piece of proprietary software that implements an Obregister callback to block handle creation to the target software so I'm trying to hijack an already existing handle (csrss.exe) to do my read and write operations on the target. I'd rather not write driver code that I then have to get signed just to patch said program. So I think a good option from userland would be to hijack an existing handle.

Thanks anyways for the articles.

Edit:
Apparently if a process has VMREAD and VMWRITE rights I do not need to open a new handle I can just use the existing handle as if I had opened it, I ended up writing an injectable dll that does the reading and writing for me, thanks for the help either way Techlord.

H4vC 05-15-2017 20:11

1 Attachment(s)
Excuse the doublepost but as I see this becoming something i'll have to do a lot more and I'm guessing others at exetools while certainly more skilled than me might run into this I've written up a quick and easy way with handle inheritance.
Here's a source to a program that will steal handles from a privileged process and give them to your executable. (Compile as unsafe / 64bit only at the moment)
We're basically exploiting windows handle inheritance behavior if you can spawn a process from crss for example and it has an 0x1fffff handle to your process you'll get the same handle.


All times are GMT +8. The time now is 04:25.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX