Windows Handle Hijacking

#1
As @H4vC asked in the chatbox about this topic yesterday, I thought I would post a few quick references for his benefit, as well as for anyone else interested in this topic (I cannot PM him and send him the details as he is not yet "Family"), hence posting here:
Windows Handle Hijacking :
#2
Afaik that only works for .NET window handles. I'm working on a piece of proprietary software that implements an ObRegisterCallbacks callback to block handle creation to the target software, so I'm trying to hijack an already existing handle (csrss.exe) to do my read and write operations on the target. I'd rather not write driver code that I then have to get signed just to patch said program. So I think a good option from userland would be to hijack an existing handle.
Thanks anyway for the articles. Edit: Apparently, if a process has VM_READ and VM_WRITE rights, I do not need to open a new handle; I can just use the existing handle as if I had opened it. I ended up writing an injectable DLL that does the reading and writing for me. Thanks for the help either way, Techlord. Last edited by H4vC; 05-13-2017 at 01:37.
#3
Excuse the double post, but as I see this becoming something I'll have to do a lot more, and I'm guessing others at exetools, while certainly more skilled than me, might run into this, I've written up a quick and easy way with handle inheritance.
Here's the source to a program that will steal handles from a privileged process and give them to your executable (compile as unsafe; 64-bit only at the moment). We're basically exploiting Windows handle inheritance behavior: if you can spawn a process from csrss, for example, and it has a 0x1fffff handle to your process, you'll get the same handle. Last edited by H4vC; 05-15-2017 at 20:51.
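Added example, written for this page and not H4vC's program (which is not reproduced here), showing the mechanics that posts #2 and #3 rely on: a process handle that is already present in a process can be used for ReadProcessMemory without any OpenProcess call (post #2), and a handle flagged inheritable lands in a child created with bInheritHandles=TRUE at the same handle value (post #3). The script plays both roles: run as the parent it opens the target, flags the handle inheritable and spawns a second powershell.exe; run as the child (-InheritedHandle) it uses the raw handle value it was handed and reads the target's image base. Assumptions (all mine): 64-bit Windows PowerShell 5.1 saved as inherit-handle.ps1, a 64-bit target you are allowed to open such as a notepad.exe you started, and no object-callback driver on the test machine. Whether a given callback driver observes an inherited handle is a property of that driver and the Windows build, which this script does not test; the post's "spawn a process from csrss" step is likewise the part the page's own program handles, not this one.

```powershell
# Added example, not H4vC's program: handle inheritance (post #3) plus using an
# existing handle value without OpenProcess (post #2). Assumptions: 64-bit
# Windows PowerShell 5.1, a 64-bit target you may open, file inherit-handle.ps1.
param(
    [int]$TargetPid = 0,           # parent mode: process to open
    [long]$InheritedHandle = 0     # child mode: raw handle value passed by the parent
)
$ErrorActionPreference = 'Stop'

Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Native {
    public const uint PROCESS_ALL_ACCESS = 0x1FFFFF;  // the 0x1fffff mask mentioned in the thread
    public const uint HANDLE_FLAG_INHERIT = 0x1;
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetHandleInformation(IntPtr h, uint mask, uint flags);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern int GetProcessId(IntPtr h);
    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool EnumProcessModules(IntPtr h, [Out] IntPtr[] mods, int cb, out int needed);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int n, out IntPtr read);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(string app, StringBuilder cmd, IntPtr pa, IntPtr ta, bool inherit,
        uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint WaitForSingleObject(IntPtr h, uint ms);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@
function Get-LastError { [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() }

if ($InheritedHandle -ne 0) {
    # ---- child: no OpenProcess here; the value is the very handle the parent held ----
    $h = [IntPtr]$InheritedHandle
    $owner = [Native]::GetProcessId($h)
    if ($owner -eq 0) { throw "handle 0x$($InheritedHandle.ToString('X')) is not valid in the child: $(Get-LastError)" }
    $mods = New-Object IntPtr[] 1; $needed = 0
    if (-not [Native]::EnumProcessModules($h, $mods, [IntPtr]::Size, [ref]$needed)) { throw "EnumProcessModules: $(Get-LastError)" }
    $buf = New-Object byte[] 2; $read = [IntPtr]::Zero
    if (-not [Native]::ReadProcessMemory($h, $mods[0], $buf, 2, [ref]$read)) { throw "ReadProcessMemory: $(Get-LastError)" }
    $magic = [System.Text.Encoding]::ASCII.GetString($buf)   # the DOS header starts with 'MZ'
    "child {0}: handle 0x{1:X} -> pid {2}, image base 0x{3:X}, first bytes '{4}'" -f $PID, $InheritedHandle, $owner, $mods[0].ToInt64(), $magic
    exit 0
}

# ---- parent: open the target, make the handle inheritable, spawn the child ----
if ($TargetPid -eq 0) { throw "usage: .\inherit-handle.ps1 -TargetPid <pid>" }
$h = [Native]::OpenProcess([Native]::PROCESS_ALL_ACCESS, $true, $TargetPid)
if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($TargetPid): $(Get-LastError)" }
# bInheritHandle=TRUE above already set the flag; this call is how you flip it on a handle you did not open yourself
if (-not [Native]::SetHandleInformation($h, [Native]::HANDLE_FLAG_INHERIT, [Native]::HANDLE_FLAG_INHERIT)) { throw "SetHandleInformation: $(Get-LastError)" }

$si = New-Object 'Native+STARTUPINFO'
$si.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($si)
$procInfo = New-Object 'Native+PROCESS_INFORMATION'
# lpCommandLine must be writable (CreateProcessW may modify it), hence the StringBuilder
$cmd = New-Object System.Text.StringBuilder ('powershell.exe -NoProfile -ExecutionPolicy Bypass -File "{0}" -InheritedHandle {1}' -f $PSCommandPath, $h.ToInt64())
# bInheritHandles=TRUE: every inheritable handle in this process appears in the child at the same value
if (-not [Native]::CreateProcess($null, $cmd, [IntPtr]::Zero, [IntPtr]::Zero, $true, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$procInfo)) { throw "CreateProcess: $(Get-LastError)" }
[void][Native]::WaitForSingleObject($procInfo.hProcess, 0xFFFFFFFF)
"parent {0}: opened pid {1} as handle 0x{2:X}; child {3} used it without opening anything" -f $PID, $TargetPid, $h.ToInt64(), $procInfo.dwProcessId
foreach ($x in $procInfo.hThread, $procInfo.hProcess, $h) { [void][Native]::CloseHandle($x) }
```

Run it as `.\inherit-handle.ps1 -TargetPid (Start-Process notepad -PassThru).Id`; the child shares the parent's console, so both lines print there, and the child's read of the target's image base should come back as `MZ`. A 32-bit target under 64-bit PowerShell makes EnumProcessModules fail with ERROR_PARTIAL_COPY, which is the same bitness limitation the post flags with "64-bit only". In the scenario the thread describes the parent is the privileged process holding the 0x1fffff handle rather than your own script, and the child is whatever you manage to spawn from it. Note for anyone auditing this on the defensive side: the child's handle table contains a full-access handle to the target that the child never requested, so tooling that reasons about access from OpenProcess calls alone will miss it; enumerate handle tables instead.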