EXETOOLS FORUM  

#1  05-11-2017, 03:01  TechLord (VIP)
Windows Handle Hijacking

As @H4vC had asked in the chatbox about this topic yesterday, I thought I would post a few quick references for his benefit as well as for anyone else interested in this topic (I cannot PM him and send him the details as he is not yet "Family"), hence posting here:

Windows Handle Hijacking:

http://blog.diniscruz.com/2012/11/util-win32-window-handle-hijack-simple.html
http://diniscruz.blogspot.co.uk/2012/11/ibm-appscan-sources-and-appscan.html
http://diniscruz.blogspot.co.uk/2012/11/util-windows-handles-view-handle.html

PDFs and other documents can be found here:

https://github.com/DinisCruz/Security-Research/tree/master/O2%20Raw%20Docs

Win32 Window Handle Hijack (4x host panels):

https://leanpub.com/Practical_O2Platform/read#leanpub-auto-windows-hijacking
#2  05-11-2017, 08:15  H4vC (Friend)
Afaik that only works for .NET window handles. I'm working on a piece of proprietary software that implements an ObRegister callback to block handle creation to the target software, so I'm trying to hijack an already existing handle (csrss.exe) to do my read and write operations on the target. I'd rather not write driver code that I then have to get signed just to patch said program. So I think a good option from userland would be to hijack an existing handle.

Thanks anyways for the articles.

Edit:
Apparently, if a process has VMREAD and VMWRITE rights, I do not need to open a new handle; I can just use the existing handle as if I had opened it. I ended up writing an injectable DLL that does the reading and writing for me. Thanks for the help either way, TechLord.

Last edited by H4vC; 05-13-2017 at 01:37.
#3  05-15-2017, 20:11  H4vC (Friend)
Excuse the double post, but as I see this becoming something I'll have to do a lot more, and I'm guessing others at exetools, while certainly more skilled than me, might run into this, I've written up a quick and easy way with handle inheritance.
Here's the source of a program that will steal handles from a privileged process and give them to your executable (compile as unsafe / 64-bit only at the moment).
We're basically exploiting Windows handle inheritance behaviour: if you can spawn a process from csrss, for example, and it has a 0x1fffff handle to your process, you'll get the same handle.
Attached file: HandleJack.7z (20.0 KB)

Last edited by H4vC; 05-15-2017 at 20:51.
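Added example, not the HandleJack source attached above and not H4vC's DLL: a small C parent/child pair showing the two mechanics the thread relies on, namely that an inheritable process handle passed through CreateProcess(bInheritHandles=TRUE) keeps the same numeric value in the child, and that a handle whose granted access already includes PROCESS_VM_READ|PROCESS_VM_WRITE can be fed straight to ReadProcessMemory without ever calling OpenProcess. To keep it self-contained the parent opens a full-access handle to itself and stands in for the privileged process that already holds a 0x1fffff handle to the target; swap in the real PID and the inheritance steps are unchanged. The helper names (grants_vm_rw, encode_args, decode_args, granted_access_of) and the g_secret buffer are mine. Whether a particular driver's OB_OPERATION_HANDLE_DUPLICATE pre-operation callback also sees the inheritance copy is something to test against that driver; this example does not settle it.

```c
/* Handle inheritance walkthrough (added example). The Windows-only parts are
 * guarded by _WIN32; the helpers above them build anywhere.
 * Build on Windows: cl /W3 inherit.c   or   gcc -o inherit.exe inherit.c  */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Process access bits (winnt.h values), defined locally so the portable
 * helpers compile without windows.h. PROCESS_ALL_ACCESS is 0x1FFFFF on
 * Vista and later, the mask quoted in the thread. */
#define ACC_PROCESS_VM_READ  0x0010u
#define ACC_PROCESS_VM_WRITE 0x0020u
#define ACC_PROCESS_ALL      0x1FFFFFu

/* A handle carrying both VM bits already permits ReadProcessMemory and
 * WriteProcessMemory, so no new OpenProcess call is needed for it. */
int grants_vm_rw(uint32_t granted_access) {
    const uint32_t need = ACC_PROCESS_VM_READ | ACC_PROCESS_VM_WRITE;
    return (granted_access & need) == need;
}

/* The parent passes the raw handle value and a target address on the child's
 * command line; an inherited handle has the same numeric value in the child. */
int encode_args(uintptr_t handle, uintptr_t addr, char *out, size_t n) {
    int w = snprintf(out, n, "%llu %llu",
                     (unsigned long long)handle, (unsigned long long)addr);
    return w > 0 && (size_t)w < n;
}
int decode_args(const char *hs, const char *as, uintptr_t *handle, uintptr_t *addr) {
    char *e1, *e2;
    *handle = (uintptr_t)strtoull(hs, &e1, 10);
    *addr   = (uintptr_t)strtoull(as, &e2, 10);
    return *e1 == '\0' && *e2 == '\0' && *handle != 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

static char g_secret[] = "read via inherited handle";   /* constructed sample data */

/* Ask ntdll what access the handle actually carries (ObjectBasicInformation);
 * resolved at runtime so no ntdll import library is needed. */
static uint32_t granted_access_of(HANDLE h) {
    typedef NTSTATUS (NTAPI *NtQueryObject_t)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG);
    NtQueryObject_t q = (NtQueryObject_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryObject");
    PUBLIC_OBJECT_BASIC_INFORMATION info;
    ULONG len = 0;
    if (!q || q(h, ObjectBasicInformation, &info, sizeof info, &len) != 0) return 0;
    return (uint32_t)info.GrantedAccess;
}

/* Child: never calls OpenProcess; the inherited handle value is used as-is. */
static int child_main(const char *hs, const char *as) {
    uintptr_t hv, addr; char buf[64] = {0}; SIZE_T n = 0;
    if (!decode_args(hs, as, &hv, &addr)) return 2;
    HANDLE h = (HANDLE)hv;
    uint32_t acc = granted_access_of(h);
    printf("child: handle %p -> pid %lu, granted 0x%x\n", h, GetProcessId(h), acc);
    if (!grants_vm_rw(acc)) { puts("child: handle lacks VM_READ|VM_WRITE"); return 3; }
    if (!ReadProcessMemory(h, (LPCVOID)addr, buf, sizeof buf - 1, &n)) {
        printf("child: ReadProcessMemory failed %lu\n", GetLastError()); return 4;
    }
    printf("child: read %zu bytes: \"%s\"\n", (size_t)n, buf);
    return 0;
}

/* Parent: opens a full-access handle to itself (stand-in for a privileged
 * process that already holds one to the target), marks it inheritable, and
 * spawns a copy of this exe with bInheritHandles=TRUE. */
int main(int argc, char **argv) {
    if (argc == 3) return child_main(argv[1], argv[2]);
    HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, TRUE /* bInheritHandle */, GetCurrentProcessId());
    if (!h) { printf("OpenProcess failed %lu\n", GetLastError()); return 1; }
    /* For a handle that was opened non-inheritable, the equivalent is
       SetHandleInformation(h, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT); */
    char exe[MAX_PATH], args[64], cmd[MAX_PATH + 80];
    GetModuleFileNameA(NULL, exe, sizeof exe);
    encode_args((uintptr_t)h, (uintptr_t)g_secret, args, sizeof args);
    snprintf(cmd, sizeof cmd, "\"%s\" %s", exe, args);
    STARTUPINFOA si; PROCESS_INFORMATION pi;
    memset(&si, 0, sizeof si); si.cb = sizeof si;
    if (!CreateProcessA(NULL, cmd, NULL, NULL, TRUE /* bInheritHandles */, 0, NULL, NULL, &si, &pi)) {
        printf("CreateProcess failed %lu\n", GetLastError()); return 1;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    DWORD rc = 1; GetExitCodeProcess(pi.hProcess, &rc);
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(h);
    return (int)rc;
}
#endif
```

Run the built exe with no arguments; the parent spawns the child, and the child prints the PID the inherited handle resolves to (the parent's), the granted access mask (0x1fffff) and the contents of g_secret read out of the parent's address space. The child's exit code is propagated, so a non-zero result points at which step failed. Note that the handle value only survives the hop because it is copied into the child's table at the same index during process creation; the child cannot obtain it any other way from userland once the parent has exited.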
