Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 05-11-2017, 03:01
TechLord TechLord is offline
Banned User
 
Join Date: Mar 2005
Location: 10 Steps Ahead of You
Posts: 786
Rept. Given: 389
Rept. Rcvd 247 Times in 112 Posts
Thanks Given: 806
Thanks Rcvd at 2,056 Times in 596 Posts
TechLord Reputation: 200-299 TechLord Reputation: 200-299 TechLord Reputation: 200-299
Smile Windows Handle Hijacking

As @H4vC had asked in the chatbox about this topic yesterday, thought that I would post a few quick references for his benefit as well as anyone else interested in this topic (I cannot PM him and send him the details as he is not yet a "Family" ) - hence posting here :

Windows Handle Hijacking :

Quote:
http://blog.diniscruz.com/2012/11/util-win32-window-handle-hijack-simple.html

http://diniscruz.blogspot.co.uk/2012/11/ibm-appscan-sources-and-appscan.html

http://diniscruz.blogspot.co.uk/2012/11/util-windows-handles-view-handle.html
PDFs and other Documents can be found here :

Quote:
https://github.com/DinisCruz/Security-Research/tree/master/O2%20Raw%20Docs
Win32 Window Handle Hijack (4x host panels) :

Quote:
https://leanpub.com/Practical_O2Platform/read#leanpub-auto-windows-hijacking
Reply With Quote
  #2  
Old 05-11-2017, 08:15
H4vC H4vC is offline
Friend
 
Join Date: Jan 2017
Posts: 32
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 3
Thanks Rcvd at 20 Times in 11 Posts
H4vC Reputation: 1
Afaik that only works for .net window handles I'm working on a piece of proprietary software that implements an Obregister callback to block handle creation to the target software so I'm trying to hijack an already existing handle (csrss.exe) to do my read and write operations on the target. I'd rather not write driver code that I then have to get signed just to patch said program. So I think a good option from userland would be to hijack an existing handle.

Thanks anyways for the articles.

Edit:
Apparently if a process has VMREAD and VMWRITE rights I do not need to open a new handle I can just use the existing handle as if I had opened it, I ended up writing an injectable dll that does the reading and writing for me, thanks for the help either way Techlord.

Last edited by H4vC; 05-13-2017 at 01:37.
Reply With Quote
  #3  
Old 05-15-2017, 20:11
H4vC H4vC is offline
Friend
 
Join Date: Jan 2017
Posts: 32
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 3
Thanks Rcvd at 20 Times in 11 Posts
H4vC Reputation: 1
Excuse the doublepost but as I see this becoming something i'll have to do a lot more and I'm guessing others at exetools while certainly more skilled than me might run into this I've written up a quick and easy way with handle inheritance.
Here's a source to a program that will steal handles from a privileged process and give them to your executable. (Compile as unsafe / 64bit only at the moment)
We're basically exploiting windows handle inheritance behavior if you can spawn a process from crss for example and it has an 0x1fffff handle to your process you'll get the same handle.
Attached Files
File Type: 7z HandleJack.7z (20.0 KB, 15 views)

Last edited by H4vC; 05-15-2017 at 20:51.
Reply With Quote
The Following User Says Thank You to H4vC For This Useful Post:
tonyweb (05-15-2017)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[C/ASM] Easy to use DLL hijacking examples zeffy Source Code 9 06-04-2019 04:09
how to handle this super annoying anti trace trick niom General Discussion 8 04-14-2007 05:45
Release file lock handle baatazu General Discussion 7 06-30-2005 00:22
Softice: hwnd -> invalid window handle dreamershl General Discussion 2 04-19-2004 09:58


All times are GMT +8. The time now is 03:22.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )