Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #71468
FoxitReader Portable DLL Hijack
The following are two good candidates for DLLDynamic Link Library hijacks...
#1
FoxIt Reader attempts to auto update itself, looking for a DLLDynamic Link Library named "UpdaterLOC.dll" from its plugins folder (\Foxit Reader\plugins)
Returning FALSE from ProcessAttach doesn't seem to cause any negative side effects
#2
FoxIt attempts to load the system DLLDynamic Link Library "msimg32.dll" adjacent to itself firrst (\app\Foxit Reader\) before loading it in the proper location. The DLLDynamic Link Library export 5 functions with the following prototypes:
typedef VOID(WINAPIWindows Application Programming Interface *vSetDdrawflag)(VOID);
typedef BOOL(WINAPIWindows Application Programming Interface *AlphaBlend)(HDC, int, int, int, int, HDC, int, int, int, int, BLENDFUNCTION);
typedef DWORD(WINAPIWindows Application Programming Interface *DllInitialize)(DWORD, DWORD);
typedef BOOL(WINAPIWindows Application Programming Interface *GradientFill)(HDC, PTRIVERTEX, ULONG, PVOID, ULONG, ULONG);
typedef BOOL(WINAPIWindows Application Programming Interface *TransparentBlt)(HDC, int, int, int, int, HDC, int, int, int, int, UINT);
To hijack this DLL, take the following steps:
- Determine if you're running on a 32 or 64 bit machine and call GetSystemDirectory() or GetSystemWow64Directory()
- LoadLibrary on the real msimg32.dll
- Call GetProcAdress on each of the functions listed above and store in global pointers
- Re-route all calls to any of these functions to the "real" functions and return appropriately
typedef VOID(WINAPIWindows Application Programming Interface *REAL_vSetDdrawflag)(VOID);typedef BOOL(WINAPIWindows Application Programming Interface *REAL_AlphaBlend)(HDC, int, int, int, int, HDC, int, int, int, int, BLENDFUNCTION);typedef DWORD(WINAPIWindows Application Programming Interface *REAL_DllInitialize)(DWORD, DWORD);typedef BOOL(WINAPIWindows Application Programming Interface *REAL_GradientFill)(HDC, PTRIVERTEX, ULONG, PVOID, ULONG, ULONG);typedef BOOL(WINAPIWindows Application Programming Interface *REAL_TransparentBlt)(HDC, int, int, int, int, HDC, int, int, int, int, UINT);