Vault7: CIA Hacking Tools Revealed
Navigation: » Directory » Operational Support Branch (OSB) » OSB Home » Projects » Fine Dining » Fine Dining Tool Module Lists
Owner: User #71468
BabelPad Portable Hijack
Similar to one of FoxIt reader's hijack... there is also a manifest file next to the EXE (\app\BabelPad) that could easily be modified to load whatever we'd like
BabelPad attempts to load the system DLLDynamic Link Library "msimg32.dll" adjacent to itself firrst (\app\BabelPad\) before loading it in the proper location. The DLLDynamic Link Library export 5 functions with the following prototypes:
typedef VOID(WINAPIWindows Application Programming Interface *vSetDdrawflag)(VOID);
typedef BOOL(WINAPIWindows Application Programming Interface *AlphaBlend)(HDC, int, int, int, int, HDC, int, int, int, int, BLENDFUNCTION);
typedef DWORD(WINAPIWindows Application Programming Interface *DllInitialize)(DWORD, DWORD);
typedef BOOL(WINAPIWindows Application Programming Interface *GradientFill)(HDC, PTRIVERTEX, ULONG, PVOID, ULONG, ULONG);
typedef BOOL(WINAPIWindows Application Programming Interface *TransparentBlt)(HDC, int, int, int, int, HDC, int, int, int, int, UINT);
To hijack this DLL, take the following steps:
- Determine if you're running on a 32 or 64 bit machine and call GetSystemDirectory() or GetSystemWow64Directory()
- LoadLibrary on the real msimg32.dll
- Call GetProcAdress on each of the functions listed above and store in global pointers
- Re-route all calls to any of these functions to the "real" functions and return appropriately
Languages Available:
Full unicode support of documents, but user interface only has following languages supported:
Language | %PAL:LanguageCustom% Replacement |
---|---|
English | dword:00000000 |
Simplified Chinese | dword:00000001 |
Traditional Chinese | dword:00000002 |