Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #71468
BabelPad Portable
Similar to one of FoxIt reader's hijack... there is also a manifest file next to the EXE (\app\BabelPad) that could easily be modified to load whatever we'd like
BabelPad attempts to load the system DLLDynamic Link Library "msimg32.dll" adjacent to itself firrst (\app\BabelPad\) before loading it in the proper location. The DLLDynamic Link Library export 5 functions with the following prototypes:
typedef VOID(WINAPIWindows Application Programming Interface *vSetDdrawflag)(VOID);
typedef BOOL(WINAPIWindows Application Programming Interface *AlphaBlend)(HDC, int, int, int, int, HDC, int, int, int, int, BLENDFUNCTION);
typedef DWORD(WINAPIWindows Application Programming Interface *DllInitialize)(DWORD, DWORD);
typedef BOOL(WINAPIWindows Application Programming Interface *GradientFill)(HDC, PTRIVERTEX, ULONG, PVOID, ULONG, ULONG);
typedef BOOL(WINAPIWindows Application Programming Interface *TransparentBlt)(HDC, int, int, int, int, HDC, int, int, int, int, UINT);
To hijack this DLL, take the following steps:
- Determine if you're running on a 32 or 64 bit machine and call GetSystemDirectory() or GetSystemWow64Directory()
- LoadLibrary on the real msimg32.dll
- Call GetProcAdress on each of the functions listed above and store in global pointers
- Re-route all calls to any of these functions to the "real" functions and return appropriately