Printing Interception Via Modifying Windows Gdi

The document discusses intercepting Windows printing by modifying the GDI subsystem. It describes how intercepting printing allows monitoring print jobs and collecting metadata like printer name, timestamp, job status and page count. It outlines the different API levels involved, including the spooler, driver components and GDI API. The technique involves swapping GDI printer handles so print jobs are redirected to a "fake" printer while still fulfilling the original request on the real printer. The goal is to transparently intercept print jobs for monitoring or data loss prevention purposes.

Uploaded by liangtong
License: Attribution Non-Commercial (BY-NC)

Intercepting Windows Printing by Modifying GDI Subsystem

by Artyom Shishkin, Positive Technologies

What for?
Basically, it's a data source for monitoring systems and DLP solutions.

What do we have?
FindNextPrinterChangeNotification() gives us: printer name, timestamp, job status, page count.
The print provider is the source of this info, so I wouldn't rely on it too much.

API levels

Spooler

Driver components

Driver components
- Print providers send jobs to a local or a remote machine
- A print processor converts the spooled data into a format suitable for a print monitor
- The print monitor passes the data to a port monitor
- A port monitor is an interface between the user-mode and the kernel-mode parts of the printing system
What a mess!

Spooler API
- A set of Spooler service functions, which serve as wrappers for driver components
- At this level, we can only get the spooled data
- This is the level of raw printing. Try to parse this data!

GDI API
- The same set of functions used for Windows graphics
- A printer is a device context suitable for GDI drawing functions:
HDC hPrinter = CreateDC(TEXT("WINSPOOL"), TEXT("SuperLaserJet"), NULL, NULL); /* a printer is just a DC */
StartDoc(hPrinter, &docInfo); StartPage(hPrinter); TextOut(hPrinter, x, y, text, len); EndPage(hPrinter); EndDoc(hPrinter); DeleteDC(hPrinter);

- Graphical data is Windows graphical data: the NT EMF format

Inside GDI
Found with the help of the PEB (thanks to Feng Yuan).
Diagram: process address space -> PEB -> GDI shared handle table -> GDI cell
GDI cell contents:
- Object kernel address
- Selection count
- Process ID
- Upper handle value
- Object type
- User-mode info

The trick
Diagram: the shared handle table holds one cell for hOriginalPrinter and one cell for hPrintInterceptor; the "magical operation" exchanges the cell contents of the two.

Profit
- Swap GDI cells to send documents to a fake printer
- It is not always necessary to create your own virtual printer; you can use something like Microsoft XPS Writer
- The intercepted image can be easily forwarded to the original printer
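To make the handle-table mechanics behind "the trick" and "Profit" concrete, here is an added Python simulation (not code from the talk or from Positive Technologies) that decodes the cells of a constructed 32-bit GDI shared handle table, performs the cell swap on that constructed data, and shows the baseline-comparison check a monitoring tool could use to notice that a handle's backing object changed. The cell layout, the handle bit layout and the DC type code are assumptions taken from Feng Yuan's description, not values from this page.

```python
import struct

# Assumed 32-bit layout of one GDI shared handle table cell (16 bytes), after Feng Yuan:
#   pKernelAddress (4) | wProcessId (2) | wCount (2) | wUpper (2) | wType (2) | pUserAddress (4)
CELL = struct.Struct("<IHHHHI")
DC_TYPE = 0x01  # assumed GDI object type code for a device context


def make_handle(index, obj_type, unique):
    """Compose a GDI handle: bits 0-15 table index, 16-22 object type, 24-31 reuse count."""
    return (unique << 24) | (obj_type << 16) | index


def read_cell(table, index):
    """Decode the cell at `index` from the raw table bytes into a dict."""
    k, pid, count, upper, typ, user = CELL.unpack_from(table, index * CELL.size)
    return {"kernel": k, "pid": pid, "count": count, "upper": upper, "type": typ, "user": user}


def resolve(table, handle):
    """Kernel object behind `handle`, or None when the cell's upper word no longer
    matches the handle's upper 16 bits (the staleness check GDI itself performs)."""
    c = read_cell(table, handle & 0xFFFF)
    return c["kernel"] if c["upper"] == (handle >> 16) & 0xFFFF else None


def swap_cells(table, h1, h2):
    """The slide's 'magical operation' on constructed data: exchange the full contents of two cells."""
    i1, i2 = (h1 & 0xFFFF) * CELL.size, (h2 & 0xFFFF) * CELL.size
    t = bytearray(table)
    t[i1:i1 + CELL.size], t[i2:i2 + CELL.size] = table[i2:i2 + CELL.size], table[i1:i1 + CELL.size]
    return bytes(t)


def changed_handles(baseline, current, handles):
    """Defender's check: handles whose backing kernel object differs from a baseline snapshot."""
    return [h for h in handles if resolve(baseline, h) != resolve(current, h)]


# Constructed table of four cells; cells 2 and 3 are two DCs of process 0x0400 with reuse count 0x0A.
H_ORIG = make_handle(2, DC_TYPE, 0x0A)  # plays the role of hOriginalPrinter
H_FAKE = make_handle(3, DC_TYPE, 0x0A)  # plays the role of hPrintInterceptor
UPPER = (0x0A << 8) | DC_TYPE           # wUpper must equal the handle's upper 16 bits


def build_table():
    empty = CELL.pack(0, 0, 0, 0, 0, 0)
    cells = [empty] * 4
    cells[2] = CELL.pack(0xE1000000, 0x0400, 1, UPPER, DC_TYPE, 0)  # constructed kernel address
    cells[3] = CELL.pack(0xE1000100, 0x0400, 1, UPPER, DC_TYPE, 0)  # constructed kernel address
    return b"".join(cells)


if __name__ == "__main__":
    before = build_table()
    after = swap_cells(before, H_ORIG, H_FAKE)
    print(hex(resolve(before, H_ORIG)), "->", hex(resolve(after, H_ORIG)))
    print("changed:", [hex(h) for h in changed_handles(before, after, [H_ORIG, H_FAKE])])
```

After the swap the unchanged handle value H_ORIG resolves to the other DC's kernel object, which is exactly what lets the application keep drawing into "its" handle while the job lands on the fake printer; the baseline comparison is what a monitor would use to spot it.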

The concept
Application: I want to print things.
DLL: It's using GDI, so I'll load here using Windows hooks and patch some GDI functions: CreateDC(), StartDoc(), EndDoc(), DeleteDC().
DLL: I'll save the original parameters of this printing request.
DLL: Hey, you've decided to print! I'll swap the GDI cells so that you use the old handle for a new device.
DLL: Okay, done here, I'll print your document on the real printer.
DLL: Let's clean everything up and make things look like they did before.

Sample implementation
Settings file

DLL used for function interception

.xps image

GUI-based application that is supposed to print something

Application that fulfills the original request

Kernel-mode "magic" performer

Thank you!
Any questions?
