Results 1 to 3 of 3

Thread: Injecting Browser Helper Objects Remotely

  1. #1
    shakuni
    Guest

    Injecting Browser Helper Objects Remotely

    Some system monitoring program gave me this message

    A new startup program has been detected
    D:\windows\system32\jkhfd.dll,c

    which means that it is executing the function whose name is c which is exported by jkhfd.dll

    I dissassembled the file(jkhfd.dll) and found the following list of exported functions-

    c
    DllCanUnloadNow
    DllGetClassObject
    f
    InitSecurityInterfaceWLsaApCallPackage
    LsaApCallPackagePassthrough
    LsaApCallPackageUntrusted
    LsaApInitializePackage
    LsaApLogonTerminated
    LsaApLogonUser
    LsaApLogonUserEx
    o
    s
    SpInitialize

    (the function c, as I suspected, is exported)

    Ssinternals tools told me that the above dll is there(injected?) as the browser helper objects

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    {B2CEFDCD-4318-4FD1-B87F-3E28D54ECF8D} d:\windows\system32\jkhfd.dll


    From the above list of exported functions, most are implemented by the dll creator herself. But the win32 function(s) like LogonUser(which attempts to logon,probably remotely) has aroused my suspicion.

    My questions-

    Since the dissassembler can't locate the functions in the dissassembly, please suggest some other way of reversing the dll ?
    Any further info on this method of attack, that is, how can someone remotely inject BHOs(browser helper objects) into my browser ?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Quote Originally Posted by shakuni View Post
    Since the dissassembler can't locate the functions in the dissassembly, please suggest some other way of reversing the dll ?
    Unpack the DLL before you try to disassemble it statically.


    Quote Originally Posted by shakuni View Post
    Any further info on this method of attack, that is, how can someone remotely inject BHOs(browser helper objects) into my browser ?
    The normal method is to exploit vulnerabilities in Windows, browsers and "browser related software", that you have installed on your computer, in order to execute arbitrary code on your computer, which is in turn often used to inject things like this, often aimed to steal data and money from you.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    Which is more "vulnerable" because they don't have to break into your house and force you to install their "stuff." The simply trick you into installing the damn stuff for them.

    Regards,
    JMI

Similar Threads

  1. Injecting 64-Bit DLL Into 32-Bit Process
    By walied in forum Advanced Reversing and Programming
    Replies: 0
    Last Post: January 27th, 2013, 01:00
  2. Strong Name Helper 0.8beta By Whoknows
    By Kurapica in forum Tools of Our Trade (TOT) Messageboard
    Replies: 1
    Last Post: December 6th, 2009, 20:27
  3. GREPEXEC: Grepping Executive Objects from Pool Memory
    By Uninformed Journal in forum Blogs Forum
    Replies: 0
    Last Post: October 22nd, 2007, 12:22
  4. Opera Browser 7.54 For Free (As In Beer)
    By JimmyClif in forum Off Topic
    Replies: 6
    Last Post: April 29th, 2005, 02:41

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •