Injecting Browser Helper Objects Remotely ==?


This topic contains 1 reply, has 2 voices, and was last updated by  Vadim Smirnov 8 years, 11 months ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • #5205

    shakuni
    Participant

    Some system monitoring program gave me this message

    A new startup program has been detected
    D:\windows\system32\jkhfd.dll,c

    which means that it is executing the function whose name is c which is exported by jkhfd.dll

    I disassembled the file (jkhfd.dll) and found the following list of exported functions:

    c
    DllCanUnloadNow
    DllGetClassObject
    f
    InitSecurityInterfaceW
    LsaApCallPackage
    LsaApCallPackagePassthrough
    LsaApCallPackageUntrusted
    LsaApInitializePackage
    LsaApLogonTerminated
    LsaApLogonUser
    LsaApLogonUserEx
    o
    s
    SpInitialize

    (the function c, as I suspected, is exported)

    Sysinternals tools told me that the above DLL is there (injected?) as a browser helper object:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    {B2CEFDCD-4318-4FD1-B87F-3E28D54ECF8D} d:\windows\system32\jkhfd.dll

    From the above list of exported functions, most are implemented by the DLL creator herself. But the Win32 function(s) like LogonUser (which attempts to log on, probably remotely) have aroused my suspicion.

    My questions-

    Since the disassembler can't locate the functions in the disassembly, please suggest some other way of reversing the DLL?
    Any further info on this method of attack, that is, how can someone remotely inject BHOs (browser helper objects) into my browser?

    #6622

    Vadim Smirnov
    Moderator

    Since the disassembler can't locate the functions in the disassembly, please suggest some other way of reversing the DLL?

    The DLL can be packed, and the disassembler can't decode it without additional effort. However, many things depend on the disassembler you use and the particular BHO.

    Any further info on this method of attack, that is, how can someone remotely inject BHOs (browser helper objects) into my browser?

    A BHO is an in-process COM object, and it should be registered like any normal COM object; in addition it has to create several registry entries specific to BHOs. So if the particular BHO was not installed by you, then someone has managed to remotely execute installation code on your system.
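A defender-side check for the registration Vadim describes, as an added example that is not part of the thread: it enumerates the Browser Helper Objects key, resolves each CLSID through its InprocServer32 entry (the normal COM registration) to the DLL that gets loaded into the browser, and reports the DLL's Authenticode signature status so an unsigned DLL in an odd location, like the one above, stands out. The function name Get-RegisteredBho is my own; the registry paths are the standard ones.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on the affected machine.
function Get-RegisteredBho {
    # BHO list key paired with the CLSID hive it resolves through (64-bit and 32-bit IE views)
    $views = @(
        @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
        @{ Bho = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path $v.Bho)) { continue }
        foreach ($entry in Get-ChildItem $v.Bho) {
            $clsid = $entry.PSChildName
            # A BHO is an in-process COM server, so the DLL path lives under CLSID\{guid}\InprocServer32
            $server = Join-Path $v.Clsid "$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty $server).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            }
            $status = 'no InprocServer32 entry'
            $signer = ''
            if ($dll -and (Test-Path $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } elseif ($dll) {
                $status = 'file missing'
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Dll       = $dll
                Signature = $status
                Signer    = $signer
                BhoKey    = $v.Bho
            }
        }
    }
}

# Show every registered BHO; unsigned DLLs outside Program Files deserve a closer look.
Get-RegisteredBho | Format-Table -AutoSize
```

Compare the output against what you knowingly installed; the Sysinternals Autoruns "Internet Explorer" tab shows the same entries with the same signature check.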
