Injecting Browser Helper Objects Remotely ==?


  • #5205
    shakuni
    Participant

      Some system monitoring program gave me this message

      A new startup program has been detected
      D:\windows\system32\jkhfd.dll,c

      which means that it is executing the function whose name is c which is exported by jkhfd.dll

      I disassembled the file (jkhfd.dll) and found the following list of exported functions:

      c
      DllCanUnloadNow
      DllGetClassObject
      f
      InitSecurityInterfaceW
      LsaApCallPackage
      LsaApCallPackagePassthrough
      LsaApCallPackageUntrusted
      LsaApInitializePackage
      LsaApLogonTerminated
      LsaApLogonUser
      LsaApLogonUserEx
      o
      s
      SpInitialize

      (the function c, as I suspected, is exported)

      Sysinternals tools told me that the above dll is there (injected?) as a browser helper object:

      HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
      {B2CEFDCD-4318-4FD1-B87F-3E28D54ECF8D} d:\windows\system32\jkhfd.dll

      From the above list of exported functions, most are implemented by the dll creator herself. But the win32 function(s) like LogonUser (which attempts to logon, probably remotely) has aroused my suspicion.

      My questions-

      Since the disassembler can’t locate the functions in the disassembly, please suggest some other way of reversing the dll?
      Any further info on this method of attack, that is, how can someone remotely inject BHOs (browser helper objects) into my browser?

      #6622
      Vadim Smirnov
      Keymaster

        Since the disassembler can’t locate the functions in the disassembly, please suggest some other way of reversing the dll?

        The DLL can be packed, and the disassembler can’t decode it without additional effort. However, many things depend on the disassembler you use and the particular BHO.

        Any further info on this method of attack, that is, how can someone remotely inject BHOs (browser helper objects) into my browser?

        A BHO is an in-process COM object, so it has to be registered like any normal COM object, plus it has to create several registry entries specific to BHOs. So if the particular BHO was not installed by you, then someone has managed to remotely execute installation code on your system.
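As an added audit example (not code from this thread or from either poster), the following PowerShell script walks the BHO registry keys Vadim describes, resolves each CLSID through its COM InprocServer32 registration to the DLL Internet Explorer would load in-process, checks whether that file exists and is Authenticode-signed, and separately lists Run-key startup values of the `<path>.dll,<export>` form seen in the first post. It assumes Windows PowerShell with the standard Registry provider; the key paths are the documented locations, the function names are mine.

```powershell
# Added audit example: enumerate registered BHOs and resolve them to DLLs.
$bhoKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            # A BHO must also be a registered COM server; InprocServer32's
            # default value is the DLL that gets loaded into the browser.
            # 32-bit servers on 64-bit Windows live under Wow6432Node.
            $candidates = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                          "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32"
            $inproc = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
            $dll = $null
            if ($inproc) {
                $dll = (Get-ItemProperty -Path $inproc).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
            [PSCustomObject]@{
                Hive = $key.Split(':')[0]; CLSID = $clsid; DllPath = $dll
                FileFound = $exists; Signature = $sig
            }
        }
    }
}

# Startup values shaped like "<path>.dll,<export>" are DLL exports launched
# via rundll32; list them so they can be cross-checked against the BHO list.
function Get-DllStartupEntries {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match '\.dll\s*,\s*\w+') {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Get-BhoInventory | Format-Table -AutoSize
Get-DllStartupEntries | Format-Table -AutoSize
```

An entry whose DLL is unsigned, missing, or outside the expected install directories is the one to investigate; an unsigned DLL that is both a BHO and a Run-key target, as in the first post, deserves a second look.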
