|
Title: Injecting Browser Helper Objects Remotely == ? Post by: shakuni on May 23, 2008, 06:21:08 AM Some system monitoring program gave me this message
Quote A new startup program has been detected which means that it is executing the function whose name is c which is exported by jkhfd.dllD:\windows\system32\jkhfd.dll,c I dissassembled the file(jkhfd.dll) and found the following list of exported functions- Quote c (the function c, as I suspected, is exported)DllCanUnloadNow DllGetClassObject f InitSecurityInterfaceWLsaApCallPackage LsaApCallPackagePassthrough LsaApCallPackageUntrusted LsaApInitializePackage LsaApLogonTerminated LsaApLogonUser LsaApLogonUserEx o s SpInitialize Some sysinternals tools told me that the above dll is there(injected?) as the browser helper objects Quote HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects {B2CEFDCD-4318-4FD1-B87F-3E28D54ECF8D} d:\windows\system32\jkhfd.dll From the above list of exported functions, most are implemented by the dll creator herself. But the win32 function(s) like LogonUser(which attempts to logon,probably remotely) has aroused my suspicion. My questions- Since the dissassembler can't locate the functions in the dissassembly, please suggest some other way of reversing the dll ? Any further info on this method of attack, that is, how can someone remotely inject BHOs(browser helper objects) into my browser ?
Powered by SMF 1.1.7 |
SMF © 2006-2008, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com |