The Ethical Hacker Network - Injecting Browser Helper Objects Remotely == ?

Latest Additions

Who's Online

EH-Net Donations

Google Ads

EH-Net News Feeds

Latest Additions

Book Recommendations

Some system monitoring program gave me this message

Quote

A new startup program has been detected
D:\windows\system32\jkhfd.dll,c

which means that it is executing the function whose name is c which is exported by jkhfd.dll

I dissassembled the file(jkhfd.dll) and found the following list of exported functions-

Quote

c
DllCanUnloadNow
DllGetClassObject
f
InitSecurityInterfaceWLsaApCallPackage
LsaApCallPackagePassthrough
LsaApCallPackageUntrusted
LsaApInitializePackage
LsaApLogonTerminated
LsaApLogonUser
LsaApLogonUserEx
o
s
SpInitialize

(the function c, as I suspected, is exported)

Some sysinternals tools told me that the above dll is there(injected?) as the browser helper objects

Quote

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{B2CEFDCD-4318-4FD1-B87F-3E28D54ECF8D} d:\windows\system32\jkhfd.dll

From the above list of exported functions, most are implemented by the dll creator herself. But the win32 function(s) like LogonUser(which attempts to logon,probably remotely) has aroused my suspicion.

My questions-

Since the dissassembler can't locate the functions in the dissassembly, please suggest some other way of reversing the dll ?
Any further info on this method of attack, that is, how can someone remotely inject BHOs(browser helper objects) into my browser ?

Support EH-Net by
Buying all of your
Amazon items using
the search bar above.

Try CBT Nuggets Free!

Recent Forum Topics

Other : LZMA Decompression Help (1) by BillV
Programming : not static? (7) by RoNNie_13
Calendar Of Events : BOSS Conference 2009 (0) by don
Calendar Of Events : CSI SX 2009 (0) by don
Calendar Of Events : Security OPUS Spring 2009 (0) by don
Calendar Of Events : CanSecWest 2009 (0) by don
Calendar Of Events : Carolinacon 2009 (0) by don
Calendar Of Events : Black Hat USA 2009 (0) by don
Calendar Of Events : Black Hat Europe 2009 (0) by don
Calendar Of Events : Black Hat DC 2009 (0) by don
Calendar Of Events : Cyber Warfare 2009 (0) by don
Calendar Of Events : White Hat Ball 2009 (0) by don
Calendar Of Events : RSA Conference 2009 (0) by don
Calendar Of Events : SOURCE Boston 2009 (0) by don
Calendar Of Events : Notacon 6 (0) by don
Calendar Of Events : ShmooCon 2009 (0) by don
Calendar Of Events : SANS Pen Testing Summit 2009 (0) by don
Calendar Of Events : SANS 2009 (0) by don
Calendar Of Events : SANS Security West 2009 (0) by don
Calendar Of Events : SANS CDI 2008 (0) by don
Forensics : The Julie Amero Case: A Dangerous Farce (0) by don
Other : Early Details of Vista, Server 2008 SP2 Due in April (0) by don
Career Central : 7 Tips for Career Growth in Tight Times (0) by don
Other : Do we or Dont we... (7) by pseud0
Special Events : Pen Testing Perfect Storm Webcast Series: Part 2 - Teaser (6) by don
News from the Outside World : Would you trade your privacy for a smartphone? (5) by jason
Hardware : Key Duplication from Photos (5) by jason
Career Central : Confused about future (8) by Artful Dodger
Tools : Cain & Abel v4.9.24 Released (1) by RoleReversal
CEH - Certified Ethical Hacker : MSS from EC-Council? (13) by shednik
Book Reviews : Network Intrusion Alert (1) by don
Hardware : Lenovo Introduces Remote Disable Feature for Laptops (16) by jason
Wireless : Jamming by babycam (6) by jason
Other : What kind of lab, machines you have for your security testing? (6) by MadmanTM
Wireless : help wid wifi !!!! (1) by jason
Malware : Military Bans Removable Media (10) by ChrisG
Network Pen Testing : Metasploit Question (4) by ethicalhack3r
Other : SANS CDI (1) by jason
Hardware : Recommendations for IDS Hardware (1) by jason
News Items and General Discussion About EH-Net : Happy Turkey Day 2008 (5) by BillV

Support EH-Net by Buying all of your Amazon items using the search bar above. Try CBT Nuggets Free!

Support EH-Net by
Buying all of your
Amazon items using
the search bar above.

Try CBT Nuggets Free!