Re: microsoft hooks

x (x@x.com)
Mon, 06 Apr 1998 18:23:45 -0700

• Next message: Ian Goldberg: "Re: ElGamal signature encoding"
• Previous message: Peter Gutmann: "Re: microsoft hooks"
• Maybe in reply to: staym@accessdata.com: "microsoft hooks"

Under NT there is a secure dialog environment; if not now, it will be
possible to integrate a sensitive dialog into this secure UI.
 

At 12:46 PM 4/7/98, Peter Gutmann wrote:
>>Under windows 95, various hooks can be installed to intercept *any* kind of
>>message. The computer-based training hook can intercept the WM_CREATE
>>message. If a password-box is created, the hook procedure could note it and
>>poll it for its text, then write the information to disk (or do anything
else
>>it wanted) when the window is destroyed. Same thing goes for edit boxes in
>>web browsers: if one contains a sixteen-digit number, odds are it's a credit
>>card number and the rest of the information is in the boxes around it. All
>>the crypto in the world won't help if they can (effectively) watch you
type in
>>the information in the first place.
>>
>>Is there any defense to this sort of attack other than switching to Linux?
>
>No. This has been possible since 3.x (I wrote a program to do this some time
>ago, not for password-grabbing but as a hotkey for my transparent drive
>encryption), for Win95 I've got (somewhere) a little program which will
>itercept anything typed into a dialog with the ES_PASSWORD option set (I've
>also got one which will reveal the (supposedly hidden) password by sucking it
>out of the dialog boxes memory).
>
>The installation of global hooks was supposedly disabled under NT for
security
>reasons, but recently I've seen hints that you can still install a type of
>global hook in some instances (I haven't checked the exact details, but
>computer-based training (CBT) hooks have always been a good way to intercept
>virtually anything which is going on). To do it under NT you need to splice
>in a keyboard driver which gets the keys before NT sees them, this is
somewhat
>more difficilt since you end up with *all* the keystrokes, not just the
>password-dialog ones. The way to do this would be to wait for a
>WM_DEBUGNOTIFY event which tells you that your target program is starting
up,
>and then log keystrokes from then on. Of course once you get to this
extreme,
>pretty much any OS is vulnerable.
>
>Peter.
>
>
>

• Next message: Ian Goldberg: "Re: ElGamal signature encoding"
• Previous message: Peter Gutmann: "Re: microsoft hooks"
• Maybe in reply to: staym@accessdata.com: "microsoft hooks"