Using Detours to Intercept Windows Program Passwords

Source: Internet
Author: User

I. Introduction
 
With the rapid development of information technology, people pay more and more attention to information security, and the security and confidentiality of data has become an important topic in computer science. In the absence of other identification technologies, users often rely on passwords as the last barrier protecting their valuable data. A password alone, however, gives no peace of mind, because many tools exist that can steal user passwords. The following uses Detours to briefly introduce the basic principle of password interception, as a reminder that users should change passwords regularly and that other related security measures cannot be ignored.
 
 
II. Basic Principles
 
In Windows programming, the password edit box is widely used to prompt the user for a password. Apart from its echo character, a password edit box is no different from an ordinary edit control: the entered password characters can easily be obtained by calling the GetWindowText or GetDlgItemText functions, or by sending the WM_GETTEXT message to the password edit box window. This can be verified with the Spy++ tool shipped with Visual Studio. Letting the system remember passwords, to save typing them at every login, makes matters worse, because there are many "reveal"-style applets that display the password under the mouse pointer; they are basically implemented by sending WM_GETTEXT to the password edit box. Even if you do not let the system save the password, you cannot ignore the problem, because a malicious program may be hidden behind your input program, recording every character you type to a file without your knowledge.
 
Such programs are generally implemented through hook functions or API hooks. After the user enters a password, it must be submitted to the application for verification to determine whether the user is valid. At that point the application will often call the functions above, or send the WM_GETTEXT message, to obtain the password text the user entered. A program that can intercept these API calls or these window messages will capture the password before it reaches the application.
 
These programs generally run automatically when the system starts, then install a system hook that intercepts the GetWindowText or GetDlgItemText functions, or intercepts window messages (such as WM_DESTROY), sends WM_GETTEXT to the password edit box and its sibling windows to obtain all the text including the user name, saves it to a file, and then hands control back to the system. Such a program is limited in that it takes effect only after it has been started automatically, so it is easy to find traces of these programs in the registry with the registry editor and clear them out of the system. In safe mode these programs are never activated unless you run them yourself. Note that you do not need to double-click an application to run the program: if the file you double-click is a TXT text file (or a BMP, HTML or other file) whose default opening program has been changed to the hacker program, the data file becomes the fuse that activates it.
 
Another kind of program parasitizes an executable file in the form of a DLL (hosts such as Notepad (notepad.exe) or Paint (mspaint.exe)). This usually requires an installer that modifies the executable file so that the (Trojan) dynamic link library is loaded automatically whenever the executable runs. Deleting the dynamic link library causes the executable to fail to run, so you cannot get rid of the shadow behind your program unless you reinstall the application.
 
III. Implementation
 
1. Dynamic Link Library Injection
 
The dynamic link library is an important component of the Win32 system; it can be dynamically loaded into the address space of a process. Once a dynamic link library is injected into an application's process space, it becomes part of the running application and executes together with the application's code. Some processes never use certain dynamic link libraries, including their exported data and exported functions; there is no "kinship" between these applications and the libraries, and the application never actively loads them. Therefore, we must write code that injects the DLL into the other process. The most typical method is to install a hook function in the DLL, so that the system injects it into every process affected by the hook.
 
Installing a hook function usually requires an installer that calls the SetWindowsHookEx function. Running the installer every time the hook is needed would be troublesome, and for a Trojan program it would easily expose itself, so we hope our dynamic link library can parasitize an executable file. Once that application runs, it installs the hook function during process initialization (DLL_PROCESS_ATTACH), so that the application's window messages, and even the system's, are monitored by the hook function. The hook procedure intercepts useful messages and processes them accordingly.
 
The Detours toolkit (http://www.research.microsoft.com/sn/detours) provided by Microsoft meets our requirements. In addition to a set of API-interception functions, Detours provides functions that make DLL injection easy: we can create a new process with the DLL injected, or inject the DLL into a running process. More importantly, it can also modify the file header of an application, adding the DLL information to the header so that, after modification, the application loads the dynamic link library without any further intervention.
 
2. Injecting a Dynamic Link Library with Detours
 
 
Win32 applications are stored in the Win32 binary PE format, and PE is an extension of COFF (Common Object File Format). A Win32 binary file consists of the following parts: a DOS-compatibility header, a PE header, a text section containing program code, a data section containing initialized data, an import table listing the referenced DLL and function names, and an export table listing the code and exported symbols. Except for the two header structures, the rest are optional, and some parts may be absent from some Win32 files.
 
To modify a Win32 binary, Detours creates a new .detours section between the export table and the debug symbols (as shown in the figure; note that the debug symbols must be at the end of the Win32 binary file). The .detours section contains a Detours header record and a copy of the original PE header. If the import table is to be modified, Detours creates a new import table, appends it to the copied PE header, and then modifies the original PE header structure to point to the new import table. Finally, Detours appends the user's payloads to the end of the .detours section and adds the debug symbol information at the end of the file. Because Detours backs up the original PE header, this process is completely reversible: the .detours section can be removed and the EXE file restored to its original format before injection.
 
Creating a new import table serves two purposes: it preserves the original import table, so that the modification to the original file can be reverted as needed, and the new import table can contain renamed dynamic link libraries and functions as well as new ones.
 
Detours provides a set of functions for editing import tables, adding, enumerating and removing payloads, and binding binaries. It also provides functions to enumerate the binary files mapped into an address space and locate their payloads. Each payload is identified by a GUID (a 128-bit globally unique identifier).
 
For these functions, readers can refer to the sample program setdll.cpp provided with Detours.
 
3. Message Interception
 
Once the dynamic link library is injected into the application, it installs the hook functions during process initialization. Here we install two hook types, WH_GETMESSAGE and WH_CALLWNDPROC; the hook functions mainly intercept the WM_SETFOCUS and WM_DESTROY messages. For the former, first obtain the window's class name (GetClassName) and window style (GetWindowLong) to determine whether it is a password edit box (note that the class names of edit boxes created by Visual C++, Delphi and Visual Basic differ). If it is, save the window handles of the window itself, its sibling windows and its parent window in an array. Once the system sends WM_DESTROY to the window, the hook function intercepts the message, and the hook procedure sends WM_GETTEXT to each window handle saved in the array to obtain the dialog box title or the text of each edit box.
 
IV. Application Usage
 
This program was debugged on Windows 2000 with Visual C++ 6.0 and can also run on Windows 98. First run the dllpatch.exe program, then browse to the application that asks for a password. After confirmation, dllpatch creates a backup of the target application, modifies the application, and copies the inetpub.dll file to the target application's directory and to the Windows system directory. At this point, if you open the application file with a dependency-viewer tool, you will find a reference to a dynamic link library named inetpub.dll. After a password is intercepted, the Trojan stores it in a file with the TMP extension under the temporary directory; for convenience the file content is not encrypted. The kernel32.ini file in the Windows system directory also saves some password information. A real hacker program might not do this, since it is easily exposed, and it would also change the date of the inetpub.dll file to match that of the application. You may say that you will change the password right away so that the intercepted password is useless; but while you change the password, the new password is recorded as well.
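Section 2 above describes the PE layout that Detours rewrites (a new .detours section and a new import table), and the paragraph above notes that a dependency viewer reveals the injected inetpub.dll import. The Python script below, added here as an example and not part of the original program or of Detours, performs that check offline: it parses the DOS header, PE header, section table and import directory of a PE file, then reports a .detours section and any imported DLL missing from a baseline (for instance the import list of the backup file dllpatch creates). The build_sample_image function constructs a minimal, non-executable PE image for demonstration; the section and DLL names it uses are taken from the article, and the baseline set passed to find_injection_traces is the caller's assumption.

```python
import struct

# Offsets follow the PE/COFF specification: the data directories start at
# optional-header offset 96 (PE32) or 112 (PE32+); entry 1 is the import table.
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def _rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset via the section table."""
    for sec in sections:
        span = max(sec["virtual_size"], sec["raw_size"])
        if sec["virtual_address"] <= rva < sec["virtual_address"] + span:
            return rva - sec["virtual_address"] + sec["raw_ptr"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def parse_pe(data):
    """Return the section names and imported DLL names of a PE32/PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = opt_off + (96 if magic == 0x10B else 112)
    import_rva, _ = struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)

    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rsize, "raw_ptr": rptr})

    imports = []
    if import_rva:
        off = _rva_to_offset(import_rva, sections)
        while True:
            # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
            # ForwarderChain, Name, FirstThunk; an all-zero entry ends the list
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
            if not (oft or name_rva or ft):
                break
            noff = _rva_to_offset(name_rva, sections)
            imports.append(data[noff:data.index(b"\0", noff)].decode("ascii", "replace"))
            off += 20
    return {"sections": [s["name"] for s in sections], "imports": imports}


def find_injection_traces(data, baseline_imports):
    """Flag a .detours section and any import absent from a known-good baseline."""
    info = parse_pe(data)
    baseline = {d.lower() for d in baseline_imports}
    findings = []
    if ".detours" in info["sections"]:
        findings.append("section .detours present (binary rewritten by Detours)")
    for dll in info["imports"]:
        if dll.lower() not in baseline:
            findings.append("import not in baseline: " + dll)
    return findings


def build_sample_image(inject):
    """Construct a minimal PE32 image (headers plus two sections, not runnable).
    With inject=True the last section is named .detours and the import directory
    gains inetpub.dll, mirroring the patched executable described in the article."""
    import_rva = 0x2000
    dlls = [b"KERNEL32.dll"] + ([b"inetpub.dll"] if inject else [])
    names_rva = import_rva + 20 * (len(dlls) + 1)
    descriptors, names = b"", b""
    for dll in dlls:
        descriptors += struct.pack("<IIIII", 0, 0, 0, names_rva + len(names), 0)
        names += dll + b"\0"
    descriptors += b"\0" * 20  # null terminator descriptor
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, len(descriptors))
    sec_hdr = "<8sIIIIIIHHI"
    sections = struct.pack(sec_hdr, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack(sec_hdr, b".detours" if inject else b".idata",
                            0x200, import_rva, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections).ljust(0x200, b"\0")
    return headers + b"\0" * 0x200 + (descriptors + names).ljust(0x200, b"\0")


if __name__ == "__main__":
    for label, image in (("clean", build_sample_image(False)), ("patched", build_sample_image(True))):
        print(label, parse_pe(image), find_injection_traces(image, {"KERNEL32.dll"}))
```

To run it against a real file, read the executable into bytes and pass it to find_injection_traces together with the import list parsed from the untouched backup; matching on import names is deliberately case-insensitive because the loader treats DLL names that way.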
 
Through this program, we can see that relying solely on passwords to ensure system security is far from enough.
Detours:
http://www.research.microsoft.com/sn/detours
http://research.microsoft.com/sn/detours
