Windows Password penetration technology based on hook and MMF

AbstractWith the popularization of computers and networks, information security has become a common concern. The penetration of passwords and reverse osmosis have become increasingly prevalent in this field. This article deeply analyzes the features of Windows passwords of various versions, especially when the security of windws2k/XP is improved, and puts forward the key technologies and methods for obtaining windows passwords. The technical details of Windows Hook and memory image files (MMF) are further analyzed. In the MMF-based core class cipc, it provides a method for sharing hook handles in memory and solves the problem of inter-thread synchronization. Then, the features of wm_copydata messages are discussed in depth. Then, the important code and annotations of the Instance program are analyzed and the results are demonstrated. Finally, some anti-Password Penetration strategies are provided.

　　KeywordsMemory image files; Windows hooks; inter-process communication; Multithreading

　　1. Introduction

Few people who used Windows 3.x in the 90 s may know that such operating systems have password-protected vulnerabilities, if you select the "***" text in the password control and copy it to the clipboard, you will not see "***" but the original text of the password. Microsoft discovered the problem of Windows 3.x and modified this vulnerability in the new version of Windows 95. However, Windows 95 has a new security vulnerability. You can design a spyware program to obtain the password in the password control from the currently running program. These spyware are not the same as SoftICE cracking programs. However, Microsoft fixed this issue in window2000. How to obtain the content of any version of Windows Password control through MMF and hook technology is the key issue discussed in this article.

Figure 1 windows 2 k/XP password verification

The Windows password retrieval technology mainly exploits Windows security vulnerabilities. In Windows NT/95/98/me and other operating systems, if the wm_gettext message is sent to the password control in the spyware program, the returned text is no longer "***" but the actual text content. In Windows 2 k/XP, Microsoft adds security control. If wm_gettext is sent to the password control, the system will verify the request process to determine whether the process has permission. 1 shows that if the request process and the process where the password control is located are the same process, the wm_gettext message will still return the Real Text of the password. If the two processes are different, an error error_access_denied is returned. Therefore, the key technology for obtaining a Windows 2 k/XP password is to get the wm_gettext message from the process where the password control is located, rather than from the Penetration Process. However, this technology that runs user code in other processes can be fully implemented using the Windows Hook Technology. First, we need to know what a hook is.

2. Windows Hook

Windows is based on the event-driven mechanism, that is, the entire system is implemented through message transmission. Hook is a special message processing mechanism. It can monitor various event messages in the system or process, intercept and process messages sent to the target window. In this way, we can install custom hooks in the system to monitor the occurrence of specific events in the system and complete specific functions, such as intercepting keyboard and mouse input, and retrieving words on the screen, log monitoring. There are many types of hooks. Each Hook can intercept and process corresponding messages. For example, a keyboard Hook can intercept keyboard messages, and a shell Hook can intercept, start, and close application messages. 2 is a global hook.

Use the wh_getmessage hook in the instance program to monitor Windows messages delivered to the message queue.

Figure 2 Global hook schematic

　　3. Windows hook application

The function used to install Hooks is setwindowshookex. You can use this function to install hooks for the entire system or for a specific process. Different hooks monitor the occurrence of a specific hook event. When an event is triggered, the corresponding code will be called by the system.

One difficulty in using Windows Hooks is how to properly Save the hook handle. There are two things to solve before setting hooks:

1) A dynamic link library that includes hook functions;

2) the ID of the process to which the hook is injected.

Now let's assume process a injects a hook into process B. After hook injection, the hook handle is returned to process a and the dynamic link library is mapped to the address space of process B. When process B triggers a hook event, the hook code is called by process B (it should be noted that the hook code is called by a remote process, if the getcurrentprocessid function is called in the called Hook code, the ID of the Process injected with the hook process is obtained, rather than the process injected ). Get the Real Text of the password by sending a message in the hook code. Call the callnexthookex function before the hook code ends. If this function fails to be called, no messages will be sent to other hooks installed. The problem is that callnexthookex requires a hook handle, but the required handle has been returned to process a, and the hook program is currently running in the code segment of process B. In this way, the inter-process communication IPC (Inter Process Communication) is used to pass the hook handle.

　　4. General methods of inter-process communication

To solve the above problem, create a "share" section in the dynamic link library and write the following code:

# Pragma data_seg ("shared ") Hhook g_hhook = NULL; # Pragma data_seg () # Pragma comment (linker, "/section: shared, RWS ")

Simply put, these lines of code create a shared variable. If five processes load the dynamic link library, all five processes have access permissions. But this method has some problems: first, Some compilers may not support this method. Second, if the Windows version changes in the future, this method will not work. Third, this method does not stipulate thread synchronization. If multiple threads access this variable, thread synchronization is very important, and non-thread synchronization may trigger issues such as conflicts. To solve this problem, use the memory image file (MMF ).

　　5. memory image file (MMF)

In Win32, shared files or memory are shared between processes by using image files. If the same image name or file handle is used, different processes can read and write the same file or data block in the same memory through a pointer, and treat them as part of the memory space of the process. The memory image file can be mapped to a file, a specified region in the file, or a specified memory block. The data in the image file can be directly accessed using the memory READ command, instead of frequently using the I/O system functions of Operating Files, this increases the file access speed and efficiency.

Another important role of an image file is to support permanently named shared memory. To share memory between two applications, you can create a file in one application and map it. Then, another program opens and maps the file, and use it as the memory of your process.

　　6. Create a class cipc Based on MMF

Use the memory image file to solve inter-process communication problems, and create a mutex variable to solve the thread synchronization problem. All of these are encapsulated in a cipc class. The compatibility of different compilers is solved by using the memory image file, because the standard Win32 API is used. In addition, MMF supports data sharing between processes. In future Windows versions, Microsoft will not change the definition and method of MMF. And the mutex variable keeps the thread access synchronized. The class definition of cipc is given below.

Class cipc { Public: Cipc (); Virtual ~ Cipc (); Bool createipcmf (void); // creates an MMF for inter-process communication. Bool openipcmf (void); // enable an MMF for inter-process communication Void closeipcmf (void); // disable MMF for inter-process communication Bool isopen (void) const {return (m_hfilemap! = NULL);} // determines whether the MMF is enabled. Bool readipcmf (lpbyte pbuf, DWORD & dwbufsize); // read MMF Bool writeipcmf (const lpbyte pbuf, const DWORD dwbufsize); // write MMF Bool lock (void); // enter the critical section to create a mutex semaphore Void unlock (void); // exit the critical section and cancel the mutex semaphore. Protected: Handle m_hfilemap; // MMF file handle Handle m_hmutex; // mutex variable handle };

　　7. Use the wm_copydata message to solve inter-process communication

Wm_copydata is a good tool to solve inter-process communication problems, saving programmers a lot of time.

When the memory image file is created, the system sends a message to fill it. The system then forwards the data back to the process that initially called sendmessage, copies the data from the shared memory image file to the specified buffer, and then returns the data from the sendmessage call.

Messages that are already known to the system can be processed in the appropriate way when they are sent. What if you want to create your own (wm_user + x) message and send it from one process to another process window? The system does not know that the user wants to use the memory image file and change the pointer when sending the message. Therefore, Microsoft has created a special window message wm_copydata to solve this problem:

Copydatastruct CDs; Sendmessage (hwndreceiver, wm_copydata, (wparam) hwndsender, (lparam) & CDs ); Copydatastruct is a structure defined in winuser. h file in the following format: Typedef struct tagcopydatastruct { Ulong_ptr dwdata; DWORD cbdata; Pvoid lpdata; } Copydatastruct;

When a process sends data to a window of another process, the copydatastruct structure must be initialized first. The data member dwdata is a standby data item that can store any value. For example, a user may send data of different types or categories to another process. You can use this data to indicate the content of the data to be sent. The cbdata data Member specifies the number of bytes sent to another process. The lpdata Member points to the first byte to be sent. The address pointed to by lpdata is of course in the address space of the sending process.

When sendmessage sees that a wm_copydata message is to be sent, it creates a memory image file in bytes of cbdata and copies data to the memory image file from the address space of the sending process. Then, send a message to the target window. When processing a message in the receiving window, the lparam parameter points to a copydatastruct structure that is already in the address space of the receiving process. The lpdata member of this structure points to the view of the shared memory image file in the address space of the receiving process.

 

8. Pay attention to three important questions about wm_copydata messages.

1) only the message can be sent, and the message cannot be registered. You cannot register a wm_copydata message because the system must release the memory image file after the message is processed in the message receiving window. If you register the message, the system does not know when the message will be processed, so the copied memory block cannot be released.

2) It takes some time for the system to copy data from the address space of another process. Therefore, you should not have other threads running in the sender program modify the memory block until sendmessage is returned.

3) wm_copydata messages can be used to implement communication between 1-6 bits and 3-2 bits. It can also implement communication between 3, 2, and 6, 4. This is a convenient way for new programs to communicate with old ones.

　　9. Important code and annotations

9.1 hook function void extractpassword (const hwnd, const hwnd hpwdspywnd), which is the main function for getting the password

Tchar szbuffer [256] = {_ T ('/0')}; // allocate a buffer Sendmessage (hwnd, wm_gettext, // send a message to the injection hook process to obtain the Password text Sizeof (szbuffer)/sizeof (tchar), (lparam) szbuffer); // save it in the buffer Copydatastruct CDS = {0}; // defines a CDS struct. CDs. dwdata = (DWORD) hwnd; // dwdata Save the Process Handle CDs. cbdata = (lstrlen (szbuffer) + 1) * sizeof (tchar); // cbdata saves the Data Length CDs. lpdata = szbuffer; // lpdata points to the first buffer address Sendmessage (hpwdspywnd, wm_copydata, (Wparam) hwnd, (lparam) & CDs); // use the wm_copy data message to send a password to the process that obtains the password.

9.2 during the hook process, lresult winapi getmsgproc (INT ncode, wparam, lparam) reads the saved hook handle from the memory image file.

If (g_hhook = NULL) { // Read data from shared resources and obtain the hook handle. DWORD dwdata = 0, dwsize = sizeof (DWORD ); G_obipc.lock (); // g_obipc is the cipc object and enters the thread synchronization. G_obipc.openipcmf (); // open the MMF File G_obipc.readipcmf (lpbyte) & dwdata, dwsize); // read data to dwdata G_obipc.unlock (); // cancel thread synchronization and exit the critical section. G_hhook = (hhook) dwdata; // assign the read data to the hook handle. The key of this article is } If (ncode> = 0) // ignore values smaller than 0 { Hwnd = NULL; // window handle of the password control Hwnd hpwdspywnd = NULL; // obtain the window handle of the password Process MSG * PMSG = (MSG *) lparam; If (PMSG-> message = g_wmscanpassword) // whether the message we registered { Hwnd = (hwnd) PMSG-> wparam; Hpwdspywnd = (hwnd) PMSG-> lparam; Extractpassword (hwnd, hpwdspywnd); // obtain the password by sending a message } } Return callnexthookex (g_hhook, ncode, wparam, lparam); // return the next hook Process

　　10. Demo Interface

3. The instance is a dialog box-based project under MFC. In Window XP, drag the image control magnifier to retrieve the password in the password control. The text box below displays some related window information and Password text.

　　11. Anti-Password Penetration Strategies

Through the principles, methods, and implementations described above, we learned how to obtain Windows series passwords. A logical question is how to prevent others from using such spyware to copy our passwords? For example, how can we protect the password security if we are intruded by hook programs like this when accessing the internet. The preferred solution is to cheat the spyware program. Do not display the real password in the user program. It is best to display a false password in the password control. In this way, if someone uses the above program to obtain the password, what he gets is a false password instead of a real password.

Of course there are other countermeasures. One feasible method is to intercept wm_gettext. However, there are other advantages in using a false password. by using a false password instead of a real password, the length of the *** on the password control cannot be determined. If a program displays "***" text in its password control, we immediately know that the password has only three characters in length, greatly reducing the security of the password. However, if some encryption algorithms are used to convert the display of the password control into a long string of "*", this method is common in Microsoft's password protection policy. Therefore, password attackers cannot start.

　　12. Summary

Starting from commenting on the features of Windows series passwords, this article mainly analyzes password penetration under 2 k/XP. By injecting windows hooks into the process and passing hook handles securely using memory image files, you can find a way to obtain the password in 2 k/XP. However, it is undeniable that this is based on the use of Windows security vulnerabilities. In order to make up for these security vulnerabilities, this article also puts forward some ideas for your reference. Of course, it is not enough to solve some technical problems. The key is the human factor. Strengthening the concept of confidentiality plays a crucial role in password protection.