Analysis of security technology of password control and attack example

Source: Internet
Author: User

Time: 2013-07-14,16:09:57

Password input controls are very common. This article introduces the main implementation ideas behind secure password controls and the ways they are attacked.

1 Comparison of the physical password keyboard and password controls

Let's start by comparing the password control in a program with the password keyboard in the real world. Almost everyone has entered a password at a bank counter or an ATM, and the keyboard you touch when entering the password is a financial password keyboard. The typical counter password keyboard looks like a mouse with a data cable, and this cable connects the password keyboard to the bank's processing terminal. The structure diagram is as follows:



Obviously, if an attacker wants to steal the password, there are two ways:
A. Record the user's keystrokes at the terminal
B. Intercept the user's password from the data line

The first method relies on the user's own care when entering the password, and the second is not easy to achieve. Do not underestimate the password keyboard: it is manufactured to a national standard, and the key point of that standard is that the data coming out of the keyboard must be the user's input in encrypted form. So even if the data is intercepted, recovering the password requires obtaining the key the password keyboard used during encryption (a symmetric encryption algorithm is used here).

The password control is in fact a software implementation of the password keyboard. In a software system that uses a password control (mostly online banking systems), the software implementation of the whole password control corresponds to the whole physical password keyboard, while the roles of the physical data line and the bank terminal have no absolute counterpart in the password control system. The password control may simply encrypt the user's input and send it over the network, in which case the network is the physical data line; or the data produced by the password control flows to another module of the same local program, in which case the computer's memory plays the role of the physical data line.

In any case, the physical password keyboard described above is certainly more secure than the various software password controls, because only a limited number of people have access to the inside of the keypad, so a malicious attack from inside the keypad is not feasible. The software password control is in a much weaker position: it has to be deployed on the user's terminal, where the environment is very complex and permissions are very loose.

2 Password control principles and attack methods

Windows has no dedicated built-in password control; there is only the single-line edit control with the password property set, so that whatever is typed into the edit control is displayed as an unrecognisable character. From a security point of view this native password control does just one thing: the typed password is not visible on screen. The whole control still follows the standard Win32 message dispatch process, which means that an ordinary program can obtain the user's input before the password box does and thus record the password.

As a result, many software vendors have built all kinds of "secure password controls" for security reasons. The common types are:
1. Low-level keyboard hooks that change message parameters and dispatch paths
2. Soft keyboards that bypass keyboard input messages entirely
3. Others I have not thought of for the moment

Here is a brief introduction to the principles of the first two types of control.

2.1 Soft-keyboard password control

Let's start with the second type, even though it is not used much; one reason it is not used much is that the user experience is worse than keyboard input. This kind of password control switches keyboard input to mouse button input. The mouse button message does not carry the original password character but the coordinates of the clicked key, and the program then maps the coordinates to the corresponding character. The mapping function f(x, y) is defined by the program developers themselves and can be updated in real time (variable key order).

Leaving other protection measures aside, to attack such a control think from the perspective of the programmer who designed it: to obtain the password the user entered, at least two things are required:
A. The mouse click coordinates (x, y)
B. The in-memory mapping algorithm f(x, y)
An attacker can intercept the mouse click coordinates (x, y) and then compute the user's input from a cracked f(x, y). This may work against a soft keyboard control that is not fully protected, but it is too much trouble. There is in fact a shortcut: as long as the attacker recognises that the user is clicking on the soft keyboard, it can take a screenshot (full-screen or just the region) at every click and then sort the captured pictures to obtain the password the user entered, bypassing the program's mapping algorithm completely.

So, from the attack method above, a soft keyboard password control that wants to be more secure has to deal with two events:
A. The user's mouse click message must not be interceptable by other programs
B. All windows of the program must be blacked out when a screenshot operation happens
That is all on the soft keyboard password control. It was only a theoretical introduction with no practical code, but the principle and the attack methods are very clear, so interested readers can help some soft keyboard password control vendors with security testing.

2.2 Low-level keyboard hook password control

This is the currently popular and typical password control implementation. The keyboard is still the keyboard and the input box is still the input box; the only difference is the message dispatch path into the input box, and there is a lot of trickery in it, because the vendors try to solve the security problem inside the Windows message processing mechanism.

A normal input box receives a WM_CHAR message when the user types on the keyboard. Where does this message come from? When a key is pressed, the keyboard raises a hardware interrupt (IRQ), which the HAL maps to an interrupt request level (IRQL). If that level is higher than the level the CPU currently allows, an interrupt occurs: the CPU takes the keyboard interrupt number, uses it as an index into the IDT to fetch the corresponding descriptor, and executes the keyboard interrupt handler the descriptor points to. The job of the interrupt handler is to turn the raw keyboard scan code into a data structure and cache it.
Next comes the keyboard driver's work: the keyboard driver completes an IRP with function number IRP_MJ_READ that sits at the top of the device stack. This IRP was issued by the Raw Input Thread (RIT), a thread of the Win32 subsystem process csrss.exe. When the IRP completes, the RIT builds a key message from the data of the keyboard event and puts it into the input queue of the corresponding GUI thread.
The GUI thread then retrieves the message with GetMessage in its message loop and gets a WM_KEYDOWN message. If the GUI thread passes this WM_KEYDOWN to TranslateMessage, a WM_CHAR message is generated and stored in the thread's own posted-message queue; the next GetMessage call returns that WM_CHAR, and the character it carries is passed into the corresponding window procedure. If TranslateMessage is not used on the message, no WM_CHAR message is generated.

The complete flowchart is as follows:



From the description and flowchart above, an attacker who wants to obtain the user's password only needs to intercept the WM_CHAR message. This is true: with Spy++ you can easily get all WM_CHAR messages of a native password input box. So the goal of a secure password control is either to stop the attacker from intercepting WM_CHAR at all, or to make sure that the WM_CHAR an attacker does intercept carries a false virtual key code, the real one having already been processed. Of all the messages on the path from the user's keypress to the masked character shown in the password box, only WM_CHAR records in clear text what the user typed.
To protect WM_CHAR you have to get hold of WM_KEYDOWN, because with WM_KEYDOWN in hand you can step in before the system's subsequent processing: work out the virtual key the user pressed yourself, save the corresponding character, and then return a modified WM_KEYDOWN. From then on the data no longer matters: WM_KEYDOWN has been modified, the virtual key has been modified, and the WM_CHAR produced by the subsequent TranslateMessage call is wrong as well, so intercepting WM_CHAR is futile for an attacker.

The method of producing the false WM_CHAR differs greatly between vendors, for example QQ's (5,000 words omitted here). Another example is X-Treasure: if a user's password is mypasswordisaccess and is typed in that key order, the character sequence the control returns will be 1234556789054qqw55. That is, after each initialisation of the X-Treasure security control, when the user presses a key the control assigns a mapping character to that key; if the user presses the same key again later, no new mapping is made and the previously assigned character is returned directly. The policy is that the control creates the mapping after the user presses a key, and the mapped values are produced in a simple way:



For example, the four rows of keys, taken from top to bottom and from left to right.
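As an added example (not the X-Treasure control's own code), the following Python models the mapping just described: on its first press each key is assigned the next unused symbol from the keyboard rows read top to bottom and left to right, and repeat presses reuse that symbol. It reproduces the article's sample and also shows what the substituted sequence still reveals, namely the repetition pattern of the real keys; the KEY_ORDER string and the class name are assumptions.

```python
# Added example, not the X-Treasure control's own code: a model of the
# per-session key substitution the article describes.

# Assumed key order: the four rows of keys, top to bottom, left to right.
KEY_ORDER = "1234567890" + "qwertyuiop" + "asdfghjkl" + "zxcvbnm"


class SessionKeyMapper:
    """Per-initialisation mapping table from real keys to substitute chars.

    A key gets the next unused symbol of KEY_ORDER the first time it is
    pressed; later presses of the same key return the symbol already set.
    """

    def __init__(self, order=KEY_ORDER):
        self._order = order
        self._table = {}  # real key -> substitute char, filled on first press

    def map_key(self, key):
        """Return the substitute char for one keypress, assigning it if new."""
        if key not in self._table:
            if len(self._table) >= len(self._order):
                raise ValueError("mapping table exhausted")
            self._table[key] = self._order[len(self._table)]
        return self._table[key]

    def map_sequence(self, keys):
        """What an observer of WM_CHAR sees for a typed key sequence."""
        return "".join(self.map_key(k) for k in keys)

    def unmap_sequence(self, mapped):
        """What the control recovers with its own table (an observer lacks it)."""
        inverse = {v: k for k, v in self._table.items()}
        return "".join(inverse[c] for c in mapped)


def repetition_pattern(s):
    """Canonical pattern of repeats: 'abcc' and 'xyzz' both give (0, 1, 2, 2)."""
    first_seen = {}
    return tuple(first_seen.setdefault(c, len(first_seen)) for c in s)


if __name__ == "__main__":
    mapper = SessionKeyMapper()
    typed = "mypasswordisaccess"        # the article's sample password
    seen = mapper.map_sequence(typed)    # -> "1234556789054qqw55"
    print(typed, "->", seen)
    print("control recovers:", mapper.unmap_sequence(seen))
    # The substitution hides which keys were pressed, but not which
    # positions repeat: the pattern is identical for both strings.
    print(repetition_pattern(typed) == repetition_pattern(seen))
```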

That is the principle. To implement it you need a Windows technology, the message-based hook mechanism (this kind of hook is not the same thing as inline, IAT, SSDT and other hooks). Because WM_KEYDOWN has to be processed and modified before the system generates WM_CHAR, a low-level keyboard hook, WH_KEYBOARD_LL, must be used.

2.3 Analysis of the X-Treasure security password control in practice

Well, rather than staying on paper, let's find a target to analyse. To avoid a lawyer's letter, let's just call it X-Treasure. X-Treasure uses the same password control for both the login password and the payment password input, so let's debug it first.

As mentioned earlier, the password control uses the Windows hook mechanism, so start with the SetWindowsHookEx function.

Code:
ntdll!DbgBreakPoint:
00000000`77410530 cc              int     3
0:209> bp user32!SetWindowsHookExW
0:209> g

Then operate the web page so that the control gets the focus, which triggers the breakpoint, and look at the stack:

Code:
(271c.4d7c): Break instruction exception - code 80000003 (first chance)
Breakpoint 0 hit
user32!SetWindowsHookExW:
76d77603 8bff            mov     edi,edi
0:173:x86> kvn l10
 # ChildEBP RetAddr  Args to Child
00 4000ba84 73e94267 0000000d 5c1cca08 5c1c0000 user32!SetWindowsHookExW (FPO: [Non-Fpo])
*** WARNING: Unable to verify checksum for npalisecctrl.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for npalisecctrl.dll -
01 4000bab4 5c1ccaf5 0000000d 5c1cca08 5c1c0000 ieshims!NS_SetWindowsHookEx::APIHook_SetWindowsHookExW+0x6b (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
02 4000bb04 5c1c62d2 00140154 00000007 0014050a npalisecctrl!NP_Initialize+0x21c7
03 4000bb50 76d662fa 4e1c3070 00000007 0014050a npalisecctrl!NP_Shutdown+0x269a
04 4000bb7c 76d66d3a 05940920 00140154 00000007 user32!InternalCallWinProc+0x23
05 4000bbf4 76d66de8 00000000 05940920 00140154 user32!UserCallWinProcCheckWow+0x109 (FPO: [Non-Fpo])
06 4000bc50 76d66e44 010e22c0 00000000 00000007 user32!DispatchClientMessage+0xe0 (FPO: [Non-Fpo])
07 4000bc8c 775b010a 4000bca4 00000000 4000bde0 user32!__fnDWORD+0x2b (FPO: [Non-Fpo])
08 4000bcc4 5c1c9054 00140154 4e1c2f1c 00000001 ntdll_775a0000!KiUserCallbackDispatcher+0x2e (FPO: [0,0,0])
09 4000bcfc 5c1c5d79 0014050a 00000007 000c0822 npalisecctrl!NP_Shutdown+0x541c
0a 4000bd4c 76d662fa 4e1c2f1c 4000c01c 000c0822 npalisecctrl!NP_Shutdown+0x2141
0b 4000bd78 76d66d3a 05940d80 0014050a 00000007 user32!InternalCallWinProc+0x23
0c 4000bdf0 76d66de8 00000000 05940d80 0014050a user32!UserCallWinProcCheckWow+0x109 (FPO: [Non-Fpo])
0d 4000be4c 76d66e44 00e9fdf0 00000000 00000007 user32!DispatchClientMessage+0xe0 (FPO: [Non-Fpo])
0e 4000be88 775b010a 4000bea0 00000000 4000bf38 user32!__fnDWORD+0x2b (FPO: [Non-Fpo])
0f 4000bec0 5c1c6df4 0014050a 00000000 4e1c2ed4 ntdll_775a0000!KiUserCallbackDispatcher+0x2e (FPO: [0,0,0])

Then set two breakpoints to watch the hook being installed and removed dynamically:

Code:
0:170:x86> bp user32!SetWindowsHookExW ".printf \"Hit user32!SetWindowsHookExW\\r\\n\"; g"
0:170:x86> bp user32!NtUserUnhookWindowsHookEx ".printf \"Hit user32!UnhookWindowsHookEx\\r\\n\"; g"
0:170:x86> bl
 0 e x86 76d8f52b     0001 (0001)  0:**** user32!NtUserUnhookWindowsHookEx ".printf \"Hit user32!UnhookWindowsHookEx\\r\\n\"; g"
 1 e x86 76d77603     0001 (0001)  0:**** user32!SetWindowsHookExW ".printf \"Hit user32!SetWindowsHookExW\\r\\n\"; g"
0:170:x86> g

Then just switch back and forth so that the control gains and loses focus:

Code:
(271c.1618): Unknown exception - code 800706ba (first chance)
Hit user32!SetWindowsHookExW
Hit user32!UnhookWindowsHookEx
Hit user32!SetWindowsHookExW
Hit user32!UnhookWindowsHookEx
Hit user32!SetWindowsHookExW
Hit user32!UnhookWindowsHookEx
Hit user32!SetWindowsHookExW
Hit user32!UnhookWindowsHookEx
Hit user32!SetWindowsHookExW
Hit user32!UnhookWindowsHookEx
Hit user32!SetWindowsHookExW
Hit user32!UnhookWindowsHookEx

Then, at the moment SetWindowsHookExW is called, look at the module in which the hook procedure being installed lives, and its offset:

Code:
0:173:x86> lm a 5c1c0000
start    end        module name
5c1c0000 5c27d000   NpAliSecCtrl   C (export symbols)       NpAliSecCtrl.DLL


Below I stop debugging and analyse the hook procedure statically: find the module NpAliSecCtrl, unpack it first, then go to offset ca08 (the hook procedure 5c1cca08 minus the module base 5c1c0000).



Then reverse it... I did not reverse the code in full, only a rough frame.



In fact, it is enough to know its hook implementation mechanism. The principle of this control is that when it gets the focus it installs a low-level keyboard hook, and the job of that hook is to intercept WM_KEYDOWN, process the message and modify it. During debugging I also found that after installing the low-level keyboard hook it does not install a debug hook, so this protection mechanism is easy to break through: if another low-level keyboard hook is installed right after the control has installed its own, that hook receives the keyboard input messages before the control's hook does. I do not know whether this is an oversight in the design, but even if a debug hook were added it would still have flaws and still leave a way to attack.

2.4 X-Treasure security password control attack instance

As said above, even a debug hook cannot stop the attack, because the Windows message hook sits at too high a level of the system, and protection done at such a high level can never be absolutely safe. For the X-Treasure password control, a single inline hook is enough to break it completely.

Principle: enter the browser's process memory space, inline hook the user32!SetWindowsHookExW function, and analyse its parameters. If the module passed in belongs to the target module and the hook type is a low-level keyboard hook, call the original function, wait for it to return successfully, then call the original function again to install a low-level keyboard hook, and return. This is equivalent to a hook placed above the control's own hook, and since that hook is ours, we receive the keyboard input before the control's hook does, can work out the characters the user typed, and achieve the effect of a keylogger.

For xxxx reasons I cannot provide the source code here, only a picture and a binary for you to study.
