I. How passwords are obtained illegally:
The Edit control is a standard Windows control. When its Password attribute is set to True, the input is masked with asterisks for protection. Although only asterisks are displayed, the Edit control still holds the password the user entered. The application itself can read the password from the control, and other applications can also read the content of the Edit control by sending it a WM_GETTEXT or EM_GETLINE message. Hackers exploit this feature: when the detected window is an Edit control with the ES_PASSWORD attribute, they send it a WM_GETTEXT or EM_GETLINE message through SendMessage, and the content of the Edit box is exposed in clear text.
II. Working methods of hacker software
First, the software obtains the current window and determines whether it is an Edit control. Generally, the window to be tested is selected with the mouse, for example in the handler of the WM_MOUSEMOVE message. The code snippet is as follows:
// Convert client coordinates to screen coordinates
ClientToScreen(&point);
// Get the window that contains the given screen point
CWnd* pWnd = CWnd::WindowFromPoint(point);
if (pWnd)
{
    // Obtain the window handle
    HWND hwndCurr = pWnd->GetSafeHwnd();
    if ((::GetWindowThreadProcessId(GetSafeHwnd(), NULL)) != (::GetWindowThreadProcessId(hwndCurr, NULL)))
    {
        char lpClassName[255];
        // Obtain the class name
        if (::GetClassName(hwndCurr, lpClassName, 255))
        {
            // Determine whether it is an Edit control
            if (0 == m_strWndClass.CompareNoCase("EDIT"))
            {
                // Obtain the window style
                LONG lStyle = ::GetWindowLong(hwndCurr, GWL_STYLE);
                // If the ES_PASSWORD attribute is set
                if (lStyle & ES_PASSWORD)
                {
                    char szText[255];
                    // Send the WM_GETTEXT message to the control through its handle hwndCurr
                    ::SendMessage(hwndCurr, WM_GETTEXT, 255, (LPARAM)szText); // The password is saved in szText.
                    m_strPassword = szText;
                }
            }
        }
    }
}
Note the following key points in the above code:
ClientToScreen(&point);
CWnd* pWnd = CWnd::WindowFromPoint(point);
HWND hwndCurr = pWnd->GetSafeHwnd();
These three lines obtain the handle of the window under the mouse cursor.
::SendMessage(hwndCurr, WM_GETTEXT, 255, (LPARAM)szText);
This SendMessage call does the real work. The first parameter specifies the handle of the window that receives the message, which was obtained by the code above. The second parameter is the WM_GETTEXT message, which asks the Edit control to return its text. The returned content is saved in szText.
III. Preventive measures
Now that we understand how such hacking software commonly works, we can develop measures to prevent the attack. The following protects the password.
From the above analysis, the vulnerability of the Edit control arises mainly because it does not check the identity of the sender of a WM_GETTEXT or EM_GETLINE message. Any process that can find the Edit control's window handle can obtain its content. Therefore, the sender's identity must be verified. Here is one method of verifying that the sender is legitimate:
1. Create a new CEdit class
Derive a subclass CPasswordEdit from CEdit and declare a global variable g_bSenderIdentity that indicates whether the message sender is legitimate: BOOL g_bSenderIdentity;
Then override the virtual function DefWindowProc of CWnd and perform the identity check there:
LRESULT CPasswordEdit::DefWindowProc(UINT message, WPARAM wParam, LPARAM lParam)
{
    // The Edit content is obtained through one of the following two messages
    if ((message == WM_GETTEXT) || (message == EM_GETLINE))
    {
        // Check whether the sender is legitimate
        if (!g_bSenderIdentity)
        {
            // Illegitimate request: display a warning
            AfxMessageBox(_T("Report: attempting to steal the password!"));
            return 0;
        }
        // Legitimate access: reset the flag after this one read
        g_bSenderIdentity = FALSE;
    }
    return CEdit::DefWindowProc(message, wParam, lParam);
}
2. Handle the control in the data input dialog box
In the dialog class, declare a member m_edtPassword:
CPasswordEdit m_edtPassword;
Then add the following code to OnInitDialog() of the dialog box:
m_edtPassword.SubclassDlgItem(IDC_EDIT_PASSWORD, this);
This associates the control with the new class.
Then, in the data exchange function of the dialog box, mark the sender as legitimate:
void CDlgInput::DoDataExchange(CDataExchange* pDX)
{
    // If data is being retrieved from the controls
    // Note: The if (pDX->m_bSaveAndValidate) condition is not required for the CPropertyPage class.
    if (pDX->m_bSaveAndValidate)
    {
        g_bSenderIdentity = TRUE;
    }
    CDialog::DoDataExchange(pDX);
    //{{AFX_DATA_MAP(CDlgInput)
    DDX_Text(pDX, IDC_EDIT_PASSWORD, m_sPassword);
    //}}AFX_DATA_MAP
}
In this way, the password input box recognizes a legitimate sender and is protected.
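Added example, not code from the original article: a portable C++ model of the gate described above (no MFC; GatedEdit, ScopedPermit, exchange and foreignReadAfter are hypothetical names, and the password is a constructed sample). It shows one edge case of the flag pattern, under the assumption that an earlier field's validation can abort the exchange after the flag is set but before the password is read: the flag then stays set and the next WM_GETTEXT from any sender is answered, whereas clearing the flag in a scope guard closes that window.

```cpp
// Added example: portable model of the sender-identity gate (not MFC code).
#include <iostream>
#include <stdexcept>
#include <string>

const unsigned MSG_GETTEXT = 0x000D;  // numeric value of WM_GETTEXT

// Models CPasswordEdit::DefWindowProc: text is released only while permitted.
struct GatedEdit {
    std::string text;
    bool permit = false;              // plays the role of g_bSenderIdentity
    std::string handle(unsigned msg) {
        if (msg != MSG_GETTEXT || !permit) return "";  // request refused
        permit = false;               // one-shot: consumed by the first read
        return text;
    }
};

// Scope guard: the permit cannot outlive the data exchange, even on a throw.
struct ScopedPermit {
    GatedEdit& edit;
    explicit ScopedPermit(GatedEdit& e) : edit(e) { edit.permit = true; }
    ~ScopedPermit() { edit.permit = false; }
};

// Hypothetical exchange: an earlier field may fail validation (modelled as a
// throw) after the permit is granted but before the password is read.
void exchange(GatedEdit& e, bool earlierFieldValid) {
    if (!earlierFieldValid) throw std::runtime_error("validation failed");
    e.handle(MSG_GETTEXT);            // the dialog's own, legitimate read
}

// What an unauthorised WM_GETTEXT sees after the exchange has run.
std::string foreignReadAfter(bool earlierFieldValid, bool scoped) {
    GatedEdit e;
    e.text = "constructed-sample-password";
    try {
        if (scoped) { ScopedPermit p(e); exchange(e, earlierFieldValid); }
        else        { e.permit = true;   exchange(e, earlierFieldValid); }
    } catch (const std::runtime_error&) {}
    return e.handle(MSG_GETTEXT);
}

int main() {
    std::cout << "flag only, aborted:   '" << foreignReadAfter(false, false) << "'\n";
    std::cout << "scope guard, aborted: '" << foreignReadAfter(false, true) << "'\n";
}
```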
Conclusion:
The above method applies only to Visual C++ (VC) programs. For other languages such as VB and Delphi, you need to use VC to create a password ActiveX control; the implementation is similar to the method above. The above programs were compiled and debugged with Visual C++ 6.0.