Windows Password penetration technology based on hook and MMF

Source: Internet
Author: User
Tags password protection
ArticleDirectory
  • 1. Introduction
  • 2. Windows Hook
  • 3. Windows hook application
  • 4. General methods of inter-process communication
  • 5. memory image file (MMF)
  • 6. Create a class cipc Based on MMF
  • 8. Pay attention to three important questions about wm_copydata messages.
  • 9. Important code and annotations
  • 11. Anti-Password Penetration Strategies
  • 12. Summary
Abstract
With the popularization of computers and networks, information security has become a common concern. The penetration of passwords and reverse osmosis have become increasingly prevalent in this field. This article deeply analyzes the features of Windows passwords of various versions, especially when the security of windws2k/XP is improved, and puts forward the key technologies and methods for obtaining windows passwords.
The technical details of Windows Hook and memory image files (MMF) are further analyzed. In the MMF-based core class cipc, it provides a method for sharing hook handles in memory and solves the problem of inter-thread synchronization. Then, the features of wm_copydata messages are discussed in depth. Then, the instance is analyzed. Program Important Code And annotations, and demonstrate the results. Finally, some anti-Password Penetration strategies are provided. 1. Introduction

Few people who used Windows 3.x in the 90 s may know that such operating systems have password-protected vulnerabilities, if you select the "***" text in the password control and copy it to the clipboard, you will not see "***" but the original text of the password. Microsoft discovered the problem of Windows 3.x and modified this vulnerability in the new version of Windows 95. However, Windows 95 has a new security vulnerability. You can design a spyware program to obtain the password in the password control from the currently running program. These spyware are not the same as SoftICE cracking programs. However, Microsoft fixed this issue in window2000. How can we obtain any version of Windows through MMF and Hook Technology?
Password control content, which is the key issue discussed in this article.

Figure 1 windows 2 k/XP password verification

The Windows password retrieval technology mainly exploits Windows security vulnerabilities. In Windows NT/95/98/me and other operating systems, if the wm_gettext message is sent to the password control in the spyware program, the returned text is no longer "***" but the actual text content. In Windows 2 k/XP, Microsoft adds security control. If wm_gettext is sent to the password control, the system will verify the request process to determine whether the process has permission. 1 shows that if the request process and the process where the password control is located are the same process, the wm_gettext message will still return the Real Text of the password. If the two processes are different, an error error_access_denied is returned. Therefore, the key technology for obtaining a Windows 2 k/XP password is to get the wm_gettext message from the process where the password control is located, rather than from the Penetration Process. However, this technology that runs user code in other processes can be fully implemented using the Windows Hook Technology. First, we need to know what a hook is.

2. Windows Hook

Windows is based on the event-driven mechanism, that is, the entire system is implemented through message transmission. Hook is a special message processing mechanism. It can monitor various event messages in the system or process, intercept and process messages sent to the target window. In this way, we can install custom hooks in the system to monitor the occurrence of specific events in the system and complete specific functions, such as intercepting keyboard and mouse input, and retrieving words on the screen, log monitoring. There are many types of hooks. Each Hook can intercept and process corresponding messages. For example, a keyboard Hook can intercept keyboard messages, and a shell Hook can intercept, start, and close application messages. 2 is a global hook. Use the wh_getmessage hook in the instance program to monitor Windows messages delivered to the message queue.


Figure 2 Global hook schematic

3. Windows hook application

The function used to install Hooks is setwindowshookex. You can use this function to install hooks for the entire system or for a specific process. Different hooks monitor the occurrence of a specific hook event. When an event is triggered, the corresponding code will be called by the system.

One difficulty in using Windows Hooks is how to properly Save the hook handle. There are two things to solve before setting hooks:

1) A dynamic link library that includes hook functions;

2) the ID of the process to which the hook is injected.

Now let's assume process a injects a hook into process B. After hook injection, the hook handle is returned to process a and the dynamic link library is mapped to the address space of process B. When process B triggers a hook event, the hook code is called by process B (it should be noted that the hook code is called by a remote process, if the getcurrentprocessid function is called in the called Hook code, the ID of the Process injected with the hook process is obtained, rather than the process injected ). Get the Real Text of the password by sending a message in the hook code. Call the callnexthookex function before the hook code ends. If this function fails to be called, no messages will be sent to other hooks installed. The problem is that callnexthookex requires a hook handle, but the required handle has been returned to process a, and the hook program is currently running in the code segment of process B. In this way, inter-process communication IPC (Inter
Process Communication) to pass the hook handle.

4. General methods of inter-process communication

To solve the above problem, create a "share" section in the dynamic link library and write the following code:

 
# Pragma data_seg ("shared") hhook g_hhook = NULL; # pragma data_seg () # pragma comment (linker, "/section: shared, RWS ")

Simply put, these lines of code create a shared variable. If five processes load the dynamic link library, all five processes have access permissions. But this method has some problems: first, Some compilers may not support this method. Second, if the Windows version changes in the future, this method will not work. Third, this method does not stipulate thread synchronization. If multiple threads access this variable, thread synchronization is very important, and non-thread synchronization may trigger issues such as conflicts. To solve this problem, use the memory image file (MMF ).

5. memory image file (MMF)

In Win32, shared files or memory are shared between processes by using image files. If the same image name or file handle is used, different processes can read and write the same file or data block in the same memory through a pointer, and treat them as part of the memory space of the process. The memory image file can be mapped to a file, a specified region in the file, or a specified memory block. The data in the image file can be directly accessed using memory read commands without frequent operations.CompositionThe I/O system function of the file to improve the speed and efficiency of file access.

Another important role of an image file is to support permanently named shared memory. To share memory between two applications, you can create a file in one application and map it. Then, another program opens and maps the file, and use it as the memory of your process.

6. Create a class cipc Based on MMF

Use the memory image file to solve inter-process communication problems, and create a mutex variable to solve the thread synchronization problem. All of these are encapsulated in a cipc class. The compatibility of different compilers is solved by using the memory image file, because the standard Win32
API. In addition, MMF supports data sharing between processes. In future Windows versions, Microsoft will not change the definition and method of MMF. And the mutex variable keeps the thread access synchronized. The class definition of cipc is given below.

 class cipc {public: cipc (); Virtual ~ Cipc (); bool createipcmf (void); // create an MMF bool openipcmf (void) for inter-process communication; // enable the MMF void closeipcmf (void) for inter-process communication ); // disable the MMF bool isopen (void) const {return (m_hfilemap! = NULL);} // determine whether MMF enables bool readipcmf (lpbyte pbuf, DWORD & dwbufsize); // read MMF bool writeipcmf (const lpbyte pbuf, const DWORD dwbufsize ); // write the MMF bool lock (void); // enter the critical section and create the mutex semaphores void unlock (void); // exit the critical section and cancel the mutex semaphores protected: handle m_hfilemap; // MMF file handle m_hmutex; // mutex variable handle}; 

7. Use the wm_copydata message to solve inter-process communication

Wm_copydata is a good tool to solve inter-process communication problems, saving programmers a lot of time.

When the memory image file is created, the system sends a message to fill it. The system then forwards the data back to the process that initially called sendmessage, copies the data from the shared memory image file to the specified buffer, and then returns the data from the sendmessage call.

Messages that are already known to the system can be processed in the appropriate way when they are sent. What if you want to create your own (wm_user + x) message and send it from one process to another process window? The system does not know that the user wants to use the memory image file and change the pointer when sending the message. To this end, Microsoft has created a special window message,
Wm_copydata to solve this problem:

 
Copydatastruct CDs;
Sendmessage (hwndreceiver, wm_copydata, (wparam) hwndsender, (lparam)&CDs );
Copydatastruct is a structure defined in winuser. h file in the following format:
TypedefStructTagcopydatastruct {
Ulong_ptr dwdata;
DWORD cbdata;
Pvoid lpdata;
} Copydatastruct;

When a process sends data to a window of another process, the copydatastruct structure must be initialized first. The data member dwdata is a standby data item that can store any value. For example, a user may send data of different types or categories to another process. You can use this data to indicate the content of the data to be sent. The cbdata data Member specifies the number of bytes sent to another process. The lpdata Member points to the first byte to be sent. The address pointed to by lpdata is of course in the address space of the sending process.

When sendmessage sees that a wm_copydata message is to be sent, it creates a memory image file in bytes of cbdata and copies data to the memory image file from the address space of the sending process. Then, send a message to the target window. When processing a message in the receiving window, the lparam parameter points to a copydatastruct structure that is already in the address space of the receiving process. The lpdata member of this structure points to the view of the shared memory image file in the address space of the receiving process.

8. Pay attention to three important questions about wm_copydata messages.

1) only the message can be sent, and the message cannot be registered. You cannot register a wm_copydata message because the system must release the memory image file after the message is processed in the message receiving window. If you register the message, the system does not know when the message will be processed, so the copied memory block cannot be released.

2) It takes some time for the system to copy data from the address space of another process. Therefore, you should not have other threads running in the sender program modify the memory block until sendmessage is returned.

3) wm_copydata messages can be used to implement communication between 1-6 bits and 3-2 bits. It can also implement 3, 2, and 6
4-bit communication. This is a convenient way for new programs to communicate with old ones.

9. Important code and annotations

9.1 hook function void extractpassword (const hwnd, const hwnd
Hpwdspywnd), which is the main function for getting passwords.

 Tchar szbuffer [  256  ]  =  ')};  //  Allocate a buffer  
Sendmessage (hwnd, wm_gettext, // Send a message to the hook process to obtain the Password text.
Sizeof (Szbuffer) / Sizeof (Tchar ),
(Lparam) szbuffer ); // Save in buffer
Copydatastruct CDs = ; // Define a CDS struct
CDs. dwdata = (DWORD) hwnd; // Dwdata saves the Process Handle
CDs. cbdata = (Lstrlen (szbuffer) + 1 ) * Sizeof (Tchar );
// Length of data stored in cbdata
CDs. lpdata = Szbuffer; // Lpdata points to the buffer first address
Sendmessage (hpwdspywnd, wm_copydata,
(Wparam) hwnd, (lparam) & CDs ); // Wm_copy

Send a data message to the process that obtains the password

9.2 lresult winapi getmsgproc (INT ncode, wparam,
Lparam). This process mainly reads the stored hook handle from the memory image file.

 If (G_hhook  =  Null)
{
// Read data from shared resources and obtain the hook handle.
DWORD dwdata = 0 , Dwsize = Sizeof (DWORD );
G_obipc.lock (); // G_obipc is the cipc object and enters the thread synchronization.
G_obipc.openipcmf (); // Open the MMF File
G_obipc.readipcmf (lpbyte) & Dwdata,
Dwsize ); // Read data to dwdata
G_obipc.unlock (); // Cancel thread synchronization and exit critical section
G_hhook = (Hhook) dwdata; // Assign the read data to the hook handle. The key of this article is
}

If (Ncode > = 0 ) // Ignore values smaller than 0
{
Hwnd = NULL; // Window handle of the password control
Hwnd hpwdspywnd = NULL; // Obtain the window handle of the password Process
MSG * PMSG = (Msg * ) Lparam;
If (PMSG -> Message = G_wmscanpassword) // Message we registered?
{
Hwnd = (Hwnd) PMSG -> Wparam;
Hpwdspywnd = (Hwnd) PMSG -> Lparam;
Extractpassword (hwnd, hpwdspywnd ); // Get the password by sending a message
}
}

Return Callnexthookex (g_hhook, ncode, wparam,
Lparam ); // Returns the next hook process.

10. Demo Interface

3. The instance is a dialog box-based project under MFC. In the window
In XP, drag the image control magnifier to retrieve the password in the password control. The text box below displays some related window information and Password text.

11. Anti-Password Penetration Strategies

Through the principles, methods, and implementations described above, we learned how to obtain Windows series passwords. A logical question is how to prevent others from using such spyware to copy our passwords? For example, how can we protect the password security if we are intruded by hook programs like this when accessing the internet. The preferred solution is to cheat the spyware program. Do not display the real password in the user program. It is best to display a false password in the password control. In this way, if someone uses the above program to obtain the password, what he gets is a false password instead of a real password.

Of course there are other countermeasures. One feasible method is to intercept wm_gettext. However, there are other advantages in using a false password. by using a false password instead of a real password, the length of the *** on the password control cannot be determined. If a program displays "***" text in its password control, we immediately know that the password has only three characters in length, greatly reducing the security of the password. However, if you use some EncryptionAlgorithmChange the display of the password control to a long string of "*", which is common in Microsoft's password protection policy. Therefore, password attackers cannot start.


Figure 3 instance demonstration

12. Summary

Starting from commenting on the features of Windows series passwords, this article mainly analyzes password penetration under 2 k/XP. By injecting windows hooks into the process and passing hook handles securely using memory image files, you can find a way to obtain the password in 2 k/XP. However, it is undeniable that this is based on the use of Windows security vulnerabilities. In order to make up for these security vulnerabilities, this article also puts forward some ideas for your reference. Of course, it is not enough to solve some technical problems. The key is the human factor. Strengthening the concept of confidentiality plays a crucial role in password protection.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.