Windows password penetration technology based on hooks and MMF

With the popularization of computer and network , information security has become a major concern of people. The penetration and reverse osmosis of passwords has intensified in this area. This paper analyzes the characteristics of each version of Windows password, especially in the case of improving the security of WINDWS2K/XP, and puts forward the key techniques and methods of acquiring Windows password. The technical details of the Windows hook and memory image file (MMF) are further analyzed. In the core class CIPC based on MMF, a method is provided for the hook handle in-memory sharing, and the synchronization problem between threads is resolved. The characteristics of the WM_COPYDATA message are then discussed in depth. Then the important code and annotations of the instance program are analyzed and the results are demonstrated. Finally, some anti-password infiltration strategies are given.

1. Introduction

People who used windows3.x in the 90 may have few knowledge of password-protected vulnerabilities in such operating systems , and if you select the "* * *" text in the password control and copy it to the Clipboard, you will not see "* * *" But the original text of the password. Microsoft has discovered windows3.x and modified the vulnerability in a new version of Window95. However, there is a new security vulnerability in Windows95, which can be designed to get a password from a password control in a program that is currently running, which is not a hacking program like SoftICE. However, Microsoft has patched up this issue in window2000, and how to get the content of any version of the Windows password control through MMF and hook technology is the key issue discussed in this article.

Figure 1 Windows 2k/xp password check

Getting Windows password technology is primarily taking advantage of Windows security vulnerabilities. InWindows NT/95/98/me and other operating systems, if the spy program sends wm_gettext messages to the password control, the returned text will no longer be "* * * * * * * * * * * * * * * * *, but in the WINDOWS2K/XP system Microsoft added security control, if sent Wm_ GetText to the password control, the system officer the request process to determine whether the process has permissions, 1: If the request process is the same process as the password control's process, the Wm_gettext message will still return the true text of the password. If two processes are different, return a error_Access_denied's error. So the key technique for getting the windows2k/xp password is to get the Wm_gettext message from the process in which the password control resides, rather than in the infiltration process. This technique of running user code in other processes can be fully implemented using Windows Hook technology. First we need to know what hooks are.

2. Windows hooks

Windows systems are built on eventsDriveMechanism, that is, the entire system is implemented through the delivery of messages. Hooks are a special kind of message handling mechanism that can monitor various event messages in a system or process, intercept messages destined for a target window, and process them. In this way, we can install custom hooks in the system, monitor the occurrence of specific events in the system, and complete certain functions, such as interceptingkeyboard、MouseInput, screen fetching words, log monitoring and so on. There are many kinds of hooks, each hook can intercept and process the corresponding message, such as keyboard hooks can intercept keyboard messages, shell hooks can intercept, start and close the application of the message, and so on. 2 is a global hook.

Using the Wh_getmessage hook in the instance program, this hook monitors the Windows messages posted to the message queue.

　　
Figure 2 schematic diagram of a global hook

　　 3, the application of Windows hook here

The function for installing hooks is SetWindowsHookEx, which can be used to install hooks for the whole system or for a particular process, and different hooks monitor the occurrence of a particular hook event, and when an event is triggered, the corresponding code is called by the system.

One difficulty with using Windows hooks is how to properly store the handle of a hook. There are two things to solve before setting up hooks:

1) A dynamic link library that includes a hook function;

2) The process ID to inject the hook into.

Now assume that process a injects a hook for process B. After the hook is injected, the handle of the hook is returned to process a and the dynamic link library is mapped to process B's address space. When a hook event is triggered in process B, the hook code is called by Process B (It should be noted that the hook code is called by a remote process, and if the call to GetCurrentProcessId is called in the hook code, the process ID of the hook process is injected, Rather than the injection process). In the hook code by sending a message to get the true text of the password, before the end of the hook code to call the CallNextHookEx function, if the function call fails, the installation of the other hooks will not get the message. The problem now is that CallNextHookEx needs a handle to the hook, but the desired handle has been returned to process a and the hook is currently running in Process B's code snippet. This requires the use of interprocess communication IPC (Inter process Communication) to pass the hook handle.

　　 4, the general method of inter-process communication

The general way to solve these problems is to create a "shared" section in the dynamic link library and write the following code:

#pragma data_seg ("Shared") Hhook G_hhook = NULL; #pragma data_seg () #pragma COMMENT (linker, "/SECTION:SHARED,RWS")

The

simply says that these lines of code create a shared variable, and if 5 processes are loaded into the dynamic link library, 5 processes have access permissions. But there are some problems with this approach: one is that some compilers may not support this approach. The second is if the future version of Windows changes, this method will not work. Three is that this method does not specify thread synchronization, if there are multiple threads to access this variable, thread synchronization is very important, no synchronization between threads may trigger problems such as conflict. The solution to this problem is to use a memory image file (MMF).

5, Memory image file (MMF)

in WIN32, by using image files to implement shared files or memory sharing between processes, if you take advantage of the same image name or file handle, The different processes can read and write the same file or the same memory data block through a pointer and treat them as part of the process memory space. A memory image file can map a file, a specified area in a file, or a specified block of memory, where the data can be accessed directly using memory read instructions, rather than using the I/O system functions of the operation file frequently, thus improving the file's access speed and efficiency. Another important role of the

image file is to support permanently named shared memory. To share memory between two applications, you can create a file and map it in one application, and then another program uses it by opening and mapping the file and using it as the memory of its own process.

6, establishing a class based on MMF CIPC

Use a memory image file to resolve interprocess communication issues, and create a mutex to resolve thread synchronization issues. All of these are encapsulated in a CIPC class. The use of memory image files solves the compatibility problems of different compilers, because the standard Win32 API is used. Plus MMF support for data sharing between processes, Microsoft will not change the definition and methods of MMF in future versions of Windows. And the mutex keeps the thread-access synchronization. The class definition for CIPC is given below.

class CIPC { Public: CIPC ( ); Virtual ~CIPC (); bool CreateipCMM F (void);//Create MMF bool openipcmmf (void) for interprocess communication;// Open an interprocess communication between MMF void closeipcmmf (void);//Turn off an interprocess communication MMF bool IsOpen (void) const {return (M_hfilemap! = NULL);}　　Determine if MMF opens bool readipcmmf (lPB yte PBuf, DWORD &dwbufsize);//Read MMF BOOL WRITEIPCMMF (const LPBYTE PBUF, const DWORD dwbufsize);//write MMF bool Lock (void);//Enter the critical section to create the mutex semaphore Void Unlock (VO ID);//exit critical section, revoke mutex semaphore Protected: HANDLE m_hfilemap;//mmf file handle HANDLE m_hmutex;//mutex handle };

　　7. Use WM_COPYDATA messages to resolve inter-process communication

Wm_copydata Messaging is a great tool for solving communication problems between processes, which can save programmers a lot of time.

When the memory image file is established, the system sends a message to populate it. The system then goes back to the process that originally called SendMessage, copies the data from the shared memory image file into the specified buffer, and then returns from the SendMessage call.

For messages that are already known to the system, they can be handled in the appropriate manner when they are sent. What if you want to create your own (WM_USER+X) message and send it from one process to another? The system does not know that the user wants to use the memory image file and changes the pointer when sending the message. To this end, Microsoft has created a special window message that wm_copydata to solve this problem:

COPYDATASTRUCT CDs; SendMessage (Hwndreceiver,wm_copydata, (WPARAM) Hwndsender, (LPARAM) &cds); Copydatastruct is a structure that is defined in the Winuser.h file, in the form of the following: Typedef struct tagcopydatastruct{ ULONG_PTR Dwdata; DWORD cbdata; PVOID lpdata; }copydatastruct;

When a process wants to send some data to another process's window, the COPYDATASTRUCT structure must be initialized first. The data member Dwdata is an alternate data item that can hold any value. For example, it is possible for a user to send different types or different categories of data to another process. You can use this data to indicate what you want to send the data to. The Cbdata data member specifies the number of bytes sent to another process, and the Lpdata data member points to the first byte to be sent. The address that lpdata points to, of course, in the address space of the sending process.

When SendMessage sees a WM_COPYDATA message to send, it establishes a memory image file with a size of cbdata bytes and copies data from the address space of the sending process to the memory image file. The message is then sent to the destination window. When the window procedure that receives the message processes the message, the lparam parameter points to a COPYDATASTRUCT structure that is already in the receiving process address space. The lpdata member of this structure points to the view of the shared memory image file in the receiving process address space.

8, about the Wm_copydata news, should pay attention to three important questions

1) You can only send this message and cannot register this message. You cannot enlist a WM_COPYDATA message because the system must free the memory image file after the message has been processed by the window procedure that received the message. If you register this message, the system does not know when the message is processed, so it cannot release the copied memory block.

2) It takes some time for the system to replicate data from the address space of another process. So you should not let other threads running in the sending program modify this memory block until the SendMessage call returns.

3) with the WM_COPYDATA message, 1 6-bit and 3 2-bit communication can be achieved. It also enables communication between 3 2-bit and 6 4-bit. This is a convenient way to make the new program communicate with the old program.

　　9. Important Codes and annotations

9.1 Hook function void Extractpassword (const HWND hwnd, const HWND Hpwdspywnd), which is the main function to get the password

TCHAR szbuffer[256] = {_t ('/0 ')};//allocate a buffer SendMessage (hwnd,wm_gettext,//sends a message to the injection hook process to get the password text sizeof (Szbuffer)/sizeof (TCHAR), (LPARAM) szbuffer);//Save in Buffer Copydatastruct CDs = {0};//defines a CDS structure Cds.dwdata = (DWORD) Hwnd;//dwdata Save the process handle Cds.cbdata = (Lstrlen (szbuffer) + 1) * sizeof (TCHAR); Cbdata Saving Data length Cds.lpdata = Szbuffer;//lpdata points to the first address of the buffer SendMessage (Hpwdspywnd,wm_copydata, (WPARAM) HWnd, (LPARAM) &cds);//Use the WM_COPY data message to send a password to the Get password process

9.2 Hook procedure lresult WINAPI getmsgproc (int nCode, WPARAM WPARAM, LPARAM LPARAM), this process mainly completes reading the saved hook handle from the memory image file.

if (G_hhook = = NULL) { //read from shared resource The data, which eventually gets the hook handle DWORD dwdata = 0, dwsize = sizeof (DWORD), G_obipc.lock (),//G_OBIPC as the CIPC object, enters thread synchronization G_ Obipc.openipCMM F ();//Open MMF file g_obipc.readipcmmf ((L PB Yte) &dwdata, dwsize);//Read data to Dwdata G_obipc.unlock ();//Cancel thread synchronization, exit critical section G_hhook = (hhook) dwdata;// Assign the read data to the hook handle, the key of this article is } if (nCode >= 0)//Ignore values less than 0 { hwnd hwnd = NULL;//The window handle where the password control is located HWND Hpwdspywnd = null;//Gets the window handle of the password process MSG *pmsg = (msg*) lParam; if (pmsg->message = = G_wmscanpassword)//Whether we register the message　　 { hwnd = (hwnd) Pmsg->wparam; Hpwdspywnd = (HWND) pmsg->lparam; Extractpassword (hWnd, Hpwdspywnd);//Get password by sending message } } return CallNextHookEx (G_hhook, NCode, WParam, LParam);//returns to the next hook procedure

10, demo interface

3: The instance is a dialog-based project under MFC. Under Window XP, drag the picture control Magnifier to retrieve the password in the password control. The following text box displays some relevant window information along with the password text.

11, anti-password penetration response policy

through the principles, methods and implementations described above, we learned how to get windows Series Password method, a logical question is how to prevent others from using such a spy program to copy our password? For example, if we are on the Internet, if this hook program intrusion, how to protect the password security. The preferred solution is to spoof the spy program, do not display the actual password in the user program, preferably in the password control to display a false password. So if someone uses the above program to get the password, then he gets a false password instead of a real password.

Of course there are other coping strategies, and one possible way is to intercept wm_gettext. But with false passwords there are other advantages, by using a false password instead of a true password, then see the password control on the length can not determine how long the password. If a program displays the text "* * *" in its password control, we immediately know that the password is only three characters long and the security of the password is greatly reduced. However, this method is common in Microsoft's password protection policy if the display of the password control becomes a long string of "*" through some encryption algorithms. Then the password attacker will not be the only person.


Figure 3 Example Demo

12, summary

This article is a starting point for commenting on the password characteristics of the Windows family, mainly for the analysis of password infiltration under 2K/XP. Find a way to get the password in the 2K/XP by injecting Windows hooks into the process and using the memory image file to safely pass the hook handle. But it is undeniable that this is based on the use of Windows security vulnerabilities. In order to make up for these security loopholes, this article finally put forward some ideas for readers ' reference. Of course, it is not enough to solve some problems technically, the key is the human factor, and strengthening the concept of secrecy plays a vital role in the protection of passwords.