Peter Gutmann (pgut001@cs.auckland.ac.nz)
Tue, 7 Apr 1998 12:46:34 (NZST)
>Under Windows 95, various hooks can be installed to intercept *any* kind of
>message. The computer-based training hook can intercept the WM_CREATE
>message. If a password-box is created, the hook procedure could note it and
>poll it for its text, then write the information to disk (or do anything else
>it wanted) when the window is destroyed. Same thing goes for edit boxes in
>web browsers: if one contains a sixteen-digit number, odds are it's a credit
>card number and the rest of the information is in the boxes around it. All
>the crypto in the world won't help if they can (effectively) watch you type in
>the information in the first place.
>
>Is there any defense to this sort of attack other than switching to Linux?

No. This has been possible since 3.x (I wrote a program to do this some time
ago, not for password-grabbing but as a hotkey for my transparent drive
encryption), for Win95 I've got (somewhere) a little program which will
intercept anything typed into a dialog with the ES_PASSWORD option set (I've
also got one which will reveal the (supposedly hidden) password by sucking it
out of the dialog box's memory).

The installation of global hooks was supposedly disabled under NT for security
reasons, but recently I've seen hints that you can still install a type of
global hook in some instances (I haven't checked the exact details, but
computer-based training (CBT) hooks have always been a good way to intercept
virtually anything which is going on). To do it under NT you need to splice
in a keyboard driver which gets the keys before NT sees them, this is somewhat
more difficult since you end up with *all* the keystrokes, not just the
password-dialog ones. The way to do this would be to wait for a
WM_DEBUGNOTIFY event which tells you that your target program is starting up,
and then log keystrokes from then on. Of course once you get to this extreme,
pretty much any OS is vulnerable.
Peter.