Theory of Win Hooks and how to explore the technique in C++ and C# .NET

herakty

Operating systems have at their base a messaging system between processes, which is everything that happens in the OS: events such as mouse clicks or keystrokes, opening a window, everything that goes on in the OS, since it is this system that connects all its parts... it is the internal communication system of an OS, and in Windows it is very simple to "catch" those messages and manipulate them, whether by altering them, pulling information out of them, or taking control for further steps; not even the sky is the limit in what is called Windows HOOK.... although in this case it is specific.

You can, for example, analyse all the windows and look for certain properties, such as a browser, and see which site that browser is on... you can then identify every key pressed and every position clicked by the mouse, etc., etc.... in Windows everything goes through this internal messaging system, and Windows very easily allows (this is not exploitation, that is something else) access to other processes... in fact, it lets us access the general messaging system through which everything passes.

That is why I don't trust home banking, particularly on Windows, because I have already analysed trojans/worms that were specifically built to detect visits to home-banking sites and knew the complex authentication mechanism, yet managed to intercept the session, because through win hooks they took control of the process involved. And there they can do anything, such as sending messages "behind the scenes", which is complex for certain requests, but it is very simple to "catch" all the data needed for authentication for later use... even the systems that use variants can be exploited, since they can "catch" enough variations to achieve a successful authentication... whoever understands Windows internally understands what I am saying... and I have been a systems architect on a large home-banking project, worked several years in the banking and insurance department of a multinational, and was even a security specialist for several years at the largest national bank.... whether it still is, I don't know ;)

Theory:

Windows hooks can be considered one of the most powerful features of Windows. With them, you can trap events that will occur, either in your own process or in other processes. By "hooking", you tell Windows about a function (a filter function, also called a hook procedure) that will be called every time an event you're interested in occurs. There are two types of them: local and remote hooks.

    Local hooks trap events that will occur in your own process.

    Remote hooks trap events that will occur in other process(es). There are two types of remote hooks:

        thread-specific: traps events that will occur in a specific thread in another process. In short, you want to observe events in a specific thread in a specific process.

        system-wide: traps all events destined for all threads in all processes in the system.

M$ HOME PAGE ON HOOKS

A hook is a point in the system message-handling mechanism where an application can install a subroutine to monitor the message traffic in the system and process certain types of messages before they reach the target window procedure.

http://msdn.microsoft.com/en-us/library/ms632589%28v=vs.85%29.aspx

PRACTICE

How to set a Windows hook in Visual C# .NET

http://support.microsoft.com/kb/318804/en-us?fr=1

SetWindowsHookEx Function

Installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread.

HHOOK WINAPI SetWindowsHookEx(
  __in  int idHook,
  __in  HOOKPROC lpfn,
  __in  HINSTANCE hMod,
  __in  DWORD dwThreadId
);

http://msdn.microsoft.com/en-us/library/ms644990%28v=vs.85%29.aspx

SOME MESSAGES

    WH_CALLWNDPROC: called when SendMessage is called
    WH_CALLWNDPROCRET: called when SendMessage returns
    WH_GETMESSAGE: called when GetMessage or PeekMessage is called
    WH_KEYBOARD: called when GetMessage or PeekMessage retrieves WM_KEYUP or WM_KEYDOWN from the message queue
    WH_MOUSE: called when GetMessage or PeekMessage retrieves a mouse message from the message queue
    WH_HARDWARE: called when GetMessage or PeekMessage retrieves some hardware message that is not related to the keyboard or mouse
    WH_MSGFILTER: called when a dialog box, menu or scrollbar is about to process a message. This hook is local. It's specifically for those objects which have their own internal message loops.
    WH_SYSMSGFILTER: same as WH_MSGFILTER but system-wide
    WH_JOURNALRECORD: called when Windows retrieves a message from the hardware input queue
    WH_JOURNALPLAYBACK: called when an event is requested from the system's hardware input queue
    WH_SHELL: called when something interesting about the shell occurs, such as when the task bar needs to redraw its buttons
    WH_CBT: used specifically for computer-based training (CBT)
    WH_FOREGROUNDIDLE: used internally by Windows. Little use for general applications
    WH_DEBUG: used to debug the hooking procedure
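As an added example (this is not herakty's code, nor the Microsoft KB or CodeProject code linked on this page), here is the *local* hook case from the theory above in C#: a WH_GETMESSAGE hook installed with hMod = IntPtr.Zero and dwThreadId = the calling thread, so it only ever sees the messages of the process that installs it. The P/Invoke declarations are the standard user32/kernel32 ones; the messages posted to the thread are constructed for the demo. It also shows the two mistakes that the KB article warns about: letting the GC collect the hook delegate, and not calling CallNextHookEx.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example, not from the original post: a thread-specific (local) WH_GETMESSAGE hook.
// hMod = IntPtr.Zero and dwThreadId = our own thread id is the "local hook" case from the
// theory above; nothing here touches another process or needs a DLL.
class LocalMessageHook : IDisposable
{
    const int WH_GETMESSAGE = 3;        // hook id from the list above
    const uint WM_QUIT = 0x0012;
    const uint WM_USER = 0x0400;
    const uint PM_NOREMOVE = 0x0000;

    delegate IntPtr HookProc(int nCode, IntPtr wParam, IntPtr lParam);

    [StructLayout(LayoutKind.Sequential)] struct POINT { public int x, y; }
    [StructLayout(LayoutKind.Sequential)]
    struct MSG { public IntPtr hwnd; public uint message; public IntPtr wParam; public IntPtr lParam; public uint time; public POINT pt; }

    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr SetWindowsHookEx(int idHook, HookProc lpfn, IntPtr hMod, uint dwThreadId);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool UnhookWindowsHookEx(IntPtr hhk);
    [DllImport("user32.dll")]
    static extern IntPtr CallNextHookEx(IntPtr hhk, int nCode, IntPtr wParam, IntPtr lParam);
    [DllImport("user32.dll")]
    static extern bool PostThreadMessage(uint idThread, uint msg, IntPtr wParam, IntPtr lParam);
    [DllImport("user32.dll")]
    static extern int GetMessage(out MSG lpMsg, IntPtr hWnd, uint wMsgFilterMin, uint wMsgFilterMax);
    [DllImport("user32.dll")]
    static extern bool PeekMessage(out MSG lpMsg, IntPtr hWnd, uint wMsgFilterMin, uint wMsgFilterMax, uint wRemoveMsg);
    [DllImport("kernel32.dll")]
    static extern uint GetCurrentThreadId();

    // The delegate is held in a field: if only the P/Invoke call referenced it, the GC could
    // collect it and user32 would later call into freed memory (the classic KB 318804 pitfall).
    readonly HookProc _proc;
    IntPtr _hook;
    public int Seen { get; private set; }   // how many messages the filter has observed

    public LocalMessageHook()
    {
        _proc = Filter;
        _hook = SetWindowsHookEx(WH_GETMESSAGE, _proc, IntPtr.Zero, GetCurrentThreadId());
        if (_hook == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    IntPtr Filter(int nCode, IntPtr wParam, IntPtr lParam)
    {
        // nCode < 0 means: do not process, just pass the call on.
        if (nCode >= 0)
        {
            MSG m = Marshal.PtrToStructure<MSG>(lParam);   // lParam points at the MSG being retrieved
            Seen++;
            Console.WriteLine($"hook saw message 0x{m.message:X4}");
        }
        // Always hand the call to the next hook in the chain, or other hooks silently stop working.
        return CallNextHookEx(_hook, nCode, wParam, lParam);
    }

    public void Dispose()
    {
        if (_hook != IntPtr.Zero) { UnhookWindowsHookEx(_hook); _hook = IntPtr.Zero; }
    }

    static void Main()
    {
        uint tid = GetCurrentThreadId();
        MSG msg;
        PeekMessage(out msg, IntPtr.Zero, 0, 0, PM_NOREMOVE);   // forces creation of this thread's message queue

        using (var hook = new LocalMessageHook())
        {
            // Constructed traffic: two private messages to our own thread, then WM_QUIT to end the loop.
            PostThreadMessage(tid, WM_USER + 1, IntPtr.Zero, IntPtr.Zero);
            PostThreadMessage(tid, WM_USER + 2, IntPtr.Zero, IntPtr.Zero);
            PostThreadMessage(tid, WM_QUIT, IntPtr.Zero, IntPtr.Zero);

            // Every GetMessage call runs through the WH_GETMESSAGE chain before the message reaches us.
            while (GetMessage(out msg, IntPtr.Zero, 0, 0) > 0) { }
            Console.WriteLine($"messages observed by the hook: {hook.Seen}");
        }
    }
}
```

Build with csc and run on Windows; the filter prints each message id as the loop retrieves it. The system-wide variant of SetWindowsHookEx is a different animal: it requires hMod to be a native DLL that Windows maps into every process on the desktop, which is exactly the part that the WindowsHookLib library below wraps, and it is also the reason a global hook is something a defender looks for in a process's loaded-module list rather than something a managed assembly can do on its own.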

Global Windows Hooks

A HIGH-LEVEL library for win hooks... limited, of course; the best is to go straight to the base... BUT VERY GOOD FOR EXPLORING THE SOURCE CODE AND LEARNING, and it can serve as a base for other flights.

The WindowsHookLib is a single library to hook the mouse, keyboard and the clipboard system wide. WindowsHookLib library has been rewritten in C# and therefore it uses Common Language Runtime (CLR). This means that the library can be referenced from various projects in .NET. The mouse and keyboard hooks are low level so you can use the Handled property of the MouseEventArgs or the KeyboardEventArgs to prevent the windows messages being passed to the other applications. Note you need to use the DLL file, not the classes in your projects; otherwise they might not work correctly.

    Clipboard hook

    Keyboard hook

    Mouse hook

http://www.codeproject.com/KB/DLL/WindowsHookLib.aspx

Tutorial 24: Windows Hooks

We will learn about Windows hooks in this tutorial. Windows hooks are very powerful. With them, you can poke inside other processes and sometimes alter their behaviors.

Download the example here.

http://win32assembly.online.fr/files/tut24.zip

teckV
