How passwords are illegally read from Edit controls, and how to prevent it

zhaozj2021-02-17  59

First, the principle of illegally obtaining a password:

The Edit control is a standard Windows control. When its Password property is set to True, whatever the user types is masked with asterisks for protection. But although we only see asterisks, the Edit control itself still holds the password the user typed. The owning application can read it from the control, and so can any other application, by sending the control a WM_GETTEXT or EM_GETLINE message. Password-stealing programs exploit exactly this property of the Edit control: when the window currently under inspection is an Edit control with the ES_PASSWORD style, they send it a WM_GETTEXT or EM_GETLINE message via SendMessage, and the content of the Edit box is exposed at a glance.

Second, how the hacker software works:

First, obtain the current window and determine whether it is an Edit control. Usually the window to probe is chosen with the mouse, so the check is placed in the handler for the WM_MOUSEMOVE message. The code fragment looks like this:

// Convert client coordinates to screen coordinates
ClientToScreen(&point);
// Return the window located at the given screen coordinates
CWnd* pWnd = CWnd::WindowFromPoint(point);
if (pWnd)
{
    // Get the window handle
    HWND hWndCurr = pWnd->GetSafeHwnd();
    // Only look at windows that belong to another thread, i.e. not our own window
    if (::GetWindowThreadProcessId(GetSafeHwnd(), NULL) != ::GetWindowThreadProcessId(hWndCurr, NULL))
    {
        char lpClassName[255];
        // Get the class name
        if (::GetClassName(hWndCurr, lpClassName, 255))
        {
            m_strWndClass = lpClassName;
            // Check whether it is an Edit control
            if (0 == m_strWndClass.CompareNoCase("Edit"))
            {
                // Get the window style
                LONG lStyle = ::GetWindowLong(hWndCurr, GWL_STYLE);
                // If the ES_PASSWORD style is set
                if (lStyle & ES_PASSWORD)
                {
                    char szText[255];
                    // Send a WM_GETTEXT message to the control through the handle hWndCurr
                    ::SendMessage(hWndCurr, WM_GETTEXT, 255, (LPARAM)szText); // the password is now in szText
                    m_strPassword = szText;
                }
            }
        }
    }
}

Several places in the code above deserve attention:

ClientToScreen(&point);
CWnd* pWnd = CWnd::WindowFromPoint(point);
HWND hWndCurr = pWnd->GetSafeHwnd();

These three statements obtain the handle of the window under the current mouse position, for use in SendMessage.

::SendMessage(hWndCurr, WM_GETTEXT, 255, (LPARAM)szText);

This is the actual SendMessage call. The first parameter is the handle of the window that receives the message, obtained by the code above; the second is the WM_GETTEXT message, which makes the Edit control return its characters. The returned content is stored in szText.

Third, prevention measures

Now that we understand how this kind of snooping software works, we can naturally devise measures against it. Below we show how to protect the password.

From the analysis above, the weakness of the Edit control is that it never checks the identity of whoever sends the WM_GETTEXT or EM_GETLINE message: as long as a process can find the Edit window's handle, it can read the content. Therefore the identity of the message sender must be verified. One way to check whether the sender is legitimate follows.

1. Create a new CEdit-derived class

Derive a subclass CPasswordEdit from CEdit, and declare a global variable g_bSenderIdentity that records the identity of the message sender:

BOOL g_bSenderIdentity;

Then override CWnd's virtual function DefWindowProc and perform the authentication in this callback:

LRESULT CPasswordEdit::DefWindowProc(UINT message, WPARAM wParam, LPARAM lParam)
{
    // The content of the Edit can only be read through one of these two messages
    if ((message == WM_GETTEXT) || (message == EM_GETLINE))
    {
        // Check whether the sender is legitimate
        if (!g_bSenderIdentity)
        {
            // Illegal read: report it
            AfxMessageBox(_T("Report: attempt to steal password!"));
            return 0;
        }
        // Legitimate read: clear the flag so the permission is valid for one read only
        g_bSenderIdentity = FALSE;
    }
    return CEdit::DefWindowProc(message, wParam, lParam);
}

2. Do some processing in the data-entry dialog

Add a class member m_edtPassword to the dialog:

CPasswordEdit m_edtPassword;

Then add the following line to the dialog's OnInitDialog():

m_edtPassword.SubclassDlgItem(IDC_EDIT_PASSWORD, this);

This attaches the control to the new class.

After that, mark the sender as legitimate in the dialog's data exchange function:

void CDlgInput::DoDataExchange(CDataExchange* pDX)
{
    // Only when data is being read from the controls
    // Note: the same if (pDX->m_bSaveAndValidate) check applies to CPropertyPage classes
    if (pDX->m_bSaveAndValidate)
    {
        g_bSenderIdentity = TRUE;
    }
    CDialog::DoDataExchange(pDX);
    //{{AFX_DATA_MAP(CDlgInput)
    DDX_Text(pDX, IDC_EDIT_PASSWORD, m_sPassword);
    //}}AFX_DATA_MAP
}

In this way the password input box has a legitimate identity and is protected.
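To make the gating logic testable without a Windows build, here is an added example (not the article's code) that models the CEdit/CPasswordEdit pair in portable C++: SimEdit, SimPasswordEdit, ReadAsAttacker and ReadAsOwner are constructed stand-ins, and the Win32 message send is reduced to a direct DefWindowProc call. It shows that a sender that has not been marked legitimate gets nothing back, and that the flag is consumed after one legitimate read.

```cpp
#include <string>

// Message ids from winuser.h (the same constants the article's code uses).
const unsigned WM_GETTEXT = 0x000D;
const unsigned EM_GETLINE = 0x00C4;

// The article's global sender-identity flag: true only while the owning
// dialog's DoDataExchange is reading the control.
bool g_bSenderIdentity = false;

// Stand-in for a plain CEdit (no real window). It holds the real text and answers
// WM_GETTEXT / EM_GETLINE for anyone who asks; both are simplified to "copy the text".
struct SimEdit {
    std::string text;
    virtual long DefWindowProc(unsigned msg, unsigned wParam, char* lParam) {
        if (msg == WM_GETTEXT || msg == EM_GETLINE) {
            size_t n = text.copy(lParam, wParam - 1);
            lParam[n] = '\0';
            return (long)n;
        }
        return 0;
    }
};
// The article's CPasswordEdit logic: gate the two read messages on the flag.
struct SimPasswordEdit : SimEdit {
    long DefWindowProc(unsigned msg, unsigned wParam, char* lParam) override {
        if (msg == WM_GETTEXT || msg == EM_GETLINE) {
            if (!g_bSenderIdentity) {
                lParam[0] = '\0';      // give the sender nothing
                return 0;              // (the article also shows a warning box here)
            }
            g_bSenderIdentity = false; // permission is good for one read only
        }
        return SimEdit::DefWindowProc(msg, wParam, lParam);
    }
};
// A foreign process that found the window handle and sends WM_GETTEXT directly.
std::string ReadAsAttacker(SimEdit& e) {
    char buf[255];
    e.DefWindowProc(WM_GETTEXT, 255, buf);
    return buf;
}
// The owning dialog's DoDataExchange path: set the flag, then read through DDX.
std::string ReadAsOwner(SimEdit& e) {
    g_bSenderIdentity = true;
    char buf[255];
    e.DefWindowProc(WM_GETTEXT, 255, buf);
    return buf;
}
```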

Conclusion:

The above method applies only to VC programs. For other languages such as VB or Delphi, you need to build a password ActiveX control with VC; the method is basically the same as above. The code above was written with Visual C++ 6.0.

Please cite the original address when reposting: https://www.9cbs.com/read-28769.html
