Preventing passwords from being illegally acquired

zhaozj2021-02-11  177

Preventing passwords from being illegally acquired

Author: Hao Feng

---- WINDOWS although it is a powerful operating system, some congenital defects have a hacker

There are many multi-map, the famous BO program is to use Windows's vulnerabilities to harm the computer.

Safety. The author recently discovered a very popular tool for acquiring the edit box Password, even its source

The code has been published on a newspaper, which is undoubtedly a completely negation for the Password function of Edit. This article will first

Analyze illegal access to the principle of Password, and then give Visualc to implement the protection edit box.

Password does not be illegally acquired.

First, illegal access to the principle of Password

---- Edit is a standard control for Windows. When the Password property is set to true, it will be entered.

The content shield is an asterisk (*) to achieve the purpose of protection. And the content in the Edit box can pass

WM_GETTEXT, EM_GETLINE message is obtained. The hacker program uses the EDIT's characteristics, first enumerate

All sub-windows of the former program, when the window is found to be an Edit and have an es_password property,

SendMessage sends a WM_GETTEXT or EM_GETLINE message to this window, so that the content in the Edit box will be

Of course.

Second, protect Password

---- It can be seen from the above analysis that the EDIT's vulnerability is that there is no check to send WM_GETTEXT or EM_GETLINE

The identity, just find the Edit window handle, any process can get its content. It gives a simple

Method to verify that the identity of the sending message is legal.

---- 1. Create a new CEDIT class

---- Inheriting a subclass CPasswordedit from CEDIT, stating global variable g_bauthorIdentity indicates that the message sender

identity of:

Boolg_bauthorident;

---- Then respond to the virtual function DEFWINDOWPROC of CWnd, authenticate in this callback function:

LResultcpassWordedit :: DefWindowProc (uintmessage, wparamwparam, lparamlparam) {

// Get the content of Edit must pass

One of the following two messages

IF ((Message == WM_GETTEXT) || (Message == EM_GETLINE)) {

/ / Check if it is legal

IF (! g_bauthoridentity) {

// illegally acquired, display information

AfxMessageBox (_t

("My password, can't let you see!"));

// return0;

// legal acquisition

g_bauthoridentity = false;} ReturnCedit :: DefWindowProc (Message, WPARAM, LPARAM);

---- 2. Processing in the Data Enter dialog

---- During the dialog box, a class member m_edtpassword:

CPasswordeditm_edtpassword;

---- Then add the following code in OnInitDialog () in the dialog:

m_edtpassword.subclassdlgitem (idc_edit_password, this);

---- The purpose is to associate control with new categories.

---- After the data exchange in the dialog box, the identity is legally:

VoidCDLGINPUT :: DODATAEXCHANGE

(CDATAEXCHANGE * PDX)

{

// If you get data

// Note: No IF is required for CPROPERTYPAGE categories

(PDX-> M_BsaveAndValidate) condition

IF (PDX-> M_BsaveAndValidate)

{G_bAuthorIdentity = TRUE;} CDialog :: DoDataExchange (pDX); // {{AFX_DATA_MAP (CDlgInput) DDX_Text (pDX, IDC_EDIT_PASSWORD, m_sPassword); //}} AFX_DATA_MAP} ---- Thus, Password input box will be protected .

Third, the problem that needs attention

---- The above method is only for the VC program, for the VB program, you need to make a password ActiveX control with VC.

The implementation method is similar to the above. The above programs are passed on Visualc 6.0, and with a hacker program

PWBTOOL test passes. The full demo code is available to "programming skill" download at http://myhelper.yeah.net.

转载请注明原文地址:https://www.9cbs.com/read-5707.html

New Post(0)