Preventing passwords from being illegally acquired
Author: Hao Feng
---- WINDOWS although it is a powerful operating system, some congenital defects have a hacker
There are many multi-map, the famous BO program is to use Windows's vulnerabilities to harm the computer.
Safety. The author recently discovered a very popular tool for acquiring the edit box Password, even its source
The code has been published on a newspaper, which is undoubtedly a completely negation for the Password function of Edit. This article will first
Analyze illegal access to the principle of Password, and then give Visualc to implement the protection edit box.
Password does not be illegally acquired.
First, illegal access to the principle of Password
---- Edit is a standard control for Windows. When the Password property is set to true, it will be entered.
The content shield is an asterisk (*) to achieve the purpose of protection. And the content in the Edit box can pass
WM_GETTEXT, EM_GETLINE message is obtained. The hacker program uses the EDIT's characteristics, first enumerate
All sub-windows of the former program, when the window is found to be an Edit and have an es_password property,
SendMessage sends a WM_GETTEXT or EM_GETLINE message to this window, so that the content in the Edit box will be
Of course.
Second, protect Password
---- It can be seen from the above analysis that the EDIT's vulnerability is that there is no check to send WM_GETTEXT or EM_GETLINE
The identity, just find the Edit window handle, any process can get its content. It gives a simple
Method to verify that the identity of the sending message is legal.
---- 1. Create a new CEDIT class
---- Inheriting a subclass CPasswordedit from CEDIT, stating global variable g_bauthorIdentity indicates that the message sender
identity of:
Boolg_bauthorident;
---- Then respond to the virtual function DEFWINDOWPROC of CWnd, authenticate in this callback function:
LResultcpassWordedit :: DefWindowProc (uintmessage, wparamwparam, lparamlparam) {
// Get the content of Edit must pass
One of the following two messages
IF ((Message == WM_GETTEXT) || (Message == EM_GETLINE)) {
/ / Check if it is legal
IF (! g_bauthoridentity) {
// illegally acquired, display information
AfxMessageBox (_t
("My password, can't let you see!"));
// return0;
// legal acquisition
g_bauthoridentity = false;} ReturnCedit :: DefWindowProc (Message, WPARAM, LPARAM);
---- 2. Processing in the Data Enter dialog
---- During the dialog box, a class member m_edtpassword:
CPasswordeditm_edtpassword;
---- Then add the following code in OnInitDialog () in the dialog:
m_edtpassword.subclassdlgitem (idc_edit_password, this);
---- The purpose is to associate control with new categories.
---- After the data exchange in the dialog box, the identity is legally:
VoidCDLGINPUT :: DODATAEXCHANGE
(CDATAEXCHANGE * PDX)
{
// If you get data
// Note: No IF is required for CPROPERTYPAGE categories
(PDX-> M_BsaveAndValidate) condition
IF (PDX-> M_BsaveAndValidate)
{G_bAuthorIdentity = TRUE;} CDialog :: DoDataExchange (pDX); // {{AFX_DATA_MAP (CDlgInput) DDX_Text (pDX, IDC_EDIT_PASSWORD, m_sPassword); //}} AFX_DATA_MAP} ---- Thus, Password input box will be protected .
Third, the problem that needs attention
---- The above method is only for the VC program, for the VB program, you need to make a password ActiveX control with VC.
The implementation method is similar to the above. The above programs are passed on Visualc 6.0, and with a hacker program
PWBTOOL test passes. The full demo code is available to "programming skill" download at http://myhelper.yeah.net.