Preventing Windows Intrusion with System Hooks - PowerPoint PPT Presentation

Loading...

PPT – Preventing Windows Intrusion with System Hooks PowerPoint presentation | free to view - id: 3885d-ZDgzN



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Preventing Windows Intrusion with System Hooks

Description:

Windows XP password security is weak. Programs exist to crack ... Target's OS: Windows XP. Attacker has physical access to computer when owner is not present ... – PowerPoint PPT presentation

Number of Views:81
Avg rating:3.0/5.0
Slides: 23
Provided by: peopl7
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Preventing Windows Intrusion with System Hooks


1
Preventing Windows Intrusion with System Hooks
  • byEric Beetcher

2
Overview
  • Windows XP Security Risk
  • Technology Solution
  • Implementation
  • Possible Countermeasures

3
Problem
  • Windows XP password security is weak
  • Programs exist to crack account passwords
  • Login Recovery http//www.loginrecovery.com
  • Emergency Boot CD http//ebcd.pcministry.com
  • John the Ripper http//www.openwall.com/john/

4
Typical Intrusion Process
  • Download program
  • Write to bootable media
  • Insert media into target PC
  • Boot PC from media
  • Execute program to reveal/remove
    administrator/user passwords

5
What Can We Do?
  • Since the process to discover user passwords is
    well-known and easy to perform, the default
    security is pretty useless
  • One possible solution is to implement a custom
    login screen that does not share the same common
    vulnerabilities as the Windows login screen

6
Assumptions
  • Targets OS Windows XP
  • Attacker has physical access to computer when
    owner is not present
  • Attacker wishes to cause minimal damage (will not
    reinstall OS, format hard-drive, etc.)

7
Considerations
  • How to prevent user from interacting with the
    system except when we want them to?
  • How to handle special key combinations (Alt-F4,
    Alt-Tab, Ctrl-Alt-Delete, Windows D)?
  • Typical Windows event programming only examines
    the current thread, not the entire system

8
Preventive Measure System Hooks
  • Purpose is to capture system-wide information by
    intercepting messages sent from operating system
  • Figure 1 Hook Interaction

9
What Can We Do With This?
  • Allows control of (nearly) all user input and
    whether or not to pass it to the next
    application
  • Can prevent the user from interacting with other
    applications
  • Hooking the mouse allows us to stop mouse
    movement
  • Hooking the keyboard allows control of input,
    including (Alt-F4, Alt-Tab, Windows D)

10
Implementing a Login Screen
  • Setup a keyboard hook and a mouse hook
  • Disable all mouse movements and special Windows
    keys
  • Display a password prompt
  • Trap all user input. When the user presses a
    key, interpret the key code then immediately
    discard
  • When the user submits a correct password, release
    hooks

11
Initiating the Login Screen
  • Need to initiate the login app every time a user
    logs in
  • Use Windows Registry
  • HKEY_CURRENT_USER\Software\Microsoft\ Windows\Cur
    rentVersion\RunOnce
  • RunOnce executes the app with higher priority,
    but also need to rewrite the key

12
What About Safe Mode?
  • By preceding the name with a , the app will
    also execute when the PC boots up in safe mode

13
Wait a Second
  • Holding the Shift key when logging into a user
    account prevents user-defined applications from
    starting, doesnt it?
  • Actually, holding the Shift key only prevents
    user-defined applications in the Startup folder
    from executing. Applications booted from the
    RunOnce registry key are unaffected.

14
Almost There
  • Can trap mouse activity and (nearly) all keyboard
    activity (Alt-F4, Alt-Tab, WindowsD)
  • What about Ctrl-Alt-Delete / Task Manager? Hooks
    cant access this, since it is interpreted first
    by OS

15
Disabling the Task Manager
  • Use Windows Registry
  • HKEY_CURRENT_USER\Software\Microsoft\ Windows\Cur
    rentVersion\Policies\System
  • Name DisableTaskMgr
  • Data 1 to disable, 0 to enable
  • Disable Task Manager when app starts, enable
    after user enters correct password

16
Putting It All Together
  • Application executes
  • Enable keyboard and mouse hooks
  • Re-write RunOnce Registry key
  • Disable Task Manager
  • Trap/monitor keyboard input
  • User submits correct password
  • Enable Task Manager
  • Disable keyboard and mouse hooks
  • Application exits

17
Demo
18
Hook Process - Advantages
  • Process executes as soon as a user logs in
  • Prevents most (if not all) of user interaction
    while hooks are enabled
  • Easy to implement

19
Hook Process - Disadvantages
  • Relies on Registry to start process
  • Process executes only when somebody actually logs
    in to a Windows account

20
Hook Process - Countermeasures
  • Hook process relies on Registry to start it
  • Attacker could edit Registry using a program on a
    bootable media device
  • Enter BIOS, set hard-drives as the only type of
    bootable media and password protect BIOS
  • Attacker could physically remove motherboard and
    reset BIOS battery, causing BIOS settings to be
    lost
  • Acquire a case with a physical lock

21
Conclusion
  • System-wide keyboard/mouse hooks provide the user
    with an easy way to monitor keyboard/mouse input
  • By combining software countermeasures (secondary
    login screen) with reasonable physical
    countermeasures (secure chassis), can decrease
    risk of intrusion under the given assumptions

22
References
  • Code Project. Keyboard Spy.
    http//www.codeproject.com/system/KeyLogger.asp
  • DiLascia, Paul. C QA. http//msdn.microsoft.
    com/msdnmag/issues/02/09/CQA/default.aspx
  • Petri, Daniel. Forgot Administrators
    Password? http//www.petri.co.il/forgot_administ
    rator_password.htm
  • Microsoft Corporation. Run and RunOnce Registry
    Keys. http//msdn2.microsoft.com/en-us/library/a
    a376977.aspx
About PowerShow.com