Preventing Windows Intrusion with System Hooks

1
Preventing Windows Intrusion with System Hooks

• byEric Beetcher

2
Overview

• Windows XP Security Risk
• Technology Solution
• Implementation
• Possible Countermeasures

3
Problem

• Windows XP password security is weak
• Programs exist to crack account passwords
• Login Recovery http//www.loginrecovery.com
• Emergency Boot CD http//ebcd.pcministry.com
• John the Ripper http//www.openwall.com/john/

4
Typical Intrusion Process

• Download program
• Write to bootable media
• Insert media into target PC
• Boot PC from media
• Execute program to reveal/remove
  administrator/user passwords

5
What Can We Do?

• Since the process to discover user passwords is
  well-known and easy to perform, the default
  security is pretty useless
• One possible solution is to implement a custom
  login screen that does not share the same common
  vulnerabilities as the Windows login screen

6
Assumptions

• Targets OS Windows XP
• Attacker has physical access to computer when
  owner is not present
• Attacker wishes to cause minimal damage (will not
  reinstall OS, format hard-drive, etc.)

7
Considerations

• How to prevent user from interacting with the
  system except when we want them to?
• How to handle special key combinations (Alt-F4,
  Alt-Tab, Ctrl-Alt-Delete, Windows D)?
• Typical Windows event programming only examines
  the current thread, not the entire system

8
Preventive Measure System Hooks

• Purpose is to capture system-wide information by
  intercepting messages sent from operating system
• Figure 1 Hook Interaction

9
What Can We Do With This?

• Allows control of (nearly) all user input and
  whether or not to pass it to the next
  application
• Can prevent the user from interacting with other
  applications
• Hooking the mouse allows us to stop mouse
  movement
• Hooking the keyboard allows control of input,
  including (Alt-F4, Alt-Tab, Windows D)

10
Implementing a Login Screen

• Setup a keyboard hook and a mouse hook
• Disable all mouse movements and special Windows
  keys
• Display a password prompt
• Trap all user input. When the user presses a
  key, interpret the key code then immediately
  discard
• When the user submits a correct password, release
  hooks

11
Initiating the Login Screen

• Need to initiate the login app every time a user
  logs in
• Use Windows Registry
• HKEY_CURRENT_USER\Software\Microsoft\ Windows\Cur
  rentVersion\RunOnce
• RunOnce executes the app with higher priority,
  but also need to rewrite the key

12
What About Safe Mode?

• By preceding the name with a , the app will
  also execute when the PC boots up in safe mode

13
Wait a Second

• Holding the Shift key when logging into a user
  account prevents user-defined applications from
  starting, doesnt it?
• Actually, holding the Shift key only prevents
  user-defined applications in the Startup folder
  from executing. Applications booted from the
  RunOnce registry key are unaffected.

14
Almost There

• Can trap mouse activity and (nearly) all keyboard
  activity (Alt-F4, Alt-Tab, WindowsD)
• What about Ctrl-Alt-Delete / Task Manager? Hooks
  cant access this, since it is interpreted first
  by OS

15
Disabling the Task Manager

• Use Windows Registry
• HKEY_CURRENT_USER\Software\Microsoft\ Windows\Cur
  rentVersion\Policies\System
• Name DisableTaskMgr
• Data 1 to disable, 0 to enable
• Disable Task Manager when app starts, enable
  after user enters correct password

16
Putting It All Together

• Application executes
• Enable keyboard and mouse hooks
• Re-write RunOnce Registry key
• Disable Task Manager
• Trap/monitor keyboard input
• User submits correct password
• Enable Task Manager
• Disable keyboard and mouse hooks
• Application exits

17
Demo
18
Hook Process - Advantages

• Process executes as soon as a user logs in
• Prevents most (if not all) of user interaction
  while hooks are enabled
• Easy to implement

19
Hook Process - Disadvantages

• Relies on Registry to start process
• Process executes only when somebody actually logs
  in to a Windows account

20
Hook Process - Countermeasures

• Hook process relies on Registry to start it
• Attacker could edit Registry using a program on a
  bootable media device
• Enter BIOS, set hard-drives as the only type of
  bootable media and password protect BIOS
• Attacker could physically remove motherboard and
  reset BIOS battery, causing BIOS settings to be
  lost
• Acquire a case with a physical lock

21
Conclusion

• System-wide keyboard/mouse hooks provide the user
  with an easy way to monitor keyboard/mouse input
• By combining software countermeasures (secondary
  login screen) with reasonable physical
  countermeasures (secure chassis), can decrease
  risk of intrusion under the given assumptions

22
References

• Code Project. Keyboard Spy.
  http//www.codeproject.com/system/KeyLogger.asp
• DiLascia, Paul. C QA. http//msdn.microsoft.
  com/msdnmag/issues/02/09/CQA/default.aspx
• Petri, Daniel. Forgot Administrators
  Password? http//www.petri.co.il/forgot_administ
  rator_password.htm
• Microsoft Corporation. Run and RunOnce Registry
  Keys. http//msdn2.microsoft.com/en-us/library/a
  a376977.aspx