Spyware behaviour information - security

As part of trying to describe the threat posed by spyware and how to mitigate it I've been looking for information on how the various common spyware trojans currently in the wild capture password data. My best guess is that they either log keystrokes, intercept browser submissions or intercept GUI messages.
I'd like some more definitive information though and haven't been able to find it. Where would I find this sort of analysis?

Most malware (I mean the advanced ones) is written in ASM or C++. A lot of them use high-level Windows APIs to hook key-press activity along with the current window at the moment the user pressed the key.
For example, for keyboard activity they mostly use the SetWindowsHookEx function with the WH_KEYBOARD_LL hook.
They also use the GetActiveWindow API in order to detect the current active window's title. So in keyloggers, mostly you'll see something like this:
[Gmail - Google Chrome Browser]
testuser#gmail.com {TAB} testpassword
So the person who receives the keylogs will read it as you can see above.
Another method is injecting specially written DLLs or extensions into browsers. I've seen it mostly for Internet Explorer: they use BHO DLLs in order to receive ALL GET/POST data, so you don't need any actively running EXE file, just a DLL which runs as you open Internet Explorer, and the DLL will send all your POST/GET data as-is directly to the hacker's server. It's mostly done in real time; the BHO doesn't store anything (mostly) and sends the same POST/GET data you've sent to your bank to the hacker's server at the same time. Other keyloggers, though, mostly store keylogs until they reach a certain size, for example 5 KB, and then the trojan submits the keylog to the hacker.
There are also some "not so common" tricks to capture keystrokes, and that is having a low-level driver which runs in ring 0 (kernel mode) and captures keyboard data. It's more sophisticated and hard to detect, but also hard for the hacker to use: you need another cooperative ring-3 (user-mode) application to get the current window and the current keyboard layout (English, Chinese, Arabic, etc.) at the same time as the kernel receives the keyboard data, because without knowing the keyboard layout and the window in which the user pressed those keys, it will be "almost" useless.
I've also seen an "unprofessional" way of capturing keystrokes, which is using the GetAsyncKeyState API. They mostly write a loop and capture key events by calling this API every 100 milliseconds (for example).
So I think I've covered a lot of the techniques which keyloggers use to capture pressed keys; if you have a more specific question, just let me know.

Related

Uploading Entire CdRom through browser

I am a doctor who is seeking a solution for my patients. I often receive medical CDs from my patients which contain their radiological data. What I need is a web solution which I can integrate with my web site. But the caveat is that I don't want this to happen via Choose File. Most of my patients are old people who don't know much about the internet or computers. So I want a single button on my web site which will copy the entire CD in the CD drive and send it to me without any user intervention. Is it possible?
Update:
OK thank you all. I did not intend to break copyright issues. Actually, I thought a user who will hit that "button" will also give permission to access their files. I completely understand your concerns and I completely agree however - as an end-user - this is the problem requiring a solution in my case. After the COVID none of my patients can come to clinical visits and I need to see their follow-up. In neurosurgery, this is very important. I do not know if it is OK to send links (and sorry if it is not) here but for example, this web site makes something similar to my idea but it is not free and it is so complicated for my -low socioeconomic - patient profile.
My target population mostly deals with brain tumors and their level of concern for copyright issues is so low for that reason. I don't mean taking everything from them without their will but this is the case. So again thank you all for enlightening me and I am again sorry if I break the rules of this website.
Introduction
I'm going to go through the reasons why the specification as stated cannot be implemented, and also why older technologies that may have allowed this implementation cannot be used.
Do note that even older technologies would have required some sort of installation or agreement from the user, at a minimum 1 click.
Also note: It is possible to get files from a user's system, but you still have to get their agreement through an action or prompt on their part!
As to what you could do? Tukan already covers some nice alternatives but if I do think of something I will add it!
Basic Explanation
The most basic explanation is that this would be a giant, unprecedented security hole. It would mean that browsers would allow a site to access files from a user's computer hardware (DVD) without the permission of the user or the active actions of the user.
In your case you do have a valid, non-malicious use for it. Imagine, however, all the malicious websites that would use this mechanism to steal stuff off the DVD/CD that is in the user's tray. Imagine the privacy issues, security breaches, and even minor stuff like copyright issues.
Finally, and even worse, if the specific request allowed access to the whole file system (including all drives like C:), a malicious site could steal everything on a user's system.
The positive (and negative for you) is that browsers have been incrementally locked down over the years, and technologies/plugins/extensions/features have been incrementally either locked down or deprecated/removed. Such technologies include: ActiveX, Java applets, and Flash.
Finally, browsers like Chrome and Internet Explorer themselves nowadays run in sandboxes. See for example the article (and this is from 2013!!): Sandboxes Explained: How They’re Already Protecting You and How to Sandbox Any Program
They’re restricted to running in your browser and accessing a limited set of resources — they can’t view your webcam without permission or read your computer’s local files. If websites you visit weren’t sandboxed and isolated from the rest of your system, visiting a malicious website would be as bad as installing a virus.
Other programs on your computer are also sandboxed. For example, Google Chrome and Internet Explorer both run in a sandbox themselves. These browsers are programs running on your computer, but they don’t have access to your entire computer. They run in a low-permission mode. Even if the web page found a security vulnerability and managed to take control of the browser, it would then have to escape the browser’s sandbox to do real damage.
Active X (Deprecated) (Internet Explorer)
Let's start by saying that ActiveX would require the user to change their Internet Explorer security settings, so we can strike it off immediately.
If a user did change their settings (see: Enable ActiveX controls in Internet Explorer and Enable for IE 11), a developer could use ActiveX to access files on a user's system.
Also note that ActiveX is deprecated and rumour has it that it may not be around for long.
Java Signed Applets
Java Signed Applets could access the local file system.
However, applets are no longer supported in Firefox and Chrome. They do run in Internet Explorer, though IE is deprecated as well (since people are moving to Edge).
There's a very well written answer on the topic here: How do I run Java applets? [duplicate] and Why is the Java plugin (JRE) disabled in Chrome?
Adobe Flash (Previously Macromedia)
First off, Flash has been removed from most internet browsers and is officially considered dead. Additionally, after Flash Player 10 it was possible to load a file, but the user had to select it themselves through a dialog (see: Can Flash action script read and write local file system? ).
FileSystem and FileWriter APIs
You can read and write using this API. However, it again requires the user to interact with the webpage and to select the files themselves.
References
Is it possible to access local file via javascript?
Sandboxes Explained: How They’re Already Protecting You and How to Sandbox Any Program
Enable ActiveX controls in Internet Explorer , Enable for IE 11, and active x to access files on a users system
Java Signed Applets could access the local file system, How do I run Java applets? [duplicate], Why is the Java plugin (JRE) disabled in Chrome?
Can Flash action script read and write local file system?
As Andrew mentioned, this SO is used for Q&A from/to developers. I'll try to give you a general idea of what could be done.
Who should do it?
I think you need some freelancer who would create the code for you.
The mechanism you are describing is not possible due to security issues.
A web page should not have access to the hardware, as you would like, without user interaction.
What is then feasible?
I think what is feasible is an application (thick, meaning an .exe file) which would be executed by your patients and which would search for a CD/DVD drive, pack it and send it via a secure channel to your server. They would need to download it and execute it.
If you have elderly patients you need to visually confirm that the data has been sent using some clear message.
Something like: Thank you for sending the data to Dr. Jones. All data has been received.
The secure channel can be, for example: FTPS, SFTP, HTTPS, etc.
On your side you would have a daemon which would serve as the endpoint for your patients' data. After receiving the data it should be moved immediately outside the upload folder.
Edit
One more option that came into my mind would be to distribute a tailored USB key to your patients with such application, which would be executed upon insertion.
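The thick-client design sketched in this answer (find the CD/DVD drive, pack it, send it over a secure channel, show the patient a clear confirmation), as an added example that is not code from the original answers. It assumes a hypothetical clinic endpoint UPLOAD_URL and a per-patient bearer token UPLOAD_TOKEN; the sample disc in demo_pack is constructed for offline checks, and the server is expected to re-verify the SHA-256 digest header and move the file out of the upload folder, as the answer suggests.

```python
"""Added example (not from the original answers): minimal "thick" client that
locates an optical drive, zips its contents and uploads the zip over HTTPS."""
import ctypes, hashlib, os, string, sys, tempfile, urllib.request, zipfile

UPLOAD_URL = "https://clinic.example/upload"      # hypothetical placeholder
UPLOAD_TOKEN = "REPLACE-WITH-PER-PATIENT-TOKEN"   # hypothetical placeholder
DRIVE_CDROM = 5  # GetDriveTypeW return value for optical drives (Windows)


def find_optical_drives():
    """Return root paths of optical drives. Windows only; [] elsewhere."""
    if sys.platform != "win32":
        return []
    found = []
    for letter in string.ascii_uppercase:
        root = letter + ":\\"
        if ctypes.windll.kernel32.GetDriveTypeW(root) == DRIVE_CDROM:
            found.append(root)
    return found


def sha256_of_file(path):
    """Hash in 1 MiB chunks so a multi-GB archive does not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pack_directory(src_dir, zip_path):
    """Zip every readable file under src_dir; return (file_count, sha256)."""
    count = 0
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    zf.write(full, os.path.relpath(full, src_dir))
                    count += 1
                except OSError:
                    continue  # scratched discs give read errors; skip the file
    return count, sha256_of_file(zip_path)


def build_upload_request(zip_path, url, token, patient_ref):
    """HTTPS PUT carrying a bearer token and a digest the server re-checks."""
    digest = sha256_of_file(zip_path)
    with open(zip_path, "rb") as f:
        body = f.read()
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/zip",
               "X-Content-SHA256": digest,
               "X-Patient-Ref": patient_ref}
    return urllib.request.Request(url, data=body, method="PUT", headers=headers)


def demo_pack():
    """Build a constructed sample disc in a temp dir and run the pipeline up
    to (but not including) the network call, for offline checks."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "disc")
    os.makedirs(os.path.join(src, "IMAGES"))
    for rel, payload in [("DICOMDIR", b"constructed index"),
                         ("IMAGES/IM000001", b"constructed slice 1"),
                         ("IMAGES/IM000002", b"constructed slice 2")]:
        with open(os.path.join(src, *rel.split("/")), "wb") as f:
            f.write(payload)
    zip_path = os.path.join(root, "disc.zip")
    count, digest = pack_directory(src, zip_path)
    with zipfile.ZipFile(zip_path) as zf:
        names = sorted(zf.namelist())
    req = build_upload_request(zip_path, UPLOAD_URL, UPLOAD_TOKEN, "patient-0001")
    return {"count": count, "digest": digest, "names": names,
            "zip_path": zip_path, "request": req}


def main():
    drives = find_optical_drives()
    if not drives:
        print("No CD/DVD found. Please insert the disc and try again.")
        return 1
    zip_path = os.path.join(tempfile.gettempdir(), "disc.zip")
    pack_directory(drives[0], zip_path)
    req = build_upload_request(zip_path, UPLOAD_URL, UPLOAD_TOKEN, "patient-0001")
    with urllib.request.urlopen(req, timeout=600) as resp:
        ok = resp.status in (200, 201, 204)
    print("Thank you for sending the data to Dr. Jones. All data has been received."
          if ok else "Sending failed. Please call the clinic.")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

The digest header lets the receiving daemon reject truncated or altered uploads before moving the archive out of the upload folder, and the per-patient token ties each upload to a known patient without the patient having to type anything.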

Prevent from screen recording

I am working on an educational e-commerce website in which the user needs to authenticate, and then the videos on particular topics will be available. So how can I prevent my video from being screen-recorded?
Different OSes and applications support different mechanisms to try to tackle this. For example:
Microsoft Edge on Windows 10 uses the integrated 'Protected Media Path' for encrypted content, which will stop simple screenshots working.
Website and web app developers may use a number of CSS 'tricks' to achieve a similar effect, although these can usually be worked around with standard web developer and debug tools.
Mobile video typically uses protected memory for encrypted content, which will usually give a black screen on capture.
As mentioned in comments and other answers, these are all 'barriers', but they don't make it impossible to copy the content, the best example being pointing a camera at the screen and copying that way.
The idea is generally to make it hard enough compared to the value of the content that people are not prepared to invest the time to work around your barriers.
It is not possible, for a variety of reasons:
There is no Web API for that.
Even if there was, it would be possible to reverse engineer the browser/OS to allow for screen recording.
Even if, for some reason, you couldn't access and modify the software running on the computer, you could connect the computer to a capture card instead of your monitor.
And if you also couldn't do that, you could just point a camera at the screen and start recording.

On-Screen Keyboard hide and run within excel instance to use functionality

To give a brief backstory to bring things up to my current position / reason for my question:
I originally wanted to use SendKeys to send keyboard presses to a Citrix XenApp remote terminal application (VT320 emulator).
This does not work.
After some investigation it became apparent that this has been a reasonably common issue.
I eventually found a workaround that involved opening the Windows 'On-Screen Keyboard' application and sending mouse clicks using VBA to the OSK app itself. The key transmissions would be successfully received in the remote terminal application.
This is a rather awkward and not very practical solution, as it relies on many factors, e.g. screen resolution, coordinates / current position of the OSK, etc.
With the above in mind, I am looking to achieve a more foolproof method, and here are my thoughts:
Rather than using simulated mouse clicks, I would ideally like to be able to either 'embed' the OSK app into the Excel instance and reference each key,
or hide the app and find a way to make the application receive the VBA keys requested.
I'm aware that SendKeys has its limitations, so I have also tried using SendInput via keybd_event, and this also didn't work.
To any half-experienced expert I'm clearly a beginner, so I'm suffering from a lack of knowledge here perhaps.
If anyone can point me in the right direction for solving this issue, I'd really appreciate it!
Many thanks.
EDIT
I've looked into this a little more and found this post:
Finding the class name of the On-Screen Keyboard?
This would suggest that if I know the class of the on-screen keyboard, I could use its commands within Excel VBA?
I did try to use the code within the question but couldn't get it to work.
So hopefully my question is a little easier to answer:
Can I use the class name of the on-screen keyboard app / declare an API function that will allow me to send simulated key functions as if it's the OSK app being clicked by the mouse?
Hopefully someone can help!!
Trying to automate apps locally can be quite fiddly. Doing it through a Citrix HDX connection is just painful.
Do you have any say over the Citrix environment? If so, I'd try writing an automation app that actually runs on the Citrix server in the same session as the published app you're trying to automate. This has the advantage that you're effectively automating a local app, which would make life easier.
Depending on how your automation works, you may need to communicate between your automation app running in the Citrix session and your client. You could use WCF to bridge the two together.
So that's how I would try to do it; as regards your specific question, I've provided some thoughts below...
OSK automation thoughts
I've done some limited automation of the OSK. There are actually two OSKs if you're using Win8. Osk.exe is the old one, which has been around a while. TabTip.exe is the new Win8-specific OSK.
One problem to keep in mind is that both of these processes run as high-integrity processes, which means normal (medium-integrity) processes have very limited abilities to automate them. So while I could automate some stuff, many messages would just get ignored. This may be why you are finding the OSK is not responding like you expect.
You can work around this by running your automation app as a high-integrity process, but this generally means you need local admin (or local system) privilege to start the high-integrity process. I never looked into the specifics of how you create high-integrity processes. I know there's a command-line tool you can use to force a process to run at a certain level (icacls.exe), e.g.
https://msdn.microsoft.com/en-us/library/bb625960.aspx
I imagine there would be APIs to do this as well.

What user-information is available to code running in browsers?

I recently had an argument with someone regarding the ability of a website to take screenshots on the user's machine. He argued that using a GUI program to simulate clicking a mouse really fast to win a simple Flash game could theoretically be detected (if the site cared enough) by logging abnormally high scores and taking a screenshot of those players' desktops for moderator review. I argued that since all website code runs within the browser, it cannot step outside the system to take such a screenshot.
This segued into a more general discussion of the capabilities of websites, through JavaScript, Flash, or whatever other method (acceptable or nefarious), to make that step outside of the system. We agreed that at minimum some things were grabbable: the OS, the size of the user's full desktop. But we definitely couldn't agree on how sandboxed in-browser code was. All in all he gave website code way more credit than I did.
So, who's right? Can websites take desktop screenshots? Can they enumerate all your open windows? What else can (or can't) they do? Clearly any such code would have to be OS-specific, but imagine an ambitious site willing to write the code to target multiple OSes and systems.
Googling this led me to many red herrings with relatively little good information, so I decided to ask here.
Generally speaking, the security model of browsers is supposed to keep JavaScript code completely contained within its sandbox. Anything about the local machine that isn't reflected in the properties of the window object and its children is inaccessible.
Plugins, on the other hand, have free rein. They're installed by the user, and can access anything the user can access. That's why they're able to access your webcam, upload files, do virus scans, etc. They're also able to expose APIs to JavaScript code, which pokes a hole in the JavaScript sandbox and gives JavaScript code some external access. That's how tools like PhoneGap give JavaScript code in web apps access to phone hardware (GPS, orientation, camera, etc.).

Drag/Drop between medium/high integrity level processes in Windows Vista

In Windows Vista, I am unable to drag/drop files onto my application's window because it is running as a high integrity level process. I need to run it as high, but I also need to be able to accept dropped files from low/medium integrity level processes like Windows Explorer. I believe it is UIPI that is blocking the drag/drop operation. I know that I can use the ChangeWindowMessageFilter function to allow certain Windows messages to bypass UIPI, but I'm not sure which messages to add to allow the drag/drop operation. Is ChangeWindowMessageFilter the right approach to permit this, or is there a better way? Thanks!
Considering the title of this blog entry:
"Why you shouldn’t touch ChangeWindowMessageFilter with a 10-ft pole…",
I guess it is not the best approach ;)
Now, this might seem like a great approach at first. After all, you’ll only use ChangeWindowMessageFilter when you’re sure you can completely validate a received message even if it is from an untrusted source, such that there’s no way something could go wrong, right?
Well, the problem is that even if you do this, you are often opening your program up to attack unintentionally.
Consider for a moment how custom window messages are typically used; virtually all the common controls in existence have “dangerous” messages in the custom class message range (e.g. WM_USER and friends).
Additionally, many programs and third party libraries confuse WM_USER and WM_APP, such that you may have programs communicating cross process via both WM_USER and WM_APP, via “dangerous” messages that are used to make sensitive decisions or include pointer parameters.
In the comments of this blog entry, an alternative approach was discussed, but with pretty much the same conclusion:
I would use RegisterWindowMessage and then allow that via ChangeWindowMessageFilter.
However, be aware that you cannot design a cross-process window message interface that passes pointers or other untrusted values, or you are creating a security hole.
For this reason, I would tend to avoid using window messages at all for most cross-process IPC (if possible), as it is typically very difficult to do non-trivial things in a secure fashion using them.
Note: this entry "So, who wants to design a feature today?" illustrates the same problem, and points to the insightful articles of Raymond Chen:
Why aren't console windows themed on Windows XP?
Windows Vista has more extended options on the context menu
which both detail the issue.
This ServerFault question "Why can’t I drag/drop a file for editing in notepad in Windows Server 2008?" also includes some answers, but no quick win.
See also this article on IE.
