04-11-07 - 3

Random thoughts on how you might actually make an app safe from snooping in Windows :

First of all, you can't call any OS functions with data that you want protected. It's very easy to hook any OS call. Lots of things in the C std libs go to OS calls - even things like strcpy (!!) - so if you want to write a program in C you probably need to write your own "safe CRT" that doesn't call to the OS. You can of course still call to the OS (you have to), but you should only call it with data that's already protected; for example, when you send network packets they should already be encrypted.

It's possible that any app which uses HWNDs is unsafe. It's easy to hook HWNDs and manually send various messages and such. I'm not sure about this, but if you really want to be safe you might have to do all of your own windowing. You could do this in an OS-friendly way by making a separate app which just maintains a blank window with a title bar. That way people can still alt-tab and z-order this blank window, and then your real secure app, which is in its own process, just gets the location of that window and draws in it manually.

Now, any drawing with GDI can be hooked & screen-capped, so that's not safe. You might just be in trouble here, because pretty much any drawing is going to require an OS call which can be hooked. There are things you can do, such as YUV overlays, which don't go through the normal GDI and can't be screen-capped; however, to fill them you would still have to pass in the bitmap to draw, and someone could hook that call to grab your bits.

One thing you might be able to do is detect hooking. I'm not sure how you could do this, but conceivably, instead of just calling to the OS, you could GetProcAddress the calls, then look at the code you would be calling and scan it for jumps to see if it's a thunk out to non-kernel space, and if so just don't make the call.
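As an added illustration of that jump scan (example code written for this post, not the author's), the function below takes the bytes found at a resolved entry point plus the address range of the module that should own it, and reports whether a leading jump stays inside that module, leaves it, or goes through a memory pointer. On Windows the address would come from GetProcAddress and the range from the module base and its image size; the addresses and bytes here are constructed so the logic runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    PROLOGUE_CLEAN = 0,    /* no jump in the first bytes */
    PROLOGUE_JMP_INSIDE,   /* jump stays inside the module, e.g. into a hot-patch pad */
    PROLOGUE_JMP_OUTSIDE,  /* jump leaves the module: a thunk out to foreign code */
    PROLOGUE_JMP_INDIRECT  /* jmp [mem]: the target must be read from memory first */
} prologue_verdict;

static prologue_verdict classify(uintptr_t target, uintptr_t mod_lo, uintptr_t mod_hi)
{
    return (target >= mod_lo && target < mod_hi) ? PROLOGUE_JMP_INSIDE : PROLOGUE_JMP_OUTSIDE;
}

/* code[0..len) are the bytes found at func_addr (the GetProcAddress result on Windows);
 * [mod_lo, mod_hi) is the image range of the module that should own that code. */
prologue_verdict inspect_prologue(uintptr_t func_addr, const uint8_t *code, size_t len,
                                  uintptr_t mod_lo, uintptr_t mod_hi)
{
    if (len >= 5 && code[0] == 0xE9) {                  /* jmp rel32 */
        uint32_t raw = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                       (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
        uintptr_t target = func_addr + 5 + (uintptr_t)(intptr_t)(int32_t)raw;
        return classify(target, mod_lo, mod_hi);
    }
    if (len >= 2 && code[0] == 0xEB)                    /* jmp rel8 */
        return classify(func_addr + 2 + (uintptr_t)(intptr_t)(int8_t)code[1], mod_lo, mod_hi);
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) /* jmp [disp32] or jmp [rip+disp32] */
        return PROLOGUE_JMP_INDIRECT;
    return PROLOGUE_CLEAN;
}

/* Constructed cases: a kernel32-like image at 0x7C800000..0x7C8F6000 with an export at 0x7C801000.
 * Returns the number of cases that did not classify as expected (0 = all as expected). */
int run_constructed_cases(void)
{
    const uintptr_t fn = 0x7C801000u, lo = 0x7C800000u, hi = 0x7C8F6000u;
    const uint8_t clean[]    = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};       /* mov edi,edi; push ebp; mov ebp,esp */
    const uint8_t hooked[]   = {0xE9, 0xFB, 0xFF, 0x7F, 0x93};       /* jmp rel32 landing at 0x10001000 */
    const uint8_t padjmp[]   = {0xEB, 0xF9, 0x55, 0x8B, 0xEC};       /* jmp -7 back into the hot-patch pad */
    const uint8_t indirect[] = {0xFF, 0x25, 0x00, 0x10, 0x00, 0x00}; /* jmp through a pointer in memory */
    int bad = 0;
    bad += inspect_prologue(fn, clean, 5, lo, hi)    != PROLOGUE_CLEAN;
    bad += inspect_prologue(fn, hooked, 5, lo, hi)   != PROLOGUE_JMP_OUTSIDE;
    bad += inspect_prologue(fn, padjmp, 5, lo, hi)   != PROLOGUE_JMP_INSIDE;
    bad += inspect_prologue(fn, indirect, 6, lo, hi) != PROLOGUE_JMP_INDIRECT;
    return bad;
}

int main(void) { printf("mismatches: %d\n", run_constructed_cases()); return run_constructed_cases() != 0; }
```

A clean verdict only says nothing was placed at the entry point itself: a patched import table, a hook further down the call chain, or a short jump into the pad that then jumps out all need the next bytes read and inspected again.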

Of course your memory is still exposed. Memory in Windows is totally unsafe, and other apps can even get your list of virtual memory pages AND change the protection on them. You might think you could make yourself safe by taking all your pages and setting them to NOACCESS, but anyone can grab the page and change it back, so this is pretty retarded.

Other apps can also CreateRemoteThread on you to insert code into your process, and I'm not sure if there's any way to forbid that.

The easiest way to get code to run in another process is with a Windows hook, but I think it is possible to write an app that simply doesn't cause any hookable events.
