[Winpt-users] WinPT global hook(?)

Timo Schulz twoaday at gmx.net
Thu Aug 3 10:08:27 CEST 2006


david gunnells wrote:

> "c:\gpg\WinPT.exe has loaded WinPT.exe into procexp.exe using a global hook which 
> could be used by keyloggers to steal private information."

I really think it is important to ask if you are unsure what's going on.
The reason is that trojans or other evil programs might be able to write
themselves into the process space of a trusted process. In the past this was
a problem and some personal firewalls were not able to handle it.


> While I implicitly trust WinPT (or I wouldn't be using it), what are the 
> details of this global hook? What file(s) is/are being used to hook processes
> and what is happening behind the scenes?

So let me explain some of the details. The PTD.dll uses a hook to
remember the current window, but this hook cannot be used for any
key logging. It is called a CTB - Computer Based Training hook and
is only called when another window gets the focus or a window is created.
For details, please see the PTD.cpp (or the MSDN for details about the
CTB hook).

In newer WinPT versions, a modified edit control is used to make the
passphrase handling more secure. This code uses a hook to break the
chain of globally defined hooks. Actually there is no real code, just
a return value which indicates that other (possibly previously defined)
hooks shall _not_ be executed. But this hook is only active when the
passphrase dialog is active. After the passphrase is successfully sent
to GPG, the dummy hook will be released.

In short, the only active hook, I mean all the time, is the CTB hook
to store the current window.


If you need more details, please feel free to ask. I don't want to hide
anything and of course you can also study the code (or let someone else
do it) if you want to see the implementation.


	Timo

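The following is an added example, not part of the original message and not WinPT's code: a portable C model of a Windows-style hook chain showing what the "dummy hook" described above does and does not cover. All names (`install`, `call_next`, `observer_hook`, `dummy_hook`, `observed`) are hypothetical, and it assumes the documented chain behaviour that a newly installed hook is called first and must forward the event itself for older hooks to see it.

```c
#include <stdio.h>
#define MAX_HOOKS 8
typedef int (*hook_proc)(int idx, int key);
static hook_proc chain[MAX_HOOKS];  /* chain[count-1] is the head (newest hook) */
static int count, seen;             /* seen = events the simulated observer got */

/* Models SetWindowsHookEx: a new hook is placed at the head of the chain. */
static void install(hook_proc p) { if (count < MAX_HOOKS) chain[count++] = p; }

/* Models UnhookWindowsHookEx: remove one procedure, keep the others in order. */
static void uninstall(hook_proc p) {
    for (int i = 0; i < count; i++)
        if (chain[i] == p) {
            for (int j = i; j < count - 1; j++) chain[j] = chain[j + 1];
            count--;
            return;
        }
}

/* Models CallNextHookEx: hand the event to the next (older) hook, if any. */
static int call_next(int idx, int key) { return idx > 0 ? chain[idx - 1](idx - 1, key) : 0; }

/* Delivery always starts at the head of the chain. */
static int dispatch(int key) { return count ? chain[count - 1](count - 1, key) : 0; }

/* A well-behaved observing hook: records the event, then forwards it. */
static int observer_hook(int idx, int key) { seen++; return call_next(idx, key); }

/* The dummy hook from the post: no logic, nonzero return, never forwards. */
static int dummy_hook(int idx, int key) { (void)idx; (void)key; return 1; }

/* Deliver n events while the dummy hook is active, optionally n more after
   it is released; return how many events the observer received in total. */
int observed(int observer_installed_first, int release_dummy, int n) {
    count = seen = 0;
    if (observer_installed_first) { install(observer_hook); install(dummy_hook); }
    else                          { install(dummy_hook); install(observer_hook); }
    for (int i = 0; i < n; i++) dispatch('a' + i);
    if (release_dummy) {
        uninstall(dummy_hook);
        for (int i = 0; i < n; i++) dispatch('a' + i);
    }
    return seen;
}

int main(void) {
    printf("observer installed before dummy: %d of 5\n", observed(1, 0, 5));
    printf("observer installed after dummy:  %d of 5\n", observed(0, 0, 5));
    return 0;
}
```

In this model the dummy hook only shields events from hooks that were already in the chain when it was installed, which matches the "previously defined" wording in the message; a hook installed afterwards sits ahead of it and still receives the events.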


