Click here to Skip to main content
Click here to Skip to main content

PasswordSpy - Retrieving lost passwords using Windows hooks

, 16 Dec 2003
Rate this:
Please Sign up or sign in to vote.
A practical application of setting Windows hooks

Due to the nature of this program, your anti-virus program may mark this download as a virus. Download at your own risk.

PasswordSpy

Introduction

As long as computer hardware and software have used passwords there have been people trying to crack those passwords. Just as there have been people working to increase security for those passwords. This article takes a look at Windows passwords from both sides.

In Windows 3.x there was a little know bug with the password control. If you select the "****" text displayed in a password control and copy the text, the text copied into the clipboard is the actual password, not the displayed "****" text. Microsoft found this bug and fixed it starting in Windows 95. But people found ways to copy passwords from Windows 95, and wrote programs to do it. These programs are not password crackers, instead they use a security hole in Windows to copy the password from another running program. I downloaded one of these programs and found it intriguing, so I wrote my own version. Later, once Windows 2000 was released, I was disappointed to see Microsoft again fixed the "bug" and so programs like these didn't work on Windows 2000 (and now a days Windows XP). But after several failed attempts, I finally found a way to copy the password while running on any 32-bit Windows OS.

Use

PasswordSpy is a very simple program to use. You simply start the program that contains the forgotten password as well as PasswordSpy. Then drag the magnifying glass from PasswordSpy over the "****" field and PasswordSpy will display the password. It should be noted that PasswordSpy is not intended for mischievous purposes. PasswordSpy has been tested on Win95/98/ME and WinNT/2K/XP.

Features

In addition to being a useful application, PasswordSpy demonstrates some useful and interesting code.
  • A single instance application. If the user starts a second copy of PasswordSpy, the first copy is brought to the foreground instead of starting a second copy.
  • OS detection. Shows how to detect which OS the program is running on, Windows 95/98/ME/NT/2K/XP.
  • "Always on top" With a single line of code you can set or remove the "always on top" state from your application.
  • Inter Process Communication. PasswordSpy uses several forms of IPC including the WM_COPYDATA message as well as memory-mapped files.
  • Setting windows hooks. In order to extract the password on Win2K/XP you must set a hook into the remote process.

Code Details

PasswordSpy works by taking advantage of a security hole in Windows. If you send a WM_GETTEXT message to a password control, the text returned is the actual password not the "****" displayed in the control. This sneaky technique works great on Windows NT/95/98/ME, but on Win2K/XP Microsoft has added security. On Win2K/XP if you send a WM_GETTEXT message to a password control, it first checks the calling process to determine if it has access. If the calling process is the same process as the one that created the password control, the WM_GETTEXT message still returns the password. However, if the calling process is different, then the return is ERROR_ACCESS_DENIED. So the key to retrieving the password in Win2K/XP is to get your WM_GETTEXT message to come from the same process as the password control and not from PasswordSpy. One way to execute your code in the context of another process is through the use of Windows hooks.

By far the most interesting aspect of PasswordSpy is the technique of setting a Windows hook with the SetWindowsHookEx API. With this function you can install a hook into either the whole system or a specific process. There are a dozen different types of hooks to install, each type monitors for a specific set of events. When one of those events happens, your hook code gets called. PasswordSpy uses the WH_GETMESSAGE hook, which monitors for calls to GetMessage and PeekMessage. For more background info on hooks please read the MSDN on SetWindowsHookEx.

I have found several examples of hooks on the Internet, in books, and in the MSDN. But every example I saw had at least one bug in the code. Here I'll address the problem as well as my solution.

The hardest part about using Windows hooks is properly storing the handle to the hook. Before you can set a hook you need two things.

  1. A DLL containing the hook function, and 
  2. the ID of the thread you want to hook. 

Now supposing Process A sets a hook into Process B. After hooking Process B, the hook handle is returned to Process A and the DLL is mapped into Process B's address space. When one of the hooked events in Process B happens, your hook code gets called from Process B (It should be noted, your hook code gets called from the remote process! In your hook code if you call GetCurrentProcessId, you get the PID of the hooked process, not your original program that set the hook). From the hook code you can do whatever you want, but before your hook code exits you are supposed to call CallNextHookEx. If you fail to call this function, any other hooks that might be installed will fail to get the message. The problem is CallNextHookEx requires the handle to the hook, but that handle was returned to Process A and we're currently in Process B. Thus some sort of Inter Process Communication is needed to transfer the hook handle.

Most hook samples solve this problem by creating a "shared" section in the DLL.

#pragma data_seg("Shared")
HHOOK g_hHook = NULL;
#pragma data_seg()
#pragma comment(linker, "/section:Shared,rws")

In a nutshell, this creates a single variable that is shared by all loaded instances of that DLL. So if five processes load this DLL, all five have access to that variable. But there are a few problems with this method. For starters, some compilers may not support this option. Second, what if Microsoft decides to change how "shared" sections work in future versions of Windows; that would mean this technique would no longer work. Also, this method has no thread synchronization, and since you have multiple threads accessing this variable thread synchronization is important.

To solve these problems I used memory mapped files for the IPC, and a mutex for thread synchronization. I encapsulated all this code into a class I called CIPC. By using memory mapped files I solve the problem of special compiler options because none are needed, it's done using nothing but Win32 API calls. Plus MMFs are a supported way of sharing data between multiple processes, so Microsoft is not likely to change that in future versions of Windows. And the mutex ensures that thread access is synchronized.

//***********************************************
// IPC.h
//***********************************************
#ifndef _IPC_H_
#define _IPC_H_

#define IPC_SHARED_MMF  _T("{34F673E0-878F-11D5-B98A-00B0D07B8C7C}")
#define IPC_MUTEX       _T("{34F673E1-878F-11D5-B98A-00B0D07B8C7C}")

// Class for Inter Process Communication using Memory Mapped Files
class CIPC
{
public:
    CIPC();
    virtual ~CIPC();

    bool CreateIPCMMF(void);
    bool OpenIPCMMF(void);
    void CloseIPCMMF(void);

    bool IsOpen(void) const {return (m_hFileMap != NULL);}

    bool ReadIPCMMF(LPBYTE pBuf, DWORD &dwBufSize);
    bool WriteIPCMMF(const LPBYTE pBuf, const DWORD dwBufSize);

    bool Lock(void);
    void Unlock(void);

protected:
    HANDLE m_hFileMap;
    HANDLE m_hMutex;
};

#endif


//***********************************************
// IPC.cpp
//***********************************************
#include "IPC.h"

//***********************************************
CIPC::CIPC() : m_hFileMap(NULL), m_hMutex(NULL)
{
}

//***********************************************
CIPC::~CIPC()
{
    CloseIPCMMF();
    Unlock();
}

//***********************************************
bool CIPC::CreateIPCMMF(void)
{
  bool bCreated = false;

  try
  {
     if(m_hFileMap != NULL)
        return false;    // Already created

     // Create an in-memory 4KB memory mapped 
     // file to share data
     m_hFileMap = CreateFileMapping((HANDLE)0xFFFFFFFF,
         NULL,
         PAGE_READWRITE,
         0,
         4096,
         IPC_SHARED_MMF);
     if(m_hFileMap != NULL)
        bCreated = true;
  }
  catch(...) {}

  return bCreated;
}

//***********************************************
bool CIPC::OpenIPCMMF(void)
{
    bool bOpened = false;

    try
    {
        if(m_hFileMap != NULL)
            return true;    // Already opened

        m_hFileMap = 
          OpenFileMapping(FILE_MAP_READ | FILE_MAP_WRITE,
            FALSE,
            IPC_SHARED_MMF);
        if(m_hFileMap != NULL)
            bOpened = true;
    }
    catch(...) {}

    return bOpened;
}

//***********************************************
void CIPC::CloseIPCMMF(void)
{
    try
    {
        if(m_hFileMap != NULL)
            CloseHandle(m_hFileMap), m_hFileMap = NULL;
    }
    catch(...) {}
}

//***********************************************
bool CIPC::ReadIPCMMF(LPBYTE pBuf, DWORD &dwBufSize)

{
  _ASSERTE(pBuf);

  bool bSuccess = true;

  try
  {
     if(m_hFileMap == NULL)
         return false;

     DWORD dwBaseMMF = (DWORD)MapViewOfFile(m_hFileMap,
                FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
     _ASSERTE(dwBaseMMF);

     // The first DWORD in the MMF contains the size of the data
     DWORD dwSizeofInBuf = dwBufSize;
     CopyMemory(&dwBufSize, (LPVOID)dwBaseMMF, sizeof(DWORD));

     if(dwSizeofInBuf != 0)
     {
         if(dwBufSize > dwSizeofInBuf)
             bSuccess = false;
         else
              CopyMemory(pBuf, 
                  (LPVOID)(dwBaseMMF + sizeof(DWORD)),
                  dwBufSize);
     }

     UnmapViewOfFile((LPVOID)dwBaseMMF);
  }
  catch(...) {}

  return bSuccess;
}

//***********************************************
bool CIPC::WriteIPCMMF(const LPBYTE pBuf, const DWORD dwBufSize)
{
    _ASSERTE(pBuf);

    bool bSuccess = true;

    try
    {
        if(m_hFileMap == NULL)
            return false;

        DWORD dwBaseMMF = (DWORD)MapViewOfFile(m_hFileMap,
            FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
        _ASSERTE(dwBaseMMF);

        // The first DWORD in the MMF contains the size of the data
        CopyMemory((LPVOID)dwBaseMMF, &dwBufSize, sizeof(DWORD));
        CopyMemory((LPVOID)(dwBaseMMF + sizeof(DWORD)), 
                            pBuf, dwBufSize);

        UnmapViewOfFile((LPVOID)dwBaseMMF);
    }
    catch(...) {}

    return bSuccess;
}

//***********************************************
bool CIPC::Lock(void)
{
    bool bLocked = false;

    try
    {
        // First get the handle to the mutex
        m_hMutex = CreateMutex(NULL, FALSE, IPC_MUTEX);
        if(m_hMutex != NULL)
        {
            // Wait to get the lock on the mutex
            if(WaitForSingleObject(m_hMutex, INFINITE) == WAIT_OBJECT_0)
                bLocked = true;
        }
    }
    catch(...) {}

    return bLocked;
}

//***********************************************
void CIPC::Unlock(void)
{
    try
    {
        if(m_hMutex != NULL)
        {
            ReleaseMutex(m_hMutex);
            CloseHandle(m_hMutex);
            m_hMutex = NULL;
        }
    }
    catch(...) {}
}

Countering PasswordSpy

Now that you know how to programmatically "copy" the password from another application, the next logical question is how do you prevent PasswordSpy from copying passwords from applications you write. If your application stores and displays passwords, and especially if you are concerned about security, then you probably want to protect your application from programs like PasswordSpy.

Since PasswordSpy can copy passwords out of other programs, the solution to protecting your own programs is to never display the real password in the first place. The best solution is to display a bogus password in the password control. That way if someone uses PasswordSpy to retrieve the password, all they get back is a bogus password, not the real thing. Included in the download is a program AntiPwdSpy. This program shows how to protect your password controls from being "spied." The program AntiPwdSpy behaves exactly the same as the Windows NT Services dialog and the Windows NT User Manager.

There are other ways to counter programs like PasswordSpy. One way is to intercept the WM_GETTEXT message. This works, but using the bogus password method has other benefits. By replacing the real password with a bogus one, it is not possible to determine the length of a password by looking at the password control. If a program displays the text "***" in a password control, right away you know that password is only three characters in length. This greatly compromises the security of that password by revealing the passwords length. But if that password control displayed "**************" as is done in most Microsoft programs, you do not know anything about the password.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Share

About the Author

Brian Friesen
Web Developer
United States United States
No Biography provided

Comments and Discussions

 
Generalmfc42ud.lib LINK Pinmemberpku200931-Aug-08 22:56 
GeneralWow PinmemberDagaen12-May-08 16:24 
QuestionHow to use Right-Click of mouse & Function keys in my program? PinmemberDebasish Mondal14-Mar-07 17:53 
QuestionCan someone convert this code to VB 6 PinmemberAmr ElSaqqa30-Jan-07 19:29 
AnswerRe: Can someone convert this code to VB 6 Pinmemberdyntryx25-Aug-07 12:18 
GeneralScan Level Query PinmemberBig Al R9-Dec-04 2:27 
GeneralRe: Scan Level Query PinmemberBrian Friesen9-Dec-04 6:10 
GeneralRe: Scan Level Query PinsussAnonymous9-Dec-04 13:00 
GeneralOther applications Pinmembersammyc15-Nov-04 21:13 
GeneralRe: Other applications PinmemberBrian Friesen16-Nov-04 6:31 
Generalno other way Pinmemberkhurram a1-Oct-04 10:12 
GeneralDrag and Drop hooking PinsussCollin Parker9-Jul-04 11:51 
GeneralAn easier way could be used PinsussSirguan4-Jul-04 23:23 
GeneralRe: An easier way could be used PinmemberBrian Friesen6-Jul-04 7:57 
GeneralRe: An easier way could be used PinmemberGuanLiang23-Aug-04 22:38 
GeneralDoes not work on winzip8 Pinmemberdharamgaram24-Dec-03 3:03 
Hi
I tried the sw on Winzip 8. It displays a blank.
 
Regds
 
Confused | :confused:
GeneralPwdSpy, NAV, and Power Spider PinmemberBrian Friesen7-Dec-03 11:09 
GeneralRe: PwdSpy, NAV, and Power Spider PinmemberZhefu Zhang17-Dec-03 3:54 
GeneralRe: PwdSpy, NAV, and Power Spider PinmemberChris Meech17-Dec-03 8:38 
GeneralRe: PwdSpy, NAV, and Power Spider PinmemberZhefu Zhang18-Dec-03 8:32 
GeneralNot only NAV Pinmemberlaser6-Jan-04 23:23 
GeneralRe: Not only NAV PinmemberBrian Friesen7-Jan-04 6:41 
GeneralRe: Not only NAV PinsussAnonymous2-Mar-05 10:42 
GeneralRe: Not only NAV PinmemberBrian Friesen2-Mar-05 12:49 
GeneralNorton AntiVirus detects this entry as a virus PinsussAnonymous4-Dec-03 14:38 
GeneralRe: Norton AntiVirus detects this entry as a virus PinmemberBrian Friesen4-Dec-03 15:18 
GeneralRe: Norton AntiVirus detects this entry as a virus PinsussAnonymous5-Dec-03 8:58 
GeneralRe: Norton AntiVirus detects this entry as a virus PinmemberZhefu Zhang18-Dec-03 9:36 
GeneralRe: Norton AntiVirus detects this entry as a virus PinmemberHackerBoy13-Jan-04 12:13 
GeneralRe: Norton AntiVirus detects this entry as a virus PinsussAnonymous13-Jan-04 12:17 
GeneralRe: Norton AntiVirus detects this entry as a virus PinmemberZhefu Zhang13-Jan-04 16:59 
GeneralRe: Norton AntiVirus detects this entry as a virus PinmemberArch4ngel2-Dec-04 8:36 
GeneralRe: Norton AntiVirus detects this entry as a virus PinmemberBrian Friesen2-Dec-04 8:54 
GeneralRe: Norton AntiVirus detects this entry as a virus PinmemberArch4ngel2-Dec-04 17:31 
GeneralHelp with hooks Pinmembermarkaa1234529-Nov-03 11:27 
Generalloading dll to my project.cpp Pinsussarun_moyal15-May-03 23:45 
QuestionDoesn't work with IE Browser? PinsussAnonymous3-Sep-02 11:08 
AnswerRe: Doesn't work with IE Browser? PinsussAnonymous29-Oct-02 1:56 
GeneralRe: Doesn't work with IE Browser? PinmemberBrian Friesen30-Oct-02 15:07 
GeneralRe: Doesn't work with IE Browser? PinsussAnonymous9-Jan-03 8:54 
GeneralRe: Doesn't work with IE Browser? PinmemberXingGanXiaoJie17-Dec-03 17:35 
GeneralThis utility will work ! Source code in VB included. Pinmembervelhochico17-Jan-03 12:28 
GeneralHI Pinsussgono2bed28-Jul-02 11:35 
GeneralRe: HI PinsussDevilDudeXP16-Oct-03 20:58 
GeneralRe: HI PinmemberDaFrawg12-May-04 3:06 
GeneralLinking VC6 with assembler Pinmemberjordan_m23-Jul-02 0:41 
GeneralRe: Linking VC6 with assembler PinmemberSantosh M. P.31-Jul-02 10:02 
GeneralDivine Work PinmemberPedro Miranda27-Jun-02 2:36 
GeneralVB Translation PinmemberJames Johnston20-Apr-02 21:06 
GeneralA fix!! PinmemberIdrassi Mounir14-Apr-02 7:21 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web03 | 2.8.1411022.1 | Last Updated 17 Dec 2003
Article Copyright 2001 by Brian Friesen
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid