Intercepting Windows System Messages

Posted by: ecko

Intercepting Windows System Messages - 12/16/05 12:55 AM

I've spent the last several days investigating a specific topic and have hit a lot of dead ends. I've been reading a lot of articles and forums at sites such as UGN Sec, Packet Storm Security, and Insecure.org and really have not come up with much. I hope someone can help me, here's what I've been looking for:

As part of a research project I've been investigating how to intercept System Messages. More specifically, I'm looking for a program that can reside in memory outside of the Windows environment while retaining the potential to intercept and alter any messages passed back and forth between windows and hardware. In essence, it acts like a wrapper, or VM ware, with windows running inside it. (The key is that windows would be unaware of its existance.)

It's possible something like this at one point existed and is now obsolete, but if anyone's heard of something like this, or anything fairly similar, I'd love to know. Even if it is really old and out-of-date. Thanks in advance.
Posted by: Gremelin

Re: Intercepting Windows System Messages - 12/16/05 06:35 AM

I'm not sure if it's possible with recent versions of window$ as it's had "dos" irraticated; in older versions (95/98 and prior) you could just imbed a program like you're looking for in the autoexec.bat and it'd run like a choo choo...

However in modern versions of window$ i believe that any running applications are purged once windows starts up (thus allowing you to still run programs on startup through autoexec.bat for error testing and stuff like that, but maintaining a secure enviroment).

What it would look like you'd need after all would be a keylogger of sorts (perhaps something designed to capture strings of data vs just inputed data) which would hide from the task manager (which is technically possible on some level) however most keyloggers are found by antivirus programmes now adays, including the little one that Neo and I designed and never really released publicly lol...
Posted by: ecko

Re: Intercepting Windows System Messages - 12/16/05 08:03 PM

Thanks for the info, it's been helpful. It does bring me to other questions though.

When a typical Master Boot Record program fires up it gets dumped into memory address 0000:7c00. It then copies itself into address 0000:0600 and then load the windows boot partion into address 0000:7c00.

The MBR program at 0000:0600 is about 86 bytes, and the partition table resides at 0000:07be to 0000:07fd. This leaves 226 bytes to play with in the MBR program, (0000:06db to 0000:07bd.) I've 'altered and expanded' the MBR program in the past for specific needs.

So here's my question: When Windows XP, Win Server 2003, etc boot-up they start at 0000:7c00. Does the boot sequence wipe the memory at the lower address spaces thus stopping my alterations? Also, any 'keylogger' applications running within windows would be locked out of the 'ctrl+alt+del' login screen. That's why I need something running outside of the Win Enviornment. Any thoughts?

THanks in advance. You've been very helpful.
Posted by: Infinite

Re: Intercepting Windows System Messages - 12/18/05 01:01 AM

I think that you already hit on a decent way to go about it. Something like vmware or Xen sounds like the way to go. Xen is even opensource so you can potentially modify it to dump the info you are looking for.

Quote:
So here's my question: When Windows XP, Win Server 2003, etc boot-up they start at 0000:7c00. Does the boot sequence wipe the memory at the lower address spaces thus stopping my alterations?
I'm a little outta my element here, but I would theorize the way to go about it would be to write a "bootloader" or simple OS that sits there, and then runs windows on top of itself in higher memory addresses... I have no idea if this is even possible.
Posted by: ecko

Re: Intercepting Windows System Messages - 12/30/05 10:10 PM

Hey, thanks for the information. I've been busy reading through most of the Xen documentation. (I've also been pouring into VMWare too.) For what I plan on building though these two have a lot of overhead, (ie they have way too much functionality for what I'm looking for.)

I think what I'm going to do is build my own custom VM Application. I'll be referencing a lot of books along with Xen and VMWare (withOUT stealing/using their code or intelectual property.) So would you happen to know of any other good sources I might look into?

For instance, WinXP on Xen has a cost metric of over 4600 (and growing) lines for the porting comodity. I'd hate to have to discover and deal with each issues one at a time. So I'm looking for anything that could help expidite this process. Got any ideas?

And thanks so much, you both have been very helpful.
Posted by: jonconley

Re: Intercepting Windows System Messages - 12/31/05 05:30 AM

To start off, more specifically, what do you mean by systems messages?

There are several applications that can monitor windows behavior inside the operating system, and ways to get around a program showing up in the Task Manager such as using a rootkit method that Sony has recently made headlines with.

Even VMware has a host operating system that is was developed for. I would find the attempt to develop a similar program, let alone one that isn't noticeable to an end user, to be an enormously challenging task.
Posted by: ecko

Re: Intercepting Windows System Messages - 01/03/06 05:42 PM

By system messages I mean the communication between hardware and the OS, (such as scancodes from the keyboard.) And you're right, taking on that task would be enormous.

Rootkits seem likely but they do run within the OS environment. Maybe I should spend more time looking into them. Basically here's what I've been researching: I'm looking for as many ways theoretically possible, (a proof of concept,) to capture the "ctrl+alt+del" login sequence for Windows. I don't need to capture keystrokes in a web browser, that's been done to death. Something that runs stealthly would be a nice feature but is not manditory on all concepts.

If I remember correctly, the loging seqence is locked down by Windows so most keyloggers, (the ones I looked into and studied,) don't work. So, would you have any other possible methods/sugestions/theories of how this capture could be acheived?

Thanks again for your time and Good article about Sony's rootkit too. I remember reading about it back in early Nov.
Posted by: Gremelin

Re: Intercepting Windows System Messages - 01/04/06 12:04 AM

Completely possible, in PcAnywhere if you hit Control Alt Delete you get a popup "Would you like to execute this command on the local or remote pc?"
Posted by: ecko

Re: Intercepting Windows System Messages - 01/05/06 03:35 PM

Excellent information guys. I also found a whitepaper published eEye, Remote Windows Kernel Exploitation , that I found to be very useful too. Worth checking out.