Re: Intercepting hooks and API Calls
- From: "cristalink" <cristalink@xxxxxxxxxxxxx>
- Date: Sat, 4 Jun 2005 09:35:56 +1200
The whole Windows architecture is inherently flawed in terms of security.
It's just pointless trying to block/remove trojans instead of preventing
them from getting installed on your PC in the first place. As Maxim already said,
there are too many ways to install hooks, and it's virtually impossible to
guarantee your PC is 100% clean. You can remove 99% of trojans, but one left
behind is enough, isn't it?
All the existing anti-malware is nothing more than an illusion of security.
It can make your infected computer appear to work OK again, but it's unable
to guarantee your Internet browser does not send your banking password out
in HTTP headers while connecting to an innocent website.
With Windows, the security is a matter of trust. Say, you believe that this
particular word processor or a toolbar won't add a keylogger hook to your
OS. You go ahead and install one, believing that your PC is still secure.
Now you're a bit suspicious about that particular screen saver. You refrain
from installing it.
A few days ago I bought a WiFi USB adaptor for my laptop for $30. The device
installed a driver and an application. What a great way to distribute
trojans! It does not matter whether the software is signed or not - the
signature is a matter of trust, too.
--
http://www.cristalink.com
"Cleber P. de Souza" <nospam@xxxxxxxxx> wrote in message
news:efNL7fDaFHA.3528@xxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> I have been studying techniques that could intercept hooks and API
> calls in order to decide what is a normal operation and what is an illegal
> call. For example: if a hook that monitors the keyboard is detected, this
> could be considered a trojan and would need to be blocked. The same could be
> said about some API calls that are not necessary unless they come from the
> system or a known application.
>
> I think the best way to implement something like this would be to create a
> device driver in kernel mode that implements ways to intercept hooks and
> messages before they reach the target window, and decides whether to block
> them based on an internal database of rules.
>
> What do you think about this, and would it be possible?
> Is there any work in this area? Any suggestions?
>
> Thanks,
>
> Cleber P. de Souza
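
The reply above points out that a cheap USB adaptor silently installed a kernel driver plus an application, and that a code signature only tells you whom you are trusting. The script below is an added example for today's reader, not code from either poster or from any vendor: it lists the kernel drivers registered on a Windows host, resolves their on-disk image paths, and reports the Authenticode status and signer of each image so you can see what a device install dropped and who vouched for it. It assumes a Windows host with PowerShell 5.1 or later and the built-in Get-AuthenticodeSignature cmdlet; the seven-day window and the helper name Resolve-DriverPath are my own choices.

```powershell
# Added example (not from the original thread): audit registered kernel
# drivers and show who signed each image. A "Valid" status means only that
# the file was signed by the listed subject; it says nothing about whether
# that subject's code installs a hook or logs keystrokes.

# Assumption: only drivers whose image changed in the last week are shown,
# which is roughly "what did that device install just add?".
$since = (Get-Date).AddDays(-7)

function Resolve-DriverPath([string]$p) {
    # Win32_SystemDriver.PathName comes in several spellings:
    #   "C:\Windows\system32\drivers\x.sys"
    #   \??\C:\Windows\system32\drivers\x.sys
    #   \SystemRoot\System32\drivers\x.sys
    #   system32\DRIVERS\x.sys          (relative to %SystemRoot%)
    $p = $p.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

$drivers = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $file = Resolve-DriverPath $_.PathName
    if (Test-Path -LiteralPath $file) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $file
            Modified  = (Get-Item -LiteralPath $file).LastWriteTime
            SigStatus = $sig.Status
            # The subject is the identity you are actually trusting.
            Signer    = if ($sig.SignerCertificate) {
                            $sig.SignerCertificate.Subject
                        } else { '(unsigned)' }
        }
    }
}

$drivers |
    Where-Object { $_.Modified -gt $since } |
    Sort-Object Modified -Descending |
    Format-Table Name, State, StartMode, SigStatus, Signer, Path -AutoSize
```

Run it from an elevated prompt after plugging in a new device so the freshly registered driver and its signer are at the top of the list. Note that inbox Microsoft drivers are signed through catalog files; on older systems Get-AuthenticodeSignature may report them as NotSigned even though the OS trusts them, so treat a third-party signer name on a new driver, not an absence of a signature on a Windows component, as the thing worth investigating.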