Hi,

I've created an app which monitors keystrokes. It works well but I still have a problem:

When I press CTRL-ALT-DEL on my XP box my JournalHook procedure seems to stop receiving Windows messages and therefore stops recording keys (though the app doesn't crash).

Any ideas how to get rid of that bug?
Posted on 2002-07-18 14:09:30 by Axial
Before you start blaming Windows I suggest you take another look at your code. The odds are against you.
Posted on 2002-07-18 16:38:38 by MArtial_Code
AFAIK that's not a bug, it's a security feature against password snooping.
Posted on 2002-07-18 16:49:43 by Hiroshimator
For Password "snooping" on WinNT/2K/XP just write your own GINA.DLL (not Gina Wild).
Posted on 2002-07-18 16:53:42 by bazik
It is not a bug, you are not supposed to hook the ctrl-alt-del sequence, due to its security implications. If you go to your %system32% directory, you will see a file called msgina32.dll. That is the file that handles that sequence.
Posted on 2002-07-18 17:00:39 by sluggy
In these next two posts are the screenshots of the exports from msgina.dll. As you can see, more than half of them are exported by ordinal only, good luck trying to work with that :grin:
Posted on 2002-07-18 17:26:48 by sluggy
and the second one:
Posted on 2002-07-18 17:27:23 by sluggy
Thanks everyone! :alright:

Sluggy:

I'll do some research on that file!

Regards.
Posted on 2002-07-18 18:01:36 by Axial
I'll do some research on that file!
Have fun checking it out :grin: Expect progress to be slow however; MS have been known to 'protect' certain key functions to prevent normal apps from Ring 3 calling them, i.e. you have to be running at Ring 0, or be calling from certain other modules.
Posted on 2002-07-18 20:08:43 by sluggy
Axial,

Standard documentation for the JournalHook techniques says that Ctrl+Esc and Ctrl+Alt+DEL both terminate the hook, so it's actually behaving according to documentation. The normal termination of the technique is through Ctrl+Break but the two system-based combinations override the local application.

Regards,

hutch@movsd.com
Posted on 2002-07-18 22:19:38 by hutch--
If anyone is interested, I can post some source for a minimal replacement of the GINA dll. It's written in PowerBASIC (and not by me), but it's easy to convert to assembly. Just didn't have the time yet :/

Edit: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/gina.asp
Posted on 2002-07-18 23:58:51 by bazik
Hutch:

Thank you very much,
I went nuts with this disassembly :grin:
I'll try KeyboardProc with a hook.dll.

Bazik:

I'm interested!
Posted on 2002-07-19 00:17:12 by Axial
Here it is. It's a really basic example, which passes all unused functions to the original GINA dll and just shows Password & Username after login.
This "CALL DWORD" thing is just a call to the function you loaded via GetProcAddress.
As mentioned above the code is not written by me (and I didn't have the time to translate it yet :( ). Better use something like VMWare or a second machine for testing... else you will trash your system :rolleyes:
Or install WinNT/2K/XP on a FAT32 disk so you can replace the corrupt DLL with the original from DOS.

P.S.: Before one of the "I know it better" guys yells, you can also use NTFSDOS Pro for replacing the corrupt dll with the original one ;)

P.P.S.: Or use Linux ;)

I better stop now before I confuse you even more :grin:
Posted on 2002-07-19 01:02:45 by bazik
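A defender's counterpart to the GINA replacement bazik describes: on NT/2000/XP, Winlogon loads whatever DLL the GinaDLL value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon names, and uses the stock msgina.dll when that value is absent, so an administrator checking whether a machine's GINA has been swapped looks there. The Python below is an added example, not code from this thread or from the PowerBASIC source bazik mentions; the registry location is a known fact, while the two .reg exports it parses are constructed samples and the parser handles only REG_SZ values.

```python
import re

# Real registry location of the GINA setting on NT/2000/XP (known fact, not from the thread):
# Winlogon loads the DLL named by GinaDLL; when the value is absent it loads msgina.dll.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_GINA = "msgina.dll"

# Constructed .reg exports (what regedit's "Export" writes) used as sample input.
# In .reg syntax REG_SZ data is quoted and backslashes inside it are doubled.
SAMPLE_DEFAULT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

SAMPLE_CUSTOM = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"GinaDLL"="C:\\Tools\\mygina.dll"
"""

# "Name"="data" lines; data may contain \\ and \" escape pairs.
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # Undo .reg escaping: a backslash followed by any character stands for that character.
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def gina_status(reg_text):
    """Classify the configured GINA as ('default' | 'custom' | 'missing-key', dll)."""
    values = parse_reg_export(reg_text).get(WINLOGON_KEY)
    if values is None:
        return ("missing-key", None)
    dll = values.get("GinaDLL")
    if dll is None:
        return ("default", DEFAULT_GINA)  # no override: Winlogon loads msgina.dll
    # Compare the file name only, case-insensitively, so a full path to the
    # stock msgina.dll is still reported as the default.
    base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ("default" if base == DEFAULT_GINA else "custom", dll)


if __name__ == "__main__":
    for label, sample in (("default sample", SAMPLE_DEFAULT), ("custom sample", SAMPLE_CUSTOM)):
        print(label, "->", gina_status(sample))
```

A "custom" result only says the GINA is not the stock one; legitimate third-party GINAs (smart-card or VPN logon products of that era) set the same value, so the finding needs to be matched against what the machine is supposed to have.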
Linux with NTFS? Oh yeah, very good idea with current versions of Linux. At least do yourself the favour and don't try to do write access to NTFS partitions. It might work... and it might trash your partition severely.

If you're serious about rescuing NTFS stuff, get ERD Commander from Winternals.
Posted on 2002-07-19 09:02:29 by f0dder
Linux with NTFS? Oh yeah, very good idea with current versions of Linux. At least do yourself the favour and don't try to do write access to NTFS partitions. It might work... and it might trash your partition severely.

Hehe, I know... nothing is perfect! :tongue:
But seriously, I never trashed a partition... even read/write access to WinXP partitions works fine with the newest NTFS drivers.
I copied over 10 GB of MP3 files from an XP NTFS partition to my XFS /home partition without trashing it ;)
Posted on 2002-07-19 09:09:13 by bazik
Well, copying 10 gigs of MP3s *from* NTFS is read-only... which ought to be safe :).
But really, be very careful if you're going to do write access... NTFS is an advanced filesystem, not officially documented, and thus the Linux drivers involve RE and guessing. Especially the "guessing" part is not something I feel particularly comfortable about when dealing with important data ;)
Posted on 2002-07-19 09:32:11 by f0dder