A question: Which hooks are dangerous? Are all hooks dangerous? I have Process Guard 3.10 Full and have basically blocked all global hooks (me being paranoid). However, I use ObjectDock and have been notified that PG has blocked a global mouse hook, a global CBT hook and a global Shell hook. However, ObjectDock still runs as normal as far as I can see. I am also trying out ManageDesk, and PG has blocked a global CallWndProc and a global GetMessage hook. But ManageDesk cannot do certain things like minimize/restore windows. As far as I understand, hooks are dangerous in the sense that they can be used to hijack an app. I can understand how a CallWndProc hook is dangerous, but are global mouse hooks dangerous? Thanks.
Not all hooks are "dangerous". Microsoft provided the ability for programs to add hooks because of the great functionality they can offer. By allowing a program to install a hook, you allow a DLL to be "injected" into other processes; if the DLL were malicious, it could present a big problem. If you trust the application installing the HOOK, then you should allow it. Alternatively, if you can live without the functionality that the program offers through hooking, then you can always block it. However, some programs will not work at all if you do this, so it needs to be investigated on a program-by-program basis whether or not you can do this.
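The mechanism Jason describes, a hook DLL being loaded into other processes, leaves a visible trace: the same DLL shows up in the module list of many unrelated processes. As an added example (not posted in this thread and not a DiamondCS tool), the following PowerShell script lists DLLs from outside the Windows directory that are loaded into several processes, together with their Authenticode signer, so you can see what a trusted program such as ObjectDock is injecting and notice anything you do not recognise. `-MinProcesses` is an assumed threshold parameter, and Windows PowerShell 5.1 or later on the machine being audited is assumed.

```powershell
# Added example, not from the thread: audit which DLLs are loaded into many
# processes from outside the Windows directory. A global hook DLL (WH_CBT,
# WH_SHELL, WH_MOUSE, WH_CALLWNDPROC, WH_GETMESSAGE, ...) is mapped into every
# process that receives the hooked events, so it surfaces in this list.
# -MinProcesses is a hypothetical threshold you tune for your own system.
param(
    [int]$MinProcesses = 5
)

$windowsDir = [Environment]::GetFolderPath('Windows')
$seen = @{}   # full DLL path -> list of distinct process names that have it loaded

foreach ($proc in Get-Process) {
    try {
        $modules = $proc.Modules   # throws for protected or inaccessible processes
    } catch {
        continue
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        # Skip the process's own executable and anything under %WINDIR%.
        if ($path -eq $proc.Path) { continue }
        if ($path.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase)) { continue }
        if (-not $seen.ContainsKey($path)) {
            $seen[$path] = New-Object System.Collections.Generic.List[string]
        }
        if (-not $seen[$path].Contains($proc.ProcessName)) {
            $seen[$path].Add($proc.ProcessName)
        }
    }
}

# Report DLLs present in at least $MinProcesses distinct processes, most widespread first.
$seen.GetEnumerator() |
    Where-Object { $_.Value.Count -ge $MinProcesses } |
    Sort-Object { $_.Value.Count } -Descending |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Key
        [pscustomobject]@{
            Dll       = $_.Key
            Processes = $_.Value.Count
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Status    = $sig.Status
            LoadedIn  = ($_.Value -join ', ')
        }
    } | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that the module lists of more processes are readable. What it surfaces are candidates, not verdicts: shell extensions, input methods and accessibility tools end up in many processes the same way, which is exactly why the thread's advice is to judge each program on whether you trust it rather than on the hook type alone.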
I have found that in order for various functions of ObjectDock to work correctly, such as icon magnification on mouseover, animated icons etc., Global Shell, CBT and Mouse hooks have to be allowed in ProcessGuard. For example, if I disable the allowance of hooks to be installed for ObjectDock and then unload and restart ObjectDock, I get the error message seen in the attached screenshot, which then leads to it not working correctly. But as Jason already stated, it needs to be investigated on a program-by-program basis to make sure that the program still functions correctly. Regards, Jade.
Yes, and in most cases, unless you are an advanced user, you should ALWAYS allow any trusted program to install Global Hooks, just in case there are issues like the one mentioned by Jade.
Hi, there is an old little tool that is very easy to use (even for newbies) if someone wants to test a basic hook. Zapass is a trojan demonstrator originally used for testing firewalls. It consists of injecting an implant (DLL) into a running process. You could use it to check the strength of PG, for instance: http://www.whirlywiryweb.com/article.asp?id=/trojanimplant At the end of the page, there's also an old link about API hooking. Regards
I haven't tried Zapass, but just from your description I can tell that ProcessGuard would walk all over it. Incidentally, our freeware Advanced Process Termination tool actually has anti-usermode-hook capabilities to clear any usermode hooks that might try to get in the way of termination (for example, if a trojan tries to prevent itself from being terminated by hooking calls to the usermode function TerminateProcess in kernel32.dll). Usermode hooks are a lot easier to create than kernelmode hooks, but they're also a lot easier to remove. Very easy, in fact, and they should not be used for any security-related purposes (as APT proves). Best regards, Wayne
Tried injecting into explorer.exe with Zapass, and ProcessGuard stopped it dead, of course (see screenshot). Alternatively, DiamondCS also have a little application to test against this called keyhook.exe, which is available to download here. Regards, Jade.