Trillian attempting a "Global Hook"?

Discussion in 'ProcessGuard' started by spy1, Jan 25, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Why?

    Does blocking it with PG affect anything?

    What (if anything) should I do with Trillian's settings in PG? Pete
     


  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Just give Trillian "allow global hooks" in Options
    Dolf
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    yes, if it is a trusted program you can allow it.

    Personally I have a video game which needs it, as well as a network voice speech program, BTW very useful to speak with people all over the world without spending a single $ :)
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I dunno, guys - Trill's working fine without it, apparently, so I think I'll just leave it alone.

    I only "trust" things for about a second (on a GOOD day). Pete
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Pete, on reboot I get a single spate of three "requests" for global hooks from cftmon.exe, which is to do with speech & alternative user interfaces. So far I have not added this to the PG list as it is not a file that is known to do any service for malware.

    I have had no detrimental effects so far :)

    I think some programmes just send the command but do not actually need a reply to run correctly. :)

    There will probably be many anomalies found during the coming weeks as more users test PG with a whole variety of programmes.
     
  6. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I don't think this is a good idea.
    Before you had the global hooks protection, Trillian did whatever it thought it needed to do, so if Trillian will be blocked from such actions, it can only have unpredictable results.
    Dolf
     
  7. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Most hooks are to do with certain menu operations or mouse based recording stuff that a lot of applications do, all the time. In 99.9% of cases you won't need to add an "allow global hooks" to an application because the only issues it will bring are minor ones, if any are noticeable. It is up to you to see what each application does with you blocking or allowing hooks on it, but in general it isn't THAT BAD to block them even on legit applications.

    As an easy to see example, if you take away Internet Explorer's ability to Allow Global Hooks, then left click on its menu once, then try and move the mouse over the other top level menu items, it won't work as it should. You have to click on each item for it to bring up the list, instead of just moving the mouse over it. That is the only hook I have seen IE try to install, it also might be one we allow by default in coming versions, a lot more testing is needed with a few thousand machines to see if we can allow this through though. :)

    -Jason-
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for the clarification Jason :)
     
  9. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Is _any_ global hook loading a DLL in every running process?
    It sounds very abusive to me that an application needs a "global" hook, or maybe PG displays "global hook" for all global and local?
     
  10. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    gkweb, I don't think I understood your question correctly, but local hooks (which don't load the DLL into all processes with user32.dll) call SetWindowsHook, which isn't protected by Process Guard as there is no need - local hooks don't have any known security implications and it's unlikely there ever will be any. Global hooks (which do load their DLL into all processes that use user32.dll) call SetWindowsHookEx, which is protected by Process Guard, so there should never be any issues with local hooks, only global ones. However, to throw a spanner in the works, please be aware that some SetWindowsHookEx hooks can only create thread hooks - others can only create global hooks, and others can create both. Is that the info you were after, or ... ? :)

    PS. As already mentioned by others it's usually OK to block global hooks in most programs (I usually block all hooks, only enabling them if I notice lack of program functionality (rarely), such as menus not working properly), but it can also actually be beneficial in terms of system resources, because by blocking the call to SetWindowsHookEx (which prevents the global hook from being created), you're preventing the hook DLL from being loaded into all processes that have user32.dll (which will be most of your processes).

    Here's some official documentation regarding the SetWindowsHookEx function from MSDN:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/setwindowshookex.asp
     
  11. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Just a further clarification, SetWindowsHookEx is sometimes used for local based hooks, which Process Guard doesn't interfere with, it always allows them.

    There are a lot of functions that Microsoft uses in some of their products which they have not documented which we are investigating at this stage. I am pretty sure Internet Explorer's hook is only trying to be local but it is getting seen as global.

    -Jason-
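
Added example, not part of the thread and not Process Guard's own logic: a sketch of how a monitor could tell thread-scoped from global `SetWindowsHookEx` requests, as the two DiamondCS posts above distinguish them, using the documented `idHook` and `dwThreadId` arguments. `classify_hook`, `hook_verdict` and the `thread_in_caller` flag are hypothetical names; the hook-type values are redeclared from winuser.h so the code builds without the Windows SDK.

```c
#include <stdio.h>

/* Hook type ids as defined in winuser.h (8 is unused in Win32). */
enum { WH_MSGFILTER = -1, WH_JOURNALRECORD = 0, WH_JOURNALPLAYBACK = 1,
       WH_KEYBOARD = 2, WH_GETMESSAGE = 3, WH_CALLWNDPROC = 4, WH_CBT = 5,
       WH_SYSMSGFILTER = 6, WH_MOUSE = 7, WH_DEBUG = 9, WH_SHELL = 10,
       WH_FOREGROUNDIDLE = 11, WH_CALLWNDPROCRET = 12,
       WH_KEYBOARD_LL = 13, WH_MOUSE_LL = 14 };

typedef enum { HOOK_INVALID, HOOK_THREAD, HOOK_GLOBAL } hook_scope;

/* Hypothetical verdict a monitor might log for one hook request. */
typedef struct { hook_scope scope; int loads_dll_into_others; } hook_verdict;

static int is_known(int id) {
    return id >= WH_MSGFILTER && id <= WH_MOUSE_LL && id != 8;
}

/* Types documented as "global only": a non-zero thread id is rejected. */
static int is_global_only(int id) {
    return id == WH_JOURNALRECORD || id == WH_JOURNALPLAYBACK ||
           id == WH_SYSMSGFILTER || id == WH_KEYBOARD_LL || id == WH_MOUSE_LL;
}

/* Journal and low-level hooks are global, but their callback runs in the
 * installing thread, so no DLL is mapped into other processes. */
static int runs_in_installer(int id) {
    return id == WH_JOURNALRECORD || id == WH_JOURNALPLAYBACK ||
           id == WH_KEYBOARD_LL || id == WH_MOUSE_LL;
}

/* thread_id mirrors dwThreadId (0 = all threads on the desktop);
 * thread_in_caller says whether that thread belongs to the calling process. */
hook_verdict classify_hook(int id_hook, unsigned long thread_id, int thread_in_caller) {
    hook_verdict v = { HOOK_INVALID, 0 };
    if (!is_known(id_hook)) return v;
    if (thread_id == 0) {
        v.scope = HOOK_GLOBAL;
        v.loads_dll_into_others = !runs_in_installer(id_hook);
    } else if (!is_global_only(id_hook)) {
        v.scope = HOOK_THREAD;
        v.loads_dll_into_others = !thread_in_caller; /* foreign thread still needs the DLL */
    }
    return v;
}

int main(void) {
    /* Constructed sample requests: a global WH_CBT hook and a local WH_MOUSE hook. */
    hook_verdict a = classify_hook(WH_CBT, 0, 0), b = classify_hook(WH_MOUSE, 1234, 1);
    printf("WH_CBT/0: scope=%d dll=%d\n", a.scope, a.loads_dll_into_others);
    printf("WH_MOUSE/1234: scope=%d dll=%d\n", b.scope, b.loads_dll_into_others);
    return 0;
}
```
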
     
  12. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    that was my concern... to save system resources by blocking legit global hook ;)

    What I wanted to know was if all global hook blocked by PG was the loading of a DLL in every running processes, which is the case from your answer.

    A global hook hunter is born :cool:
     