Which hooks are dangerous?

Discussion in 'ProcessGuard' started by JayTee, Jan 16, 2005.

Thread Status:
Not open for further replies.
  1. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
    A question:

    Which hooks are dangerous? Are all hooks dangerous? I have Process Guard 3.10 Full and basically have blocked all global hooks (me being paranoid).

    However, I use ObjectDock and have been notified that PG has blocked a global mouse hook, a global CBT hook and a global Shell hook. However, ObjectDock still runs as per normal as far as I can see.

    I am also trying out ManageDesk and PG has blocked a global CallWndProc and a global GetMessage hook. But ManageDesk cannot do certain things like minimize/restore windows.

    As far as I understand, hooks are dangerous in the sense that they can be used to hijack an app. I can understand how a CallWndProc hook is dangerous, but are global mouse hooks dangerous?

    Thanks
     
  2. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Not all hooks are "dangerous". Microsoft provided the ability for programs to add hooks due to the great functionality it can offer. By allowing a program to install a hook, you allow a DLL to be "injected" into other processes; if the DLL were malicious then it could present a big problem. If you trust the application installing the HOOK then you should allow it.

    Alternatively, if you can live without the functionality that the program offers through hooking then you can always block it. However, some programs will not work at all if you do this, so it needs to be investigated on a program-by-program basis whether or not you can do this.
     
  3. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    I have found that in order for various functions of ObjectDock to work correctly, such as icon magnification on mouseover, animated icons etc., the Global Shell, CBT and Mouse hooks have to be allowed in ProcessGuard.

    For example, if I disable the allowance of hooks to be installed for ObjectDock and then unload and restart ObjectDock, I get the error message seen in the attached screenshot, which then leads to it not working correctly.

    But as Jason already stated, it needs to be investigated on a program-by-program basis to make sure that the program still functions correctly.


    Regards,
    Jade.
     

  4. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia

    Yes, and in most cases, unless you are an advanced user, you should ALWAYS allow any trusted program to install Global Hooks, just in case there are issues like the one mentioned by Jade. :)
     
  5. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    There is an old little tool, very easy to use (even for newbies), if someone wants to test a basic hook.

    Zapass is a trojan demonstrator originally used for testing firewalls.
    It consists of injecting an implant (DLL) into a running process.
    You could use it to check the strength of PG, for instance:

    http://www.whirlywiryweb.com/article.asp?id=/trojanimplant

    At the end of the page, there's also an old link about API hooking.

    Regards
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    I haven't tried Zapass but just from your description I can tell that ProcessGuard would walk all over it :)

    Incidentally, our freeware Advanced Process Termination tool actually has anti-usermode-hook capabilities to clear any usermode hooks that might try to get in the way of termination (for example, if a trojan tries to prevent itself from being terminated by hooking calls to the usermode function TerminateProcess in kernel32.dll). Usermode hooks are a lot easier to create than kernelmode hooks, but they're also a lot easier to remove. Very easy, in fact, and they should not be used for any security-related purposes (as APT proves).

    Best regards,
    Wayne
     
  7. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Tried injecting into explorer.exe with Zapass, and ProcessGuard stopped it dead of course - see screenshot.

    Alternatively, DiamondCS also has a little application to test against this called keyhook.exe, which is available to download here.


    Regards,
    Jade.
     

  8. JayTee

    JayTee Registered Member

    Joined:
    Nov 2, 2004
    Posts:
    166
    Thanks for the clarifications.
     