WinPatrol global hook

Discussion in 'other anti-malware software' started by avboy, Feb 29, 2008.

Thread Status:
Not open for further replies.
  1. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Hi,

    Today I got a warning from ZASS that WinPatrol was trying to monitor every keystroke, mouse movements etc, which is very risky. Is it a normal thing?
    I got the same for Snoopfree some days back. So can i conclude that all programs that provide protection against keyloggers/low level disk access or more specifically install global hooks, will be termed as risky by default by some HIPS/behavior blocker?

    Avboy
     
  2. Matern

    Matern Registered Member

    Joined:
    Nov 20, 2007
    Posts:
    102
    It's the job of these programs to monitor your system. If you don't understand this it is better to uninstall some tools, because software you couldn't manage is useless.
     
  3. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    And how would I increase my understanding without installing and using them? May be you can suggest a better way, other than being a Luddite for the rest of my life!

    Best Regards,
    Avboy
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    When u install more than one such application (HIPS, behav blockers etc.), they might warn about each other. That's usual. Just allow it.
     
  5. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    WinPatrol has added keylogger detection.

    http://billpstudios.blogspot.com/2008/01/winpatrol-14-enhances-keylogging.html
     
  6. BillPStudios

    BillPStudios Security Expert

    Joined:
    Sep 15, 2004
    Posts:
    23
    Location:
    Scotia, NY
    Programs like Zass are just being over zealous in how they detect keyloggers.
    They will alert you to any program which uses a particular Windows API function called "SetWindowsHook" (or SetWindowsHookEx).

    This function has been around since Windows 3.1 and can be used to monitor a variety of actions within the operating system. In WinPatrol's case it uses SetWindowsHookEx to help us detect any time someone tries to create a new window. That allows WinPatrol to sleep and not interfere at all until something triggers a new change event. There is no monitoring of keystrokes or mouse movements.

    A 1993 article by Kyle Marsh details the useful capabilities of setting a Windows hook.
    http://msdn2.microsoft.com/en-us/library/ms997537.aspx
    I've listed some of the uses below...

    • Process or modify all messages meant for all the dialog boxes, message boxes, scroll bars, or menus for an application or system
    • Process or modify all messages (of any type) whenever a SendMessage function is called (WH_CALLWNDPROC).
    • Process, modify, or remove keyboard events (WH_KEYBOARD).
    • Process, modify, or discard mouse events (WH_MOUSE).
    • Respond to certain system actions, making it possible to develop computer-based training (CBT) for applications (WH_CBT).

    WinPatrol actually uses WH_CBT.
    Obviously, not all programs using this function are malicious key loggers. By flagging all applications that use this function as keyloggers, programs are needlessly scaring the crap out of their users and giving a black eye to many legitimate programs.

    Thanks for trusting WinPatrol! Our goal like the folks here is definitely to help increase your understanding.

    Bill
    BillP Studios
     
  7. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,056
    Location:
    Las Vegas
    I use WinPatrol Plus and would not be without it. It is one of the best programs I have ever used-and I have used many.
     
  8. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    If you run some of the rootkit scanners mentioned in the forum, they will give you a good idea how many programs have hooked the kernel. I ran one particular scanner a while back (may have been rootkit unhooker, not sure). Some hooks were obviously legitimate, others I really could not be certain. Discretion being the better part of valor, I left things as is.
     
  9. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Thanks aigle and others for replying to my queries. Aigle, you have replied to most of my queries patiently.
     
  10. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Thanks a lot Bill. It is nice to see the guy himself taking time to explain the nuts and bolts. And your link will definitely enhance my understanding.

    Avboy
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks too and U r welcome.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So u think there is a way for a behavior blocker to analyze this hook and decide whether the hook is being used for keylogging or some other purpose and then not to give a false alert (without using a white list)?

    Thanks
     
  13. BillPStudios

    BillPStudios Security Expert

    Joined:
    Sep 15, 2004
    Posts:
    23
    Location:
    Scotia, NY
    Well, yes, anything is possible. There are a couple of ways, but doing so tends to make the security program a little bit too intrusive for my liking.

    One method would be to hook each API call and check the parameters. Many applications do this but I've tried to stay away from this method because it can slow things down. It can also create problems when you have more than one security program doing it.
    Another method is for the security program itself to become a rootkit. This can be more efficient but users typically don't like it. Again, compatibility with other security programs can be a problem.

    Bill
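    An added illustration of the parameter-check approach Bill describes above (posts 6 and 13), not code from WinPatrol or any other product: a behavior blocker that intercepts SetWindowsHookEx can look at the hook type and the thread id to tell a global input hook from a WH_CBT window-event hook, and combine that with the whitelist idea from post 14. The WH_* values are the real WinUser.h constants; the struct, the risk levels and the allow-list entries are constructed for the example.

```c
/* Added example (not WinPatrol's or ZoneAlarm's code): classify a
 * SetWindowsHookEx(idHook, lpfn, hMod, dwThreadId) call by its
 * parameters, the way a blocker that hooks the API call would.
 * Portable C; the WH_* values are the real WinUser.h constants. */
#include <stdio.h>
#include <string.h>

#define WH_KEYBOARD     2
#define WH_CALLWNDPROC  4
#define WH_CBT          5
#define WH_MOUSE        7
#define WH_KEYBOARD_LL  13
#define WH_MOUSE_LL     14

enum hook_risk { RISK_LOW = 0, RISK_MEDIUM = 1, RISK_HIGH = 2 };

/* Minimal view of the call as the blocker sees it. thread_id == 0
 * means the hook is global (injected into every thread on the desktop). */
struct hook_call {
    int          id_hook;
    unsigned int thread_id;
    const char  *module;   /* DLL that contains the hook procedure */
};

/* Constructed allow-list (placeholder name, not a real product module). */
static const char *const trusted_modules[] = { "example_trusted_hook.dll" };

static int is_trusted(const char *module) {
    for (size_t i = 0; i < sizeof trusted_modules / sizeof *trusted_modules; i++)
        if (strcmp(module, trusted_modules[i]) == 0) return 1;
    return 0;
}

/* HIGH only when the hook can see input AND is global. A WH_CBT hook
 * (window creation/activation events, what WinPatrol uses) or a
 * thread-local input hook never reaches that level. */
enum hook_risk classify_hook(const struct hook_call *c) {
    int sees_input = c->id_hook == WH_KEYBOARD || c->id_hook == WH_KEYBOARD_LL ||
                     c->id_hook == WH_MOUSE    || c->id_hook == WH_MOUSE_LL;
    int global = c->thread_id == 0;
    if (is_trusted(c->module)) return RISK_LOW;
    if (sees_input && global) return RISK_HIGH;
    if (sees_input || (global && c->id_hook == WH_CALLWNDPROC)) return RISK_MEDIUM;
    return RISK_LOW;
}

int main(void) {
    struct hook_call cbt = { WH_CBT, 0, "unknown.dll" };          /* WinPatrol-style */
    struct hook_call kbd = { WH_KEYBOARD_LL, 0, "unknown.dll" };  /* keylogger-capable */
    printf("global WH_CBT: risk %d, global WH_KEYBOARD_LL: risk %d\n",
           classify_hook(&cbt), classify_hook(&kbd));
    return 0;
}
```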
     
  14. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    IMO the easiest way, considering responsiveness and compatibility, has to be the whitelist approach for excluding the most common security applications using WH_*.

    /C.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    All I mean to say is that it might not be the fault of a behav blocker to give such alerts. A user must know to trust his security application and he should mark them trusted to any other HIPS or behav blocker he is using on his system. A simple approach.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    You're talking about stuff unrelated to this topic. Kernel hooks are something else. ;)
    It is already possible to block global hooks from spying on you, take for example Keylogger Hunter. It will block the keylogging method, without breaking any functionality of the hooks. Also, don't forget about KeyScrambler.

    http://www.softpedia.com/get/System/System-Miscellaneous/Keylogger-Hunter.shtml
    http://www.softpedia.com/get/Security/Keylogger-Monitoring/KeyScrambler-Professional.shtml
     