WinPatrol global hook

Hi,

Today I got a warning from ZASS that WinPatrol was trying to monitor every keystroke, mouse movements etc, which is very risky. Is it a normal thing?
I got the same for Snoopfree some days back. So can i conclude that all programs that provide protection against keyloggers/low level disk access or more specifically install global hooks, will be termed as risky by default by some HIPS/behavior blocker?

Avboy

 

It's the job of these Programms to Monitor your System, if you don't understand this it is better to unistall some tools, because Software you coudn't manage is useless.

 

And how would I increase my understanding without installing and using them? May be you can suggest a better way, other than being a Luddite for the rest of my life!

Best Regards,
Avboy

 

When u install more than one such applications( HIPS, Behav blockers etc), they might warn about eagh other. That,s usuall. Just allow it.

 

WinPatrol has added keylogger detection.

http://billpstudios.blogspot.com/2008/01/winpatrol-14-enhances-keylogging.html

 

Programs like Zass are just being over zealous in how they detect keyloggers.
They will alert you to any program which uses a particular Windows API function called "SetWindowsHook" (or SetWindowsHookEx).

This function has been around since Windows 3.1 and can be used to monitor a variety of actions within the operating system. In WinPatrols case it uses SetWindowsHookEx is to help us detect anytime someone tried to create a new window. That allows WinPatrol to sleep and not interfere at all until something triggers a new change event. There is no monitoring of keystrokes or mouse movements.

A 1993 article by Kyle Marsh details the useful capabilities of setting a Windows hook.
http://msdn2.microsoft.com/en-us/library/ms997537.aspx
I've listed some of the uses below...

• Process or modify all messages meant for all the dialog boxes, message boxes, scroll bars, or menus for an application or system
  
• Process or modify all messages (of any type) whenever a SendMessage function is called (WH_CALLWNDPROC).
  
• Process, modify, or remove keyboard events (WH_KEYBOARD).
  
• Process, modify, or discard mouse events (WH_MOUSE).
  
• Respond to certain system actions, making it possible to develop computer-based training (CBT) for applications (WH_CBT).

WinPatrol actually uses WH_CBT.
Obviously, not all programs using this function are malicious key loggers. By flagging all applications that use this function as keyloggers programs are needlessly scaring the crap out of their users and giving a black eye to many legitimate programs.

Thanks for trusting WinPatrol! Our goal like the folks here is definitely to help increase your understanding.

Bill
BillP Studios

 

I use WinPatrol Plus and would not be without it. It is one of the best programs I have ever used-and I have used many.

 

If you run some of the rootkit scanners mentioned in the forum, they will give you a good idea how many programs have hooked the kernel. I ran one particular scanner a while back (may have been rootkit unhooker, not sure). Some hooks were obviously legitimate, others I really could not be certain. Discretion being the better part of valor, I left things as is.

 

Thanks aigle and others for replying to my queries. Aigle, you have replied to most of my queries patiently.

 

Thanks a lot Bill. It is nice to see the guy himself taking time to explain the nuts and bolts. And your link will definitely enhance my understanding.

Avboy

 

Thanks too and U r welcome.

 

So u think there is a way for a behavior blocker to analyze this hook and decide whether the hook is being used for keylogging or some other purpose and then not to give a false alert( without using a white list)?

Thanks

 

Well, yes anything is possible. There is a couple ways, but doing so tends to make the security program a little bit too intrusive for my liking.

One method would be to hook each API call and check the parameters. Many applications do this but I've tried to stay away from this method because it can slow things down. It can also create problems when you have more than one security programs doing it.
Another method is for the security program itself to become a rootkit. This can be more efficient but users typically don't like it. Again, compatibility with other security programs can be a problem.

Bill

 

IMO the easiest way considering responsiveness and compatibleness, have to be the whitelist approach for excluding the most common security applications using WH_*.

/C.

 

All I mean to say is that it might not be the fault of a behav blocker to give such alerts. A user must know to trust his security application and he should mark them trsuted to any other HIPS or behav blocker he is using on his system. A simple approach.

 

You´re talking about stuff unrelated to this topic. Kernel hooks are something else.

It is already possible to block global hooks from spying on you, take for example Keylogger Hunter. It will block the keylogging method, without breaking any functionality of the hooks. Also, don´t forget about KeyScrambler.

http://www.softpedia.com/get/System/System-Miscellaneous/Keylogger-Hunter.shtml
http://www.softpedia.com/get/Security/Keylogger-Monitoring/KeyScrambler-Professional.shtml