Chapter 15 Windows GUI Subsystem, Part II
Part II of the Windows graphical user interface (GUI) subsystem analysis covers detection of message and event hooks, inspection of the USER
object handle tables, extraction of data from the Windows clipboard, and various additional topics. You will also read through some in-depth case studies that leverage memory forensics and highlight the unique ability of the Volatility Framework to detect malicious code in RAM.
Window Message Hooks
Applications can place hooks into the Windows GUI subsystem to customize the user experience, receive notification when certain actions take place, or record everything the user does—for example, to create a computer-based training (CBT) video. As you probably expected, this type of access and control is often exploited by malware to capture keystrokes, inject malicious dynamic link libraries (DLLs) into trusted processes, and perform other nefarious actions.
When a user presses a key, the system generates a WM_KEYDOWN
message and delivers it (along with additional information, such as the exact key, whether SHIFT
was down at the time, etc.) to the target window’s queue. The target window is usually the foreground window (in focus). When the message hits the queue, the thread that owns the window wakes up and processes the message—which could mean appending the typed character into a text edit field, taking some special action if the key is a “hot key,” or even just ignoring it. Figure 15-1 shows a ...
Get The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.