
One technique for protecting against input emulation by automation tools like AutoIt or ACTools, which are used by most simple game bot programs, is using SetWindowsHookEx with the WH_KEYBOARD_LL flag. This solution is not a silver bullet and (for example) the bot software can use a PS/2 driver to emulate hardware input. In this question, let's assume that the PS/2 problem has already been solved.

WH_KEYBOARD_LL installs a hook procedure that monitors low-level keyboard input events. For more information, see the LowLevelKeyboardProc hook procedure.

WH_KEYBOARD_LL is used (instead of WH_KEYBOARD) because only LowLevelKeyboardProc receives a pointer to KBDLLHOOKSTRUCT with the event-injected flag, context code, and transition-state flag. The sample protection code is quite simple:

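```cpp
#include <windows.h>

static HHOOK _hookKeybrd = NULL;  // handle returned by SetWindowsHookEx

LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam) {
  // Negative codes must be passed on without further processing.
  if (code < 0)
    return CallNextHookEx(_hookKeybrd, code, wParam, lParam);

  KBDLLHOOKSTRUCT& ll = *(KBDLLHOOKSTRUCT*)lParam;
  if (ll.flags & LLKHF_INJECTED)
    return 1; // emulation case: swallow the injected event

  return CallNextHookEx(_hookKeybrd, code, wParam, lParam);
}
// ...
// Keep the returned handle: KeyboardProc passes it to CallNextHookEx.
_hookKeybrd = SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardProc, GetModuleHandle(NULL), 0);
```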

But if an application uses this code, it should be system-wide.

Questions:

  • Is there any way to limit this to a specific application?
  • Are there any other ways to prevent input emulation in a specific application?
  • Which way are you looking to limit it to a specific application? From a developer point of view? If you're the developer, you could use DLL injection and use SetWindowsHookEx with WH_KEYBOARD for the local process rather than global like WH_KEYBOARD_LL. – Paul Feb 01 '16 at 09:43
  • I mean, if my application filters input from the system (and other software), is there any way to filter input sent from a specific application? For example, input from a remote terminal is allowed but input from unknown software is disallowed. Also, WH_KEYBOARD does not contain any information about the nature of the input. WH_KEYBOARD_LL allows differentiating software generated input from software generated. – Nick Bondarenko Feb 01 '16 at 09:48
  • I'm putting this in a comment because being wrong in a comment is MUCH less embarrassing than being wrong in an answer. What about the null hypothesis? If I can show that you can't stop an emulation from happening, then the answer would be that you can't stop everything. SetWindowsHookEx can't detect joystick input. And joystick input can't be blocked. Joystick input via WM_INPUT isn't in the same format as keyboard input anyway, so it doesn't matter whether you use different methods to detect them. What if you create a joystick profile that emulates a keyboard http://joytokey.net/en/ – Everett Feb 02 '16 at 05:20
  • SetWindowsHookEx can detect joystick input because it is sent like software mouse/keyboard input. Also, joytokey can be blocked by disabling their driver. Anyway, using SetWindowsHookEx stops most middle-level attackers. – Nick Bondarenko Feb 02 '16 at 08:51
  • @misterion Does it matter if it's an impractical solution? – Mark Buffalo Feb 05 '16 at 03:10
  • @MarkBuffalo No, it does not matter. – Nick Bondarenko Feb 05 '16 at 08:08
  • @misterion Does the application already use `SetWindowsHookEx`? Or do you expect it to be injected? – Mark Buffalo Feb 05 '16 at 12:28
  • We already use this solution to prevent all types of software emulation input in the application. – Nick Bondarenko Feb 05 '16 at 13:33
  • @misterion Okay, if I understand you correctly, you already have a solution to the problem, but you want to see if others can come up with the same solution? – Mark Buffalo Feb 05 '16 at 21:40
  • @MarkBuffalo No, I mean we already use the code in the sample from my question but want to prevent all software, not from all applications. For example, do not block input from software like TeamViewer or Radmin. – Nick Bondarenko Feb 06 '16 at 11:47
  • It's possible. You need to inject checking code into every single running process, and you need to get there before anything else. You can also sandbox every app and do that. – Mark Buffalo Feb 06 '16 at 14:42
  • @MarkBuffalo This is not always possible - you can prevent SetWindowsHook in your application and this check does not work :( So I'd at least in theory want to understand whether it is possible without injecting into every process. Any way - with drivers, with kernel patching. Any ways to do this. – Nick Bondarenko Feb 08 '16 at 07:36

0 Answers
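One way to narrow the effect of the hook from the question, shown as an added example that is not part of the original post: the WH_KEYBOARD_LL hook itself stays global, but injected events are dropped only while the hooking process owns the foreground window. The names `should_block`, `ScopedKeyboardProc`, `install_scoped_hook` and `g_hook` are hypothetical; the approach does not tell which program injected an event, because KBDLLHOOKSTRUCT has no field identifying the sending process.

```c
/* Added example: keep the policy separate from the Win32 hook plumbing so it
 * can be compiled and checked on any platform. */
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#endif
#ifndef LLKHF_INJECTED
#define LLKHF_INJECTED 0x00000010 /* value from winuser.h */
#endif

/* Policy: drop an event only if it is marked injected AND our own process
 * owns the foreground window. Everything else passes through, so input to
 * other applications is never filtered by this hook. */
int should_block(uint32_t flags, uint32_t foreground_pid, uint32_t own_pid)
{
    return (flags & LLKHF_INJECTED) != 0 && foreground_pid == own_pid;
}

#ifdef _WIN32
static HHOOK g_hook; /* hypothetical name */

static LRESULT CALLBACK ScopedKeyboardProc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code == HC_ACTION) {
        const KBDLLHOOKSTRUCT *ll = (const KBDLLHOOKSTRUCT *)lParam;
        DWORD fg_pid = 0; /* stays 0 when there is no foreground window */
        HWND fg = GetForegroundWindow();
        if (fg != NULL)
            GetWindowThreadProcessId(fg, &fg_pid);
        if (should_block(ll->flags, fg_pid, GetCurrentProcessId()))
            return 1; /* swallow the injected event */
    }
    return CallNextHookEx(g_hook, code, wParam, lParam);
}

/* The installing thread must run a message loop for the hook to be called. */
int install_scoped_hook(void)
{
    g_hook = SetWindowsHookEx(WH_KEYBOARD_LL, ScopedKeyboardProc,
                              GetModuleHandle(NULL), 0);
    return g_hook != NULL;
}
#endif
```
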