
I do own Kaspersky Internet Security (KIS) and BestCrypt Volume Encryption (BCVE) (unrelatedly) and both offer some mechanism (KIS) to "protect my passwords while I enter them". Kaspersky primarily does it when I use my browser while BCVE offers this only when entering the password that protects data volumes.

Also, Kaspersky's solution doesn't really change any behavior in any way that I could notice, while BCVE effectively blocks my password manager (KeePass) from entering the password for me. A similar strange behavior applies when I enter the self-protection password for Kaspersky to change its settings.

So my question is now:
How does (/can) this password protection "technology" work (conceptually)?

The only way(s) I can imagine this works is by temporarily disabling the keyboard hook system in Windows as well as enforcing the clipboard to be empty, but I think they do more (in a clever way).

SEJPM

Related: [How secure is “Secure Keyboard Entry” in Mac OS X's Terminal?](https://security.stackexchange.com/q/47749/32746) (equivalent feature tightly integrated within the OS X operating system). – WhiteWinterWolf Sep 10 '16 at 13:57

1 Answer


It's all a matter of API level: if you intercept an event using a (usually privileged) low-level API, you are then able to hide it from higher-level (unprivileged) APIs.

Thus, these two solutions most likely rely on low-level APIs to intercept keystroke events so they remain undetected by key loggers (hopefully) relying on higher-level APIs.

In the case of BCVE, their own screen seems pretty self-documenting and explicitly confirms the technique used: "Anti-Keylogger uses low-level Windows functions".

In this case, the implementation is relatively easy since BCVE can directly use the captured keystrokes destined for itself. The thing is a bit more tricky for Kaspersky since captured keystrokes must then somehow be sent to an HTML form field in a standard browser.

To implement this, Kaspersky injects a JavaScript file into the user's web pages. This script then acts as a client and contacts a Kaspersky service running locally. This allows the script to fetch the keystrokes as they come and fill the protected input field accordingly, thus effectively bypassing the standard keyboard input stack.

Here is some information from Kaspersky people confirming this, but it seems that they do not publish a lot of documentation regarding their products' internals.

WhiteWinterWolf
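
A toy model of the API-level argument in the answer above, added here as an illustration; it is not code from the post, from BCVE or from Kaspersky. The class names, the `simulate` helper and the assumption that injected (auto-typed) input enters above the low-level filter are hypothetical simplifications.

```python
# Toy model of a layered keyboard input stack. Constructed for illustration:
# not Windows internals and not BCVE or Kaspersky code.

class ProtectedField:
    """Hypothetical privileged consumer sitting at the lowest layer."""
    def __init__(self, active):
        self.active = active
        self.buffer = []

    def consume(self, ch):
        if not self.active:
            return False        # protection off: let the event travel upward
        self.buffer.append(ch)  # keep the keystroke for the owning application
        return True             # swallow it so higher layers never see it


class InputStack:
    def __init__(self, low_filter, high_observers):
        self.low_filter = low_filter
        self.high_observers = high_observers  # lists fed by a higher-level API

    def hardware_key(self, ch):
        # Physical keystrokes enter at the bottom, below every observer.
        if not self.low_filter.consume(ch):
            self._deliver_high(ch)

    def injected_key(self, ch):
        # Assumption of this model: synthetic input (auto-type) enters above
        # the low-level filter, so the filter never gets to consume it.
        self._deliver_high(ch)

    def _deliver_high(self, ch):
        for log in self.high_observers:
            log.append(ch)


def simulate(text, protected, injected=False):
    """Return (what a high-level observer saw, what the protected field got)."""
    field = ProtectedField(active=protected)
    observer = []
    stack = InputStack(field, [observer])
    send = stack.injected_key if injected else stack.hardware_key
    for ch in text:
        send(ch)
    return "".join(observer), "".join(field.buffer)


if __name__ == "__main__":
    for protected, injected in [(False, False), (True, False), (True, True)]:
        print(protected, injected, simulate("s3cret", protected, injected))
```

In this model the third case shows the limit of the approach: input that enters above the filter stays visible to the higher-level observer and never reaches the protected field.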