
This question, "Receive Windows Messages in a Service", addresses the problem I have, and advises against creating a wndProc to avoid Shatter Attacks. The problem is that I have a Windows application I want to convert to a service that uses Asynchronous Winsock, and therefore requires a wndProc to operate.

Given that I don't care about showing the window, will the following make it secure against shatter attacks? I copy the wndProc over as is, but replace the default handler (currently the call to DefWindowProc()) with a simple return 0;.

dgnuff
  • Another possible attack vector is SetWindowsHook(). Can that attack a wndProc in a service? – dgnuff Sep 11 '14 at 15:54
  • Asking for security advice on an Internet Q+A site is a rather unwise way to go about it. Basic approaches are realizing that there's just no point in async winsock because services do not have a user interface, using a message only window that can't be enumerated, relying on session 0 isolation and not worrying about it because UIPI already blocks this. – Hans Passant Sep 11 '14 at 16:07

1 Answer


Unless marked "interactive", each service runs in its own window station, so shatter attacks against the service itself are not an issue unless your code does something odd like changing the window station association or messing with the permissions on the window station and/or desktop.

In other words, you don't need to change anything; just make sure that you don't set the "interactive" flag when installing the service. The answer you refer to is misleading in this respect.

(Even if the "interactive" flag is set, the risk is severely restricted in Windows Vista and later by session 0 isolation; a shatter attack would only be possible if untrusted code is running in the context of a less privileged service, or if a less privileged service has been successfully compromised by an attacker.)

Harry Johnston