The death of shatter attacks?
From: Mohsen Hariri (mohsen_hariri@yahoo.com) Date: 10/31/02
- Previous message: Jarrod Frates: "RE: Priviledge escalation attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Oct 2002 22:56:06 -0800 (PST) From: Mohsen Hariri <mohsen_hariri@yahoo.com> To: focus-ms@securityfocus.com
Hi
Windows XP Service Pack 1 seems to have fixed the
WM_TIMER message bug, which was the basis for all
shatter attacks.
How was it fixed? As Matt Pietrek wrote in his
1997 MSJ article, a list of all registered timer
functions is saved, and any WM_TIMER message is
checked against that list.
I traced the DispatchMessage API and found a function
named _NtValidateCallbackProc which seems to do the
checking (you need to have XP SP1 debug symbols
installed to see its name). The attached program shows
how a timer function is validated.
MSJ article address:
http://www.microsoft.com/msj/defaultframe.asp?page=/msj/0397/hood/hood0397.htm&nav=/msj/0397/newnav.htm
bye
-------------
Mohsen Hariri
// settimer.cpp : show the death of shatter attacks!
// programmed by : Mohsen Hariri (mohsen_hariri@yahoo.com)
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

// Dummy timer callback; it only needs to exist so it can be registered
// with SetTimer and then checked by the validation routine.
VOID CALLBACK MyTimerProc(HWND, UINT, UINT_PTR, DWORD)
{
    return;
}

int _tmain(int argc, _TCHAR* argv[])
{
    // _NtValidateCallbackProc is not exported, so it is reached through a
    // hard-coded address. That address is only valid for Windows XP SP1
    // (32-bit user32.dll with XP SP1 debug symbols).
    DWORD (WINAPI *_NtValidateCallbackProc)(HWND, WPARAM, LPARAM);
    *(DWORD *)(&_NtValidateCallbackProc) = 0x77D442F4;

    // Touch user32.dll before using the address: _NtValidateCallbackProc
    // lives in that module, so it must already be mapped.
    IsWindow(NULL);

    // If you comment out this line, the timer proc is no longer valid,
    // because it never entered the list of registered timer functions.
    SetTimer(NULL, 0, 0x10000, (TIMERPROC)MyTimerProc);

    DWORD ret = _NtValidateCallbackProc(NULL, 10, (LPARAM)MyTimerProc);
    if (ret)
        printf("TimerProc is valid.\n");
    else
        printf("TimerProc is not valid.\n");

    return 0;
}
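The check the post describes, modeled in portable C as an added example (it is not the author's attached program and not Windows code): a WM_TIMER callback runs only if it was recorded when the timer was created, so a message carrying an arbitrary function pointer is dropped. All names here are hypothetical.

```c
/* Model of the SP1-style WM_TIMER fix: callbacks registered at SetTimer
   time are remembered, and dispatch refuses any callback not in that list. */
#include <stddef.h>

typedef void (*timer_proc_t)(unsigned int id);

#define MAX_TIMERS 16

typedef struct {
    unsigned int id;
    timer_proc_t proc;
} timer_entry_t;

static timer_entry_t g_timers[MAX_TIMERS];   /* registered timer list */
static size_t g_timer_count;

/* Stands in for SetTimer(): record the callback so it can be validated later. */
int register_timer(unsigned int id, timer_proc_t proc) {
    if (proc == NULL || g_timer_count >= MAX_TIMERS) return 0;
    g_timers[g_timer_count].id = id;
    g_timers[g_timer_count].proc = proc;
    g_timer_count++;
    return 1;
}

/* Stands in for the validation step: 1 if proc is a registered timer
   function, 0 otherwise. */
int validate_timer_proc(timer_proc_t proc) {
    for (size_t i = 0; i < g_timer_count; i++)
        if (g_timers[i].proc == proc) return 1;
    return 0;
}

/* Dispatch of a WM_TIMER whose lParam names a callback. Before the fix the
   pointer was called unconditionally; here it is validated first. */
int dispatch_wm_timer(unsigned int id, timer_proc_t proc) {
    if (!validate_timer_proc(proc)) return 0;   /* message dropped */
    proc(id);
    return 1;
}

/* Constructed demo: one registered callback, one that never was. */
static int g_calls;
static void legit_proc(unsigned int id) { (void)id; g_calls += 1; }
static void unregistered_proc(unsigned int id) { (void)id; g_calls += 100; }

int run_demo(void) {
    g_timer_count = 0; g_calls = 0;
    register_timer(1, legit_proc);
    dispatch_wm_timer(1, legit_proc);          /* runs: g_calls becomes 1 */
    dispatch_wm_timer(1, unregistered_proc);   /* refused: no change */
    return g_calls;                            /* 1 */
}
```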