The task was to implement the system for protection against unauthorized data exchange via the Clipboard as well as to protect data from Print Screen operation.
It is a good example of the proactive Corporate Security Software functioning task.
In our solution user and application specific rules should be used for the system management. When forbidding rule is activated Warning Message should be inserted instead of the original content. This Warning Message should have the same type as the original content: text, unicode string, rtf, html.
Work with the Application Clipboard takes place at the different system levels: kernel level which works with a «raw» buffer and performs work with transactions; Microsoft COM object for the high level work with the clipboard, this object stores different representations of the buffer (image, text, unicode etc.); and finally each application can use its own Clipboard Exchange Manager to insert from the buffer to itself. As it is described below we had to organize work at all of these three levels.
The initial task was divided into 2 main stages: Copying Prohibition and Substitution of content by Warning Message.
At the first look the task of Copying Protection added up to the patching of NtUserSetClipboardData, NtUserGetClipboardData for the direct analysis and transition of data, and also implementation of the user-mode application for the creation and proceeding of necessary rules.
For this variant we would have got simple realization with minimum intruding into the system and its loading. But this variant also contained some important minuses: this solution didn’t intercept Print Screen operation and thus we should design a separate model for this purpose; this variant didn’t allow the substitution of content; some copying transactions were lost. Therefore described variant appeared to be insufficient for this problem.
The next variant included the patch of lower level functions, implementation of concept of the patch of user-mode processes in the kernel mode, realization of methods for editing the different representations of the content. This solution had the advantages: the general scheme of functions interception, including the work with Print Screen; implementation of substitution of text content feature.
To implement this variant the additional research of lower level functions were held, different operation systems were investigated from this point. Also there were some problems with driver verifier caused by the usage of the undocumented functions of the system. Here we stress again that that was a narrow implementation yet - only for basic text types of content.
After this implemented variant had been tested with various versions of the operating system a question about Content Substitution aroused.
To obtain access to the data in the Clipboard we had to patch the undocumented functions, for example _SetClipboardData. The problem consisted in different realization of these functions in the different operating systems with the subsequent collection of the unique ASM signatures.
When we were solving the task of the content substitution a number of additional difficulties appeared. Here are some of them:
- Each process has its own set of functions for working with the clipboard so we should monitor processes and patch all functions in the each process.
- Each session has its own clipboard so we should monitor sessions and analyze data accordingly to the session.
- As soon as we should analyze and substitute content in each process we needed a patch for the user mode processes in the kernel mode.
- As it was already mentioned some applications, such as Ms Office, use their own OLE clipboard which works sometimes even without the participation of the system clipboard. It caused the situation when some transaction could stayed principally unmonitored.
To implement the content substitution in the situation where OLE Clipboard was used we developed the patch of some special functions such as IsClipboardFormatAvailable, EnumClipboardFormats, GetPriorityClipboardFormat.
The matter was that an application to which the copying was performed decided itself what format of content representation should be taken from the OLE object. So for example when user copies an HTML page from Explorer we should insert a Unicode text (content or Warning Message) in Notepad.
Support of RDP resulted in the necessity of session monitoring and restructuring of storing of information about the clipboard usage. At the same time we had got a possibility to monitor all of operations with clipboard with taking into account OLE clipboard, RDP and multisessions. Unfortunately the processing of content type functions and content proprietor resulted in the visible load of the system.
In the resulting solution we implemented the combined scheme: it includes both the patch of low-level functions of the kernel mode for monitoring of copying and Print Screen operations and patch of API-functions of working with the clipboard in the user mode for the substitution of clipboard content and information about its type.
We also had to implement the dispatch of WM_DESTROYCLIPBOARD and WM_DRAWCLIPBOARD messages for providing of correct substitution of content during the work with some applications.
The user mode application was also developed to perform the work with monitoring and substituting rules. To minimize the loading of the system caused by the frequent requests to the user application from the driver the mechanism of cashing was implemented.
Visual Studio, Driver studio, IDA, Windbg, ProcMon, APISpy32, own driver lib in C++, XML editor.