KR101057474B1 - How to prevent user information leak by screen hack - Google Patents

Abstract

The present invention relates to a method of preventing user information leakage by screen hacking, and in particular, by providing a user interface independent from the operating system, preventing user information leakage by screen hacking to securely protect user information from screen hacking through the operating system. It is about a method.

The method for preventing user information leakage by screen hacking according to the present invention is performed by a virtual interface module on a network-accessible computer, and whether a cursor is positioned on an edit box of a web page displayed on a screen by a browser. (A) determining; (B) if the cursor is located on the edit box, controlling a video interface on behalf of an operating system to display a virtual keyboard including a fake edit box on a screen; (C) controlling the browser to display fake information through the fake edit box instead of information input by the user through the virtual keyboard; And (d) controlling the browser to transmit information input by the user through the virtual keyboard to the website.

Browser, BHO, Screen Hack, Security, Operating System, Virtual Keyboard, Overlay, Hooking

Description

Method for preventing user information leakage by screen hacking {method for preventing user information from hacking}

The present invention relates to a method of preventing user information leakage by screen hacking, and in particular, by providing a user interface independent from the operating system, preventing user information leakage by screen hacking to securely protect user information from screen hacking through the operating system. It is about a method.

Today, the proliferation of personal computers (PCs) and the spread of the Internet have led to the popularization of Internet use. In recent years, the commercialization of 'Wireless Internet' (WiBro or WiMax), a wireless Internet service that provides high-speed Internet access even during stationary or low-speed travel at an ADSL level of quality and cost, has helped to widen the range of use of the Internet. In other words, the virtual world implemented on-line becomes a huge sea of information that can easily and quickly share a variety of information anytime, anywhere.

According to such popularization of the Internet, various financial and product transactions are actively performed through the Internet. However, behind the scenes, hacking into other computer systems and extracting information is becoming increasingly intelligent. In particular, hacking to extract user information is the most serious in that the e-commerce order can be destroyed.

Accordingly, the computer is provided with various security programs for preventing hacking from the outside through the network, for example, a keyboard security program for encrypting important data input by the user using the keyboard.

On the other hand, as is well known, an operating system allows applications to be connected to hardware in a computer, i.e., memory or an interface (e.g., keyboard, monitor, LAN card, etc.). In other words, various applications installed on a computer, that is, a security program, perform their functions on the basis of an operating system.

If so, if a hacking program is given access to user information known by the operating system, there is no guarantee that any security program can keep the user's information secure.

After all, according to the conventional security program, there is a problem that the user information input through the keyboard is not free from the risk of hacking. Of course, the user information can be protected by a virtual keyboard program that allows the user to input the user information indirectly using a mouse. However, since the interface screen by the virtual keyboard is also output by the operating system, it can never be free from hacking through screen capture.

The present invention has been made to solve the above-described problems, by allowing the user to input information to the web browser through a virtual keyboard that does not capture the screen, thereby ensuring that the user information is safely protected from screen hacking through the operating system Its purpose is to provide a method for preventing user information leakage by screen hacking.

In order to achieve the above object, a method of preventing user information leakage by screen hacking according to the present invention is performed by a virtual interface module on a network-accessible computer, and is an edit box of a web page displayed on a screen by a browser. (A) determining whether a cursor is positioned on the image; (B) if the cursor is located on the edit box, controlling a video interface on behalf of an operating system to display a virtual keyboard including a fake edit box on a screen; (C) controlling the browser so that fake information is displayed through the fake edit box instead of information input by the user through the virtual keyboard; and transmitting information input by the user through the virtual keyboard to the website. (D) controlling the browser.

The step (a) may include finding an edit box in a web page displayed on the screen by a browser, and determining whether a cursor is located on the found edit box.

In step (b), when the cursor is located on the edit box, the step (b) of controlling the browser to display a message window for asking the user whether to execute the security input and the user to open the message window. In the case of clicking, the method may include controlling the video interface on behalf of the operating system to display a virtual keyboard including a fake edit box on the screen.

The step (d) may include encrypting information input by the user through the virtual keyboard, and controlling the browser to transmit the encrypted information to the website.

The method of preventing leakage of user information by screen hacking according to the present invention further includes the step of controlling the video interface on behalf of the operating system to display the information input by the user through the virtual keyboard on the fake edit box displayed on the screen. Can be done.

The method of preventing leakage of user information by screen hacking according to the present invention may further include controlling the browser such that fake information is displayed through the edit box instead of information input by the user through the virtual keyboard.

According to the method of preventing user information leakage by the screen hacking of the present invention, by controlling the video interface independently of the operating system to output a virtual interface screen and receiving information input from the user by using the virtual interface screen, Even if hacked, since the virtual interface screen cannot be monitored, user information is secured.

Hereinafter, a method of preventing user information leakage by screen hacking according to a preferred embodiment of the present invention with reference to the accompanying drawings will be described in detail.

First, a method for preventing user information leakage by screen hacking according to the present invention may be performed by a desktop or notebook computer, and the functions and configurations of known computers will be briefly described with reference to FIG. 1.

1 is a block diagram of a computer device (hereinafter referred to as a user information security device) that performs a method for preventing user information leakage by screen hacking according to the present invention.

As shown in FIG. 1, a user information security device according to an embodiment of the present invention may include a central processing unit (CPU) 100, a system bus 300, a main memory unit 400, and a peripheral device. (peripheral device), and various types of interfaces connecting the peripheral device and the central processing unit 100 can be made.

In the above-described configuration, the main memory unit 400 provides the central processing unit 100 with the ROM 410 and the operating system 421 in which the BIOS 412 is stored, various application programs, and various data. It may be configured as a RAM 420 for storing the processing result by the unit 100.

The peripheral device may include an output unit, an input unit, a secondary memory unit, and a network connection unit 542 for connection with the Internet 544. Here, a monitor 600, a speaker 532, a printer 534, etc. are representative for the output unit, and a keyboard 522, a mouse 524, a scanner, etc. are representative for the input unit, and a hard disk (for the auxiliary storage unit). 510, a floppy disk 514 and an optical disk 518, and the like, the network connection unit 542 is a typical modem or LAN card.

Here, the hard disk 510 includes a virtual interface module that controls the video interface 200 independently of the operating system 421, the general application program 422 assigned with screen resources by the operating system 421, and the operating system 421 ( 426 and the virtual keyboard module 424 allocated to the screen resource by the virtual interface module 426 rather than the operating system 421 may be stored.

In detail, the virtual interface processing module 426, which is a feature of the present invention, controls another video interface 200 independently of the operating system 421 in outputting a screen according to the execution of the virtual keyboard module 424. To be the operating system for the output.

In addition, the operating system 421 is loaded into the RAM 420 from the hard disk 510 and started as the computer system is booted. For example, the operating system 421 may be a Windows that supports a Graphical User Interface (GUI) and a multitasking environment.

In addition, the general application program 422, the virtual keyboard module 424, and the virtual interface module 426 are loaded and operated in the RAM 420 during execution.

The interface may include a video interface 200 connected with the monitor 600, a HDD interface 500 connected with the hard disk 510, a drive interface 510 connected with the magnetic disk drive 512 or an optical disk drive 516, An input interface 520 connected to the keyboard 522 and a mouse 524, an output interface 530 connected to the speaker 532 or the printer 534, and a network interface 540 connected to the network connection unit 542. It may be made, including.

Video interface 200, often referred to as a graphics card, includes a graphics processor unit 210, video memory 220, random access memory digital to analog convert (RAMDAC) 240, and monitor 600. It may include an output port 230 connected to.

Here, the graphics processing unit 210 serves as a graphics acceleration function for solving the bottleneck caused by the graphics work of the central processing unit 100, and controls the operation of the video interface 200 and the processing of the graphic data. In charge.

In addition, the graphic processing unit 210 performs a video overlay (hereinafter, referred to as an “overlay”) using the graphic acceleration function described above. Here, as is well known, the overlay means displaying a plurality of images by overlapping them, and splitting the images and outputting them to the monitor 600.

In addition, the video memory 200 serves as a frame buffer for temporarily storing image information to be displayed on the monitor 600. Since each storage unit of the frame buffer corresponds to one pixel on the screen, the larger the capacity of the video memory 200, the higher the resolution.

In addition, the RAM DAC 240 converts digital information stored in the video memory 200 into analog information and outputs the analog information to the monitor 600.

Next, the function and configuration of the virtual interface module 426 according to the characteristic aspect of the present invention will be described in detail with reference to Figs.

2 is a view showing a screen displayed by the user information security device according to an embodiment of the present invention.

As shown in FIG. 2, the video memory 220 is an area allocated for screen display of the operating system 421 or the general application program 422, and a general area 222 and a virtual area in which the general screen data 224 is stored. An area allocated for screen display of the keyboard module 424 may be divided into an overlay area 226 in which the virtual interface screen data 228 is stored.

The video interface 200 monitors the general screen data 224 stored in the general area 222, such as the desktop data 612 and the general application screen data 614, under the control of the operating system 421. ) To provide.

In addition, the video interface 200 may control a virtual interface screen stored in the overlay area 226 so that a part of the screen of the monitor 600 may be replaced with the screen of the virtual keyboard module 424 under the control of the virtual interface module 426. The data 228 is provided to the monitor 600. Accordingly, the virtual interface screen 616 by the virtual interface module 426 may be displayed on the top of the monitor 600.

That is, the virtual interface module 426 according to the characteristic aspect of the present invention provides the virtual interface screen 616 independently of the operating system 421 using the overlay area 226 of the video memory 220. In other words, the overlay area 226 of the video memory 220 is used as an independent video output channel for displaying the virtual interface screen. The virtual interface screen 616 may be a screen configuration such as a virtual interface background image 616a, an input box 616b for data input, a control box 616c for screen control, and a virtual keyboard box 616d. Can be.

As a result, the operating system 421 may not know what is output on the virtual interface screen 616. In other words, the virtual keyboard module 424 operates in an inactive state from the standpoint of the operating system 421. Therefore, when a user performs a print screen or requests a screen output from the external network to the operating system 421 to the monitor 600, the operating system 421 only provides general screen data 612 and 614.

3 is a block diagram illustrating a function and configuration of a virtual interface module according to a characteristic aspect of the present invention in a user information security device according to the present invention.

As shown in FIG. 3, the general screen data according to the execution of the browser 422a, that is, the document 224 received by the browser from the website, is monitored through the video driver 427 that controls the general area 222. 600). More specifically, first, the browser 422a downloads image information to be output to the monitor from a website. Then, the operating system 421, for example, Windows transfers the image information to the display device interface (DDI) by using a graphics device interface (GDI). Accordingly, the DDI transfers the image information to the video driver 427 according to the priority. As a result, the graphic processing unit 210 stores the image information received from the video driver 427 in the general area 222.

On the other hand, as shown in FIG. 3, the virtual interface screen data 228 according to the execution of the virtual keyboard module 424 is output to the monitor 600 through the overlay driver 428 controlling the overlay area 226. . More specifically, first, the virtual keyboard module 424 generates image information (virtual keyboard) to be output to the monitor. Then, the virtual interface module 426 is received from the virtual keyboard module 424 by using an application program interface (API) that allows direct control to the video interface 200 without passing through the operating system 421. The virtual keyboard is passed to the overlay driver 428. As a result, the graphics processing unit 210 stores the virtual keyboard received from the overlay driver 428 in the overlay area 228. Here, the virtual interface module 426 is an API that can directly control the video interface 200 and use the graphic acceleration function of the video interface 200. For example, the virtual interface module 426 may use DirectDraw, DirectShow, OpenGL, or Glide SDK. In addition, the positions of the keys of the virtual keyboard may change randomly every time they are displayed.

Meanwhile, as shown in FIG. 3, the virtual interface module 426 of the present invention includes a video interface control module 426a, a message processing module 426b, an encryption module 426c, and a BHO (Browser Helper Object). Module 426d.

The operating system 421 receives an event generated by the user input interface 520, the network interface 540, or another interface and generates a corresponding message.

Then, the message processing module 426b hooks a message generated by the operating system 421, and if the hooked message is related to the virtual keyboard module 424, the message processing module 426b or the video is processed. If the message is transmitted to the interface control module 426a and is not a related message of the virtual keyboard module 424, it is bypassed back to the operating system 421.

The virtual keyboard module 424 randomly generates the key positions of the virtual keyboard according to the message received from the message processing module 426b and provides them to the video interface control module 426a. Accordingly, the position of the keys changes every time the virtual keyboard is displayed. Here, a random function for randomizing the key position is as follows.

unit MT19937;

{$ R-} {range checking off}

{$ Q-} {overflow checking off}

interface

{Period parameter}

Const

  MT19937 N = 624;

Type

  tMT19937StateArray = array [0..MT19937N-1] of longint; // the array for the state vector

procedure sgenrand_MT19937 (seed: longint); // Initialization by seed

procedure lsgenrand_MT19937 (const seed_array: tMT19937StateArray); // Initialization by array of seeds

procedure randomize_MT19937; // randomization

function randInt_MT19937 (Range: longint): longint; // integer RANDOM with positive range

function genrand_MT19937: longint; // random longint (full range);

function rand Float_MT19937: Double; // float RANDOM on 0..1 interval

implementation

{Period parameters}

const

  MT19937M = 397;

  MT19937MATRIX_A = $ 9908b0df; // constant vector a

  MT19937UPPER_MASK = $ 80000000; // most significant w-r bits

  MT19937LOWER_MASK = $ 7fffffff; // least significant r bits

{Tempering parameters}

  TEMPERING_MASK_B = $ 9d2c5680;

  TEMPERING_MASK_C = $ efc60000;

VAR

  mt: tMT19937StateArray;

 mti: integer = MT19937N + 1; // mti = MT19937N + 1 means mt [] is not initialized

{Initializing the array with a seed}

procedure sgenrand_MT19937 (seed: longint);

var

  i: integer;

begin

  for i: = 0 to MT19937N-1 do begin

    mt [i]: = seed and $ ffff0000;

    seed: = 69069 * seed + 1;

    mt [i]: = mt [i] or ((seed and $ ffff0000) shr 16);

    seed: = 69069 * seed + 1;

  end;

  mti: = MT19937N;

end;

{

   Initialization by "sgenrand_MT19937 ()" is an example. Theoretically,

   there are 2 ^ 19937-1 possible states as an intial state.

   This function (lsgenrand_MT19937) allows to choose any of 2 ^ 19937-1 ones.

   Essential bits in "seed_array []" is following 19937 bits:

      (seed_array [0] & MT19937UPPER_MASK), seed_array [1], ...,

 seed_array [MT19937-1].

      (seed_array [0] & MT19937LOWER_MASK) is discarded.

   Theoretically,

 (seed_array [0] & MT19937UPPER_MASK), seed_array [1], ...,

 seed_array [MT19937N-1]

   can take any values except all zeros.

}

procedure lsgenrand_MT19937 (const seed_array: tMT19937StateArray);

VAR

  i: integer;

begin

  for i: = 0 to MT19937N-1 do mt [i]: = seed_array [i];

  mti: = MT19937N;

end;

function genrand_MT19937: longint;

const

  mag01: array [0..1] of longint = (0, MT19937MATRIX_A);

var

  y: longint;

  kk: integer;

begin

  if mti> = MT19937N {generate MT19937N longints at one time}

  then begin

     if mti = (MT19937N + 1) then // if sgenrand_MT19937 () has not been called,

       sgenrand_MT19937 (4357); // default initial seed is used

     for kk: = 0 to MT19937N-MT19937M-1 do begin

        y: = (mt [kk] and MT19937UPPER_MASK) or (mt [kk + 1] and MT19937LOWER_MASK);

        mt [kk]: = mt [kk + MT19937M] xor (y shr 1) xor mag01 [y and $ 00000001];

     end;

     for kk: = MT19937N-MT19937M to MT19937N-2 do begin

       y: = (mt [kk] and MT19937UPPER_MASK) or (mt [kk + 1] and MT19937LOWER_MASK);

       mt [kk]: = mt [kk + (MT19937M-MT19937N)] xor (y shr 1) xor mag01 [y and $ 00000001];

     end;

     y: = (mt [MT19937N-1] and MT19937UPPER_MASK) or (mt [0] and MT19937LOWER_MASK);

     mt [MT19937N-1]: = mt [MT19937M-1] xor (y shr 1) xor mag01 [y and $ 00000001];

     mti: = 0;

  end;

  y: = mt [mti]; inc (mti);

  y: = y xor (y shr 11);

  y: = y xor (y shl 7) and TEMPERING_MASK_B;

  y: = y xor (y shl 15) and TEMPERING_MASK_C;

  y: = y xor (y shr 18);

  Result: = y;

end;

{Delphi interface}

procedure Randomize_MT19937;

Var OldRandSeed: longint;

begin

  OldRandSeed: = System.randseed; // save system RandSeed value

  System.randomize; // randseed value based on system time is generated

  sgenrand_MT19937 (System.randSeed); // initialize generator state array

  System.randseed: = OldRandSeed; // restore system RandSeed

end;

// bug fixed 21.6.2000.

Function RandInt_MT19937 (Range: longint): longint;

// EAX <-Range

// Result-> EAX

asm

  PUSH EAX

  CALL genrand_MT19937

  POP EDX

  MUL EDX

  MOV EAX, EDX

end;

function RandFloat_MT19937: Double;

const Minus 32: double = -32.0;

asm

  CALL genrand_MT19937

  PUSH 0

  PUSH EAX

  FLD Minus32

  FILD qword ptr [ESP]

  ADD ESP, 8

  FSCALE

  FSTP ST (1)

end;

end.

That is, the virtual keyboard module 424 generates a virtual keyboard by using the random function, and the program source thereof is as follows, for example.

uses

  MT19937;

const

  // image coordinates

  arrImagePoint: array [0..9] of TPoint = ((x: 15; y: 73), (x: 59; y: 73), (x: 103; y: 73),

                                            (x: 15; y: 110), (x: 59; y: 110), (x: 103; y: 110),

                                            (x: 15; y: 147), (x: 59; y: 147), (x: 103; y: 147),

                                                           (x: 59; y: 184)

                                        );

var

  // button setting flag

  numFlag: array [0..9] of Boolean;

  // number button control (0 ~ 9)

  TBtnNum: array [0..9] of TOverImgButton;

// find the location of the uninitialized button

function zHanaBank_Main_GetRandIdx (idx: Integer): Integer;

var

  i: Integer;

begin

  if (numFlag [idx] = False) then begin

    numFlag [idx]: = True;

    Result: = idx;

    exit;

  end;

  for i: = idx + 1 to 9 do begin

    if (numFlag [i] = False) then begin

      numFlag [i]: = True;

      Result: = i;

      exit;

    end;

  end;

  for i: = 0 to idx-1 do begin

    if (numFlag [i] = False) then begin

      numFlag [i]: = True;

      Result: = i;

      exit;

    end;

  end;

  Result: = 0;

end;

--- This part randomly handles numbers from 0 to 9 ---

// set button position

procedure zHanaBank_Main_NumRandomCreate ();

var

  i: Integer;

  randNum: Integer;

begin

  // Set button activation initial value

  for i: = 0 to 9 do begin

    numFlag [i]: = False;

  end;

  // initialize random value

  MT19937.randomize_MT19937;

  for i: = 0 to 9 do begin

    // get random value between 0 and 9

    randNum: = MT19937.randInt_MT19937 (9);

    // check for duplicate random values

    randNum: = zHanaBank_Main_GetRandIdx (randNum);

    // set button position

    TBtnNum [i] .Position.X: = arrImagePoint [randNum] .X;

    TBtnNum [i] .Position.Y: = arrImagePoint [randNum] .Y;

  end;

end;

The video interface control module 426a controls the overlay driver 428 based on the processing result of the message processing module 426b, the virtual keyboard generated by the virtual keyboard module 424, and information input by the user through the virtual keyboard. To the video interface 200.

The encryption module 426c encrypts the information input by the user through the virtual keyboard. For example, when the decryption module is mounted on the web site providing the document to the browser 422a, the user's input information is encrypted.

The BHO module 426d searches for an edit box in the document of the website displayed on the screen by the browser 422a, determines whether the cursor is positioned on the retrieved edit box, and the cursor is edited. If it is located on the box, it displays a message window to ask the user whether the security input is executed, that is, whether the virtual keyboard is executed. As is well known, the BHO is a plug-in type COM object provided with a function function in Internet Explorer, and refers to a DLL (dynamic linking library) module.

4 is a flowchart for schematically illustrating a method for preventing user information leakage by screen hacking according to an embodiment of the present invention, and the subject of the description is a virtual interface module 426.

Next, in step S110, it is determined whether the video interface 200 supports the overlay or if the overlay resource is available, if the overlay is supported.

If it is possible to generate the overlay as a result of the determination in step S110, the flow proceeds to step S120 to generate the overlay. Creating overlays can be done using DirectX's DirectDraw, DirectShow, or OpenGL support libraries, for example.

On the other hand, if it is determined in step S110 that the overlay resource is not left even if the video interface 200 does not support or support the overlay function, the overlay error message is output by the control of the operating system 421 and the virtual interface module 426 Is terminated (step S130 and step S140).

After generation of the overlay, in step S150, global hooking of the operating system 421 is set. For example, in Windows, you can set up global hooking using APIs such as DirectDraw. Once global hooking is established, messages for all events occurring in the system are first and foremost received by the virtual interface module 426. Here, the program source for global hooking in the user mode (application) stage is as follows.

#include <windows.h>

#pragma data_seg (". kbdata")

HINSTANCE hModule = NULL;

HHOOK hKeyHook = NULL;

HWND hWndBeeper = NULL;

#pragma data_seg ()

#pragma comment (linker, "/SECTION:.kbdata,RWS")

// Hooking procedure handled when KeyDown, KeyUp event occurs

LRESULT CALLBACK KeyHookProc (int nCode, WPARAM wParam, LPARAM lParam)

{

 if (nCode == HC_ACTION)

 {

/////////////////////////////////////

        switch (wParam)

        {

            case WM_SYSKEYDOWN: Is this a keydown event?

              case WM_SYSKEYUP: Is this a keyup event?

}

        /////////////////////////////////////

  // block window key

   If (currently blocking?) {

      Send event for virtual interface processing

     Block keystrokes from reaching Windows message procedures return FALSE

   }

  Window event handling immediately because it is not blocking

 return CallNextHookEx (hKeyHook, nCode, wParam, lParam); // pass information to next event chain

}

extern "C" __declspec (dllexport) void InstallHook (HWND hWnd)

{

 hWndBeeper = hWnd;

hKeyHook = SetWindowsHookEx ((WH_KEYBOARD, KeyHookProc, hModule, NULL); // Set hooking with SetWindowsHookEx function for events of WH_KEYBOARD

}

extern "C" __declspec (dllexport) void UninstallHook ()

{

 UnhookWindowsHookEx (hKeyHook);

}

BOOL WINAPI DllMain (HINSTANCE hInst, DWORD fdwReason, LPVOID lpRes)

{

 switch (fdwReason) {

 case DLL_PROCESS_ATTACH:

  hModule = hInst; // store DII instance handle when first loading DII file

  break;

 case DLL_PROCESS_DETACH:

  break;

 }

 return TRUE;

}

Next, the global hooking source of the kernel stage is as follows.

#pragma PAGEDCODE

extern "C"

NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {

    for (int i = 0; i <arraysize (DriverObject-> MajorFunction); ++ i)

        // Set main function of system processing at the first loading of sys file

DriverObject-> MajorFunction [IRP_MJ_READ] = Ctrl2capDispatchRead; //

    return STATUS_SUCCESS;

} // DriverEntry

NTSTATUS AddDevice (IN PDRIVER_OBJECT DriverObject, IN PDEVICE_OBJECT pdo) {

    NTSTATUS status;

    PDEVICE_OBJECT fido;

    status = IoCreateDevice (DriverObject, sizeof (DEVICE_EXTENSION), NULL,

        GetDeviceTypeToUse (pdo), 0, FALSE, &fido);

if (! NT_SUCCESS (status))

    {// can't create device object

      return status;

    } // can't create device object

    PDEVICE_EXTENSION pdx = (PDEVICE_EXTENSION) fido-> DeviceExtension;

    Apply the keyboard filter driver location under \\ Device \\ KdbClass // Set the keyboard filter driver

    return status;

} // AddDevice

// Receive keyboard IRP event from subordinate driver

NTSTATUS ReadComplete (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context) {

    PIO_STACK_LOCATION IrpSp;

    PKEYBOARD_INPUT_DATA KeyData;

    // save passed IRP as structure information

    IrpSp = IoGetCurrentIrpStackLocation (Irp);

    if (NT_SUCCESS (Irp-> IoStatus.Status)) {

        KeyData = (PKEYBOARD_INPUT_DATA) Irp-> AssociatedIrp.SystemBuffer;

        numKeys = Irp-> IoStatus.Information / sizeof (KEYBOARD_INPUT_DATA);

        for (i = 0; i <numKeys; i ++) {// KeyDown, KeyEvent Handling Functions Handled When KeyUp Event Occurs

            // KeyData [i] .MakeCode-> key input code value

// KeyData [i] .Flags-> Keyboard up? Is it down?

// block window key

         If (currently blocking?) {

             Send event for virtual interface processing

             Block keystrokes from reaching Windows message procedures

KeyData [i]. MakeCode = 00;

         }

        Bypass because it is not blocking

}

}

    if (Irp-> PendingReturned) {

        IoMarkIrpPending (Irp);

    }

    return Irp-> IoStatus.Status;

}

4, when the initialization process for the virtual interface is completed as described above, the virtual interface screen 616 is displayed using the overlay function in step S160.

In operation S170, it is determined whether a message is generated by the operating system 421.

As a result of the determination in step S170, when the message is received, the process proceeds to step S180 to perform a filtering process for determining whether the currently received message is a virtual interface related message.

If it is determined in step S180 that the virtual interface related message is determined, the process proceeds to step S190 to perform a virtual interface related message processing. However, if the message is not related to the virtual interface, the flow proceeds to step S200 to transmit the message to the activated general application program 422.

In step S190, the message processing module 426b provides the attribute value of the filtered message to the virtual interface display module 426a. The video interface control module 426a may display the received message attribute value on the virtual interface screen 616. The message attribute value is also passed to the virtual keyboard module 424 so that the original program function of the virtual keyboard module 424 is performed. In addition, the video interface control module 426a displays the virtual keyboard provided from the virtual keyboard module 424 on the virtual interface screen 616.

5 is a flowchart illustrating a user information leakage prevention method by screen hacking according to an embodiment of the present invention in detail, Figures 6 to 11 is a virtual interface screen displayed by the user information security device of the present invention The figure shown.

As shown in FIG. 5, in operation S310, the network interface 540 transmits a login event received through the Internet 544 to the operating system 421.

Then, the operating system 421 executes the virtual keyboard module 424 and the virtual interface module 426 based on the login event (steps S320 and S330).

Accordingly, in operation S340, the virtual keyboard module 424 starts operation by the operating system 421 and generates login image information for outputting the monitor.

In operation S350, the virtual interface module 426 checks the overlay area 350 of the video interface 200 to confirm whether the overlay function is supported. In operation S360, it is determined whether an overlay for the virtual interface can be generated.

As a result of the determination in step S360, if generation of the overlay is not possible, the process proceeds to step S370 to transmit an error message to the operating system 421.

On the other hand, if it is determined in step S360 that the overlay can be generated, the control proceeds to step S380 to directly control the video interface 200 to output the virtual keyboard generated by the virtual keyboard module 424. Accordingly, in operation S390, the video interface 200 displays the virtual keyboard. For example, the virtual keyboard as shown in FIGS. 6 to 10 will be displayed through the monitor 600. That is, the user inputs his or her login information, internet banking information, or payment information through a virtual interface provided by the virtual interface module 426 using a mouse.

Meanwhile, in step S400, the virtual interface module 426 sets up global hooking. In this case, the message generated by the operating system 421 is firstly received by the virtual interface module 426 (step S410). Accordingly, in step S420, the virtual interface module 426 determines whether the received message is related to the virtual login.

As a result of the determination in step S420, if the message is not a virtual login message, the message is transmitted to the operating system 421 (step S430).

On the other hand, if it is determined in step S420 that the virtual login message is transmitted to the virtual keyboard module 424 (step S440). Then, the virtual keyboard module 424 processes the received message to generate a virtual keyboard (step S450), and provides it to the virtual interface module 426 (step S460).

Accordingly, in operation S470, the virtual interface module 426 controls the video interface 200 to output new image information. Accordingly, in operation S390, the video interface 200 outputs the image newly stored in the overlay area 226 to the virtual interface screen 616 of the monitor 600.

For example, when the user clicks on the input box of the virtual keyboard as shown in FIGS. 6 to 11 using the mouse 524, the operating system 421 generates a message related thereto. Then, the message processing module 426b receives the message and notifies the video interface control module 426a. Accordingly, the video interface control module 426a controls the video interface 200 to display a cursor for text input in the input box. In this state, the user will again click the number or letter button of the virtual keyboard using the mouse 524. As a result, the video interface control module 426a controls the video interface 200 to display the value of the virtual keyboard in the input box. In this case, the video data stored in the overlay area 226 is preferably converted into the YUV format supported by all graphic cards and stored.

If the above embodiment uses the overlay area 226 of the video interface 200, the user information security device of the present invention may implement a virtual interface even using the miniport function of the video interface 200. Therefore, hereinafter, the virtual interface using the miniport function will be described in detail with reference to FIGS. 12 to 14.

12 is a view showing a screen displayed by the user information security device according to another embodiment of the present invention.

As shown in FIG. 12, another embodiment for implementing the virtual interface of the present invention uses two video output channels for outputting the screen of the monitor 600. The two video output channels may consist of, for example, a general video port and a video miniport. In such a method using two video output channels, the general area 222 of the video memory 200 is used to display the virtual interface screen 616. However, the general area 222 of the video memory 220 is used in common, but a part thereof is used as an independent video output channel for displaying a virtual interface.

13 is a block diagram illustrating a function and a configuration of a virtual interface module according to a characteristic aspect of the present invention in a user information security device according to another embodiment of the present invention.

As illustrated in FIG. 13, the general screen data 224 according to the execution of the general application 422 is output to the monitor 600 through the video driver 427 controlling the general area 224.

On the other hand, the virtual interface screen data 228 according to the execution of the virtual keyboard module 424 outputs the virtual interface screen 616 to the monitor 600 by the miniport driver 429 driving the miniport.

FIG. 14 is a flowchart for schematically describing a method for preventing user information leakage by screen hacking according to another embodiment of the present invention, and the subject of the description is a virtual interface module 426.

As shown in FIG. 14, the operation of the virtual interface processing module 426 using the miniport function has the same operation procedure as the case of using the above-described overlay function. However, the initialization process for the virtual interface is slightly different.

That is, as shown in FIG. 14, in operation S100, an operation is started by a user's virtual interface execution command (event) using the mouse 524 or the like.

Next, in step S110, it is determined whether the video interface 200 supports the miniport, and if the miniport is supported, whether the available resources remain.

If it is possible to generate the miniport as a result of the determination in step S110 ', the flow advances to step S120' to generate a miniport. Creating a miniport can be made and used using development tools such as, for example, the Windows Driver Development Kit.

On the other hand, if it is determined in step S110 'that the video interface 200 does not support the miniport function or there is no resource for using the miniport, the miniport error message is controlled by the operating system 421. It outputs and the operation | movement of the virtual interface module 426 is complete | finished (step S130 'and step S140).

15 to 17 are flowcharts for describing a method for preventing user information leakage by screen hacking according to another embodiment of the present invention, and the subject of the description is the virtual interface module 426. 18 to 21 are diagrams showing web documents displayed by the user information security apparatus of the present invention.

First, when the user executes the browser 422a, the virtual interface module 426 is loaded from the hard disk 510 into the RAM 420 (step S301).

Accordingly, the BHO module 426d finds the edit box in the website document (web page) displayed on the screen by the browser (step S303).

Next, in step S305, it is determined whether or not the cursor is positioned on the edit box.

As a result of the determination in step S305, when the cursor is located in the edit box for inputting the user ID and password, a message window for asking the user whether to execute the security input is shown next to the edit box, as shown in FIG. The browser 422a is controlled to display (step S307).

Next, in step S309, it is determined whether the user clicks the security input window.

As a result of the determination in step S309, when the user clicks the security input window, the script of the edit box selected by the user, that is, the cursor is located is examined to determine whether the ID starts with 'BE_' (step S311). ). Here, 'BE_' means that the virtual interface module 426 represents a fake edit box that is made to be displayed in place of the actual (real) edit box. That is, step S311 is a process of determining whether the edit box selected by the user is an original or a copy.

As a result of the determination in step S311, if the ID of the edit box selected by the user is a genuine edit box that does not start with 'BE_', the information written by the user is taken from the script of the genuine edit box (step S313). Of course, if the user does not enter information in the edit box, there is no information to import.

On the other hand, if the edit box selected by the user is a fake edit box, the script of the real edit box is found and the information written by the user is retrieved (step S315).

Next, in step S317, it is determined whether "AMHO (password) _" is present in the script of the real edit box. Here, 'AMHO_' means that encryption / decryption is shared with the website, that is, the virtual interface module 426 encrypts the information input by the user and the website decrypts the encrypted information.

As a result of the determination in step S317, if the real edit box contains 'AMHO_', the imported user information (which is encrypted) is deleted (step S319), and the flow proceeds to step S321, as shown in FIG. Is displayed. Here, the virtual keyboard is the virtual interface module 426 controls the video interface on behalf of the operating system to display on the screen.

On the other hand, if there is no 'AMHO_' in the real edit box, the process proceeds to step S323 to display the virtual keyboard with the imported user information. In other words, the imported user information is displayed in the input box of the virtual keyboard. Thus, the user can modify the previously entered information.

Next, in step S325, the user encrypts the information input through the virtual keyboard.

Next, in step S327, it is determined whether encryption / decryption is shared with the website.

As a result of the determination in step S327, in the case of sharing encryption / decryption with the website, the encrypted user information is input into the genuine edit box (step S329).

On the other hand, when the encryption / decryption is not shared with the website, the encrypted user information is decrypted in plain text and input into the real edit box (step S331).

Next, in step S333, it is determined whether the edit box selected by the user is a real edit box. In detail, step S333 is a process of determining whether the user accesses the website for the first time or selects the edit box for the first time. In other words, if the user had already selected the edit box, the browser would display a fake edit box instead.

As a result of the determination in step S333, if the edit box selected by the user is a real edit box, a fake edit box is generated, and as shown in FIG. 20, for example, as shown in FIG. 422a) (step S335). Then, the flow advances to step S337 to control the browser 422a to transmit the information input by the user through the virtual keyboard to the website. Then, as shown in FIG. 21, the user logs in to the corresponding website.

On the other hand, if the edit box selected by the user is a fake edit box, that is, a fake has already been made, the process proceeds to step S337 to control the browser 422a to transmit the information input by the user through the virtual keyboard to the website. do.

As described above, according to the method of preventing user information leakage by the screen hacking of the present invention described with reference to FIGS. Do. In addition, the hacker only hacks fake information preset by the user.

The method for preventing user information leakage by screen hacking according to the present invention is not limited to the above-described embodiments, and various modifications can be made within the scope of the technical idea of the present invention.

1 is a block diagram of a computer device performing a method of preventing user information leakage by screen hacking according to the present invention.

2 is a view showing a screen displayed by the user information security device according to an embodiment of the present invention.

3 is a block diagram illustrating a function and configuration of a virtual interface module according to a characteristic aspect of the present invention in a user information security device according to the present invention.

4 is a flowchart illustrating a user information leakage prevention method by screen hacking according to an embodiment of the present invention.

5 is a flowchart illustrating a user information leakage prevention method by screen hacking according to an embodiment of the present invention in detail.

6 to 11 are views showing a virtual interface screen displayed by the user information security device of the present invention.

12 is a view showing a screen displayed by the user information security device according to another embodiment of the present invention.

13 is a block diagram illustrating a function and a configuration of a virtual interface module according to a characteristic aspect of the present invention in a user information security device according to another embodiment of the present invention.

14 is a flowchart schematically illustrating a method for preventing leakage of user information by screen hacking according to another embodiment of the present invention.

15 to 17 are flowcharts illustrating a method of preventing user information leakage by screen hacking according to another embodiment of the present invention.

18 to 21 are diagrams showing web documents displayed by the user information security device of the present invention.

*** Explanation of symbols for the main parts of the drawing ***

100: central processing unit 200: video interface

300: system bus 400: main memory unit

421: operating system 424: virtual keyboard module

426: virtual interface module 426a: video interface control module

426b: message processing module 426c: encryption module

426d: BHO module

Claims (7)

Performed by a virtual interface module on a network accessible computer, (A) determining whether a cursor is positioned on an edit box of a web page displayed on the screen by a browser; (B) if the cursor is located on the edit box, controlling a video interface on behalf of an operating system to display a virtual keyboard including a fake edit box on a screen; (C) controlling the browser to display fake information through the fake edit box instead of information input by the user through the virtual keyboard; and And (d) controlling the browser to transmit the information input by the user through the virtual keyboard to the website. The method of claim 1, wherein step (a) comprises: Finding the edit box in the web page displayed on the screen by the browser, And determining whether or not the cursor is located on the found edit box. The method of claim 2, wherein step (b) comprises: If the cursor is located on the edit box, controlling the browser to display a message window for asking a user whether to execute security input; If the user clicks on the message window, controlling the video interface on behalf of the operating system to display a virtual keyboard including a fake edit box on the screen comprising the step of preventing user information leakage by screen hacking, characterized in that . The method of claim 3, wherein step (d) Encrypting information input by the user through the virtual keyboard; And controlling the browser to transmit the encrypted information to the web site. The method of claim 3, wherein And controlling the video interface on behalf of the operating system to display the information input by the user through the virtual keyboard on the fake edit box displayed on the screen. Way. delete A computer-readable medium having recorded thereon a program for executing the method for preventing user information leakage by screen hacking according to any one of claims 1 to 5.

Images