mIRC Home    About    Download    Register    News    Help

Print Thread
Joined: Jul 2003
Posts: 40
H
HadS Offline OP
Ameglian cow
OP Offline
Ameglian cow
H
Joined: Jul 2003
Posts: 40
Hello,

Actually there is 2 way for an external programm to communicate with mIRC: DDE and SendMessage.

The mIRC DDE's server can be disabled (mIRC Options->Other->DDE) preventing any possibles malicious programm to run mIRC routines (command, $eval).

So why there is'nt the same disabling switch for SendMessage ?

The DDE's Server and SendMessage have the same purpose so it doesn't make sense to "secure" one and not the other.

Thank you


Last edited by HadS; 05/06/14 12:51 PM.
Joined: Jan 2004
Posts: 1,358
L
Hoopy frood
Offline
Hoopy frood
L
Joined: Jan 2004
Posts: 1,358
Disabling dde and sendmessge doesn't provide any security. If there's malicious code running on your machine the game's already over.

Joined: Jul 2003
Posts: 40
H
HadS Offline OP
Ameglian cow
OP Offline
Ameglian cow
H
Joined: Jul 2003
Posts: 40
Hi Loki12583, your remark is not relevant, if we would be able to disable this either "DDE" and "SendMessage" mIRC will be more secured, it's a fact.

Why ? Because even with an malicious code running, this one won't be easyly able to do things like: "send a SendMessage at mIRC to performs in all channels a spam message".

Let these two doors opens is not good because these doors let every programm execute mIRC Commands, and with mIRC command you can do many things on your favourite's active IRC network and earn a ban (eg: if malicous program flood or spam).

Last edited by HadS; 05/06/14 03:50 PM.
Joined: Jan 2004
Posts: 1,358
L
Hoopy frood
Offline
Hoopy frood
L
Joined: Jan 2004
Posts: 1,358
A program can just activate mIRC and send keystrokes to it. If they wanted to they could open the options and enable dde and sendmessage, not that they'd need to. Even if there were no way to interact with mIRC directly, a program could kill the process and edit mirc.ini to enable those options.

Joined: Jul 2003
Posts: 40
H
HadS Offline OP
Ameglian cow
OP Offline
Ameglian cow
H
Joined: Jul 2003
Posts: 40
Lol, I didn't come here to say "Hey, by adding a disabling switch to SendMessage mIRC will be 100% secured".

I don't want to discuss to much about "how a malicious's program can execute mIRC command and other", I already know how that could be done.

I've just noticed that mIRC allows on the one hand disabling "DDE's Server" and on the other hand doesn't allow the same with SendMessage. To let program comunicate with it, mIRC offers those twice possibilities. So the functionnality "disable official program-mIRC's communication" is at 50%. That's the point of my "feature suggestion".

Using a third unofficial method like keystroke (as you've said) is a hacky way and it's not included in the mIRC.chm.

When someone wants to hack a program, he will always choose the easiest security breach. In case of mIRC it will be "SendMessage" or "DDE". If these ones will be disabled, the hacker will need to find another breach (keystroke, editbox, ...) but that will be not easy compared than before (DDE or SendMessage).

Joined: Jul 2006
Posts: 4,145
W
Hoopy frood
Offline
Hoopy frood
W
Joined: Jul 2006
Posts: 4,145
His remark was sure relevant, it's rather what you are saying that is irrelevant.
The request is ok, DDE can be disabled, perhaps sendmessage() could/should too, just for consistency, now arguing that you want it because of a security issue is a bit irrelevant, as pointed out, if you are concerned with external programs interacting with mIRC in a bad way because of sendmessage(), you should be already concerned with what the externals programs can currently do (see loki's list). And if you trust the program you are using for now about not enabling DDE to use it maliciously, you also trust them for sendmessage, so the security risk is quite irrelevant imo, though present.

edit: Sendkey is not a part of mIRC just like regular expressions, so they are not documented in the help file, as expected.

Last edited by Wims; 05/06/14 05:03 PM.

#mircscripting @ irc.swiftirc.net == the best mIRC help channel
Joined: Jul 2003
Posts: 40
H
HadS Offline OP
Ameglian cow
OP Offline
Ameglian cow
H
Joined: Jul 2003
Posts: 40
Stop kidding kids.

"now arguing that you want it because of a security issue is a bit irrelevant",

--> you need to improve your reading and your understanding's skills..
I've never fully said that is a security issue, moreover I quoted the word "secure" in my first post.

"His remark was sure relevant, it's rather what you are saying that is irrelevant."

--> stop trolling, if you both think that "a prog with 62 security breach" and "a prog with 61 security breach" have the same level of security, it's your choice but factually your are wrong ! (I've used random number for the example).

Joined: Jul 2006
Posts: 4,145
W
Hoopy frood
Offline
Hoopy frood
W
Joined: Jul 2006
Posts: 4,145
No kidding, the only argument/words you used in all your posts were about security and malicious stuff, I have nothing against the suggestion but you first talked about that and when we talked about it, you said it was irrelevant.
Quote:
I've never fully said
Ok:
Quote:
Hi Loki12583, your remark is not relevant, if we would be able to disable this either "DDE" and "SendMessage" mIRC will be more secured, it's a fact.
Quote:
if you both think that "a prog with 62 security breach" and "a prog with 61 security breach" have the same level of security..
Did he/we fully say the opposite? Adding that would surely make mIRC more secure but it's not what will prevent a malicious external program from executing commands inside that mIRC, that's all.


#mircscripting @ irc.swiftirc.net == the best mIRC help channel
Joined: Apr 2010
Posts: 969
F
Hoopy frood
Offline
Hoopy frood
F
Joined: Apr 2010
Posts: 969
There's a big difference between DDE and SendMessage():

DDE is essentially mIRC polling a configurably named interface to see if it has new messages. These messages can be initiated from anywhere by any program that supports DDE and knows the name of mIRC's DDE server.

SendMessage() is *quite* a bit different:

First, mIRC *must* initiate the communication. You can't use SendMessage() to communicate with mIRC without mIRC first knowing what/where it should be reading for new 'messages'. As far as I know, the only way to do this is via the use of DLL or COM commands/identifer's from within mIRC; both of which can be disabled via mIRC's options. Otherwise the program would have to do some memory editing, and at that point, it'd just be easier to completely bypass SendMessage()

Next, SendMessage() is quite obscure as it requires the program, not only to force mIRC to initiate communication, but the program has to create and maintain the conduit for passing data and issuing commands. This conduit has a very specific format that minimizes dangerous code to the point that 'messages' are no more dangerous than issuing commands via the editbox (even to the point of enforcing the $dll, $com, and $decode options).

It'd be far easier for a malicious program to either edit mirc.ini or hack memory than to attempt abusing SendMessage().

-

As far as SendKey() is concerned, there's not a concise way to disable the functionality as it is handled by windows and when a SendKey() is issued, without a few kludges there's no way the program knows the difference between user input and SendKey()

Last edited by FroggieDaFrog; 05/06/14 09:04 PM.

I am SReject
My Stuff
Joined: Dec 2002
Posts: 5,411
Hoopy frood
Offline
Hoopy frood
Joined: Dec 2002
Posts: 5,411
Thank you all for your comments. If I recall correctly, the option to disable DDE was mainly added to allow users who ran multiple copies of mIRC to disable DDE in all but one copy of mIRC, as otherwise their DDE requests would interfere with each other. It was not added for security reasons.

Disabling DDE or SendMessage would be a minor barrier but if a malicious application is running on your computer and it is aware of mIRC, it can already do anything it wants, which includes modifying your mIRC settings and scripts or sending messages to the interface. In any case, I will add this to my to-do list - it should be easy to add it as an option to the Lock dialog "disable commands" list.


Link Copied to Clipboard