Thread: Keyloggers (none rule breaking)

  1. #1
    Registered User
    Join Date
    Oct 2004
    Posts
    100

    Keyloggers (none rule breaking)

    Hi all,

    First of all I'd like to point out that this topic is not breaking any rules! For my thesis at university I'm required to develop a keylogger detector. So far my project successfully scans the computer for keyloggers and updates its keylogger list over the internet.

    However the next part of my project is to do the following.

    1. Detect the presence of keyloggers
    2. Mislead keyloggers
    3. Disable keyloggers

    I'm quite stumped on how to achieve any of these. I'm not looking for code examples, just the theory behind how to do them. I.e. for point 1 it might be possible to check the message queues for all running processes to see if any of the WM_KEYDOWN messages are being processed before the application they are destined to. But what if the keylogger is using the GetKeyAscii method and not dll injection?

    For point 2 misleading means if a keylogger is active then the keylogger detector will send it "fake" keys so the keylogger records the fake keys as well the keys the user is typing.

    These are just examples of how to achieve this. I would be very grateful if you could share your ideas or know of methods how this could be done.

    Also if you could suggest other functionality that you would expect in a keylogger detector then please say.

    Thank you very much for your time.

    Cloudy

  2. #2
    Registered User
    Join Date
    Jan 2005
    Posts
    847
    You could add your own keyboard hook with SetWindowsHookEx and then avoid calling previous hooks in the chain or call them but modify the keypress data. This data might be read only so I think you'd need to make a Kernel mode driver.

    Check the addresses of APIs. The import tables can be adjusted so that APIs can be redirected.

    You could also do some heuristic checks, there are only so many ways a program can save keypresses to a file.

  3. #3
    Registered User
    Join Date
    Oct 2004
    Posts
    100
    Quote Originally Posted by Quantum1024
    You could add your own keyboard hook with SetWindowsHookEx and then avoid calling previous hooks in the chain or call them but modify the keypress data.
    That's an excellent idea and I believe I can program it with relative ease, my only concern is I think SetWindowsHookEx will inject my keylogger detector dll into the message queue before both the keylogger and the intended receiving application, so if I change say the key 'e' to 'f' it may trick the keylogger but won't it also have the same effect on the receiving application?

    Quote Originally Posted by Quantum1024
    This data might be read only so I think you'd need to make a Kernel mode driver.
    I better hope it's not read only because I have no idea how to do that lol.

    Check the addresses of APIs. The import tables can be adjusted so that APIs can be redirected.
    This sounds good, what would it involve?

    I'll be doing some research into the heuristic checks now. If you come up with any other ideas then please say or if someone else does then again please say.

    Thank you so much for your help, it is very much appreciated.

    Cloudy

  4. #4
    Registered User
    Join Date
    Jan 2005
    Posts
    847
    Quote Originally Posted by cloudy
    Thats an excellent idea and I believe i can programme it with relative ease, my only concern is i think SetWindowsHooxEx will inject my keylogger detector dll into the message queue before both the keylogger and the intended receiving application, so if i change say the key 'e' to 'f' it may trick the keylogger but wont it also have the same effect on the reciving application?
    I never thought of that. You could modify the keypress data, call CallNextHookEx and then restore the original data before returning from the hook procedure.

    If you use the Journal record hook you don't have to place the hook procedure in a dll.

    This sounds good, what would it involve?
    Have a look at the PE file format. The import table is filled with the addresses of API functions when the executable is loaded. Some programs can modify the addresses to point to a hook function. You can scan the addresses in an application's import table and compare with the actual address to see if they've been changed.
    Last edited by Quantum1024; 01-25-2006 at 07:53 AM.
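    The import-table comparison Quantum1024 describes, as an added example that is not the poster's code and not a real PE reader: it runs the check on a constructed snapshot of a process (the mapped modules with their export tables, plus the main image's import address table). In a real detector those two inputs come from the loaded module list and from walking the image's IMAGE_DIRECTORY_ENTRY_IMPORT thunks; the caveat worth modelling is forwarded exports, because kernel32 legitimately forwards some functions to ntdll and a naive "slot points outside the exporting module" test would flag them. All addresses, module names other than the Windows system DLLs, and "spy.dll" are constructed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed model of a process image: module list + the main image's IAT.
# Addresses and "spy.dll" are made up for illustration; only the forwarder
# kernel32!HeapAlloc -> NTDLL.RtlAllocateHeap mirrors a real Windows export.

Export = Union[int, str]   # resolved address, or a forwarder string "OTHER.Func"


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    exports: Dict[str, Export]

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Finding:
    module: str              # module the import is declared against
    function: str
    expected: Optional[int]  # None when the export could not be resolved at all
    actual: int              # value currently stored in the IAT slot
    lands_in: str            # module that owns the actual address, or "<unmapped>"


def norm(name: str) -> str:
    """Module names are case-insensitive and forwarder strings omit the .dll suffix."""
    n = name.lower()
    return n[:-4] if n.endswith(".dll") else n


def owner_of(addr: int, modules: List[Module]) -> str:
    for m in modules:
        if m.contains(addr):
            return m.name
    return "<unmapped>"


def resolve_export(mod_name: str, func: str, by_name: Dict[str, Module],
                   depth: int = 0) -> Optional[int]:
    """Genuine address of mod!func, following forwarder chains the way the loader does."""
    if depth > 8:                                  # guard against forwarder loops
        return None
    mod = by_name.get(norm(mod_name))
    if mod is None or func not in mod.exports:
        return None
    target = mod.exports[func]
    if isinstance(target, int):
        return target
    fwd_mod, fwd_func = target.split(".", 1)
    return resolve_export(fwd_mod, fwd_func, by_name, depth + 1)


def check_iat(iat: Dict[Tuple[str, str], int], modules: List[Module]) -> List[Finding]:
    """Flag every IAT slot whose value differs from the exporter's real address."""
    by_name = {norm(m.name): m for m in modules}
    findings = []
    for (mod_name, func), slot in iat.items():
        expected = resolve_export(mod_name, func, by_name)
        if expected is None or slot != expected:
            findings.append(Finding(mod_name, func, expected, slot, owner_of(slot, modules)))
    return findings


MODULES = [
    Module("app.exe",      0x00400000, 0x00020000, {}),
    Module("kernel32.dll", 0x77E00000, 0x000F0000,
           {"GetProcAddress": 0x77E2A000, "HeapAlloc": "NTDLL.RtlAllocateHeap"}),
    Module("ntdll.dll",    0x7C900000, 0x000B0000, {"RtlAllocateHeap": 0x7C91B000}),
    Module("user32.dll",   0x7E410000, 0x00090000,
           {"GetMessageW": 0x7E418000, "PeekMessageW": 0x7E418500}),
    Module("spy.dll",      0x10000000, 0x00010000, {}),   # constructed, not a real DLL
]

IAT = {
    ("KERNEL32.dll", "GetProcAddress"): 0x77E2A000,   # intact
    ("KERNEL32.dll", "HeapAlloc"):      0x7C91B000,   # in ntdll, but a legitimate forwarder
    ("USER32.dll",   "GetMessageW"):    0x10001000,   # redirected into spy.dll
    ("USER32.dll",   "PeekMessageW"):   0x7E418500,   # intact
}


def run_check() -> List[Finding]:
    return check_iat(IAT, MODULES)


if __name__ == "__main__":
    for f in run_check():
        exp = f"{f.expected:#010x}" if f.expected is not None else "unresolved"
        print(f"{f.module}!{f.function}: IAT slot {f.actual:#010x}, expected {exp}, lands in {f.lands_in}")
```

    On this snapshot only USER32!GetMessageW is reported: its slot points into a module that does not export it, while HeapAlloc's slot pointing into ntdll is accepted because the forwarder is followed first. A real implementation also has to tolerate the loader's own patching (e.g. bound imports) and should rebuild the expected addresses from the export table on disk rather than from the in-memory copy, which a hook may have altered as well.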

  5. #5
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,793
    haven't used hooks in years, but here goes...

    Quote Originally Posted by cloudy
    However the next part of my project is to do the following.

    1. Detect the presence of keyloggers
    AFAIK there's no documented user mode way of enumerating installed windows hooks.

    You could use a technique called API hooking, but that means creating a kernel mode program.

    Quote Originally Posted by cloudy
    2. Mislead keyloggers
    Set your own hook with the WH_DEBUG flag. This will then be called before other hooks allowing you to change values or not pass them on.

    Quote Originally Posted by cloudy
    3. Disable keyloggers
    Hell, if you solve 1, UnhookWindowsHookEx

  6. #6
    Registered User
    Join Date
    Oct 2004
    Posts
    100
    Progress made.

    I have managed to mislead a keylogger that uses dll injection by setting up a system wide hook to monitor both WH_KEYBOARD and WH_CBT and editing the CallNextHook wParam value. It works fine.

    I am about to check out WH_DEBUG to see how I can incorporate that.

    However this technique only works for misleading dll injection. What if the keylogger was using the more basic GetKeyAscii command in a loop?

    Would it be possible to:

    1. detect if a running process was continually calling GetKeyAscii
    2. Mislead a process that I knew was running the GetKeyAscii method?

    Thanks both of you for your help

  7. #7
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    Tis a fine line between poacher and game keeper....

  8. #8
    Registered User
    Join Date
    Oct 2004
    Posts
    100
    what do you mean by that?

  9. #9
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,268
    You could use a technique called API hooking, but that means creating a kernel mode program.
    No it doesn't. Hooking user mode API functions is done in user mode, not kernel mode.

    Progress made.

    I have managed to mislead a keylogger that uses dll injection by setting up a system wide hook to monitor both WH_KEYBOARD and WH_CBT and editing the CallNextHook wParam value. It works fine.
    Won't that method only work on hooks that are installed after your program is run? If a hook is installed before you run your program, then its hook procedure will be called before yours.

    Would it be possible to:

    1. detect if a running process was continually calling GetKeyAscii
    2. Mislead a process that I knew was running the GetKeyAscii method?
    I've never heard of an API function called GetKeyAscii

  10. #10
    Registered User
    Join Date
    Oct 2004
    Posts
    100
    Thanks for the reply mate
    Won't that method only work on hooks that are installed after your program is run? If a hook is installed before you run your program, then its hook procedure will be called before yours.
    When you inject into a message queue then your injection is added to the beginning of the queue and not the end. Meaning the trick will work on all the keyloggers run before my keylogger detector, which is ideal because the keylogger detector can be stopped and started so it will always be added to the top.


    The GetAsciiKey you might be right and does not exist (it might be another programming language function but I'm sure there is a C++ equivalent). I'm not looking for the actual name of this function because as I said I'm making a keylogger detector and not a keylogger and the keylogger detector wouldn't need to use this function (and I'm also aware that as your rule is not to discuss how to make keyloggers then you may not want this function discussed in case others take advantage of it). However what I am interested in is if there is a tell-tale sign of a keylogger using this function to trap keys then I'd like to know how to implement it for my keylogger detector.

    Thanks for your help mate, it is very much appreciated

    cloudy
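    To make the hook-ordering discussion in posts #4, #5, #6, #9 and #10 concrete, an added example that is not code from the thread and is a Python model rather than Windows code: it simulates one WH_KEYBOARD hook chain with the documented behaviour that the most recently installed hook runs first, and that the application reads the original message from its queue whatever the hooks forwarded to CallNextHookEx. A recording hook stands in for the hook-based logger, a second hook installed afterwards forwards decoy key codes down the chain (point 2 of the original post), and the recording hook is then removed through the model's UnhookWindowsHookEx (point 3). Hook handle names, the decoy sequence and the typed sample are constructed.

```python
from itertools import cycle
from typing import Callable, Dict, List, Tuple

HC_ACTION = 0
# A hook procedure: (chain, own handle, nCode, wParam, lParam) -> return value.
# Mirrors the real signature apart from the chain/handle, which the model needs
# in place of global state; a non-zero return means "swallow the message".
HookProc = Callable[["HookChain", str, int, int, int], int]


class HookChain:
    """Model of one WH_KEYBOARD hook chain (constructed; not the Win32 API)."""

    def __init__(self) -> None:
        self._procs: List[Tuple[str, HookProc]] = []   # newest first

    def set_windows_hook_ex(self, proc: HookProc, handle: str) -> str:
        self._procs.insert(0, (handle, proc))   # newest hook goes in front, so it runs first
        return handle

    def unhook_windows_hook_ex(self, handle: str) -> bool:
        before = len(self._procs)
        self._procs = [(h, p) for h, p in self._procs if h != handle]
        return len(self._procs) != before

    def call_next_hook_ex(self, handle: str, n_code: int, w_param: int, l_param: int) -> int:
        idx = next(i for i, (h, _) in enumerate(self._procs) if h == handle)
        if idx + 1 == len(self._procs):
            return 0                          # end of chain: nothing swallowed
        nxt_handle, nxt_proc = self._procs[idx + 1]
        return nxt_proc(self, nxt_handle, n_code, w_param, l_param)

    def deliver(self, vk: int, app_inbox: List[int]) -> None:
        """The GetMessage side: run the chain, then hand the queued message to the
        application unless a hook swallowed it. The hooks' arguments are copies, so
        whatever they forwarded never reaches the application."""
        swallowed = 0
        if self._procs:
            handle, proc = self._procs[0]
            swallowed = proc(self, handle, HC_ACTION, vk, 0)
        if not swallowed:
            app_inbox.append(vk)


def make_recorder(log: List[int]) -> HookProc:
    """Records wParam and passes it on: stands in for the hook-based logger in the thread."""
    def proc(chain, handle, n_code, w_param, l_param):
        if n_code == HC_ACTION:
            log.append(w_param)
        return chain.call_next_hook_ex(handle, n_code, w_param, l_param)
    return proc


def make_decoy_hook(decoys: str) -> HookProc:
    """Detector hook: forwards a decoy key code down the chain in place of the real one."""
    codes = cycle(ord(c) for c in decoys)
    def proc(chain, handle, n_code, w_param, l_param):
        if n_code != HC_ACTION:
            return chain.call_next_hook_ex(handle, n_code, w_param, l_param)
        return chain.call_next_hook_ex(handle, n_code, next(codes), l_param)
    return proc


def simulate(typed: str, typed_after: str = "", with_detector: bool = True,
             decoys: str = "DECOY") -> Dict[str, str]:
    """Phase 1: recorder installed first, detector afterwards, `typed` is typed.
    Phase 2: the recorder's hook is removed and `typed_after` is typed."""
    chain = HookChain()
    logged: List[int] = []
    inbox: List[int] = []
    chain.set_windows_hook_ex(make_recorder(logged), "hRecorder")
    if with_detector:
        chain.set_windows_hook_ex(make_decoy_hook(decoys), "hDetector")
    for ch in typed:
        chain.deliver(ord(ch), inbox)
    chain.unhook_windows_hook_ex("hRecorder")
    for ch in typed_after:
        chain.deliver(ord(ch), inbox)
    return {"app": "".join(map(chr, inbox)), "recorder": "".join(map(chr, logged))}


if __name__ == "__main__":
    print(simulate("SECRET", typed_after="MORE"))      # app: SECRETMORE, recorder: DECOYD
    print(simulate("SECRET", with_detector=False))     # app: SECRET, recorder: SECRET
```

    Two things the model makes visible. First, why the restart trick from post #10 works: reinstalling the detector moves it to the front of the chain, so every hook installed earlier sees only what the detector forwards. Second, the detector never has to restore anything before returning, because hook arguments are passed by value and the application reads the queued message; that matches the real WH_KEYBOARD behaviour. The limits also follow from the model: a hook installed after the detector runs before it, and a logger that does not use the hook chain at all (polling key state, as post #11 mentions) is never reached by decoys.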

  11. #11
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,268
    You may be thinking of GetAsyncKeyState(), but no one makes a keylogger with that. All you need to worry about is SetWindowsHookEx().
