
windows' hooks



I'm searching for a method to get a pointer to windows' hooks linked lists. No information on MSDN, no information anywhere, no one knows how to...

I really don't want to get user32 disassembled, it'd really p*** me off.

Can anyone help?



I'm working on a keylogger in fact, and I want to implement a real stealth mode. I'm not really convinced by the solutions I've found, such as switching to kernel mode (and thus installing a driver) to make the keylogging process invisible to the task manager.

Another solution is to hook the Process32Next function to make it jump over the keylogger, but I think that most antivirus can detect such hooks (which are definitely different from keyboard hooks!!). The code below helps find these kinds of hooks.

But for regular keyboard hooks things are different. Windows manages a linked list by type of hook (one for keyboard hooks, one for mouse hooks, one for windows hooks...) and dispatches events through these chains. A hook installed on a chain can intercept the event and modify it, block it... And Windows has pointers to the beginning of each linked list. My goal is to find a way to these pointers. And it seems that no one knows how to get them.

More news to come :P

Bye


i knew exactly what you meant. and i would still like to know what you find out ;)

good luck

another thing to keep in mind is how you store your log. one of the more low tech ways to detect a keylogger is to watch the filesystem and keep an eye out for logs.

i think an ingenious way to log the info would be using unicode registry keys with embedded nulls.

Edited by #rootworm

I found a very nice loophole in NTFS support that allows files to be completely hidden behind others using a malformed filename. In fact I don't really think it's a loophole...maybe a feature...

But I know about hidden registry keys, it's a really great idea too :)


deadbird,

You're lucky that this board is not really a programming board because if it was, this topic could have been closed.

Keyloggers are often used for malicious purposes and should not be allowed to be discussed here at msfn.

It's my opinion.

Edited by jdoe

I have allowed this conversation to continue only as part of the building of the structure and ideas for the project. However, no coding which can be utilized by others will be allowed, and posts will be monitored in order to stay 'safe'.


i want to know about the list of windows hooks so that i can make an antikeylogger based on it.

so before you get up on your high horse take that into consideration.

the more knowledge that is shared on creating the perfect keylogger the more knowledge that is shared on how to defeat it.


I have allowed this conversation to continue only as part of the building of the structure and ideas for the project. However, no coding which can be utilized by others will be allowed, and posts will be monitored in order to stay 'safe'.

I totally agree with your opinion, keylogger sources should not be leaked so easily. And I won't. Keyloggers are way too dangerous. Especially in lamers' hands...
