- Keyloggers is an archaic method used by malware authors its basically record everything you type on a keyboard.
-
the API we are hacking is
GetAsyncKeyState, its one of the most common APIs that used by Keyloggers ,it Determines whether a key is up or down at the time the function is called ,it takesintin arguments, and returnsSHORT -
as you can see
GetAsyncKeyStateis just a wrapper aroundntUserGetAsyncKeyState -
ntUserGetAsyncKeyState -
if you perform a
GetAsyncKeyStatethe execution will be like this :- The real code of
ntUserGetAsyncKeyStatefunction runs in Kernel Mode. - When a user-mode application calls the Nt or Zw version of a native system services routine, the routine always treats the parameters that it receives as values that come from a user-mode source that is not trusted .
- The real code of
-
first thing we do is locate
GetAsyncKeyStatein memory then we overwrite the first 12 bytes and make it jump to our fake function . -
if the specified key is down/pressed
GetAsyncKeyStatereturns 0x8001 or -32767 in decimal to abuse it ,we create an array of characters of our choice and return -32767 in every character so the keylogger log it sequentially ,then we returns 0 everytimeGetAsyncKeyStateget called so the keylogger get blocked from logging .unsigned char msg[] = { 'T','R','O','L','L','E','D' };
-
our function in memory:
20558.mp4
- im planning to make a highly effective program that detect all ( high/low ) level and both direct/indirect syscalls keyloggers and shut them down .