  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 609

Hook detector

Hello,

I need to know how I can find all keyboard hooks installed and running on a computer.
I work on an application that should scan all running processes and find which of them (one or more) has a keyboard hook installed on Windows. It should be something like a keylogger detector.
0
Asked: bodrag
2 Solutions
 
2266180Commented:
that will be a hard thing to do considering the multiple ways one can do a keyboard hook (not talking about stealth and other hiding techniques).
maybe the best way would be to:
- find all modules used by one process (dll's, ocx, etc)
- scan the image of that module (the file) for calls to api hooks (by name and reference/address - for the latter you'll need to search either in the loaded module (in memory) or do an executable parser)

this will be a pretty hard task and as far as I know, the success rate will still be under 90-95%.
I'll give it a thought and get back to you if I get a better idea.
0
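The second step above (scan each module's image for references to the hook APIs) as an added example, not code from this thread or from any of its participants: a small PE import-table parser that reports whether a module statically imports SetWindowsHookExA or SetWindowsHookExW from user32.dll. It builds a constructed minimal PE32 image inline so it runs offline; on Windows you would feed it the module paths enumerated for each process instead.

```python
import struct

HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW"}  # user32 entry points that install hooks

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def imported_functions(data):
    """Walk a PE file's import directory; return (dll, function) pairs imported by name."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)         # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B              # PE32+ (64-bit) or PE32
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]  # data directory 1
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def off(rva):  # RVA -> file offset via the section table (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA 0x%x outside all sections" % rva)

    width, fmt = (8, "<Q") if plus else (4, "<I")
    found = []
    if not imp_rva:
        return found
    desc = off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                               # null descriptor ends the table
            break
        dll, thunk = _cstr(data, off(name_rva)), off(oft or ft)
        entry = struct.unpack_from(fmt, data, thunk)[0]
        while entry:
            if not entry >> (8 * width - 1):                            # high bit set = import by ordinal
                found.append((dll, _cstr(data, off(entry) + 2)))        # skip the 2-byte hint
            thunk += width
            entry = struct.unpack_from(fmt, data, thunk)[0]
        desc += 20
    return found

def hook_imports(data):
    """Hook-installing user32 APIs the module imports; an empty list means no static reference."""
    return sorted({f for d, f in imported_functions(data) if d.lower() == "user32.dll" and f in HOOK_APIS})

def build_sample_pe():
    """Constructed minimal PE32 (not a real binary): one section whose RVA equals its file offset 0x200."""
    sec, dll = 0x200, b"user32.dll\0"
    hints = [b"\0\0" + n + b"\0" for n in (b"SetWindowsHookExW", b"MessageBoxA")]
    name_rva = sec + 40                                                 # after descriptor + null descriptor
    h1, h2 = name_rva + len(dll), name_rva + len(dll) + len(hints[0])
    ilt = h2 + len(hints[1])
    body = struct.pack("<IIIII", ilt, 0, 0, name_rva, ilt) + bytes(20) + dll + b"".join(hints) + struct.pack("<III", h1, h2, 0)
    hdr = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
           + struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<IIIII", 16, 0, 0, sec, len(body)) + bytes(112)
           + b".idata\0\0" + struct.pack("<IIII", len(body), sec, len(body), sec) + bytes(16))
    return hdr + bytes(sec - len(hdr)) + body
```

A module that resolves SetWindowsHookEx at run time through GetProcAddress, or that hooks the keyboard some other way, leaves no import entry at all, which is why the success rate quoted above stays well below 100%.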
 
calinutzCommented:
Are you looking for something like this?
http://www.styopkin.com/keylogger_hunter.html
0
 
bodragAuthor Commented:
No, Keylogger Hunter only makes keyloggers stop working correctly.
I need a way to detect if a keylogger is running.
0
 
Scay7Commented:
This is a daunting question, as some HOOKs that wish to remain hidden can be hidden...
this site explains what I mean... http://www.rootkit.com/newsread.php?newsid=360

Otherwise ciuly's suggestion seems to be the best route for keyloggers that can be identified by file/name.
In the end a keylogger that wants to stay will stay until such time as a proper and versatile anti-program is made.

Peace Scay7

P.S. Never run a program that you are not 101% sure of its validity... (this is the first line of defence)
0
 
DaFoxCommented:
The only documented way would be to install a WH_DEBUG hook. Otherwise you'd have to enumerate internal undocumented structures that are subject to change without notice. However, this worked quite well on Windows 9x, see MSINFO.
0
