Hello! I'm trying to make a userland keylogger detector in C++ for Win32 (I'd like it to work for 2000 and XP, but solely XP would be tolerable), which detects all main userland keylogging methods (SetWindowsHookEx() and GetAsyncKeyState()).
My problem is that I'm trying to detect which process(es) have set a Windows hook, and I've found that it is harder than I originally thought. At first, I tried to set a global WH_DEBUG hook to catch any WH_KEYBOARD hooks that were set, but it wouldn't allow me to view the process or thread ID that set the original hook.
After a great deal of research, I came to the conclusion that I'd have to use an undocumented structure called the TEB (Thread Environment Block) to access the hook chain for every Windows hook, and then I could get the process information from there. The information I found is located here:
The problem is that it's an undocumented structure, and I'm also messing around with the win32k subsystem, which I really shouldn't be doing. I was wondering three things: 1) Is this the only way to go about it, and if it is, 2) how would I find out more information about the hook chains within Windows so that I could safely get access to the information I need? I'm doing this project simply to expand my knowledge about Windows programming and to get more experience, so 3) would it even be worth it to finish this project?
On a side note: I know this is possible, because I found a keylogger detector (that is for sale) that does this, but the original site was taken down for some reason. It can be found here: