Topic: C++ Keylogger
I was wondering which is the best technique to write a keylogger: using window hooks or GetAsyncKey()? Or is there any other method, so it's not so visible to AV? Thanks.
Hooks are detectable by almost all AVers; you should use GetAsyncKey.
> or is there any other method
You can write a driver.
Concerning Windows kernel keyloggers, you could have a look at 'Klog' by Clandestiny:
hxxp://www.rootkit.com/board_project_fused.php?did=proj21
And another project (by Chpie): hxxp://rootkit.com/board_project_fused.php?did=proj38
Have fun.
Last edited by bramz (2010-04-04 23:20:16)
Hookings... Eh o.o... Injecting... Well, you can look at Counter Strike wallhacks and aimbots for that (DETECTED!)
A low-level solution: hook the interrupt table.
Example: IRQ1 is generally linked to the PS/2 keyboard. You hook this interrupt and then you have to deal with I/O ports 0x60 and 0x64 for an i8042-compatible keyboard controller.
Concerning Windows kernel keyloggers, you could have a look at 'Klog' by Clandestiny:
hxxp://www.rootkit.com/board_project_fused.php?did=proj21
And another project (by Chpie): hxxp://rootkit.com/board_project_fused.php?did=proj38
Have fun.
best way
kernel keylogger POC code:
[Register or log in to view the URL]
bramz wrote: Concerning Windows kernel keyloggers, you could have a look at 'Klog' by Clandestiny:
hxxp://www.rootkit.com/board_project_fused.php?did=proj21
And another project (by Chpie): hxxp://rootkit.com/board_project_fused.php?did=proj38
Have fun.
best way
Good luck getting it stable though ;D The Chpie solution creates quite a few headaches in terms of kernel stability as does the IRP hook solution.
Concerning Windows kernel keyloggers, you could have a look at 'Klog' by Clandestiny:
hxxp://www.rootkit.com/board_project_fused.php?did=proj21
And another project (by Chpie): hxxp://rootkit.com/board_project_fused.php?did=proj38
Have fun.
"Klog" is definitely what I would suggest looking at. GetAsyncKeyState is ridiculous due to resource consumption. If you want to make a good/serious keylogger, definitely start looking into drivers. Hooking is the best way to go about it. If you use GetAsyncKeyState then the computer owner will definitely realize their computer is going slower.
Dear friend, keylogging is old now; we want to see remote desktop.
Direct video transfer!
Personally, I'd stay out of kernel mode for a keylogger, unless you just really, really need it in the kernel. Same with modifying the IDT. Especially since that knocks out PG protected systems.
There are many nice examples of the GetAsyncKeyState() style. Check the Metasploit source. While I've never had a problem with this method slowing down the computer, I have had it miss keys (or improperly capitalize them) if the user is typing too fast, or if the user is on a slower machine.
The SetWindowsHooks method is my preferred way (albeit, most obvious and easiest caught). But hey, who really uses AV that you can't easily disable for them?
Good workings, but please try to respect the date and not revive years-old threads; the original author may not be on this forum and may not see it.