-
October 10th, 2003, 12:00 AM
#1
How to prevent keyboard hook? Hard question:-/
I am developing a security app now. My app has an input-password form, so I need a module to prevent another spy program from stealing my password. Hence, there is a HARD question in my mind now: how can I detect whether there is any spy program running in the background which uses a low-level keyboard hook to steal my password?
I have worked hard and asked a lot of questions to try to solve this, but I still can not. But I think you - Experts - could give me a solution, so I submit this Q to Codeguru.com and hope some of you could help me.
Thanks so much,
Here is one sample of spy program:
Sample KeyLogger
and my job is to detect this kind of software when it is currently running in the background.
Below is one victim sample:
Experts, please help me!
Thanks very much,
-
October 10th, 2003, 01:50 AM
#2
This question was asked a few months ago and I think there were answers. I think I don't know any more than what is in the answers. So see if you can find the previous answers.
-
October 10th, 2003, 04:40 AM
#3
Hi,
You can register your own low-level hook before showing your input-password form and NOT call CallNextHookEx, thus preventing the other hooks from getting notifications.
You will release your hook when the form closes.
Anyway, I can't guarantee your hook will be always called before any other one installed... you'll have to try it.
-
October 10th, 2003, 06:20 AM
#4
Registering your own hook and not passing on notifications would not prevent an eavesdropper from installing a hook after you have done so.
Take a look at CreateDesktop.
Last edited by Dave McLelland; October 10th, 2003 at 06:24 AM.
Dave Mclelland.
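Added example, not part of the original thread: a portable C model of the ordering issue raised in posts #3 and #4. It assumes only the documented behaviour that a newly installed hook goes to the head of the hook chain; every function name in it is constructed for illustration and none of it calls the Win32 API.

```c
#include <stdio.h>
#include <string.h>

/* Portable model of a hook chain; every name here is constructed for the
   example and none of it is the Win32 API. */
#define MAX_HOOKS 8
typedef int (*hook_fn)(int idx, int key);   /* nonzero = key swallowed */

static hook_fn chain[MAX_HOOKS];            /* chain[0] is called first */
static int chain_len;
static size_t logger_n;                     /* keys the modelled logger saw */

/* Like SetWindowsHookEx: the newest hook goes to the head of the chain. */
static int install_hook(hook_fn fn) {
    if (chain_len == MAX_HOOKS) return -1;
    memmove(&chain[1], &chain[0], (size_t)chain_len * sizeof chain[0]);
    chain[0] = fn;
    chain_len++;
    return 0;
}

/* Like CallNextHookEx: pass the event to the hook installed before idx. */
static int call_next(int idx, int key) {
    return (idx + 1 < chain_len) ? chain[idx + 1](idx + 1, key) : 0;
}

static int dispatch(int key) { return chain_len ? chain[0](0, key) : 0; }

/* Modelled eavesdropper: counts the key, then passes it on. */
static int logger_hook(int idx, int key) { logger_n++; return call_next(idx, key); }

/* Modelled password form: swallows the key and never calls call_next. */
static int blocking_hook(int idx, int key) { (void)idx; (void)key; return 1; }

/* Returns how many keys of pw reach the logger for a given install order. */
size_t keys_leaked(const char *pw, int logger_installed_last) {
    chain_len = 0;
    logger_n = 0;
    install_hook(logger_installed_last ? blocking_hook : logger_hook);
    install_hook(logger_installed_last ? logger_hook : blocking_hook);
    for (const char *p = pw; *p; p++) dispatch(*p);
    return logger_n;
}

int main(void) {
    printf("logger installed first: %zu keys leaked\n", keys_leaked("s3cret", 0));
    printf("logger installed last:  %zu keys leaked\n", keys_leaked("s3cret", 1));
    return 0;
}
```

The blocking hook protects the form only against hooks that were already in the chain when it was installed, which is why the thread moves on to isolation approaches such as CreateDesktop.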
-
October 10th, 2003, 06:49 AM
#5
Thanks, pls give me more help
Thanks, Puzzolino,
But the spy app I mentioned above (Sample KeyLogger) has a timer and re-hooks every second, so it always stays in a lower layer than me. I don't think it is a good way to create my own timer with a smaller interval and do the same (re-hook on every tick).
So now I am thinking about installing an API hook to detect whether any spy app calls the function "SetWindowsHookEx"; if yes, I will reinstall my keyboard hook to put it in a lower level and note the user about the spy app. But I am not sure that I can do it, and maybe it is very difficult for me. So I need more help.
Right now I could not find another (the best) way; if any one of you knows one, please tell me.
Thanks,
-
October 10th, 2003, 07:22 AM
#6
Search for previous answers.
-
October 10th, 2003, 01:04 PM
#7
The API interception technique is a powerful possibility, but I might suggest the possibility of just not processing the hook request of other apps instead of fighting for supremacy in the hook chain, as that could easily cause the hook chain to grow unbounded if the other app does verifications that its hook is receiving messages...
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
"It's hard to believe in something you don't understand." -- the sidhi X-files episode
galathaea: prankster, fablist, magician, liar
-
October 10th, 2003, 07:38 PM
#8
So how can I do to solve it?
Thanks AlanMason very much for your long reply,
But actually, I am puzzled now; I don't know how I can do it. I develop it for both Windows 9X and NT (2000/XP), so what is the best solution for me?
AlanMason, you meant that I can use an API hook to detect a spy app which uses LLKeyboardHook? But Galathaea suggested that I should not! So, really, I am not able to find the best solution.
I have also followed the suggestion of Sam Hobbs, but until now I could not find a fitting answer for my question - my searching skill is poor.
Anyway, thank you very much and hope you could give me more help.
Thanks in advance,
-
October 10th, 2003, 08:29 PM
#9
Take a close look at the SetWindowsHookEx function documentation. I think there is something there that will do what you need.
-
October 10th, 2003, 08:36 PM
#10
That still does not take care of hardware loggers or unauthorised modifications like keyboard drivers.
Dave Mclelland.
-
October 10th, 2003, 08:39 PM
#11
Originally posted by Dave McLelland
That still does not take care of hardware loggers or unauthorised modifications like keyboard drivers.
That is not what the question is asking for.
-
October 10th, 2003, 08:48 PM
#12
Originally posted by Sam Hobbs
Take a close look at the SetWindowsHookEx function documentation. I think there is something there that will do what you need.
I've looked at the MSDN documentation for SetWindowsHookEx and can't see anything that would help here. Can you be a bit more specific about your answer? You've got me intrigued.
Dave Mclelland.
-
October 10th, 2003, 10:34 PM
#13
Thanks, I would like to ask more...
AlanMason, Thank you very much,
You gave me much help. You understand the OS deeply, much more deeply than I do.
About a solution for Windows 2000/XP, I have a new idea and would like to have your opinion.
I have just visited http://www.madshi.net and tried to run some demos in http://www.madshi.net/madCollection.exe ; it is a good sample of API hooking. So now I plan to do the following:
Whenever I show my input-password form, I will do the following beforehand:
- register my own low-level keyboard hook and NOT call CallNextHookEx when users type in my form - as Puzzolino mentioned.
- also, before this time, hook the API function SetWindowsHookEx to detect whether any spy app tries to install a keyboard hook (calls SetWindowsHookEx) within the user-typing-password time. If yes, I will re-register my own low-level keyboard hook to make sure it is in a lower layer than the spy app, and also let the user know about the spy app (kill it or not).
But I don't know whether it is OK or not, so I need more opinions from you.
Thank you in advance,
If any of you has an idea, please let me know; it will be helpful for me.
-
October 11th, 2003, 03:17 AM
#14
Hey, here is one more idea...
Develop your own password box (which doesn't support giving text to anybody with WM_GETTEXT; this can be done very easily and I will leave this to you). Then have a thin keyboard filter driver which waits on EVENTs. Now, whenever your password box has focus, you trigger the event so that the keyboard filter driver starts reading the keys (it should read the keys but not let 'em reach any app, I mean don't pass the keystrokes onwards from the filter driver). This will cause a problem: your password box won't get any keystroke events. But as the user completes typing the password and presses Enter, you send another trigger to the event; now the filter driver can safely store the keys pressed, which your password box can read.
Regards,
Ramkrishna Pawar
-
October 12th, 2003, 08:15 PM
#15
Thank Krishnaa!
From your idea, I have just googled the words "keyboard filter driver" and found this program, which is a very good one, using a keyboard filter driver: http://www.anti-keylogger.net
It can detect any program that tends to monitor keyboard actions, and asks the user for a decision...
I wish I could do something like this, but I think it is very difficult for me; right now I don't know how to do it or where to start.
So, if you have any experience, please give me advice. It would be very useful for me.
Thank you very much,