How to detect KeyBoardLogger Program - Spy app?

[DoDucTruong]

Hello everyone, I would like to ask a question:
Is there any way to detect if there would be any Spy app running in back ground which installed LL Keyboard Hook to steal User's password?

Thanks a lot,

http://www.codeguru.com/forum/showth...hreadid=267170

[galathaea]

Unfortunately, on the NT systems (which are the only ones that support the low-level keyboard hook you mention), there is no documented way of enumerating global hooks. You would need to probably go down to ring0 and program a kernel mode driver to spy on whatever internal table the user32 module uses to track such things, which means you will need to figure out the format of that table and deal with synchronisation, etc.

There are known methods for Consumer windows enumeration, however. Other than that, I think your only option would be to use an API interception scheme as detailed in the thread you link to, and ensure that your interception either gets created first or that an alternate hook which does not call up the chain gets installed after the API hooks are set.