Re: Anti-Keylogger program
Well, you should take a look at how various keyloggers work. Without knowing the problem you won't be able to find a solution for this.
http://www.codeguru.com/Cpp/W-P/syst...cle.php/c5699/
http://www.codeguru.com/Cpp/W-P/syst...cle.php/c2891/
But your solution above sounds like a little bit more overhead. But it could work though... Then you would need API hooking...
Re: Anti-Keylogger program
Maybe a bit of overhead, but it's the only method that can, IMHO, catch any kind of keylogger no matter how they capture keys :)
thanks for the link, and what does the nts stuff in your sig mean?
Re: Anti-Keylogger program
Quote:
Originally Posted by barrensoul
Maybe a bit of overhead, but it's the only method that can, IMHO, catch any kind of keylogger no matter how they capture keys :)
Your problem is quite interesting and I understand all your effort. I will sleep on it, maybe I will find something.
Quote:
Originally Posted by barrensoul
thanks for the link, and what does the nts stuff in your sig mean?
That's the secret language used by the dark side of the Squirrel Imperium. Only chosen ones can understand this language. The text in my signature means "Bunny will rule the world".
Re: Anti-Keylogger program
I thought of that approach, but I think there is an easier way, though I haven't tried it yet. What you do is set up a debug hook so it is called before anything else and just see what type of hook is to be called next. Problem is, you have to know what kinds of hooks are installed by legit apps. May need some kind of training mode.
The debug hook code must be in a DLL since it is global. I tried to put a debug hook in my code, but it crashed. I was able to do a global low-level keyboard hook in my code but not a debug hook.
Re: Anti-Keylogger program
Quote:
Originally Posted by barrensoul
Maybe a bit of overhead, but it's the only method that can, IMHO, catch any kind of keylogger no matter how they capture keys :)
Sorry to burst your bubble, but this won't detect any hardware keylogger that has been inserted between your keyboard and your PC ;)
Re: Anti-Keylogger program
this is true, however it will overflow the hardware controller ;) and if you can't find a hardware keylogger on your comp I'd have to peg you as retarded, unless it's integrated INTO the keyboard :D (or not easily discernible, all I know of so far is the USB versions, and I think there was a version that goes between your PS2 mouse and your tower.)
and mine's only designed for software so far :D
Re: Anti-Keylogger program
This is a good idea; you could use a blank window and use PostMessage to send hordes of useless keystrokes; the log would have the real keystrokes scattered between the useless gibberish.
Re: Anti-Keylogger program
that's pretty much a side effect of my program, the true purpose is to use those hordes of crap to fish out a mysteriously increasing resource usage which would symbolize a keylogger :)
Re: Anti-Keylogger program
Ah, but you forget a good keylogger would have rootkitted itself and otherwise be hidden completely from the user, which means you couldn't monitor it through normal means.
Re: Anti-Keylogger program
what?? I don't care how they do it, as long as they are using a resource I can detect the presence of one, that's all it's supposed to do, not detect "where" or "what" but just if one's there or not -_-'
if I make millions of keypresses per minute and they store to the HDD you will notice the HDD size going up up up, even the RAM would be going up up up, or network usage if they broadcast it right away, either way you look at it something's going to increase so once you know it's there you can take proper steps to finding and removing it, I'll figure out some detection methods, including the hook detector that RoyK mentioned, maybe a display like Spy++ shows since it shows keyboard hooks, threads and everything :D
Re: Anti-Keylogger program
That's true. You won't be able to identify what's causing it, but you WILL know it's there...
Re: Anti-Keylogger program
well if one knows that there is a problem then one can fix it, can't they? otherwise not knowing about it means you can't fix it :)
Re: Anti-Keylogger program
Perhaps this might also be an interesting subject for a codeguru.com article. :cool:
Re: Anti-Keylogger program
This has been very interesting reading. Here's the downfall of your plan. Firstly, a keyboard hook is event driven - there is no timer polling for activity - so no key presses - no CPU usage. If you emulate key presses, I am sure your emulation code will use more CPU cycles than the keylogger trap code. Even if not, the two events occur virtually simultaneously, so you would not really detect what's using CPU resources. Then, a really good keylogger would compress the data buffers in real time. It would collect data in memory (say up to perhaps 100k - that's a lot of keystrokes) and then compress the data in an idle thread VERY quickly - it wouldn't even make your resource meter blink. This disk write is just as quick. To demonstrate, write a small app that produces 1,000,000 keystroke chars, then write that to a txt file. Next, zip the file using WinZip. The size you are left with is an indication of how the keylogger will play with your data. That file size (probably less than 100k) is insignificant on a 40GB drive. Your virtual swap file can grow 10x faster and larger through normal PC usage.
Just a thought!
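The experiment suggested in the post above, written out as an added example (not part of the original thread): it measures how much a 1,000,000-keystroke decoy flood shrinks under compression, for a repeating decoy sequence and for random keys, and what fraction of a 40GB drive the result occupies. zlib's DEFLATE standing in for WinZip, the two decoy generators, and decimal gigabytes are assumptions made for the example.

```python
import random
import string
import zlib

KEYSTROKES = 1_000_000      # figure used in the post above
DISK_BYTES = 40 * 10**9     # the post's 40GB drive, taken as decimal GB (assumption)


def repeated_decoys(n):
    """Decoy flood cycling through a fixed key sequence (constructed input)."""
    pattern = b"the quick brown fox jumps over the lazy dog "
    return (pattern * (n // len(pattern) + 1))[:n]


def random_decoys(n, seed=1):
    """Decoy flood of uniformly random alphanumeric keys (constructed input)."""
    rng = random.Random(seed)
    alphabet = (string.ascii_letters + string.digits).encode()
    return bytes(rng.choices(alphabet, k=n))


def measure(data):
    """Compress a captured buffer and relate the result to the drive size."""
    packed = zlib.compress(data, 9)
    return {
        "raw": len(data),
        "packed": len(packed),
        "ratio": len(packed) / len(data),
        "disk_fraction": len(packed) / DISK_BYTES,
    }


def report():
    """Run both decoy strategies through the same measurement."""
    return {
        "repeated": measure(repeated_decoys(KEYSTROKES)),
        "random": measure(random_decoys(KEYSTROKES)),
    }


if __name__ == "__main__":
    for name, m in report().items():
        print(f"{name:9s} raw={m['raw']:>9,d} packed={m['packed']:>9,d} "
              f"ratio={m['ratio']:.4f} disk={m['disk_fraction']:.2e}")
```

Random decoys resist compression far better than a repeating sequence, yet in both cases the stored log is a negligible share of the drive, so free-space monitoring alone is a weak signal.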