From: pawar.dipali on
The message queue of an application can be hooked using the SetWindowsHookEx
function.
I want to develop a key logger detection software,
not a key logger monitor tool.

Many links speak of accessing the hook chain using TEB->Win32ThreadInfo.
The TEB is well documented, but I am unable to get the Win32ThreadInfo
structure.

From: Anton Bassov on
> The message queue of an application can be hooked using the SetWindowsHookEx
> function.
> I want to develop a key logger detection software,
> not a key logger monitor tool.

> Many links speak of accessing the hook chain using TEB->Win32ThreadInfo.

Pointless idea......

The only thing that you can do this way is to detect hooks that are invoked
in the context of the target thread. However, besides these, there are also
low-level hooks
that are invoked in the context of the thread that installed them. You are not
going to see them. In addition to that, keyloggers may operate in kernel
mode as well...
To summarize, there is a very good chance that keylogger(s) will be
invisible to a "detector" that takes such a simplistic approach.....

Any reliable keylogger detector requires a much more serious approach. I wrote
one for CSD, but it does quite a few "dirty" tricks (basically, it
simulates a keystroke at the hardware level and traces its processing all
the way to the destination window, thus detecting anyone who is somehow
related to keystroke processing in both kernel and user modes).....


Anton Bassov
