Help finding hook dll
-
I've written a program that detects the presence of a keylogger on a process... If I detect one, I wish to scan the process and find the location of the DLL that is being used as a logger. So far I've detected a logger and have the list of DLLs which are loaded in the process memory, but how can I know which one is the hook DLL? I haven't got a clue so far, and wherever I look I find myself empty-handed. Can anyone please help me? michaelnoam@hotmail.com Michael Noam
-
Check for the following string in each of the DLLs: "SetWindowsHook". You can open the DLLs in notepad.exe... most of the compiled code will be garbled, however imported function names are always in text form.
-
Thank you for your quick answer, however... the string "setwindowshook"/"setwindowshookex" isn't necessarily in the DLL! The function might have been called from an EXE file (for a global hook!) and the only function in the DLL is the callback function! But thank you nevertheless... I'll try thinking of a function which has to be in the DLL... (B.t.w. the callback function name is up to the programmer, therefore it's of no help!)
-
Correct... my mistake. But the DLL must call "CallNextHookEx" inside the callback function (whatever the programmer decides to name it). So you can search for this string instead.
-
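The "imported function names are always in text form" check from the replies above, done by parsing the PE import directory instead of opening the file in Notepad. This is an added example (my code, not the poster's); the A/W suffixes on SetWindowsHookEx and the build_sample_pe helper, which constructs a throwaway test input, are my assumptions, and an empty result does not prove a file is clean.

```python
import struct

# user32 exports the thread says to look for (the A/W suffixes are my assumption).
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "CallNextHookEx"}

def _rva_to_off(data, rva):                    # map an RVA through the section table
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec, optsz = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    for i in range(nsec):
        vsize, va, rawsz, rawptr = struct.unpack_from("<IIII", data, pe + 24 + optsz + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsz):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)
def _cstr(data, off):                          # NUL-terminated ASCII string at a file offset
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def imported_functions(data):
    """Yield (dll, function) for every by-name import of a PE32/PE32+ file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    ptrsz, dd = (8, 112) if magic == 0x20B else (4, 96)             # PE32+ vs PE32
    imp_rva = struct.unpack_from("<I", data, pe + 24 + dd + 8)[0]   # data directory[1]
    desc = _rva_to_off(data, imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                           # terminating descriptor
            break
        dll = _cstr(data, _rva_to_off(data, name_rva))
        thunk = _rva_to_off(data, oft or ft)
        while entry := int.from_bytes(data[thunk:thunk + ptrsz], "little"):
            if not entry >> (ptrsz * 8 - 1):                        # high bit clear: by name
                yield dll, _cstr(data, _rva_to_off(data, entry) + 2)  # +2 skips the hint
            thunk += ptrsz
        desc += 20
def hook_imports(data):                        # an empty result does not prove a clean file
    return {f for _, f in imported_functions(data) if f in HOOK_APIS}
def build_sample_pe(dll, funcs):
    """Constructed minimal PE32 holding only an import table (section RVA == file offset)."""
    base, blob = 0x200, bytearray()
    def put(b):
        blob.extend(b)
        return base + len(blob) - len(b)
    names = [put(b"\0\0" + f.encode() + b"\0") for f in funcs]     # hint + name
    dll_rva = put(dll.encode() + b"\0")
    thunks = put(b"".join(struct.pack("<I", n) for n in names) + b"\0" * 4)
    desc = put(struct.pack("<IIIII", thunks, 0, 0, dll_rva, thunks) + b"\0" * 20)
    opt = struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", desc, 40) + b"\0" * 112
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0) + opt
    sec = b".idata\0\0" + struct.pack("<IIII", len(blob), base, len(blob), base) + b"\0" * 16
    return bytes((b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + nt + sec).ljust(base, b"\0") + blob)
```

Run hook_imports over the bytes of each DLL in the process's module list; a real file is read with open(path, "rb").read() in place of build_sample_pe.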
What if they use a WndProc that doesn't directly call "CallNextHookEx"? They could pass the arguments back to the EXE file and call it from there. Also, a hook does not even need the DLL file to hook the keyboard. I've written a hook that is completely contained in an EXE. The way it's done is to use WriteProcessMemory() to copy the WndProc function as well as a control function into the target process (SAS Window class in my case). Then call CreateRemoteThread() to the control thread to start the hook. The control thread then hooks the keyboard through the WndProc() function. Completely contained in an EXE.
-
Your original post was about locating the correct hooking DLL. I assume you inject SAS to hide Task Manager / capture the change-password sequence / capture ALT-CTRL-DEL. If so, then the method you use (quite tricky to code correctly) seems OK. To capture system-wide keyboard input for all threads/windows (except SAS input) one can also do without DLLs in far simpler fashion... check this http://neworder.box.sk/newsread.php?newsid=10952
-
munawar1968 wrote: _Your original post was about locating the correct hooking DLL. I assume you inject SAS to hide Task Manager / capture the change-password sequence / capture ALT-CTRL-DEL. If so, then the method you use (quite tricky to code correctly) seems OK. To capture system-wide keyboard input for all threads/windows (except SAS input) one can also do without DLLs in far simpler fashion... check this http://neworder.box.sk/newsread.php?newsid=10952_ I use it to capture CTRL+ALT+DEL. It works well. I've also done basically the same thing as you linked to. I use that to create hotkeys on my keyboard and mouse. It works really well. As for the OP, I don't know if there's a way to catch a keylogger since it's possible to completely contain it in an EXE file. One thing you could try is to append a hook function on the end of the callback chain. In it you could peek at the stack and see if there are any hooks that aren't normally there in a clean Windows installation. If you find one, you might be able to use the address on the stack to find out the thread that hooked the keyboard. Note: the preceding may or may not actually be possible to do. I haven't tried it and I'm no expert on hooks. :-)