Tuesday, May 30, 2006

Catching hook based keyloggers using IceSword

Message passing is a technique used in operating system for inter-process communications. In Windows, there are some standard messages and these are named WM_XXXX, where WM stands for Windows Message and XXXX is the actual name of the message. A complete list of messages and their description can be found in this page.

Message hooking is a technique in which a message is monitored (popularly called as hooked) by a program. Because of this hook, the hooking program gets a notification whenever that message is passed. Windows provides some APIs (functions) to hook messages, such as SetWindowsHookEx. Using this API, a message hook can be installed. Similar to the messages, Windows also provides various message hooks. These message hooks are named WH_XXXX. For example, a keyboard message has the name WM_KEYBOARD and the keyboard hook has the name WH_KEYBOARD.

Now a bit about keyloggers! There are two types of software keyloggers, namely DLL based keyloggers and driver based keyloggers. DLL based keyloggers, also called as hook based keyloggers, use the keyboard message hook to intercept the communication and capture key presses. They are named DLL based keyloggers because they use a DLL to to do implement logging functions. Driver based keyloggers are also called as Kernel level keyloggers. They use a device driver to directly monitor the keyboard, at kernel level, for key presses. Most of these keyloggers will not have any additional DLLs or executables. Only a driver is enough to do the job!

We can use IceSword to capture DLL based keyloggers easily. IceSword has a section named "Message Hooks" where it displays all the message hooks in the system along with the hooking program. There can be some hooks used by legitimate processes (for example, firewall, antivirus and even IceSword). But as we have seen earlier, keyloggers use the WH_KEYBOARD hook to hook the WM_KEYBOARD messages.

So, in this section of IceSword, just look for the WH_KEYBOARD hook. If this hook is present, note the process associated with it. In this example, we can see a process named Keylogger.exe is using WH_KEYBOARD. In this case, the process name is pretty straight forward. If you are not sure what really the hooking process is, just use Google to find information about the file. If there are no reliable information about that particular file, then upload and scan the file at any of the online file scanner sites (like VirusTotal or Jotti's Malware Scan). If the file is found to be "bad", then it should be removed immediately. IceSword's "Process" section can be used to locate and terminate the keylogger process. Once the process is killed, just navigate to the file location in Windows Explorer and delete the files.

The advantage of using IceSword to catch the keyloggers is that, it can show even "rooted" keyloggers, i.e. IceSword can detect message hooks even if, say, keylogger uses rootkit technology to hide. There may be additional files, related to the keylogger, in the system. Hence it is advised to update all the security software and do a full system-scan.

Since driver based keyloggers don't use Message hooks, they are not displayed in the "Message Hooks" section of IceSword. As we have seen earlier, these types of keyloggers use a device driver. Actually, this driver can also be detected using the "Kernel Modules" section of IceSword. But, in a system there will be large number of drivers, and it may become very tedious to go through the driver list shown by IceSword.

Download IceSword 1.18 English Version from here


Blogger jörg said...

Greetings swatkat,

a good article.

Note that KEYBOARD is not the only hook you can use to spy on users. MSGFILTER or GETMESSAGE among others can do that too. IceSword itself monitors the keyboard (for Ctrl-Alt-D, S) with no KEYBOARD hook.

Also why does csrss.exe has a MSGFILTER installed in your screenshot? That seems quite strange.

I have written a somewhat related article (in German) and linked yours.


4:27 PM  
Blogger blanjo-antivirus said...

Nice Blog, Best Information and Best Article!!!
we Wait new posting from this blog.

Find another Best & complete links :

Before you buy Laptop/Notebook or If you want to buy Laptop/Notebook, we give you Tips To Buy Laptop/Notebook. This tips can help you , how to choise your dreams Laptop/Notebook. Here is tips to buy laptop , so Find best laptop before you buy laptop, we give you Info for choice best laptop and you can find what is a best from best seller laptop. more ...
Tips To Buy Laptop

All Information About Laptop/Notebook
Find Best Seller laptop and Top 10 Laptop ( Laptop toshiba, laptop acer, laptop ibm, laptop nec and much more ... ), include best Laptop photos, laptop Bag, Laptop Accessories, Laptop DVD, We give you many choice laptop, tips to buy laptop or tips to buy notebook and info best laptop & Notebook computer, We give too best laptop for gammers, laptop for businessman, laptop for student, business laptop computer ultraportable systems and tablet computers to budget laptops & much more ...
Best Laptop

Our Antivirus Group can Help you if your computer have problem with many Virus , Worm, trojan, trojan horse.So, find now antivirus for ...
Download Free Antivirus Software

If you Interrest Make Money on internet you can learn here and we give tutorial how to make money on internet. When you have no ideas more, to make an extra income, you can start with our internet make money / make money online, to earn money from internet and work at home.Here is many sites for tutorial and how to create website for make money online. Actualy many idea for make money on internet, Here we give you tips and trick making money online find our tutorial for make money on internet ...
Online Business

With Website Promoter you can know how to promote your site, how to make rangk on internet search engine ...
Website Promoter

Our Antivirus Center : here you can free Download Software Antivirus for remove all virus , trojan, worm virus W/32. You can choise, what is a good software antivirus for your computer specification.
Best Antivirus For Pc/ PDA/ Smartphone/ Laptop n Notebook

you can find here, If you want to learn more about internet, website, homepage.Ex: Here you can learn how to build website with html template ,complete with tutorial how to make quickly website, so ...
Free Template For Website Builder

If you want looking girl, partner for live, dreams woman, man , boy you can find, looking and dating online here, this dating online service is best for find your dreams ...
Fun Dating Online

If you have still problem with virus rontokbro / brontok, rontokbro.eq, decoil, w32/khillav/w32/killav you can find here new antivirus for remove all virus brontok, new virus brontokvirus brontok here.many software for remove brontok virus ( antivir,antivirus Norman, Mc affe antivirus,Pc cilin antivirus ). you can choice and click your anti virus for brontok virus.So, don't be afraid for brontok virus, we give you here antivirus for brontok. our antivirus new and updated
New Antivirus Brontok/AntiRontokbro

If you have still problem with virus decoil, dkernel, dekernel you can find here new antivirus for remove all virus decoil on your computer.so, find software for remove virus decoil ...
Antivirus Decoil, Decoil Removal

By : Blanjo Antivirus Company
Best Partnert This Blog

11:30 AM  
Anonymous Anonymous said...

WH_KEYBOARD isn't the only Keyboard hook type that should be searched for. WH_KEYBOARD_LL (Low-Level) and WH_JOURNALRECORD (This does not need a DLL to install a hook) can also capture keys.

12:29 AM  
Blogger 三重古天樂 said...

Dans une tribune intitulée “Gaulliste je suis,酒店經紀 gaulliste, je resterai”,酒店打工 publiée sur Facebook,酒店工作 Nadine Morano est revenue sur son dérapage dans l'émission de Laurent Ruquier.酒店上班 Non Stop People vous en dit plus.酒店兼差
Mise en avant depuis quelques semaines,酒店兼職 à cause de son affaire avec l'humoriste Guy Bedos,飯局 Nadine Morano a une nouvelle fois créé le buzz à cause d'un discours qualifié d’“indécent” par Yann Moix dans “On n'est pas couché”.招待所 En effet, alors que la députée ,台北酒店 elle s'est aussi laissée aller à donner son avis sur la laïcité.酒店應徵 Celle qui désire être 禮服店 : “Je n'ai pas envie que la France devienne musulmane, car dans ce cas, ce ne serait plus la France”.酒店
Nadine Morano, qui a été défendue par Gilbert Collard, a continué dans sa lancée en comparant la France à un pays de race blanche 高雄酒店 : “Nous sommes un pays Judéo-Chrétien de race blanche. La France un pays de race blanche, c'est sa grandeur d'accueillir des personnes qui viennent d'Afrique et d'autres continents”.會館 Laurent Ruquier et ses .傳播
“Je ne savais pas que le mot race était interdit d’usage”
Mais ce lundi 28 septembre, Nadine Morano a décidé une nouvelle fois de confirmer sa pensée en publiant une tribune sur Facebook.便服店 L'ancienne mi sujet : “François Fillon, 酒店時間, je n’entends pas le même tollé… Ni quand Christiane Taubira a déclaré (…)Plus de sept ans après avoir décroché la couronne de Miss France,酒店薪水 Ce dimanche 27 septembre 2015, 酒店內容se déroulait l'élection de Miss Picardie 2015 (à Beauvais), à l'approche de l'élection de Miss France 2016.커피 Comm

11:05 PM  
Blogger smart buzz said...

Hello All
I'm offering following hacking services
..hacking Tools
..Spamming Tools
..Scam pages
..spam tools scanners make your own tools

Other hacking svs
..Western union Trf
..wire bank trf
..credit / debit cards
..email hacking /tracing
..Mobile hacking / mobile spam

fully proof work
Availability 24/7 only given below addresses
Contact info
Icq: 718684828
Skype: live:Salvrosti

4:51 PM  

Post a Comment

<< Home