First let me say that I am a Network Administrator, and I do have a legit, moral reason for needing a keylogger. Specific activity requires investigation, and this is my way of doing it. This code is rather old. I was curious why it is not working on NT/XP OSes? It worked fine on 95/98/ME systems. Hopefully it is just some minor error in the code. Looking forward to your posts.
Posted on 2004-09-15 15:53:43 by Nokturnal
Hi, Nokturnal,
on Windows NT and above the hooking procedure (your JournalLogHook) must be coded in a separate DLL, which will be injected by the operating system in all the address spaces of the existing processes. In Windows 98 this was not necessary, because the address space was unique.
You can find another keylogger which uses SetWindowsHookEx (but with parameter WH_KEYBOARD instead of WH_JOURNALRECORD) here:
h..p://www.geocities.com/chuonyuen_ooi/files/KeySpyv1.zip

Regards, bilbo
Posted on 2004-09-16 03:19:37 by bilbo
Thanks a ton Bilbo!

That is exactly the type of app I was aiming to create. What you said makes sense after looking over the code. Your program seems more efficient also. Awesome work! Looking forward to seeing version 2.0 8)


Thanks again,
-Nok
Posted on 2004-09-16 12:23:24 by Nokturnal
He's using a journal hook, which does not require an external DLL, as opposed to WH_KEYHOOK. I've seen this same piece of code ripped countless times.
Posted on 2004-09-16 18:26:56 by Drocon
He's using a journal hook, which does not require an external DLL, as opposed to WH_KEYHOOK. I've seen this same piece of code ripped countless times.


It's exactly the opposite, on Windows NT platforms! WH_JOURNALRECORD is a "system only" hook, which means that the filter function must always be packed in an external DLL. On the other hand, WH_KEYBOARD can also be a thread hook, so it can be resident in the same application which sets the hook, but in that case it will not have a systemwide scope.
Now, since a keylogger must have a systemwide scope, both kinds of hooks must be resident in an external DLL. Again, this is true for Windows NT and above, for the reason that the address spaces of the processes are separated.

Have a look for example at h..p://widgetech.com/howto/hooks.shtml, the first page which pops up from a simple Google search.

Regards, bilbo
Posted on 2004-09-17 05:10:10 by bilbo
What does this have to do with address spaces? Are you saying that your Windows 98 did not have separate address spaces? That would be strange, because everyone else's Windows 98 does :P
Posted on 2004-09-17 12:15:14 by Sephiroth3
I don't need some shitty 3rd-party anti-Microsoft wannabe who has absolutely no idea what they're talking about. All *_LL hooks, WH_JOURNALRECORD and WH_JOURNALPLAYBACK do not require external DLLs.

Just to prove my case, I've coded a simple 'example' keylogger using journal hooks; all keys will be output to stdout via printf(). I could also easily make a WH_KEYBOARD_LL hook, but that's 2k/XP only.

The example uses scancodes, not virtual key codes, therefore some keys on foreign keyboards may not log correctly.
Posted on 2004-09-17 19:59:02 by Drocon
:roll:

The low-level hooks (*_LL) don't work under Win9X. It has nothing to do with address spaces, they're simply not implemented in those platforms.
Posted on 2004-09-19 17:08:15 by QvasiModo
Sorry, mates, this time I was wrong :oops:
Next time I will be more careful before posting something.
Thanks for the code, Drocon, it has been a good lesson...
bilbo
Posted on 2004-09-20 03:42:51 by bilbo
I've seen a keylogger exe that kept the (normally dll-based) hook code within the same exe - but then went on to load ITSELF AS A DLL ;)
This solution was ingenious imho.
The only thing which distinguished this exe from any other was a couple of exported functions (silly, huh) and the fact that it had a BSS data segment marked as Shared - not sure why.
Posted on 2004-10-06 01:04:55 by Homer
I once coded a keylogger using the API GetAsyncKeyState running in a loop that checks every key. This does not need any hook procedure things but I'm not sure about performance...does anyone have additional info on using this API?
Dominik
Posted on 2004-10-06 04:55:50 by Dom
Hi Dominik,
I too designed a keylogger with the API GetAsyncKeyState. It works fine as far as keylogging is concerned, but a keylogger using system hooks has an advantage over it. A system hook type keylogger can actually manipulate keys punched and send other keys or some commands instead of that. As far as GetAsyncKeyState is concerned, it can only read keys punched in.
I think this is one difference in performance. Please let me know if you know some more.
Also correct me if I am wrong. I'll love to correct myself.
Nickdigital
Posted on 2004-10-06 09:37:46 by nickdigital
Well actually I tried to point at more "performance"-related stuff...
Sure, the hooking thing gives more control over keystroke processing, but I only want to log.
When you coded such a keylogger, too, you might have recognized that your routine doesn't log EVERY key. Even when setting the timer quite short, a very fast sequence of keys can show that not every key is really recognized...
Another point is that when I run my keylog prog twice on one machine, the second instance cannot log any key...
So is the way through GetAsyncKeyState "dirty programming"?
Dominik
Posted on 2004-10-06 13:11:52 by Dom
I've seen a keylogger exe that kept the (normally dll-based) hook code within the same exe - but then went on to load ITSELF AS A DLL ;)
This solution was ingenious imho.

Clever indeed! :)
The only thing which distinguished this exe from any other was a couple of exported functions (silly, huh) and the fact that it had a BSS data segment marked as Shared - not sure why.

Probably to store the hook handle, maybe some other data (a window handle to forward messages to, for example). It's easier to keep those in a shared section than going the filemapping way.
Posted on 2004-10-06 13:36:30 by QvasiModo