I was going to post this on the main board but figured it's not really assembler-related, and I may even answer my own questions, but confirmation might help, or an education by a more experienced coder.

Here goes:

I was sitting on the train the other day looking at my F1 keys wondering why. So I figured I'll write some functionality for them; from bits of basic knowledge (I've only been Win32 API and assembler coding for about 8 months) I figured I would have to hook the keyboard. So I did. In the first bits of testing I was catching the Z key and processing on that.

Then I thought hmmm, what happens if I write this to a file? Bang, a key logger. :( I figured that next time my AV kicked in it would play holy hell and wanna delete it. It didn't. I thought fair do's, it's only AVG Free; I'll use a paid-for version. Still nada, so I gave Symantec a bash, again nada. So I wandered over to Iczelion's site and found some keylogger source code; my AV wasn't happy and shouted at me.

Now you've all probably guessed which functions I have called. So here are the questions:

1) As these are genuine Win32 API calls and have legitimate uses, is this why the AV is passing it over?
2) As I am a complete noob to Win32 API and assembler (and anything above adding two numbers in C), I am sure this has been done n^n times before, so how would one defend against such actions and detect such actions?

Cheers :D
Posted on 2009-03-03 15:33:32 by sidey1234
There is no real way to prevent hooking, except running all apps as a non-privileged user. And even that isn't much of an obstacle.
Posted on 2009-03-04 14:17:59 by ti_mo_n
Hmm, ok :D thanks for the reply. I have found http://www.qfxsoftware.com/ which encrypts all keystrokes; creating a replica piece of software will give me something to do. :D

Though I'm thinking the hooks may override this, but we'll see how I go. I hope I'm proved wrong :D
Posted on 2009-03-08 14:00:14 by sidey1234