Search adware malware

Tuesday, June 30, 2015

How to detect and avoid keyloggers (hooking)

What is Keylogging 

   keylogging is monitoring of key pressed by user either from physical keyboard or from virtual keyboard

How it works 
As per my knowledge there four ways to do it .
The base for all is hooking , you can find more information on Hooking on Microsoft official website: Hooking 
1. Injecting dll globally in all process or in particular process by finding it window name.
     In this method hooking process can read all messages of all processes .
2. Injecting low level global hook using WH_KEYBOARD_LL.
      This method don't required a separate DLL , in this hooking process can read keyboard messages such as key up , key down , char messages .

Note : both of above method of can be prevent from key logging by using Anti Keylogger
here is example of good free Anti key logger :Zemana AntiLoggerFree
 But Anti Keylogger are  not capable of detecting of above two hooking method for that we need to use either Good Antivirus or Memory reading software like Mandiant. redline.

Further i will discus how to use this Mandiant Redline for detecting hooks and rootkits.
Now let continue on types...
3. Driver level hooks called as Rootkits . These kind of hooks seats between the kbdclass or kbdhid(for usb keyboard)/i8042ptr(for PS2 keyboard) and low level hook , so very difficult to detect for many of antivirus also.

follow the below steps to find your PC may infected by such a hooked keyboard driver other than kbdclass or kbdhid
1. Press Win key + 'R' key . A run prompt will open type "devmgmt.msc" in than and device manager will open.
2. Follow the steps as shown in below images

 below dialog will open in that Go to driver tab and click on "driver details" button as shown below.

below dialog will open in this dialog first see if there is file present other than "kbdclass.sys or kbdhid.sys or i8042ptr.sys" if present then that can of either keylogger or of anti keylogger . Go to that file path and see if it belong to any trusted software or untrusted software by seeing it's properties and digital signature. for that right click on that file and go to "Properties" and go to "Digital Signature" if that is not signed by Microsoft then try to find on internet if it signed by any trusted source or not.

  Completing Soon...

1 comment: