Detecting Keyboard Hooks

Question

Is there a way to detect which programs or modules are listening to a keyboard hook? By Sysinternals maybe?

score 4 · Accepted Answer · answered Sep 28 '09 at 13:25

4

This blog post has instructions: http://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/

answered Sep 28 '09 at 13:25

atomice

3,062
17
23

some other links as that one didn't work for me on win7, over here http://stackoverflow.com/a/15676830/107537 – Vijay Mar 28 '13 at 08:05
Your images are missing. – BrainStorm.exe Jul 13 '16 at 22:07

score 1 · Answer 2 · answered Jun 30 '10 at 08:34

It largely depends on what level of abstraction are you obtaining your key presses.
For maximum detection you could use hardware directly or go as low as possible (some hooks work at HW driver-level).

For security purposes, you could also use a virtual keyboard - hooks would have to be targeted specifically at your application to simulate key presses.

score 0 · Answer 3 · answered Sep 23 '09 at 22:41

0

Nope. You would likely have to hook into SetWindowsHookEx() itself in order to detect that.

answered Sep 23 '09 at 22:41

Remy Lebeau

555,201
31
458
770

score 0 · Answer 4 · answered Sep 24 '09 at 02:15

0

I don't think you can, there's no GetWindowsHook function that would return the hook(s). Also, I'm under the impression that the main keyboard processing routine is hooked through SetWindowsHookEx(), so even if there are no hooks, there's at least one, Windows itself.

answered Sep 24 '09 at 02:15

Marc Bernier

2,928
27
45

Thanks; I have guessed that would be at least one. But if there are no ways to do that; that might be a source of horror! – Kaveh Shahbazian Sep 25 '09 at 10:18
If you're concerned about some sort of keyboard monitoring program, maybe you could try another approach - it probably is writing to a file somewhere (or transmitting over a network connection). Filemon could help you see if there's any suspicious file I/O, Wireshark could do the same with network traffic. – Marc Bernier Sep 25 '09 at 13:21
I have McAfee security suite on my laptop and I keep it updated. Hope that helps for some automatic safety. – Kaveh Shahbazian Sep 26 '09 at 11:44
@Kaveh Shahbazian: If the program can hook the keyboard, it could just as easily disable your security suite. IIRC, you need fairly high privileges to hook the keyboard, so if a malware app does this successfully, someone ran it as Administrator. System rooted, game over, sorry. – Piskvor left the building Jun 30 '10 at 08:23
1

@Piskvor: Unless Vista/7's UAC is now preventing it, SetWindowsHookEx() can be executed at any user level. – Marc Bernier Jul 02 '10 at 19:12

Detecting Keyboard Hooks

4 Answers4

Linked