How I Trolled keyloggers

Introduction

• Keyloggers is an archaic method used by malware authors its basically record everything you type on a keyboard.

Deep analysis

• the API we are hacking is GetAsyncKeyState , its one of the most common APIs that used by Keyloggers ,it Determines whether a key is up or down at the time the function is called ,it takes int in arguments, and returns SHORT

• as you can see GetAsyncKeyState is just a wrapper around ntUserGetAsyncKeyState

  

• ntUserGetAsyncKeyState

  

• if you perform a GetAsyncKeyState the execution will be like this :

  

  Notes

  • The real code of ntUserGetAsyncKeyState function runs in Kernel Mode.
  • When a user-mode application calls the Nt or Zw version of a native system services routine, the routine always treats the parameters that it receives as values that come from a user-mode source that is not trusted .

Patching GetAsyncKeyState :

• first thing we do is locate GetAsyncKeyState in memory then we overwrite the first 12 bytes and make it jump to our fake function .

  

• if the specified key is down/pressed GetAsyncKeyState returns 0x8001 or -32767 in decimal to abuse it ,we create an array of characters of our choice and return -32767 in every character so the keylogger log it sequentially ,then we returns 0 everytime GetAsyncKeyState get called so the keylogger get blocked from logging .

  unsigned char	msg[] = {
  'T','R','O','L','L','E','D'
  };
  

  

• our function in memory:

  

Result

https://user-images.githubusercontent.com/60795188/181157761-695dec5c-3559-4d85-b59e-5ddc83a5bf64.mp4

Lastly

• im planning to make a highly effective program that detect all ( high/low ) level and both direct/indirect syscalls keyloggers and shut them down .