From the course: Windows Performance Toolkit: Spyware Detection


Finding the keylogger hooks, part 2


- We have narrowed our search for the keylogger. We now need to find the evidence that we were indeed being recorded by inspecting the call stacks of the threads that belong to these processes. We're looking for calls to anything related to hooks and KBDLLHOOKSTRUCT. So let's start inspecting. Let's go from top to bottom. Let's click on the drop-down arrow for svchost. We will now see the thread's New Thread Id column, and if we look at the graph, we see that only one thread is active the entire time we are pressing keys in Notepad. Thread Id 420 is the only one that comes in and is active while we are pressing and holding down a button in Notepad. So let's click on the drop-down arrow button next to [Root] and inspect the thread stack for this thread. We can see a User GetMessage call, but if we look at the UserCallbackDispatcher, this should give us the name of the callback procedure. So let's click on the arrow next to UserCallbackDispatcher and bingo, look at that…
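The manual stack walk described in the transcript (expand the thread, find the UserCallbackDispatcher frame, read the callback procedure beneath it, and look for anything hook-related or referencing KBDLLHOOKSTRUCT) can be automated once the stacks are exported as text. The script below is an added example and not part of the course or of the Windows Performance Toolkit; the export format (one thread per line, tab-separated process, thread id and a semicolon-separated frame list, outermost frame first), the process and thread ids, and the module and function names in the sample stacks are all constructed for illustration.

```python
from __future__ import annotations

# Substrings the course tells the analyst to look for in the callback chain:
# anything hook-related and the KBDLLHOOKSTRUCT structure name. Compared
# case-insensitively so "Hook", "HOOK" and "hook" all match.
HOOK_INDICATORS = ("kbdllhookstruct", "hook")

# Constructed sample of a WPA-style stack export (not a real trace).
# Format: <process>\t<thread id>\t<frame>;<frame>;...  (outermost frame first)
SAMPLE_STACKS = """\
svchost.exe (1776)\t420\tntdll.dll!RtlUserThreadStart;user32.dll!GetMessageW;ntdll.dll!KiUserCallbackDispatcher;user32.dll!__fnHkINLPKBDLLHOOKSTRUCT;unknown.dll!HookProc
svchost.exe (1776)\t436\tntdll.dll!RtlUserThreadStart;ntdll.dll!NtWaitForSingleObject
notepad.exe (5212)\t2040\tntdll.dll!RtlUserThreadStart;user32.dll!GetMessageW;ntdll.dll!KiUserCallbackDispatcher;user32.dll!DispatchMessageW;notepad.exe!NPWndProc
"""


def parse_stacks(text: str):
    """Yield (process, thread_id, frames) for each non-empty line of the export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        process, tid, frames = line.split("\t")
        yield process, int(tid), frames.split(";")


def callback_chain(frames: list[str]) -> list[str]:
    """Return the frames called from the (first) UserCallbackDispatcher frame.

    This mirrors the transcript's step of expanding UserCallbackDispatcher to
    read the callback procedure name. An empty list means the thread was not
    executing a user-mode callback at all.
    """
    for index, frame in enumerate(frames):
        if "UserCallbackDispatcher" in frame:
            return frames[index + 1:]
    return []


def find_hook_threads(text: str) -> dict[tuple[str, int], dict]:
    """Map (process, thread id) -> details for threads whose callback chain
    contains a hook-related frame.

    Only frames below UserCallbackDispatcher are examined, so an ordinary
    window procedure (as in the Notepad sample) is not reported even though
    it also runs through the dispatcher.
    """
    hits: dict[tuple[str, int], dict] = {}
    for process, tid, frames in parse_stacks(text):
        chain = callback_chain(frames)
        suspicious = [
            frame for frame in chain
            if any(indicator in frame.lower() for indicator in HOOK_INDICATORS)
        ]
        if suspicious:
            # The innermost frame tells the analyst which module owns the
            # callback that actually received the keystroke.
            module = chain[-1].split("!", 1)[0]
            hits[(process, tid)] = {
                "frames": suspicious,
                "callback_module": module,
            }
    return hits


if __name__ == "__main__":
    for (process, tid), details in find_hook_threads(SAMPLE_STACKS).items():
        print(f"{process} thread {tid}: callback owned by {details['callback_module']}")
        for frame in details["frames"]:
            print(f"    {frame}")
```

Run against the constructed sample, only svchost thread 420 is reported, with the KBDLLHOOKSTRUCT frame and the module owning the innermost callback; the idle svchost thread and Notepad's own window procedure are left alone. On a real export the thread that is busy while keys are held down in Notepad, as the transcript identifies from the graph, is the one whose reported module deserves follow-up.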
