DiamondCS Deep System Explorer

Detection Example: DSE vs Global Hotkeys

Description: Hotkeys are a type of event hook that is triggered when a registered key combination has been pressed. A hotkey is registered to a specific window (which may be hidden) in the program doing the hooking, so that when the hotkey is pressed that window is notified with a WM_HOTKEY window message.

As hotkeys are global (the keystroke is captured regardless of which application has focus), they can be used to build keyloggers. Multi-key sequences such as Ctrl+Alt+Del can also be registered.

Unfortunately, however, there has never been a conventional way to enumerate or list the hotkeys on a system ... until now! DSE is the first program to have this capability.


Detection: We created a simple program (c:\f10hotkey.exe) and made it register a single key sequence - ALT+F10.

Here you can see that DSE easily sees c:\f10hotkey.exe (process ID 432):

TID indicates the ID of the thread that handles the messages sent to the window, and we can see exactly when that thread was created.

We can also see the window that is registered to receive the hotkey notifications - its hWnd (window handle) is B011E, its class name is "#32770", and its window title is "HotKey (Alf-F10)".

Below that is a list of all the hotkeys assigned to that window, which in this case is just the ALT+F10 sequence.

We can also see that 4 threads in 3 other processes (csrss.exe, winlogon.exe and explorer.exe) have registered hotkeys, and now, for the first time thanks to DSE, we can see exactly what they are, which programs they come from, and much more.

Here we can see the hotkeys on Windows XP:

You can see, for example, that the Ctrl+Alt+Delete secure attention sequence is registered to a window entitled "SAS window" that belongs to the winlogon.exe process.
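As an added example (not DiamondCS code and not the page's f10hotkey.exe), here is the Win32 mechanism described above in a small C program: it registers the same Alt+F10 hotkey as the test program, waits for the WM_HOTKEY notification, and decodes the message's lParam (low word = modifier flags, high word = virtual-key code) into combination names of the kind DSE displays, such as "Alt+F10" and "Ctrl+Alt+Delete". The decoder builds on any host; the registration part compiles only on Windows. The function and constant names are this example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Modifier flags and virtual-key codes as defined in <winuser.h>, spelled out
   here so the decoder also builds on a non-Windows host. VK_F1..VK_F24 = 0x70..0x87. */
enum { HK_MOD_ALT = 1, HK_MOD_CONTROL = 2, HK_MOD_SHIFT = 4, HK_MOD_WIN = 8,
       HK_VK_DELETE = 0x2E, HK_VK_F1 = 0x70, HK_VK_F10 = 0x79 };

/* Decode a WM_HOTKEY lParam (low word = modifier flags, high word = virtual-key
   code) into a name such as "Alt+F10". Returns a static buffer (not reentrant). */
const char *hotkey_name(uint32_t lparam) {
    static char out[64];
    unsigned mods = lparam & 0xFFFFu, vk = (lparam >> 16) & 0xFFFFu;
    out[0] = '\0';
    if (mods & HK_MOD_CONTROL) strcat(out, "Ctrl+");
    if (mods & HK_MOD_ALT)     strcat(out, "Alt+");
    if (mods & HK_MOD_SHIFT)   strcat(out, "Shift+");
    if (mods & HK_MOD_WIN)     strcat(out, "Win+");
    size_t n = strlen(out);
    if (vk == HK_VK_DELETE)
        strcat(out, "Delete");
    else if (vk >= HK_VK_F1 && vk <= HK_VK_F1 + 23)
        snprintf(out + n, sizeof out - n, "F%u", vk - HK_VK_F1 + 1);
    else if ((vk >= '0' && vk <= '9') || (vk >= 'A' && vk <= 'Z'))
        snprintf(out + n, sizeof out - n, "%c", (char)vk); /* VK_0-9, VK_A-Z equal ASCII */
    else
        snprintf(out + n, sizeof out - n, "VK_0x%02X", vk); /* anything else: raw code */
    return out;
}
#ifdef _WIN32
#include <windows.h>
/* Same setup as the page's f10hotkey.exe: register Alt+F10 and report each
   WM_HOTKEY. A NULL hWnd queues the message to this thread rather than a window. */
int main(void) {
    MSG msg;
    if (!RegisterHotKey(NULL, 1, MOD_ALT, VK_F10)) return 1;   /* fails if already taken */
    while (GetMessage(&msg, NULL, 0, 0) > 0)
        if (msg.message == WM_HOTKEY)
            printf("hotkey %s pressed (id %u)\n",
                   hotkey_name((uint32_t)msg.lParam), (unsigned)msg.wParam);
    UnregisterHotKey(NULL, 1);
    return 0;
}
#else
int main(void) {   /* off Windows: just decode the combination f10hotkey.exe registers */
    printf("%s\n", hotkey_name((HK_VK_F10 << 16) | HK_MOD_ALT));   /* Alt+F10 */
    return 0;
}
#endif
```

Because a NULL hWnd is used, a tool like DSE would attribute this hotkey to the registering thread rather than to a named window; pass a real window handle to reproduce the per-window listing shown above.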



Copyright © 2008, Diamond Computer Systems Pty. Ltd.  All rights reserved.