Attack Method: Keystroke Recorders (Keyloggers)
Description: Keystroke recorders (a.k.a. keyboard loggers, keyloggers,
keystroke hookers, etc.) are programs that record the keys pressed on the
keyboard. Usually a program only needs to see the keys pressed in its own
windows, but some programs need to capture every key pressed in every program.
A trojan, for example, might want to record all of your keystrokes so as to see
which usernames and passwords you type, which websites you visit, and what you
say in chat sessions. To achieve this, the program must install a global
keyboard hook, which it does by calling the SetWindowsHookEx function in
user32.dll (see also the Hook Attacks section). A global keyboard hook of the
WH_KEYBOARD type takes the form of a DLL that Windows loads into every process
that has user32.dll loaded, so the hook procedure runs inside the victim
programs themselves.
SOLUTION: DiamondCS Process Guard prevents keystroke recorders from installing global keyboard hooks by controlling access to the SetWindowsHookEx function in user32.dll. Note that this covers hook-based recorders: a keylogger that polls key state directly or sits in a kernel driver does not go through SetWindowsHookEx, so this particular option does not apply to it.
Case Example:
We've created a simple, safe keystroke recorder that you can use to test
whether keystroke recorders will work on your system (and unless your system
is protected by Process Guard, they almost certainly will be able to record
your keystrokes). The program can be downloaded from http://www.diamondcs.com.au/downloads/keyhook.exe
When you run the demo, every key you press in any program that has
user32.dll loaded (most do) is intercepted by keyhook.dll, the DLL the Keyhook
demo passes to SetWindowsHookEx to hold the global keyboard hook procedure.
All the demo does with each key is harmlessly display it, as seen in this
screenshot:
If it were a trojan instead, it could do far worse: change the key that was pressed, disable certain keys, log all of your keystrokes to a file and transmit them over the Internet, trigger other actions when particular keys are pressed, and so on. Consequently, it's a good idea to prevent the creation of global keyboard hooks by using Process Guard.
If you run the demo while Process Guard's Block Global Hooks General Option
is enabled, you won't see any keystrokes recorded at all, not even those you
type into the KeyHook Demo window itself. This is because Process Guard blocks
the hook installation, as seen in this screenshot:
The alert also shows that the hook type was a Keyboard hook, which makes it plain that the program did indeed try to create a global keyboard hook.
If you ever find a rare situation where a program legitimately needs to create
a global keyboard hook (such as the Keyhook demo itself), you can permit it by
giving that program an Allow Global Hooks rule, such as this:
Related websites:
Wikipedia: Keyloggers
Wikipedia: Keystroke logging
MSDN: SetWindowsHookEx
Copyright © 1999 - 2010, Diamond Computer Systems Pty. Ltd. All rights reserved.