KeyLogger

Again. They have this feature in settings. The "Install global hook " checkbox This feature is broken. It's a bug.

itman, keeps learning programming. First, the function SetWindowsHooksEx is from user32.dll not kernel32, it hooks windows messages infrastructure. Second, these dlls are just wraps or proxies for system calls and interprocess communications. You can statically link all its code into your exe file and make a nonportable program completely independent from any dll. The actual system calls are done through INT and SYSCALL instructions on x86 processors. Have developers ever come to this forum? Admins, have you reported the bug?

I've tested it with notepad application in the video. I've tried to add notepad.exe in files section. It didn't work. Probably because "all files" option already covers "notepad.exe" right?

And the HIPS Install global hook rule is just a do nothing checkbox. Right?

WAT? The video of its action was recorded on Win7. I've tested it on Win10 too. I have already written about this. The video was downloaded and watched by you. Stop spamming the thread please.

itman, from your comments I come to conclusion that you either not a programmer or trying hard to divert conversation from the actual issue by spamming in the thread. Debunking user32.dll BS: HIPS is able to catch file accesses. File accesses are done through even more core dll then user32, through kernel32.dll. Eset HIPS module is able to detect it. Also the term "kernel space global root table" was just made up by you, there is no such term in system programming. Actually this is done through a very different mechanism, it is not achieved by dll function calls instrumentation, because malicious program would be able to remove this instrumentation from its address space then. Debunking Powershell BS: Powershell is just a script language interpreter. Just like JavaScript running in a browser. How its extension and syntax are even relevant to the issue? All native programs running on the system are able to call this standard SetWindowsHookEx API. Even those started by unprivileged user. Debunking Online Payment Protection: I've tested it and indeed keylogger isn't able to log text entered in the browser that it launches. I am really curious how it is achieved and why this is not system wide. But passwords are also entered during Skype logins, windows logins, in bitcoin wallets, any text entered by user in a standalone app may be interesting to attacker. Now back to the issue. Eset is marketing Internet Security product as a tool that blocks keyloggers. It has the rule in HIPS that suppose to block hooks. This feature is not working and the rule is never signalled. Sorry if this sounds harsh, but please if you have something meaningful to add then go on and add, otherwise please stop distracting us from the actual issue. I have no intention to argue with you and debunk your misleading comments with all this made up terms and exercises in powershell scripting. I've started the thread to receive comments from actual developers or support staff. If it is a bug then open it in bugtracker and inform us here when it will be fixed. Other users may also be interested.

I've tested them on Win 10 too. Neither ESET nor Yandex were able to catch my simple keylogger. Ghostpress is working, only if it is started before the keylogger and it doesn't report it. Keylogger will still be present in the system undiscovered but Ghostpress overwrite virtual key codes reported to hooks down the chain so the keylogger is not able to log characters. I see that admins aren't interested in reporting the bug and no developers have come. Ok then. Bye.

I have posted a video in wich keylogger logged keypresses made in another application. What other proofs do you want? I have already told you that it doesn't inject dll on Win7. It do install hook and log keypresses though. The advertised keylogger detection feature is broken and the rule "Install global hook" doesn't work.

Stop this speculations pleas. I am the author of this program. It does call SetWindowsHookEx, the program was written by me 15 years ago. It was demanded to put hook function into dll back then. It is still required according to MSDN though it doesn't inject anything in Win7 and later. The program doesn't install any drivers. It just call SetWindowsHookEx and log keypresses. See the video. It worked. And NOD didn't stop it. It can even be run from unprivileged user and still able to log keypresses systemwide. The advertised keylogger detection feature is broken and the rule "Install global hook" doesn't work.

Admins, please file the bug report then

It seems that it really doesn't inject this dll. It was the case for XP and is not the case for Win7. Good. This explains why the second rule didn't trigger. But why the first rule "install global hook" didn't trigger too? The hook was obviously installed. It captured keypresses and logged the phrase I typed.

See the video. I am not using a kernel mode keylogger. I explain how SetWindowsHook works. The kernel is injecting the dll you provide. If it is not designed to block keylogging activity then what this global hook rule is supposed to do? And why is it marketed as such?

That is how keyboard hooks are working on Windows. You must implement the hook function in dll and set it using the SetWindowsHookEx. And then the windows itself inject this dll into every other process running. There can't be any global hooks without a dll. What does this global hook rule means then? And what application should I ban from injecting dll into other processes if it is done by windows kernel? Should I ban the windows kernel itself? I've rebooted my test VM and added the rule for "Modify state of another application" as well. It doesn't work. Here is the video attached. nod.zip

I've tried both block and ask. It doesn't work. No diagnostic is shown and logs are empty.

I did the above. It doesn't block nor ask anything when I am running my small keylogger. I can make a screencap video of this.