SetWindowsHookExA, an API that allows an application to hook or monitor events within Microsoft Windows. In , we see that SetWindowsHookExA is called from main at ❶. The MSDN documentation shows that the first parameter, 0Dh, corresponds to WH_KEYBOARD_LL, which enables monitoring of keyboard events using the hook function that IDA Pro labeled fn at ❷. The program is probably doing something with keystrokes: the fn function will receive every keystroke.
cmp, in order to process each keypress once. At ❸, the program passes (mov) the virtual key code to the function sub_4010C7, shown later in bold.

Examining sub_4010C7, we see that the program first opens a file, practicalmalwareanalysis.log. After this, the malware calls GetForegroundWindow followed by GetWindowTextA, as shown in . First, GetForegroundWindow returns the window that was active when the key was pressed, and then the program grabs the title of that window using GetWindowTextA. This gives the program context for where the keystrokes originated.
var_C contains the virtual key code that was passed into the function, we see the virtual key code used as an index into a lookup table at ❷. The value received from the lookup table is used as an index into the jump table off_401441 at ❶. off_401441. This returns the location loc_401249, where we find the string [SHIFT] written to the log file.

Example C-80. The offset table for byte_40148D

    byte_40148D db 0, 1, 12h, 12h
                db 12h, 2, 12h, 12h
                db 3, 4, 12h, 12h
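The two-level dispatch described above (a byte offset table selecting a slot in a jump table) is the pattern a compiler emits for a switch with sparse case values. The following Python is an added example, not code from the book or from the lab binary: it models that resolution so an analyst can see which index values reach a dedicated handler and which fall through to the default. The byte values are the first twelve bytes of byte_40148D from Example C-80; the handler names, the jump-table contents and the treatment of 12h as the default-case slot are assumptions made for illustration.

```python
# Added example (not from Practical Malware Analysis or the lab sample):
# resolve a compiler-generated two-level switch table of the kind IDA shows
# for sub_4010C7: index -> byte offset table -> jump table -> handler label.

# Offset table: the key-derived index selects one byte here.
# Values are the first twelve bytes of byte_40148D from Example C-80.
OFFSET_TABLE_BYTE_40148D = bytes(
    [0x00, 0x01, 0x12, 0x12,
     0x12, 0x02, 0x12, 0x12,
     0x03, 0x04, 0x12, 0x12]
)

# Assumption: 12h is the highest value in the table and compilers place the
# default case in the last slot, so 12h is treated as the default-case slot.
DEFAULT_CASE = 0x12

# Constructed stand-in for the jump table off_401441: one label per case slot.
# Real labels (such as loc_401249 for [SHIFT]) are deliberately not assigned.
JUMP_TABLE_OFF_401441 = [f"case_{i:02x}" for i in range(DEFAULT_CASE)] + ["default"]


def resolve_case(index, offset_table=OFFSET_TABLE_BYTE_40148D,
                 jump_table=JUMP_TABLE_OFF_401441):
    """Return the jump-table label reached for a given offset-table index.

    Mirrors the compiled pattern: a range check (out-of-range indices go to
    the default label), a movzx from the byte table, then an indirect jmp
    through the dword jump table.
    """
    if not 0 <= index < len(offset_table):
        return jump_table[-1]
    case = offset_table[index]
    if case >= len(jump_table):
        raise ValueError(f"offset table entry {case:#x} exceeds the jump table")
    return jump_table[case]


def group_by_handler(offset_table=OFFSET_TABLE_BYTE_40148D,
                     jump_table=JUMP_TABLE_OFF_401441):
    """Map each handler label to the sorted list of indices that reach it."""
    groups = {}
    for index, case in enumerate(offset_table):
        groups.setdefault(jump_table[case], []).append(index)
    return groups


if __name__ == "__main__":
    # Print the grouping an analyst would build by hand from the two tables.
    for label, indices in sorted(group_by_handler().items()):
        print(f"{label:10s} <- indices {indices}")
```

Run as a script, it lists which indices share the default handler (2, 3, 4, 6, 7, 10, 11 for the bytes shown) and which five indices have a dedicated case; in the real binary those dedicated cases are where strings such as [SHIFT] get written to the log, so grouping the table this way tells you immediately which keys the logger names specially.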
We are able to conclude that this malware is a keylogger that logs keystrokes to the file practicalmalwareanalysis.log. This keylogger uses SetWindowsHookEx to implement its keylogging functionality.