The program is a keylogger.
The program uses hook injection to steal keystrokes.
The program creates the file practicalmalwareanalysis.log to store the keystrokes.
Since we’ve already analyzed this binary in the labs for Chapter 3, and it was extracted as part of Lab 12-2 Solutions, let’s begin by opening the file with IDA Pro to examine the function imports. The most interesting of the imports is SetWindowsHookExA, an API that allows an application to hook or monitor events within
In Example C-76, we see that SetWindowsHookExA is called from main at ❶. The MSDN documentation shows that the first parameter, 0Dh, corresponds to WH_KEYBOARD_LL, which enables monitoring of keyboard events ...
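The immediate pushed just before the call to SetWindowsHookExA tells the analyst which hook type is installed, and that idiom can be turned into a static triage check. The script below is an added example, not code from the book or the lab binary; the function names and the sample byte string are constructed for illustration.

```python
# Added example: a byte-pattern triage heuristic for the hook-installation
# idiom discussed above (push <hook id> immediately followed by an indirect
# call through an import slot such as SetWindowsHookExA). Function names and
# the sample bytes are constructed for illustration, not taken from the lab.
import struct
from typing import List, Tuple

# Win32 WH_* hook identifiers (first parameter of SetWindowsHookEx).
HOOK_IDS = {
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 5: "WH_CBT", 7: "WH_MOUSE",
    12: "WH_CALLWNDPROCRET", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
# Hook types that can capture keystrokes; WH_KEYBOARD_LL (0Dh) is the one here.
KEYSTROKE_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL", "WH_GETMESSAGE"}

def find_hook_installs(code: bytes) -> List[Tuple[int, int, str, int]]:
    """Scan raw x86 code for `push imm8` (6A xx) directly followed by
    `call dword ptr [imm32]` (FF 15 xx xx xx xx), the sequence a compiler
    emits for SetWindowsHookExA(<id>, ...) called via the import table.
    Returns (offset, hook_id, hook_name, import_slot_address) tuples."""
    hits = []
    i = 0
    while i + 8 <= len(code):
        if code[i] == 0x6A and code[i + 2] == 0xFF and code[i + 3] == 0x15:
            hook_id = code[i + 1]
            slot = struct.unpack_from("<I", code, i + 4)[0]
            hits.append((i, hook_id, HOOK_IDS.get(hook_id, "UNKNOWN"), slot))
            i += 8
        else:
            i += 1
    return hits

def keystroke_hooks(code: bytes) -> List[str]:
    """Names of keystroke-capturing hook types installed by the code."""
    return [name for _, _, name, _ in find_hook_installs(code)
            if name in KEYSTROKE_HOOKS]

# Constructed sample mirroring the call sequence in the listing:
#   push 0 ; push [ebp+8] ; push offset hook_proc ; push 0Dh ; call [IAT slot]
SAMPLE = bytes.fromhex(
    "6A00"              # push 0           (dwThreadId)
    "FF7508"            # push [ebp+8]     (hMod)
    "6810104000"        # push 0x401010    (lpfn, the hook procedure)
    "6A0D"              # push 0Dh         (WH_KEYBOARD_LL)
    "FF1500204000"      # call [0x402000]  (SetWindowsHookExA import slot)
    "6A0D59"            # push 0Dh ; pop ecx: same immediate, not a hook call
    "6A07FF1504204000"  # push 7 ; call [0x402004]: WH_MOUSE, not keystrokes
)

if __name__ == "__main__":
    for off, hid, name, slot in find_hook_installs(SAMPLE):
        print(f"+0x{off:04x}: hook id 0x{hid:02X} ({name}) via [0x{slot:08X}]")
    print("keystroke hooks:", keystroke_hooks(SAMPLE))
```

The check is a heuristic: a compiler may pass the hook id through a register or use a direct `call` to a thunk, so treat a hit as a lead to confirm in IDA Pro, not as proof on its own.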