
Keyloggers: A Review on Types and Techniques

Shubhangi Priya, Garima Srivastava, Namrata Dhanda

Abstract


With security systems and operating systems ever evolving, cybercriminals are also evolving to find any breach in a security system and take advantage of that narrow door to get sensitive information from our devices, malware being one of their means. Malware is known by various names depending on the context; the most common are malicious code (MC), malicious software and malcode. McGraw and Morrisett characterize malicious code as "any code added, changed, or eliminated from a product framework to deliberately cause hurt or sabotage the expected capacity of the framework". A keylogger is a tiny program that runs in the background without the knowledge of the owner and saves all keystrokes from the keyboard, sending the log of the captured information to a particular hacker or to a server used by those hackers. Cybercriminals use keylogging techniques to get sensitive information such as your user IDs for different sites along with your passwords, confidential intellectual property, and any other information that can be profitable for them. Cybercriminals' attack tools are also becoming more diverse; keyloggers in particular are evolving fast and, with this growth, are becoming harder to catch even with all the safety measures in place. This paper focuses on how keyloggers work, what their types are, how a keylogger can be detected if it is present in the system, and how a user can prevent their system from being affected by keyloggers.

References


When it starts, the OS creates the raw input thread and the system hardware input queue in the csrss.exe process.

The raw input thread continually sends read requests to the keyboard driver, which remain in a waiting state until an event from the keyboard appears [4].

When the user presses a key on the keyboard, the keyboard microcontroller detects that a key has been pressed and sends both the scan code of the pressed key and an interrupt request to the PC.

The keyboard system controller receives the scan code, processes it, then makes it available on input/output port 60h and generates a CPU hardware interrupt.

The interrupt controller signals the CPU to invoke the interrupt handling routine for IRQ1, the ISR, which is already registered in the system by the functional keyboard driver i8042prt.

The ISR reads the data received from the internal keyboard controller queue, translates the scan codes to virtual key codes and queues "I8042KeyboardIsrDpc", a deferred procedure call (DPC).

As soon as reasonably possible, the system calls the DPC, which in turn executes the callback procedure KeyboardClassServiceCallback registered by the keyboard class driver.

The KeyboardClassServiceCallback procedure extracts a pending read request from the raw input thread from its queue and returns it with data about the key pressed (Figure 2).

The raw input thread saves the data to the system hardware input queue and uses it to create the basic Windows keyboard messages WM_KEYDOWN and WM_KEYUP, which are placed at the end of the virtual input queue (VIQ) of the active thread.

The thread's message-processing loop then removes the message from the queue and sends it to the corresponding window procedure for processing. When this happens, the system function TranslateMessage may be called, which uses the basic keyboard messages to create the additional "character" messages WM_CHAR, WM_SYSCHAR, WM_DEADCHAR, and WM_SYSDEADCHAR.
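The stages above can be traced with a small portable model. This is an added example, not code from the paper or from Windows: scan_to_vk and trace_keys are hypothetical names, only four keys of scan code set 1 are mapped, and the translation is done in the ISR stage as the text describes. The message identifiers and virtual key values are the real winuser.h constants.

```c
#include <stdio.h>
#include <stddef.h>

/* Real Windows message identifiers and virtual key value (winuser.h). */
enum { WM_KEYDOWN = 0x0100, WM_KEYUP = 0x0101, WM_CHAR = 0x0102 };
enum { VK_SHIFT = 0x10 };

typedef struct { unsigned msg; unsigned wparam; } Msg;

/* ISR stage (simplified): scan code set 1 make code -> virtual key code. */
static unsigned scan_to_vk(unsigned char make) {
    switch (make) {
    case 0x2A: return VK_SHIFT;   /* left Shift */
    case 0x1E: return 'A';        /* letter VKs equal uppercase ASCII */
    case 0x23: return 'H';
    case 0x17: return 'I';
    default:   return 0;          /* not mapped in this model */
    }
}

/* Takes bytes as they would be read from port 60h and fills out[] with the
   messages the window procedure would receive. Returns the message count. */
size_t trace_keys(const unsigned char *codes, size_t n, Msg *out, size_t cap) {
    size_t k = 0;
    int shift = 0;
    for (size_t i = 0; i < n; i++) {
        int released = codes[i] & 0x80;           /* break code = make | 0x80 */
        unsigned vk = scan_to_vk(codes[i] & 0x7F);
        if (!vk || k + 2 > cap) continue;         /* skip unmapped key / full buffer */
        /* Raw input thread stage: basic keyboard message */
        out[k++] = (Msg){ released ? WM_KEYUP : WM_KEYDOWN, vk };
        if (vk == VK_SHIFT) { shift = !released; continue; }
        /* TranslateMessage stage: character message for a key press */
        if (!released)
            out[k++] = (Msg){ WM_CHAR, shift ? vk : vk + 32 };
    }
    return k;
}

int main(void) {
    /* Constructed sample: Shift down, H down/up, Shift up, I down/up */
    const unsigned char sample[] = { 0x2A, 0x23, 0xA3, 0xAA, 0x17, 0x97 };
    Msg m[16];
    size_t n = trace_keys(sample, sizeof sample, m, 16);
    for (size_t i = 0; i < n; i++)
        printf("msg=0x%04X wParam=0x%02X\n", m[i].msg, m[i].wparam);
    return 0;
}
```

In real Windows the character produced depends on the active keyboard layout and full modifier state; the fixed offset of 32 here only covers unshifted Latin letters.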

