Hi,

I have a program called e.g. keylogger.exe uses a module keylogger.dll. In this module there is a function getkeyboardstate() to get what user types (intercept the keystrokes). I have implemented a program (e.g hookapi.exe) which uses a system-wide hooking which replaces the getkeyboardstate() with mygetkeyboardstate() and use GetModuleFileName() in order to know which program is calling the getkeyboardstate() function. Unfortunately, it does not show me the origion of this function!

To make this clear for you, suppose that a keylogger.exe is currently working in my system as well as my hookapi.exe. The keylogger.exe is implementing a system-wide hooking (using SetWindowsHookEx() and UnHookWindowsHook()) to intercept keystrokes by using GetKeyboardState(). On the other hand, the hookapi.exe is using a system-wide hook to monitor which program is using a Getkeyboardstate() function. When I open a notepad.exe and starts to type, my hookapi.exe shows that notepad.exe is calling getkeyboardstate() instead of keylogger.exe! I have used GetModuleFileName() to show the calling program.

My question is that how can I know that the keylogger.exe is the one who is using this function.

Thanks in advance

SetWindowsHookEx actually injects code into all running processes when you make it a global hook like that. Thusly, keylogger.exe isn't actually ever the 'original' caller. Can you spend your time doing anything other than this skiddy?

Thanks but is there anyway to know which program has injected its code in the running processes!

You may want to explore the INFO & debugging tools (such as windbg.exe.,)
http://www.microsoft.com/whdc/devtools/debugging/default.mspx

Thanks
G