Pengrey / Keylogger


NtUserGetAsyncKeyState jumps into ntdll.KiUserCallbackDispatcher #1

Open Chaoui-lpb opened 1 month ago

Chaoui-lpb commented 1 month ago

Hello,

I tried the part of your project called "NtUserGetAsyncKeyState" with the direct syscalls. Unfortunately, after running the keylogger, I realised that it didn't work. So I decided to investigate with x64dbg. From there, I realised that after going into the direct syscall assembly instructions, RIP seemed to jump into the ntdll.KiUserCallbackDispatcher function and then stop. The image below shows the jump after passing through the assembly instructions.

[image: x64dbg screenshot of the jump into ntdll.KiUserCallbackDispatcher]

Pengrey commented 1 month ago

Sadly, I noticed that while I worked on this. Due to time constraints I wasn't able to fix the issue, though, and for the time being I will not be able to work on this, sadly. But if you later have a fix, feel free to make a PR o/

Chaoui-lpb commented 1 month ago

Thank you for your reply. At the moment, I have no idea where to start to understand where it could be coming from, but if I find it I'll let you know.

Chaoui-lpb commented 1 month ago

I found something really interesting this morning. If, at the start of your function, you load the user32.dll library, it'll fail the first time but it'll work all other times. The User32 library seems to initialize some things (I don't know what exactly) in order for win32u to work correctly. On top of that, if you call GetAsyncKeyState(1) at the start of your function, it won't fail, even the first time. Some weird behaviours to debug, but these are a few steps towards a solution.

HMODULE hModule = LoadLibraryA("user32.dll");

Pengrey commented 1 month ago

Kinda weird that it's not crashing on vkey == 1 tbh; I needed to supply a range far from 0 for it to use and not crash, as seen in the code comment disassembly.

Chaoui-lpb commented 1 month ago

I don't think that I understood what you mean. However, maybe I failed to describe what I've done. It succeeds not because vkey == 1 but because we're making a call to the function. The function surely initializes something in some way, but I don't know what exactly.