Posted July 14, 2015
Hello. I'm trying to filter out clicks which are coming from external applications and not the user himself. I tried GetAsyncKeyState, GetKeyState or GetKeyboardState, watched the LPARAM and WPARAM in SetWindowsHook, and it seems that automated keystrokes are the same as the user-made ones... I wonder how some games detect the fake input, any ideas?
Greetz
July 14, 2015
A real keystroke is sent from the keyboard and read by the kernel on a read IRP. On read completion, the kernel gets the scan code from the IRP, which is converted to virtual key codes / human-readable keystrokes and sent to whatever application's window has focus. Functions like SendMessage(MyKeyCode), SendInput(0x41), keybd_event() will only send the message. If you monitor the IRPs with a filter driver, you can see the real ones, because automated keystrokes will not have an IRP since they work at the highest levels (i.e. the Windows messaging system), which is mostly user space.

My approach would be to make a userland application that uses SetWindowsHook(KEYBOARD_HOOK) to monitor all keystrokes. On each keystroke, it would use DeviceIoControl() to query the driver. Upon receiving the IOCTL, the driver will have all the keystrokes stored in a linked list or array. It would then compare the keystroke received in user space to the scan code it read on an IRP. If they don't match, the keystroke was automated. If they do, it came from the hardware keyboard.

I just tested this idea for proof of concept and it works reliably for keyboards. Didn't try with mouse clicks, but I'm pretty sure it's the same concept; the mouse click starts as an IRP. It's not a fast project, but if you post your code I will help.

PS - Once your attacker figures out you're monitoring the kernel, they're going to start making fake IRPs and it'll be impossible to detect what's real and not. They'll always be a step ahead. Keep that in mind ; )
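The user-mode half of the correlation described in the reply above, as an added example that is not code from the original thread. The kernel part (a keyboard filter driver that records the scan code from each completed read IRP and hands its list to user mode over an IOCTL) is assumed and not shown; an in-process FIFO stands in for it, with `hw_queue_push` playing the role of "the driver saw this scan code on an IRP". The matching rule is the one the reply gives: the event the WH_KEYBOARD hook reports either lines up with the oldest unmatched hardware event (keyboard) or it does not (injected). The scan codes, the helper names and the sample sequence are constructed for the demonstration.

```c
/* Added example: user-mode correlation of hook events against scan codes
 * captured by a (hypothetical, not shown) keyboard filter driver. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HW_QUEUE_CAP 64

/* One keyboard report as the driver would capture it from a read IRP:
 * scan code plus make (press) / break (release). */
typedef struct {
    unsigned short scancode;
    bool           released;
} hw_event_t;

/* Ring buffer standing in for the driver's linked list / array. */
typedef struct {
    hw_event_t buf[HW_QUEUE_CAP];
    size_t     head, count;
} hw_queue_t;

static void hw_queue_init(hw_queue_t *q) { memset(q, 0, sizeof *q); }

/* "Driver side": would run on read-IRP completion; simulated here. */
static bool hw_queue_push(hw_queue_t *q, unsigned short scancode, bool released)
{
    if (q->count == HW_QUEUE_CAP) return false;   /* drop on overflow */
    size_t tail = (q->head + q->count) % HW_QUEUE_CAP;
    q->buf[tail].scancode = scancode;
    q->buf[tail].released = released;
    q->count++;
    return true;
}

typedef enum { KEY_HARDWARE, KEY_INJECTED } key_origin_t;

/* User-mode side, called from the WH_KEYBOARD hook for each event.
 * In that hook, bits 16-23 of lParam carry the scan code and bit 31 the
 * transition state (1 = key being released).  A match against the oldest
 * unmatched hardware event consumes it; a mismatch consumes nothing, so a
 * later genuine keystroke still lines up with its own IRP. */
static key_origin_t classify_hook_event(hw_queue_t *q, unsigned short scancode, bool released)
{
    if (q->count == 0) return KEY_INJECTED;        /* nothing reached the driver */
    const hw_event_t *oldest = &q->buf[q->head];
    if (oldest->scancode == scancode && oldest->released == released) {
        q->head = (q->head + 1) % HW_QUEUE_CAP;
        q->count--;
        return KEY_HARDWARE;
    }
    return KEY_INJECTED;
}

/* Constructed scenario: the user types 'A' (scan code 0x1E) then 'B'
 * (0x30) and the driver sees both; in between, a bot calls SendInput for
 * 'C' (0x2E), which reaches the hook but never produced an IRP.
 * Returns how many hook events were classified as injected. */
static int demo_injected_count(void)
{
    hw_queue_t q;
    hw_queue_init(&q);
    /* what the driver captured, in order */
    hw_queue_push(&q, 0x1E, false); hw_queue_push(&q, 0x1E, true);
    hw_queue_push(&q, 0x30, false); hw_queue_push(&q, 0x30, true);

    /* what the user-mode hook saw, in order */
    struct { unsigned short sc; bool up; } hook[] = {
        {0x1E, false}, {0x1E, true},     /* A from the keyboard */
        {0x2E, false}, {0x2E, true},     /* C from SendInput: no IRP behind it */
        {0x30, false}, {0x30, true},     /* B from the keyboard */
    };
    int injected = 0;
    for (size_t i = 0; i < sizeof hook / sizeof hook[0]; i++) {
        key_origin_t o = classify_hook_event(&q, hook[i].sc, hook[i].up);
        printf("scancode 0x%02X %s -> %s\n", (unsigned)hook[i].sc,
               hook[i].up ? "up  " : "down", o == KEY_HARDWARE ? "hardware" : "injected");
        if (o == KEY_INJECTED) injected++;
    }
    return injected;   /* 2: the C press and the C release */
}

int main(void) { return demo_injected_count() == 2 ? 0 : 1; }
```

The comparison is by head-of-queue only, as the reply describes, so an injected event is reported without disturbing the pairing of the next real keystroke with its IRP. The reply's own caveat applies: an attacker who moves below the hook (a fake IRP, or a driver of their own) produces entries in the driver's list too, and this correlation can no longer tell them apart.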
July 14, 2015 Author
Well, I found a trick with a usermode approach, gonna test if it gives some false positives. Generally speaking, some magic with SetWindowsHook WH_KEYBOARD.
July 14, 2015
SetWindowsHook() monitors all messages at their highest level. It won't help you determine what's coming from hardware. If you SendInput("A"), it will catch that; try with a virtual keyboard to see...
July 14, 2015
You can do it simply by being tricky. The fact that a bot enters keystrokes into your app so fast is good enough to get rid of it... how? Well, you can check how many char(s) are entered per millisecond, and if it was so fast then it's a bot that we're dealing with. For the time matter, I think GetTickCount will do, and you can determine the number of milliseconds by trial and error. Regarding the copy and paste case, check whether the fast-entered text is identical to the one in the clipboard.
Edited July 15, 2015 by Alzri2
July 15, 2015
Using SetWindowsHookEx, you can set a hook on WH_KEYBOARD_LL. Then any input seen inside of that callback can be checked against the KBDLLHOOKSTRUCT's 'flags' property. You can check for the injected flags 'LLKHF_INJECTED' and 'LLKHF_LOWER_IL_INJECTED'. Obviously this flag can be bypassed in several different ways, but it is a start for something basic if you are not worried about more serious injected input.