AH | Function
4Fh | Keyboard Intercept
00h | Read Character
01h | Read Input Status
02h | Read Keyboard Shift Status
05h | Store Keystroke in Keyboard Buffer
10h | Read Character Extended
11h | Read Input Status Extended
12h | Read Keyboard Shift Status Extended
if (interrupt == 0x4F) {          // keyboard intercept hook fired
    inputChar   = 0x00;           // AH=00h: read character (AH = scan code, AL = ASCII)
    shiftStatus = 0x02;           // AH=02h: read keyboard shift status
}
// some logic to handle shift-status and interpretation..
print resultChar
mov ah, 0x0e      ; INT 10h function 0Eh: teletype output
mov al, '!'       ; character to write
int 0x10          ; video BIOS service
AH = 00h
Return:
AH = BIOS scan code
AL = ASCII character
Notes: On extended keyboards, this function discards any extended keystrokes, returning only when a non-extended keystroke is available. The BIOS scan code is usually, but not always, the same as the hardware scan code processed by INT 09. It is the same for ASCII keystrokes and most unshifted special keys (F-keys, arrow keys, etc.), but differs for shifted special keys. Some (older) clone BIOSes do not discard extended keystrokes and manage function AH=00h and AH=10h the same. The K3PLUS v6.00+ INT 16 BIOS replacement doesn't discard extended keystrokes (same as with functions 10h and 20h), but will always translate prefix E0h to 00h. This allows old programs to use extended keystrokes and should not cause compatibility problems.
Most keyloggers, as in the ones used to intercept passwords for banking and other online accounts, are generally applications that run 'over' the applications they're meant to intercept passwords from.
There was a popular World of Warcraft password keylogger some time ago that simply affixed itself over the login screen, and when someone typed in their information, it first went to the keylogger and then to the web portal. I had thought that most were similar, but if what you're suggesting is feasible, I'd like to hear how/if you can figure out a way to make it work.
Right, I understand how user-land keyboard hooks and intercepting keyboard messages from applications work. I'm trying to get more information on something that operates at a lower level than the previously mentioned.
If you can figure out a way to make your way work, dude, I'd love to hear about it. Seems like a real pain, but reading through your posts again, seems like you're onto something... hopefully lol
As I've explained, you cannot use BIOS interrupts in Windows because they are intercepted. As unfortunate as it is, it's just part of the way that the system works. You cannot use any of the truly low-level ASM that you're wanting to use because the CPU is running in 'protected' mode. If the system has started Windows, then the lower-level BIOS calls are inaccessible directly. If you load something before the CPU switches from 'real' mode to 'protected' mode then when it actually makes the switch, that software is no longer running and it's useless at that point. The lowest that you can get, within Windows, is via the kernel itself. Your best bet for a keylogger is to create a [virtual] device driver that interposes itself within the rest of the scheme to intercept keyboard I/O prior to handing it off to the normal driver for processing. You will still likely want some userland process, though at this driver level you can hide that process's existence. The userland process will be able to suss out other properties, like which website one visits & what input box someone clicked on, that would be important for information gathering.
Putting all of this together, you need to learn to build a rootkit. This also gets you closer to interfacing directly with the hardware, and more options may open. I would suggest, personally, not trying to replace the keyboard driver altogether but ensuring that you understand how it works. You'll be receiving messages quickly and you cannot afford to let the system wait on your code, so trying to compress scancode logs at this level would be a poor idea. Separate & modularize your code. You can hand it off to other things to do the extra work for you. All you need running at ring0 is something that intercepts & forwards keyboard input and possibly something to hide & manage your processes. Designing the code for this is easy; getting it into ring0 is not as easy. Additional research on rootkits will help you.
Please be respectful of the knowledge that you are seeking and the minds that help you find it.