This covers the architecture of Windows keyloggers from userland hooks to kernel drivers, walking through six methods with actual code and their detection profiles. You get SetWindowsHookEx mechanics (both low-level and regular), RegisterRawInputDevices, GetAsyncKeyState polling, direct HID access, and ETW-based capture. The real value is in the IOC analysis for each approach, especially the RegisterRawInputDevices ETW telemetry that most red teamers miss. It includes window title capture for context filtering and practical stealth techniques like DNS exfiltration and sleep masking. Use this when designing implant persistence modules or analyzing malware samples to understand their capture mechanism and detection surface. The comparison table at the end is genuinely useful for threat modeling.
npx -y skills add hypnguyen1209/offensive-claude --skill keylogger-arch --agent claude-code

Installs into .claude/skills of the current project.