Introduction ........ 4
An IME Is Loaded In Every Process ........ 9
An IME Can Be Added ........ 9
IMEs Capture Every Keystroke Without Hooking ........ 10
IMEs Are Loaded In Safe Mode ........ 11
More Harmful Actions ........ 11
Details Of The IME Interface ........ 11
DllMain ........ 13
ImeInquire (LPIMEINFO lpInfo, LPTSTR lpszUIClass, DWORD dwSystemInfoFlags) ........ 12
ImeSelect (HIMC hIMC, BOOL bSelected) ........ 12
ImeSetActiveContext (HIMC hIMC, BOOL fFlag) ........ 12
ImeProcessKey (HIMC hIMC, UINT vKey, LPARAM lKeyData, CONST LPBYTE lpbKeyState) ........ 12
ImeToAsciiEx (UINT uVKey, UINT uScanCode, CONST LPBYTE lpbKeyState, LPTRANSMSGLIST lpTransBuf, UINT fuState, HIMC hIMC) ........ 12
Web-Aware? ........ 13
About the author ........ 14

IME as a Possible Keylogger

Abstract

This paper outlines a potential method for using an Input Method Editor (IME) as a keylogger. It discusses how it is possible, using components of Windows multilingual support, to create a file that captures keystrokes on a target system while using the OS itself to protect that file from removal or deletion.

Introduction

The Chinese, Japanese and Korean writing systems use thousands of characters: Hanzi (Chinese characters) in Chinese; Kanji (Chinese characters), Hiragana and Katakana in Japanese; Hangeul and Hanja (Chinese characters) in Korean. To represent these characters, each of these languages has its own multi-byte character code sets. On ASCII code-based Windows operating systems such as Windows 95, the double-byte character set, or DBCS, is used, where each two-byte sequence represents one character. While DBCS is no longer commonly used, it is still used on Windows XP if a program does not call the Unicode APIs. Starting with Windows 2000, Microsoft's desktop operating systems have primarily used Unicode for cross-compatibility and ease of use.

If a keyboard had thousands of keys, as was once the case with mechanical typewriters, there would be no need to convert multiple keystrokes into a single character. However, most modern keyboards have only around 100 keys. Therefore, something is needed to convert sequences of keystrokes into characters before they reach an application. This kind of software is called a front-end processor, or FEP, and IME is the standard name for the FEPs used in Windows environments.

Figure 1 shows some common IME options when the keyboard icon is clicked. The pop-up list shows all the available IMEs or keyboard layouts for a given language.

Figure 1: Some common IME options

Figures 2-5 illustrate how a user inputs Chinese characters in Notepad. The IME status bar is shown in the bottom right-hand corner of the Notepad window here, but it can be placed anywhere, and it is generally shown either in the bottom right-hand corner of the screen or as part of the Taskbar.
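The IMEs shown in the pop-up list above are registered on the system as keyboard layouts, each pointing at the IME DLL that Windows loads for it. The following added example (not code from the paper) inventories those registrations so an administrator can review which IME files are installed; it assumes the standard registry key HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts and its "Ime File", "Layout Text" and "Layout File" values.

```powershell
# Added example: list every registered IME DLL and where it resolves to.
# Assumes the classic keyboard-layout registry key and its "Ime File" value.
$layoutsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
$system32   = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -Path $layoutsKey | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath

    # Ordinary keyboard layouts carry only a "Layout File"; skip those.
    if (-not $props.'Ime File') { return }

    $imeFile = $props.'Ime File'

    # "Ime File" is normally a bare file name resolved from System32.
    # A rooted path pointing elsewhere is unusual and worth a closer look.
    $resolved = if ([System.IO.Path]::IsPathRooted($imeFile)) {
        $imeFile
    } else {
        Join-Path $system32 $imeFile
    }

    $exists = Test-Path -LiteralPath $resolved
    $signature = if ($exists) {
        (Get-AuthenticodeSignature -FilePath $resolved).Status
    } else {
        'missing'
    }

    [PSCustomObject]@{
        LayoutId      = $_.PSChildName          # e.g. 00000804 for Chinese (PRC)
        LayoutText    = $props.'Layout Text'
        LayoutFile    = $props.'Layout File'
        ImeFile       = $imeFile
        ResolvedPath  = $resolved
        Exists        = $exists
        Signature     = $signature
        OutsideSystem = -not $resolved.StartsWith($system32, 'OrdinalIgnoreCase')
    }
} | Sort-Object OutsideSystem, Signature -Descending | Format-Table -AutoSize
```

Entries whose DLL sits outside System32, is missing, or carries an invalid or absent Authenticode signature are the ones to examine first. Newer Text Services Framework input processors are registered differently and are not covered by this key.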