Question

I am currently researching a good, reliable way of logging user actions on the computer. I created a simple app that hooks WH_CBT events globally and it seems to work fine for now. I've read about situations when an application would have its own WH_CBT event handler and would not call the CallNextHookEx() function after handling it. I assume that scenario would prevent me from handling any events in that application myself with a system-wide hook.

Is there any other (maybe better) way to hijack keystroke events in applications? Maybe something related to manually injecting a DLL to processes like this:

  1. Pick process.
  2. Inject DLL using CreateRemoteThreadEx().
  3. DLL hooks (detours) some winapi functions and gathers information from them about keystrokes or other events.

Would hooking GetMessage() or TranslateMessage() functions be enough in that case? Am I right that any process using a Message Loop would have to use these functions in order to process events for created windows?


Solution

Low-level keyboard hooking using WH_KEYBOARD_LL would be the best (as it would capture everything), but other more specific solutions exist, such as sub-classing the parent-level window of whatever application you are targeting to capture the key-related window messages, which avoids having to do any code tampering or system-wide filtering.

Back to a more global scope, you can also do this using WH_KEYBOARD, WH_CALLWNDPROC or WH_GETMESSAGE based hooks, which can be done globally or at thread level. It all depends on what and how much you are trying to capture.
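
From the defender's side, the injection route sketched in the question (a remote thread created in the target process to load a DLL) is recorded by Sysmon as Event ID 8 (CreateRemoteThread). The following is an added example, not part of the original answer: it triages such records, using constructed sample events and assuming an empty StartModule is rendered as "-" or an empty string.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed sample records shaped like Sysmon events; all values are made up.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\logger.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryW"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartModule": r"C:\Windows\System32\kernelbase.dll",
     "StartFunction": "CtrlRoutine"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Program Files\App\app.exe",
     "StartModule": "-", "StartFunction": "-"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

# A remote thread whose entry point is LoadLibrary* forces a DLL into the target.
LOADLIB = re.compile(r"^LoadLibrary(Ex)?[AW]$", re.IGNORECASE)

def classify(event):
    """Return a reason string if an Event ID 8 record looks like injection, else None."""
    if event.get("EventID") != 8:
        return None  # only CreateRemoteThread records are relevant here
    func = event.get("StartFunction", "")
    module = event.get("StartModule", "")
    if LOADLIB.match(func):
        return "remote thread starts at " + func + " (DLL load forced into target)"
    if module in ("", "-"):  # assumption: how an empty field is rendered
        return "remote thread starts in memory not backed by a module"
    return None

def triage(events):
    """Return (source exe, target exe, reason) for every suspicious record."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append((basename(ev["SourceImage"]),
                             basename(ev["TargetImage"]), reason))
    return findings

if __name__ == "__main__":
    for src, dst, why in triage(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {why}")
```

Hooks installed through SetWindowsHookEx do not go through CreateRemoteThread, so this check covers only the manual injection path from the question.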

Licensed under: CC-BY-SA with attribution