As with the x86 instruction disassembly covered in Chapter 4, key code processing may not seem to be within the scope of this book, but just as trampoline-based process injection requires x86 instruction disassembly, keyboard logging requires key code processing. Fortunately, key code processing is much easier than x86 instruction disassembly, especially when you completely ignore Caps Lock, Num Lock, and nonprintable keys, such as arrows. Key processing is shown in Figure 8-3.
Figure 8-3
Key code mapping is performed with keyMap and shiftKeyMap arrays. Key processing is performed by the GetKey function, which is called from the logging thread whenever key data is available. Together, these components transform key data into text.