 

How Could A Keylogger Dramatically Improve Performance Of PostMessage()?

I wanted to see if I'd be able to detect the presence of a keylogger on my system by running a 'benchmark' on my system in a clean state, installing keylogger, and repeating the benchmark. The idea being that the keylogger would need to consume resources to run correctly and should result in a lower benchmark score.

In code, I've basically written two while loops that use the Win32 API calls SendMessage() and PostMessage() to simulate keystrokes. Each executes its loop for a given amount of time and records how many successful messages it has sent.

I was expecting the keylogger to either make no measurable difference (after all, there's a whole lot of 'stuff' executing on a desktop, all the time, and I figured a keylogger might not use a lot...) or that it would result in a slightly lower number.

And that's mostly what I've seen in the case of the 'SendMessage()' calls.

What I don't understand is that my benchmark is showing a dramatic increase in the number of calls to PostMessage().

Averaging many executions, prior to installing the keylogger, I'm seeing about 10k PostMessage() calls per second. After installing a keylogger, I'm now seeing almost 25k calls to PostMessage() per second.

It just doesn't make any sense to me.

If my understanding of PostMessage is correct, it adds a Windows message to the process's message queue and resumes execution (while SendMessage waits until the process handles the message before returning). I'd expect PostMessage to execute faster than SendMessage, and that some messages might be lost once the message queue is full... but nothing in my limited understanding would help me understand how a keylogger could INCREASE performance, by such a significant margin.

I feel like the code is pretty simple. I can confirm that it does register as a keystroke (I'm sending them into Notepad) and that the keylogger is logging them.

Can someone explain to me what I'm missing?

How can a keylogger improve performance?!

Update: I'm running the benchmark 10 times and averaging the results.

Pausing the keylogger (so that it is still installed, but not logging) still yielded the high results. After uninstalling the keylogger and rebooting my machine, the average of 10 runs is now 9.9k per second; very much in alignment with my original results.

I did have to reboot my machine to complete the uninstall.

Rob P. asked Nov 28 '12 12:11



1 Answer

There is not much that throttles a PostMessage() call. Internally it has to acquire a lock to access the thread's message queue to append the message in a safe way. The outlier here is that it is so slow to do so without the logger; 10K calls per second is not much. There may well be a throttle inside Windows that blocks the call for a short while, as long as the app is working on emptying the queue. No idea if this is real.

It depends a great deal on exactly what hook is used by the keyboard logger; there's more than one candidate. But there's no hook to detect that a message got added to the queue, only when one is retrieved from the queue and dispatched to the window, like WH_GETMESSAGE, WH_CALLWNDPROC or WH_CALLWNDPROCRET. So what follows is that a logger would make emptying the queue slower.

That provides an explanation for what you are seeing, if you call PostMessage() without throttling then you'll overflow the message queue. By default it can only contain 10,000 messages. If you overflow it, you'll get a fast return and you'll measure a higher rate.

So I'd guess that you forgot to look at the return value of PostMessage(). It returns FALSE when the message could not be added.

Hans Passant answered Oct 29 '22 23:10

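The check the answer recommends, written out as an added example (this is not the asker's benchmark or the answerer's code). It binds user32!PostMessageW through ctypes with SetLastError semantics and tallies TRUE returns separately from FALSE returns, so the "rate" reported is the number of messages that actually entered the queue rather than the number of loop iterations. The error code ERROR_NOT_ENOUGH_QUOTA (1816) and the 10,000-message default of USERPostMessageLimit are the documented values; the Notepad window-class names ("Notepad" top-level, "Edit" child) assume classic Notepad. The SimulatedQueue class is a constructed stand-in, not Win32 code, so the counting logic can be exercised on any platform; with no drain it refuses everything past 10,000 posts, and with the owning thread retrieving one message per ten posts it still refuses half of 25,000 posts, which is the inflated count an unchecked loop would report as throughput.

```python
"""Added example: count PostMessage() results, not calls.

PostMessage() returns FALSE with GetLastError() == ERROR_NOT_ENOUGH_QUOTA once
the target thread's queue holds the default limit of 10,000 posted messages,
and a refused call returns faster than an accepted one.  A benchmark that only
counts loop iterations therefore reports a higher "rate" the more backed up the
queue is.
"""
import ctypes
import sys
import time
from collections import Counter

WM_CHAR = 0x0102
ERROR_NOT_ENOUGH_QUOTA = 1816   # documented PostMessage() failure when the queue is full
DEFAULT_QUEUE_LIMIT = 10000     # documented default of USERPostMessageLimit


def tally_posts(post, max_calls=None, seconds=None):
    """Call post() until max_calls or seconds is reached, whichever comes first.

    post() must return (accepted: bool, last_error: int).  The tally separates
    what a naive loop counter measures ("calls") from what reached the queue
    ("accepted") and records the error code of every refusal.
    """
    if max_calls is None and seconds is None:
        raise ValueError("need max_calls and/or seconds")
    tally = Counter()
    deadline = None if seconds is None else time.perf_counter() + seconds
    calls = 0
    while (max_calls is None or calls < max_calls) and \
          (deadline is None or time.perf_counter() < deadline):
        accepted, err = post()
        calls += 1
        if accepted:
            tally["accepted"] += 1
        else:
            tally["rejected"] += 1
            tally["err_%d" % err] += 1
    tally["calls"] = calls
    return tally


class SimulatedQueue:
    """Constructed stand-in for a thread's posted-message queue (not Win32 code).

    The owning thread retrieves one message every `drain_every` posts (0 = never);
    a post against a full queue is refused with ERROR_NOT_ENOUGH_QUOTA, as the
    real API does.
    """
    def __init__(self, capacity=DEFAULT_QUEUE_LIMIT, drain_every=0):
        self.capacity, self.drain_every = capacity, drain_every
        self.pending = 0
        self.calls = 0

    def post(self):
        self.calls += 1
        if self.drain_every and self.calls % self.drain_every == 0 and self.pending:
            self.pending -= 1            # the window's message loop took one message
        if self.pending < self.capacity:
            self.pending += 1
            return True, 0
        return False, ERROR_NOT_ENOUGH_QUOTA


def win32_poster(hwnd, msg=WM_CHAR, wparam=ord("a"), lparam=0):
    """Bind user32!PostMessageW with SetLastError semantics (Windows only)."""
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.PostMessageW.argtypes = [ctypes.c_void_p, ctypes.c_uint,
                                    ctypes.c_size_t, ctypes.c_ssize_t]
    user32.PostMessageW.restype = ctypes.c_int

    def post():
        ok = user32.PostMessageW(hwnd, msg, wparam, lparam)
        return bool(ok), (0 if ok else ctypes.get_last_error())
    return post


def find_notepad_edit():
    """Locate classic Notepad's edit control (the class names are an assumption)."""
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    user32.FindWindowW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p]
    user32.FindWindowW.restype = ctypes.c_void_p
    user32.FindWindowExW.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                     ctypes.c_wchar_p, ctypes.c_wchar_p]
    user32.FindWindowExW.restype = ctypes.c_void_p
    top = user32.FindWindowW("Notepad", None)
    return user32.FindWindowExW(top, None, "Edit", None) if top else None


def main(argv):
    seconds = float(argv[1]) if len(argv) > 1 else 2.0
    if sys.platform != "win32":
        print("PostMessage() is Win32 only; use SimulatedQueue elsewhere.")
        return 2
    hwnd = find_notepad_edit()
    if not hwnd:
        print("open Notepad first")
        return 1
    tally = tally_posts(win32_poster(hwnd), seconds=seconds)
    print("calls/s    : %.0f  (what a loop counter measures)" % (tally["calls"] / seconds))
    print("accepted/s : %.0f  (what actually entered the queue)" % (tally["accepted"] / seconds))
    print("rejected   : %d  (err_1816=%d)" % (tally["rejected"], tally["err_1816"]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on Windows with Notepad open and a duration in seconds as the only argument; if the rejected count is non-zero and every refusal is err_1816, the loop is outrunning Notepad's message pump and only the accepted/s figure is a meaningful comparison between the clean and the hooked system.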