 |
AutoHotkey Community
Let's help each other out
|
| View previous topic :: View next topic |
| Author |
Message |
Robfm
Joined: 27 Dec 2007
Posts: 20
Location: Brazil
|
 Posted: Sun Jan 13, 2008 2:23 am Post subject: Keylogger can record Virtual Keyboard, including of the XP. |
 |
|
Ok, I already made my tests.
My conclusions are that kyeloggers can record only all keystrokes you press on keyboard or simulate with AHK script.
Moreover, it can also record all you type on microsoft virtual keyboard of XP , even if you use the timed form of digit.
Yeh, it's hard.
Loock the follow scrypt lines and the keylogger's log resulted , where I tried confuse the keylogger whit the follow part inclouded in the script . Althought may look hard, is very easy  to figure out the "hidden" word.
...
Send, {CONTROL Down} ; Keylogger read [Ctrl] and the target nothing.
Send, 1,D ; Keylogger read [Ctrl +1][Ctrl + ,][Shift][Ctrl + D] and the target nothing.
Send, 2,D ; Keylogger read [Ctrl +2][Ctrl + ,][Shift][Ctrl + D] and the target nothing.
Send, {CONTROL Up} ; Keylogger read nothing like the target.
BlockInput, On
Send, {Scrambler test} ; Keylogger read nothing, like target windows.
BlockInput, Off
Send, %CarE%%CarA% ; Keylogger read one or two password keys, like the target.
...
Log resulted:
Date: 1/10/quinta-feira 07:25:00
Application: Discador iG - F:\Arquivos de programas\iGv6\Discador iG.exe
Window title: Discador ig
Keystrokes Typed:
[Ctrl][Ctrl+1][Ctrl+,][Shift][Ctrl+D][Ctrl+2][Ctrl+,][Shift][Ctrl+D][Shift]I[Shift]R[Ctrl]
[Ctrl+1][Ctrl+,][Shift][Ctrl+D][Ctrl+2][Ctrl+,][Shift][Ctrl+D]o[Ctrl][Ctrl+1][Ctrl+,][Shift][Ctrl+D]
[Ctrl+2][Ctrl+,][Shift][Ctrl+D]b8[Ctrl][Ctrl+1][Ctrl+,][Shift][Ctrl+D][Ctrl+2][Ctrl+,]
[Shift][Ctrl+D]fy[Ctrl][Ctrl+1][Ctrl+,][Shift][Ctrl+D][Ctrl+2][Ctrl+,][Shift][Ctrl+D]m7[Home]
[Right][Right][Right][Right][Right][Right][Right][Right][Right][Backspace][Home][Right][Right]
[Right][Right][Right][Right][Right][Backspace][Home][Right][Right][Right][Right]
[Right][Backspace][Home][Right][Backspace]
My next step is tri SendPlay command at AHK newest version.
_________________
The humanity is the Evolution taking consciousness of itself. |
|
| Back to top |
|
 |
Robfm
Joined: 27 Dec 2007
Posts: 20
Location: Brazil
|
| Posted: Mon Jan 14, 2008 7:07 am Post subject: Re: Keylogger can record Virtual Keyboard, including of the |
|
|
| Robfm wrote: |
My next step is try SendPlay command at AHK newest version. |
Here is the final test with the same keylogger and AHK latest version.
The record was genereted as a result of pressing the 12346 sequence of numbers on the left of the keyboard
| Code: |
1::SendPlay You pressed left keyboard number one`n
2::
Loop, 5
{
SendPlay Test`n
}
return
3::
SendInput 4
return
4::
SendPlay You pressed left keyboard number tree`n
return
6::
BlockInput, on
Send You used Send`n
SendRaw You used SendRaw`n
SendInput You used SendImput`n
SendPlay You used SendPlay`n
SendEvent You used SendEvent`n
SendPlay {Right 2}`n
SendPlay {Home 3}`n
SendPlay {Backspace 4}`n
BlockInput, off
return |
The Log resulted by keylogger.
Date: 1/11/sexta-feira 07:23:58
Application: Discador iG - F:\Arquivos de programas\iGv6\Discador iG.exe
Window title: Discador ig
Keystrokes Typed:
[Shift]You[Space] pressed[Space] left[Space] keyboard[Space] number[Space] one[Enter]
[Shift]Test[Enter]
[Shift]Test[Enter]
[Shift]Test[Enter]
[Shift]Test[Enter]
test[Enter]
[Shift]You[Space] pressed[Space] left[Space] keyboard[Space] number[Space] tree[Enter]
[Shift]You[Space] pressed[Space] left[Space] keyboard[Space] number[Space] tree[Enter]
[Shift]You[Space] used[Space] [Shift]Send[Enter]
[Shift]You[Space] used[Space] [Shift]Send[Shift]Raw[Enter]
[Shift]You[Space] used[Space] [Shift]Send[Shift]Play[Enter]
yOU[Space] used[Space] [Shift]send[Shift]imput[Enter]
[Shift]you[Space] uSED[Space] [Shift]send[Shift]Event[Enter]
[Right][Right][Enter]
[Home][Home][Home][Enter]
[Backspace][Backspace][Backspace][Backspace][Enter]
_________________
The humanity is the Evolution taking consciousness of itself. |
|
| Back to top |
|
|
Robfm
Joined: 27 Dec 2007
Posts: 20
Location: Brazil
|
| Posted: Sat Jan 26, 2008 7:32 am Post subject: Tring beat keyloggers |
|
|
If I use ControlSend to send words to two different windows, it is made to one windows by one at a time, and the keylogger record the name of the windows and the word sent to it.
I tried to do it with two scripts running simutaneously, one sending "Real" to a Pass named windows and another sending "Fake" to Mask named windows 10 times each one.
The resul was curiously 63 ( can vary a bit ) different logs, some think like that:
[SHIFT]Real[SHIFT]Real[SHIFT]Real[SHIFT]Re......Pass
[SHIFT]F...................................................................Mask
a................................................................... ...Pass
a..................................................... ........................Mask
l........................................................................Pass
k..................................................... ........................Mask
[SHIFT]R............................................................Pass
e..................................................... ........................Mask
e........................................................................Pass
[SHIFT]F...................................................................Mask
a........................................................................Pass
a..................................................... ........................Mask
l........................................................................Pass
and so one...
A study on one Keylogger's record ability .
Commands Cheked.................Recordeble ?.....Exell.....Mozilla....I EXPLORER
Send................................................Y................OK.........OK............OK
SendPlay..........................................Y................OK.........OK............OK
ControlSend.....................................Y................OK.........OK............OK
ControlCommand.............................N...............FAIL........FAIL..........FAIL
ControlSetText.................................N...............FAIL........FAIL..........FAIL
_SendMessage($handle, 0x0302 )...N................OK.........FAIL..........FAIL
0x0302 is WM_Paste that paste
the clipboard content.
Some idea?
_________________
The humanity is the Evolution taking consciousness of itself. |
|
| Back to top |
|
|
electro5r
Guest
|
| Posted: Wed Feb 27, 2008 9:17 pm Post subject: |
|
|
| Which keylogger is this that you are using? |
|
| Back to top |
|
|
Robfm
Joined: 27 Dec 2007
Posts: 20
Location: Brazil
|
| Posted: Fri Feb 29, 2008 4:36 pm Post subject: |
|
|
| electro5r wrote: | | Which keylogger is this that you are using? |
If only one Keylogger is unbeatable then we failed, then I'm not sure about the important of this, but like you may be interested in some experiences, like me, here is the name; KGB.
You can find on the web and try a demo.
Be careful, some little bugs ocurred on my XP, nothing serious but I would not use it on my work system.
Some troble to cleaner your system, try use MV RegClean at www.velasco.com.br and or CCleaner at www.baixaqui.com.br or another download site you like. With it I could use the demo vertion more than one time period.
| Quote: | | With it I could use the demo vertion more than one time period. |
Sorry, I think I was wrong, it worked only one time, I can not reproduze it again. Don't ask me...  But the programs are good yes.
_________________
The humanity is the Evolution taking consciousness of itself.
Last edited by Robfm on Fri Mar 21, 2008 6:35 am; edited 1 time in total |
|
| Back to top |
|
|
Raccoon
Joined: 02 Jan 2008
Posts: 60
|
| Posted: Sat Mar 08, 2008 3:57 am Post subject: |
|
|
Put text in clipboard, and paste text with clipboard. I don't know of any keyloggers that scan clipboard contents.
Otherwise, you could SendMessage or PostMessage to an application.
_________________
Need help right away? Get live support on IRC.
Already have an IRC client installed? /join #autohotkey |
|
| Back to top |
|
|
Guest
|
| Posted: Sat Mar 08, 2008 4:26 am Post subject: |
|
|
| Raccoon wrote: | Put text in clipboard, and paste text with clipboard. I don't know of any keyloggers that scan clipboard contents.
Otherwise, you could SendMessage or PostMessage to an application. |
Are you serious? Monitoring clipboard or message is a lot easier than key logging. |
|
| Back to top |
|
|
Raccoon
Joined: 02 Jan 2008
Posts: 60
|
| Posted: Sat Mar 08, 2008 3:52 pm Post subject: |
|
|
| Anonymous wrote: | | Are you serious? Monitoring clipboard or message is a lot easier than key logging. |
... so easy that keyloggers fail to do this. Name one.
_________________
Need help right away? Get live support on IRC.
Already have an IRC client installed? /join #autohotkey |
|
| Back to top |
|
|
Guest
|
| Posted: Sat Mar 08, 2008 7:19 pm Post subject: |
|
|
| Raccoon wrote: | | ... so easy that keyloggers fail to do this. Name one. |
You're really not serious. Even the one mentioned here has it. |
|
| Back to top |
|
|
Robfm
Joined: 27 Dec 2007
Posts: 20
Location: Brazil
|
| Posted: Fri Mar 21, 2008 5:20 am Post subject: |
|
|
| Quote: |
You're really not serious. Even the one mentioned here has it. |
Yes, Raccoon are serious ! But not obvious ! Thak's Raccoon.
Sorry by absence, I was studing Raccon's strange suggestion.
First I need to say that could not test KGB, demo vertion expired. I am using System Keylogger for now.
Edited, go to next page:
The fact is that Keyloggers have a limitation determinated by way wich Operational System manage the priority to use the CPU by all programs running at same time.
Setting your scrypt to ( Process, Prority, , R ) and ( SetBatchLines, -1 ), when your scrypt enter in some routine which the OS "think" important it will dedicate all atention of the CPU to this scrypt, letting all another program waiting .
Then, even if the keylogger is set to R priority, like your scrypt, it will obviously always came later. It can't preview, only wait to ClipBoard changes.
Then, all wich we need to hide clipboard content from the Keylogger is retain all atention of the CPU.
Ok, OK but how ?? 
Simple ( after 8 or 10 hs of tests with one Keylogger, only one, be carefull);
| Code: |
^k::
Process, Priority, , R
SetBatchLines, -1
Aux = Password to be hidden
ClipBoard =
Loop, 10 ; Must be 30 if Keylogger's priority is R !! Important.
{
ClipBoard = %A_Index% ; Must be A_Index. A simple number don't worked. Why ? I don't know ! Try another ways, do some thing...
}
ClipBoard = %Aux%
ClipWait, 1 ; Unlike with Send ^v, may be unecessary with the next Senplay ^v
SenPlay ^v
;Sleep, 30 ; ( read note )
Loop, 10 ; Must be 30 if Keylogger's priority is R ??
{
ClipBoard = %A_Index%
}
ClipBoard =
Process, Priority, , N ; End ! The storm gone.
return
|
Curiousity ; You know this !
ClipBoard = Test
ClipWait, 1
SenPlay ^v
But and thus, Do you know ? Try. With some programs, slows, it can work !
SenPlay ^v
ClipBoard = Test
Explaining: The CPU process this two lines and only then execute the receive process of the target windows relative to the SendPlay, at this time, ClipBoard already is updated. When the priority thread end, a stack of buffered threads process initiate.
Note: This Sleep of 30ms or around that, is necessary for work with some interfaces of slowly response, like some java's interfaces in Firefox. But during this Sleep, the keylogger may be capable to read the clipboard. It is not secure.
_________________
The humanity is the Evolution taking consciousness of itself.
Last edited by Robfm on Sat May 03, 2008 3:30 pm; edited 5 times in total |
|
| Back to top |
|
|
Raccoon
Joined: 02 Jan 2008
Posts: 60
|
| Posted: Fri Mar 21, 2008 7:41 am Post subject: |
|
|
Interesting idea. Battle against key loggers and trojans for CPU time.
My only question about this, and yes it's going to be a lame question, but why are we concerned about the presence of un-wanted key loggers on the system? Are we running this script on a public terminal? Or can we not afford to download COMODO free firewall and process defender... which alerts you to any program that attempts to hook the keyboard or system in any way. TRY IT, it makes AutoHotKey seem villainous with the alerts it gives.
_________________
Need help right away? Get live support on IRC.
Already have an IRC client installed? /join #autohotkey |
|
| Back to top |
|
|
Robfm
Joined: 27 Dec 2007
Posts: 20
Location: Brazil
|
| Posted: Sat Mar 22, 2008 11:56 pm Post subject: |
|
|
| Raccoon wrote: | | ..., but why are we concerned about the presence of un-wanted key loggers on the system? Are we running this script on a public terminal? Or can we not afford to download COMODO free firewall and process defender... |
If I understood, sorry if not, the answer is :
As well as, all keyloggers and trojans can not predict the actions of our scrypts, only wait for it and then react, all protections softwares can't predict the keylogger's actions and mutations, they can only waiting for and only then to try block it. They will always come later, some times days later with some virus data base update...
The phylosophical principle here is complement this first secure procedures, trying fill this gap, thinking like that; "Ok, my system remain infected, yes! What can I to do to protect at least my passwords?"
Furthermore, I never must be sure about secure of the system that I use in my job! Since...
One doubt disturbs me, I should keep this, secret?
_________________
The humanity is the Evolution taking consciousness of itself.
Last edited by Robfm on Mon May 05, 2008 6:23 pm; edited 1 time in total |
|
| Back to top |
|
|
Raccoon
Joined: 02 Jan 2008
Posts: 60
|
| Posted: Mon Mar 24, 2008 6:15 am Post subject: |
|
|
Actually, that's how most "Anti-Virus via Definitions--Cleaner" software works. The program I described, COMODO, is both a Network Firewall and a System32 Firewall.
If you know how Firewalls work, they are not dependent on known definitions or predictable actions, they simply do their job by allowing and denying actions on a case-by-case basis.
This System32 Firewall I speak of, a part of COMODO named Defense+, alerts the user of any software activity that could alter the system in any way. This includes any process that tries to write to the harddrive, write to memory space of other processes, hook the keyboard (IN ANY WAY), etc. So, without a doubt, COMODO can detect, capture, and neuter any software keylogger ever made or ever to-be-made.
_________________
Need help right away? Get live support on IRC.
Already have an IRC client installed? /join #autohotkey |
|
| Back to top |
|
|
Robfm
Joined: 27 Dec 2007
Posts: 20
Location: Brazil
|
| Posted: Mon Mar 24, 2008 4:49 pm Post subject: |
|
|
| Raccoon wrote: | | So, without a doubt, COMODO can detect, capture, and neuter any software keylogger ever made or ever to-be-made. |
Ok, now I think have understood better. Your arguments are realy strong and looks like a right way.
I need view Comodo's concepts and review the mine.
The fact is that I have not knowlege enough so thus I never had sure about "thats porgrams".
Thanks about this explains.
Well, after so work, at least remain it's utility for Operationals Systems out of our control, like public.
And thus I think this topic came to the end. If not, good luck to all us...
_________________
The humanity is the Evolution taking consciousness of itself. |
|
| Back to top |
|
|
tic
Joined: 22 Apr 2007
Posts: 1271
|
| Posted: Fri Mar 28, 2008 11:10 am Post subject: |
|
|
| Why not write an obfuscation script? It could send a load of junk data mixed with the real data and then delete the junk after. |
|
| Back to top |
|
|
|
|
You can post new topics in this forum
You can reply to topics in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
FAQ
Search
Memberlist
Register
Profile
Log in to check your private messages
Log in
