
Can I determine if my computer has a key logger installed? – YES!!!


Detecting keyloggers is as simple as looking in the right place (which may or may not be simple, depending on your viewpoint). The problem is knowing what to look for and where. What follows is a non-exhaustive list of things you could do to check for keylogging modules.
Firstly, the obvious easy way to build a keylogger is DLL injection, which can be achieved in a number of ways: a global WH_KEYBOARD hook installed with SetWindowsHookEx (Windows itself loads the hook DLL into every process that receives keyboard messages), the AppInit_DLLs registry value, and so on. Most of these will result in a DLL showing up as mapped into the process's address space. Take a look at this picture:
[Figure: "pyd process", the Process Explorer DLL view for explorer.exe]
What is the topmost entry in that list? It's a .pyd, or Python extension, file. I've been messing with Python-implemented COM servers and, as a result, the DLL is loaded into Windows Explorer's address space.
DLL injection of the keylogging variety will load its DLL into all of the target address spaces; you can't capture everything if you don't. So one thing to look out for is a strange DLL you cannot attribute to a product whose purpose you know. It will show up in this list for all (or nearly all) processes, which is itself the tell: a legitimate add-in tends to live in one or two processes, a global hook lives everywhere. One caveat: a low-level WH_KEYBOARD_LL hook does not inject a DLL at all; Windows delivers the keystrokes to the thread that installed the hook, so that variety shows up as an unfamiliar process that stays resident with a message loop rather than as a foreign DLL in everyone else's list.
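The Process Explorer walk above can be done in bulk. The following PowerShell script is an added example, not code from the original post: it records which processes each DLL is mapped into, then checks the file's Authenticode/catalog signature, so a DLL that is loaded nearly everywhere but belongs to no known signer floats to the top. The threshold of five processes is an assumption; tune it to the machine.

```powershell
# Added example (not from the original post): list DLLs mapped into many
# processes and flag those without a valid Authenticode/catalog signature.
# Run from an elevated PowerShell prompt of the same bitness as the OS;
# processes you cannot open (protected, other sessions) are skipped.
$MinProcesses = 5     # assumption: a global hook DLL is loaded almost everywhere

# Map lower-cased module path -> set of process names that have it loaded.
$loadedIn = @{}
foreach ($proc in Get-Process) {
    try { $modules = $proc.Modules } catch { continue }   # access denied / WoW64 mismatch
    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }
        $path = $m.FileName.ToLowerInvariant()
        if (-not $loadedIn.ContainsKey($path)) {
            $loadedIn[$path] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$loadedIn[$path].Add($proc.ProcessName)
    }
}

$system32 = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant() + '\'

$report = foreach ($entry in $loadedIn.GetEnumerator()) {
    if ($entry.Value.Count -lt $MinProcesses) { continue }
    $sig    = Get-AuthenticodeSignature -LiteralPath $entry.Key -ErrorAction SilentlyContinue
    $status = 'Unknown'
    $signer = ''
    if ($sig) {
        $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Module     = $entry.Key
        Processes  = $entry.Value.Count
        Signature  = $status
        Signer     = $signer
        InSystem32 = $entry.Key.StartsWith($system32)
    }
}

# Widely loaded but not provably from a known signer is what deserves a look;
# valid signature plus a recognisable Subject is the boring baseline.
$report |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Processes -Descending |
    Format-Table Module, Processes, Signature, Signer, InSystem32 -AutoSize
```

Two things to keep in mind when reading the output. On Windows 8 and later Get-AuthenticodeSignature also checks the system catalogs, so Microsoft's own DLLs report Valid; on Windows 7 catalog-signed system files report NotSigned, which is why the InSystem32 column is there for triage rather than as a verdict. And a valid signature only tells you who signed the file, so a Subject you do not recognise on a DLL that is in every process is still worth chasing.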
Of the techniques described on Wikipedia, the only one I've not seen is the CreateRemoteThread variety; I'm uncertain whether the outcome would be a thread attached to the image or a thread executing under the name DllMain. Thanks to Process Explorer, we can still see which threads are executing what:
[Figure: "Threads", the Process Explorer threads tab with start addresses]
Awesome, right? Well, they could well be named to coincide with the obvious user32.dll or some such. There are a number of experiments we could perform to work out if that's the case, if we so wanted. These are left as an exercise for the reader (don't you just hate it when people say that!).
So that covers the obvious-user-mode-keylogger case. There are some less obvious places a keylogger could be embedded (but they'd be unlikely to be global ones). However, things get really exciting when you start talking about kernel level hooks. There's an excellent article by Mark Russinovich and Bryce Cogswell on this topic, although it needs updating with the following caveat:
  • 64-bit Windows kernels have a kernel patch protection mechanism (KPP, better known as PatchGuard) that periodically checks key points in the kernel (kernel code, the SSDT, the IDT and similar structures) for modification and bug-checks the system if any is detected. Note what it does not cover: a driver that attaches through a supported interface, such as an upper filter driver on the keyboard device class (which is exactly how kbdclass itself is attached), sits in the keystroke path without patching anything, so KPP has no reason to object to it as long as the driver is signed.
So, if you're running 32-bit Windows, you could still have some form of kernel level hooking installed and working; if you're using 64-bit it is much less likely. Given that KPP has been bypassed before and is constantly changing, I would bet on you being free of kernel hooks on x64, as Windows updates would periodically crash the monitoring product's system. Software just doesn't sell on that basis.
What can you do versus a 32-bit hook? Lots of things:
  • Examine the drivers folder (%SystemRoot%\System32\drivers) and the driver services in the registry for entries that look suspicious or cannot be attributed to a product you know.
  • Do the same thing offline (boot from other media and inspect the disk and its SYSTEM hive), so that the driver can't prevent you from looking.
  • Configure a debug boot entry with bcdedit (bcdedit /copy {current} /d "Windows in debug mode", then bcdedit /debug {id} ON after an appropriate bcdedit /dbgsettings, e.g. bcdedit /dbgsettings 1394 CHANNEL:1), and hook up a FireWire cable (really. Don't use serial. I discovered this using serial cables; FireWire's much faster). Then, on your host machine, start kd, set a breakpoint on module loading (sxe ld), and step through all the modules that load, making a note of each. There's not much a driver can do to hide itself from you before it has started. You might even proceed to examine it from here (g to continue, Ctrl+C breaks at any point).
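The first two bullets can be scripted. The following PowerShell script is an added example, not code from the original post: it lists the kernel and file-system driver services with the on-disk signature status of each image, and prints the keyboard-class filter chain, which is where a driver using the supported filter interface would have to sit to see keystrokes. Run it as-is against the live system, or pass -OfflineHive pointing at the SYSTEM hive of a disk you booted around for the offline version; the D:\Windows default and the HKLM\OfflineSys mount name are assumptions.

```powershell
# Added example (not from the original post): inventory kernel-mode drivers and
# the keyboard class filter chain, from the live registry or from an offline
# SYSTEM hive so the driver under suspicion cannot interfere. Run elevated.
param(
    # Offline SYSTEM hive from a disk you booted around, e.g.
    # D:\Windows\System32\config\SYSTEM (assumed path). Empty = live system.
    [string]$OfflineHive,
    # Windows directory that hive belongs to (assumed); used to resolve ImagePath.
    [string]$OfflineWindowsDir = 'D:\Windows'
)

$KeyboardClassGuid = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'   # keyboard device setup class

if ($OfflineHive) {
    & reg.exe load 'HKLM\OfflineSys' $OfflineHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $OfflineHive" }
    $current = (Get-ItemProperty -LiteralPath 'HKLM:\OfflineSys\Select').Current
    $root    = 'HKLM:\OfflineSys\ControlSet{0:D3}' -f $current
    $winDir  = $OfflineWindowsDir
} else {
    $root    = 'HKLM:\SYSTEM\CurrentControlSet'
    $winDir  = $env:SystemRoot
}

function Resolve-ImagePath([string]$ImagePath) {
    # ImagePath arrives as \??\C:\..., \SystemRoot\System32\..., or System32\drivers\x.sys
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $winDir $p }
    return $p
}

function Get-SignerInfo([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $sig) { return 'Unknown' }
    if ($sig.Status -eq 'Valid') { return "Valid: $($sig.SignerCertificate.Subject)" }
    return [string]$sig.Status
}

$drivers = foreach ($svc in Get-ChildItem -LiteralPath "$root\Services" -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, 2 = file system driver; anything else is a user-mode service
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
    if (-not $props.ImagePath) { continue }
    $path = Resolve-ImagePath $props.ImagePath
    $info = Get-SignerInfo $path
    [pscustomobject]@{
        Service   = $svc.PSChildName
        Start     = $props.Start      # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        Path      = $path
        Signature = $info
    }
}

# The keyboard class normally carries a single upper filter, kbdclass.
$kbd     = Get-ItemProperty -LiteralPath "$root\Control\Class\$KeyboardClassGuid" -ErrorAction SilentlyContinue
$filters = @($kbd.UpperFilters) + @($kbd.LowerFilters) | Where-Object { $_ }

"Keyboard class filter chain (expect only kbdclass as an upper filter):"
foreach ($name in $filters) {
    $d = $drivers | Where-Object { $_.Service -eq $name }
    if ($d) { "  {0,-16} {1}  [{2}]" -f $name, $d.Path, $d.Signature }
    else    { "  {0,-16} (no driver service of that name)" -f $name }
}

"`nDrivers whose image is missing or not validly signed:"
$drivers | Where-Object { $_.Signature -notlike 'Valid:*' } |
    Sort-Object Start, Service |
    Format-Table Service, Start, Path, Signature -AutoSize | Out-String

if ($OfflineHive) {
    [gc]::Collect()     # release cached registry handles before unloading
    & reg.exe unload 'HKLM\OfflineSys' | Out-Null
}
```

The same signature caveat as before applies, and more strongly offline: Get-AuthenticodeSignature resolves catalog signatures against the running system's catalogs, so a Microsoft driver from an offline installation may report NotSigned even though it is fine. Treat the list as a starting point for attribution, not a verdict. A filter name in the keyboard chain other than kbdclass is the interesting result; since x64 requires a signed driver to load at all, the signer's Subject on that filter at least tells you who to ask.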
Of course, the caveat here is that this assumes no Windows executables have been patched directly, or some similar malfeasance beyond our ability to trivially detect.
That's directly looking at the system, but it is by no means a complete solution. If you believe the logging software is phoning home, a transparent proxy (or a packet capture on the gateway) might help you identify where: you might be dialled in to vpn.mycompany.com but also see connections to monitorserver.mycompany.com.
As you can no doubt tell, a lot of the techniques available to you depend on two things:
  • Your pre-existing familiarity with your OS, or ability to quickly become familiar with what is out of place and
  • The ability and resource of the author to hide/disguise their modifications from you.
Short answer: there’s no foolproof way to detect anything of the sort; there are however some places you can start looking for evidence.
