Here we discuss the skills that will make the learning curve easier. Knowing basic programming concepts such as integers, doubles, and what a function is will help greatly. Previous experience creating Win32 projects in Visual Studio will go a long way, since we examine the source code of a keylogger inside Visual Studio. Recommendations on where to report cyber intrusions are also given here.
- [Instructor] It will make the learning curve easier if you are familiar with some basic programming concepts. Since the application we will be performing CPU analysis on is written in C++ and it uses Windows application programming interfaces, which are usually just referred to as Windows APIs, it will help if you are familiar with for loops, if-else statements, data types like integers and doubles, and what a function is. The integrated development environment that we're going to use, usually just called an IDE, is Visual Studio 2015.
So, it will help if you are familiar with making Visual Studio projects, and to follow along as we inspect this keylogger's source code, you'll want to grab Visual Studio 2015 from msdn.com, and make your own Win32 project. Keep in mind, this is a Win32 project that you want to create, not a Win32 console application. Now, if you are dealing with a cyber intrusion, you should report it to ic3.gov, which is the FBI Internet Crimes Complaint Center.
There's a form there you can fill out to give the description of the incident. Now, internet crimes range from theft to online harassment, so report it here if you are encountering these cyber crimes. The Windows Performance Recorder allows us to select from some predefined recording scenarios, which are listed in this table. The CPU usage is so we can see when the keylogger comes in to record us, and the disk and file I/O activity will let us see the path of the log file that is being written and then sent via email.
Now keep in mind that the chances of us seeing anything meaningful in the disk and file I/O activity are very low, since realistically, the email is sent once a day or even once a week, in order to avoid detection. So out of the 24 hours in a day, the chances of us recording while that email is being sent during our 60-second collection are very low. The important part is not finding the log file that is being written and then sent, but finding the keylogger process itself, so we can find it and delete it altogether from our system.
If the keylogger is deleted, the log files that it was writing to will no longer be sent.
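The 60-second recording described above, written out as a script (an added example, not part of the course material); it assumes the built-in WPR profiles CPU, DiskIO and FileIO and an output path under the user's temp folder, and it must be run from an elevated PowerShell prompt:

```powershell
# Added example: capture a 60-second Windows Performance Recorder trace
# using the CPU, disk I/O and file I/O scenarios discussed above.
# Assumption: wpr.exe is on PATH (it ships with Windows 10/11 and the ADK).
$trace = Join-Path $env:TEMP 'keylogger-hunt.etl'   # assumed output path

# Start recording in file mode so a full 60 seconds is kept, not a ring buffer.
wpr.exe -start CPU -start DiskIO -start FileIO -filemode
if ($LASTEXITCODE -ne 0) { throw "wpr failed to start (exit code $LASTEXITCODE)" }

# The collection window used in the course.
Start-Sleep -Seconds 60

# Stop and write the trace; the file is then opened in Windows Performance Analyzer.
wpr.exe -stop $trace
if ($LASTEXITCODE -ne 0) { throw "wpr failed to stop (exit code $LASTEXITCODE)" }

# Basic check that the capture actually produced a trace worth analysing.
if (-not (Test-Path $trace)) { throw "trace file not written: $trace" }
$sizeMB = [math]::Round((Get-Item $trace).Length / 1MB, 1)
Write-Output "Trace written to $trace ($sizeMB MB); open it in WPA and inspect CPU Usage (Precise)."
```

As the instructor notes, the file I/O view will rarely catch the log being sent; the CPU usage view is where the keylogger process is expected to show up.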