See the malware in action during this demo where all of the capabilities of this malware are shown. It can record your key presses, your computer screen, your microphone and your webcam. It then sends these recordings automatically to a dummy email account for the hacker to easily view from any device with email access.
- Let's grab the tools we will need in order to detect this spyware, by going to the Windows ADK download site. In this kit, there are two tools which we will need. The first of these two tools is the Windows Performance Recorder, which logs system events and generates an event tracing log file. The second tool, Windows Performance Analyzer, will open and analyze this file. Both of these tools are commonly referred to as WPR and WPA, respectively. With that said, let's click on the blue download button, and save the ADK setup executable.
Once the setup file is done downloading, locate it and double-click on it to start the installation process. Click Run if the prompt comes up. The installation process is going to be your typical one where we click on Next, Next, Accept end-user license agreements. But once we get to the part where we can select features, we want to pause right here, and we want to uncheck everything.
We want to make sure we only check Windows Performance Toolkit. Once checked, click on Install, and click Yes on any prompts that come up. Once the installation process is done, we can exit out of here. Let's now locate the Windows Performance Toolkit, which will be, by default, in your C: drive, Program Files, in the folder labeled Windows Kits. Inside here, you will see different folders labeled 8, 8.1, and 10.
I'm going to click on 10 for Windows 10. You will want to click on the folder for your OS, and in that folder will be the Windows Performance Toolkit. Inside the Windows Performance Toolkit, if we scroll all the way to the bottom, we can see this WPRUI. Let's right-click on that and select Create shortcut. Click Yes on any prompts that come up. Let's do the same for the Windows Performance Analyzer, which is wpa, right here.
Right-click on that, and select Create shortcut. Once again, click Yes on any prompts that come up. Once you've created the desktop shortcuts for the Windows Performance Recorder, and the Windows Performance Analyzer, let's exit out, and we need to do one more thing. We need to configure our system to point to the Microsoft Symbol Server. This step is so we can see the function names that are being called by applications like the keylogger. Without these symbols, we are blind.
We're going to add the path to the Microsoft Symbol Server to our system environment variable. To do this, let's go to our control panel, and go to the system environment variables. Under the System variables section, click on the button New. The Variable name we're going to add is _NT_SYMBOL_PATH.
For its value, this is what we're going to put. What this says is grab the symbols from the Microsoft Server and save them to our own folder labeled Symbols. Once done, click OK, and we're going to add one more variable. Let's click on New one more time, and for the Variable name, let's put _NT_SYMCACHE_PATH, and for the value, let's put C:\SymCache.
This lets us cache the downloaded symbols to our C: drive SymCache folder. This folder will be automatically generated for us. Once done, let's click on OK, and click on OK, and one more time on this OK. Let's exit out of the control panel. And that is it. That's the Windows Performance Toolkit, installed and set up. We now have quick access to these two tools, which we will need for spyware detection and malware analysis.
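The symbol configuration above can also be done from an elevated PowerShell prompt, which is handy when setting up several analysis machines. The script below is an added example, not part of the course, and it assumes two things: the `_NT_SYMBOL_PATH` value (shown on screen in the video but not spelled out in the transcript) follows Microsoft's documented `srv*<local folder>*<server URL>` form with `C:\Symbols` as the local folder, and `wpr.exe` is on the PATH after the ADK install. The `Set-SymbolEnvironment` and `Test-SymbolEnvironment` function names are my own. It writes both variables at machine scope, reads them back from the registry key the Control Panel uses, and then takes a short general-profile trace with WPR so you can confirm WPA opens the resulting ETL file with function names resolved.

```powershell
# Added example (not from the course): configure the symbol variables the
# transcript describes, verify them, then take a short WPR trace as a smoke test.
# Run from an elevated PowerShell prompt; machine-scope variables need admin rights.

# Assumed value: Microsoft's documented "srv*<local cache>*<server URL>" form,
# caching downloaded symbols under C:\Symbols (the folder named in the video).
$SymbolPath   = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'
$SymCachePath = 'C:\SymCache'

function Set-SymbolEnvironment {
    param(
        [string]$SymbolPath,
        [string]$SymCachePath
    )
    # 'Machine' scope writes to the same registry location the Control Panel
    # "System variables" section uses, so the setting survives reboots.
    [Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH',   $SymbolPath,   'Machine')
    [Environment]::SetEnvironmentVariable('_NT_SYMCACHE_PATH', $SymCachePath, 'Machine')
}

function Test-SymbolEnvironment {
    # Read back from the registry rather than $env:, because the current
    # console does not pick up machine-scope changes until it is restarted.
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $props  = Get-ItemProperty -Path $envKey
    $ok = $true
    foreach ($name in '_NT_SYMBOL_PATH', '_NT_SYMCACHE_PATH') {
        $value = $props.$name
        if ([string]::IsNullOrWhiteSpace($value)) {
            # Without symbols WPA shows raw addresses instead of function names.
            Write-Warning "$name is not set; WPA will not resolve function names."
            $ok = $false
        } else {
            Write-Host "$name = $value"
        }
    }
    return $ok
}

Set-SymbolEnvironment -SymbolPath $SymbolPath -SymCachePath $SymCachePath
if (Test-SymbolEnvironment) {
    # Smoke test of the toolkit: record ten seconds with the GeneralProfile,
    # then stop and write the ETL file that WPA opens. If wpr.exe is not on
    # PATH, call it by its full path under C:\Program Files (x86)\Windows Kits.
    wpr.exe -start GeneralProfile
    Start-Sleep -Seconds 10
    wpr.exe -stop "$env:USERPROFILE\Desktop\sanity.etl"
}
```

Open a new console before relying on the variables, since the process that ran the script still has the old environment; opening `sanity.etl` in WPA and seeing named functions in a stack column confirms the symbol server and cache are working.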
- Analyzing malware
- Reviewing the overall structure of the malware
- Collecting malware data
- Finding and analyzing keylogger patterns
- Analyzing screen recordings
- Analyzing webcam recordings
- Analyzing microphone recordings
- Recording prevention tips