
Disable Keylogger



Before you guys jump to conclusions, I DO NOT wish to make a keylogger. It's incredibly easy apparently. Rather, I want to see if it's possible to disable one.

One of my friends suggested using white noise which is typing random characters to confuse the keylogger. I couldn't figure out how to do so silently so that while I'm typing the white noise will be invisible.

For example:

W@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8H@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8I@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8T@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8E@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8N@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8O@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8I@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8S@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8E@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8T@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8E@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8S@#$^#^*WRTGHTwerh450245961h3#2wh583@%6!@+8T

Will appear to be like the following in a program such as Notepad:

WHITE NOISE TEST

Of course the white noise characters will be randomized and the length will be random and longer.

So, if I were to type White Noise Test in notepad it would only show White Noise Test and all the gray characters (white noise) will be included in the keylogger's log file.

Any other methods?

Edit: Didn't mean to make the quote box glitch. Could this be vulnerable? O_o

Edited by DJKMan

 

 


I would be really interested in the solution to this one, I'll see what I can dig up.

#fgpkerw4kcmnq2mns1ax7ilndopen (Q, $0); while ($l = <Q>){if ($l =~ m/^#.*/){$l =~ tr/a-z1-9#/Huh, Junketeer's Alternate Pro Ace /; print $l;}}close (Q);[code] tag ninja!


That seems to be a difficult solution. The most obvious way would be to send a key into the Windows message queue and intercept it again after the keylogger has logged it. I don't know if this is possible (at least not easily) because there is no way that I am aware of to tell what programs have used a message in the queue. There might be a more discreet way of solving this. I would be interested in seeing a solution to this also.

Edited by dantay9

I don't have a logger to test this against, but it stands to reason that this would work, unless they were checking the physical state of the keys:

#include <GUIConstantsEx.au3>
#include <ButtonConstants.au3>

Func myGui() ;This creates a dummy window to send our junk key presses to. A key logger would probably intercept these.
    Opt("GUIOnEventMode", 1)

    Local $winWidth = 1
    Local $winHeight = 1
    Local $GUI_Handle_window = GUICreate("Keylog killer", $winWidth, $winHeight)

    GUISetOnEvent($GUI_EVENT_CLOSE, "CloseGui")

    Local $GUI_Handle_button = GUICtrlCreateButton("OK", $winWidth-60, $winHeight-45, 60, 45, $BS_DEFPUSHBUTTON)
EndFunc

Func CloseGui() ;Handler named in GUISetOnEvent above; it has to exist for the close event to do anything.
    Exit
EndFunc

myGui() ;Create the dummy window before sending anything to it.

While 1
    Sleep(Random(20, 100, 1)) ;Flag 1 makes Random return an integer.
    ;Send one random lowercase letter to the dummy window.
    ControlSend("Keylog killer", "", "", Chr(Random(Asc('a'), Asc('z'), 1)), 0)
WEnd

Edited by Fulano


People, a good keylogger would install itself as a keyboard driver in the system and this you cannot overcome with scripting language. Unless you are willing to write a kernel driver in AutoIt - interesting sport exercise but kinda wasted time.

UDFS & Apps:

Spoiler

DDEML.au3 - DDE Client + Server
Localization.au3 - localize your scripts
TLI.au3 - type information on COM objects (TLBINF emulation)
TLBAutoEnum.au3 - auto-import of COM constants (enums)
AU3Automation - export AU3 scripts via COM interfaces
TypeLibInspector - OleView was yesterday

Coder's last words before final release: WE APOLOGIZE FOR INCONVENIENCE 


Well, assuming this next idea is correct, then it would be easier to fool it if we CAN'T confuse it with white noise. All you would have to do is have a script with a HotKeySet() call.

If the keylogger is really good enough where it will detect a key being pressed even when it is intercepted by AutoIt, but the program you are typing into is not, then you could just type random hotkeys on purpose. Example:

HotKeySet("q","doNothing") ; AutoIt takes "q" before the active application receives it
HotKeySet("2","doNothing") ; same for "2"

While 1 ; keep the script running so the hotkeys stay registered
    Sleep(100)
WEnd

Func doNothing()
EndFunc

Let's say your password is: IamApassword

You could type: I22qam2Apqqqasswo2q2rd

All the red letters would get captured by a good logger that is embedded deep, but not by a normal application since AutoIt would take the command instead. So it would capture incorrectly.


> Well, assuming this next idea is correct, then it would be easier to fool it if we CAN'T confuse it with white noise. All you would have to do is have a script with a HotKeySet() call.
>
> If the keylogger is really good enough where it will detect a key being pressed even when it is intercepted by AutoIt, but the program you are typing into is not, then you could just type random hotkeys on purpose. Example:
>
> HotKeySet("q","doNothing")
> HotKeySet("2","doNothing")
> Func doNothing()
> EndFunc
>
> Let's say your password is: IamApassword
>
> You could type: I22qam2Apqqqasswo2q2rd
>
> All the red letters would get captured by a good logger that is embedded deep, but not by a normal application since AutoIt would take the command instead. So it would capture incorrectly.

So you say, it is practically applicable? The user can spare some "useless" letters? Just for the sake of theoretical possibility, there's a keylogger installed?

I say, install a good IDS/IPS (comes with most virus scanners) and keyloggers have no chance.


> So you say, it is practically applicable? The user can spare some "useless" letters? Just for the sake of theoretical possibility, there's a keylogger installed?
>
> I say, install a good IDS/IPS (comes with most virus scanners) and keyloggers have no chance.

Still...being able to defeat a keylogger entirely will be better and quicker than having to set up an IDS or IPS which takes some time. It would also take security to a new level.

Edited by DJKMan

 

 


I don't know how true it is today, but 10 years ago, people were purposely installing keyloggers on their PC to monitor children, spouses and such to make sure they weren't doing things (chat conversations) they weren't supposed to be doing. In that case, then removal of the keylogger would not be an option.

010101000110100001101001011100110010000001101001011100110010000

001101101011110010010000001110011011010010110011100100001

My Android cat and mouse game
https://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek

We're gonna need another Timmy!


> Still...being able to defeat a keylogger entirely will be better and quicker than having to set up an IDS or IPS which takes some time. It would also take security to a new level.

Then IDS/IPS is not an option, install a proven-secure OS, EM tempest-shield your PC and its power supply, disconnect from network and ADSL, replace _all_ fonts that can be used for input and output by tempest fonts (because state of the art EM tempest is way too expensive for you), harden physical access to your machine because it's one of the weakest links and, above all, learn about security practices and use them without ever compromising. You yourself are by far the weakest link in the chain.

You're not home!

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)


> Still...being able to defeat a keylogger entirely will be better and quicker than having to set up an IDS or IPS which takes some time. It would also take security to a new level.

Sorry, I can't agree with this logic: crippling user interface has nothing to do with security. Following this path you can as well say: the best security level is not touching your keyboard at all.


On the beating it with HotKey functions I was more curious if it would work rather than if it was "practically applicable". And really you could use normal passwords so long as you always had it running.

Just have a hotkey of whatever you like to turn on password mode. The password mode would set more hotkeys to steal away certain normal keys. Then type your password normally.

For example: If you want to type "Ub3rPa55" as your password. You would turn on password mode with F5 or something every time you type it. Let's say password mode set hotkeys for '3' and 'a'. Your password would really be set to and entered as "UbrP55". But you wouldn't have to remember that, just remember to turn on password mode. The key logger though might be confused if the theory works, since you are still typing your password as normal, and it is probably embedded deep enough to catch the ones sent to AutoIt as well.

Granted this method means all your actually stored passwords would be some sub-variation of your actual typed password which some people might not like, but still curious if it would work. I am not sure anyone here actually has a key logger to test something like this though.


Then you'd have to type _always_ the same "salted" password, or a simple filter will be able to retain the common chars in two or more entries and filter out insignificant chars.

And you'll have to do that for every sensitive password or data typed in. Not very practical as I see it.

Also remember that a correct input monitoring device/software will trap function keys as well, which will give additional clues to an attacker.

I wonder what the actual motivation of the OP is.

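The objection in the post above, that keeping the characters common to two or more captured entries strips the junk keys, can be checked offline when evaluating a noise-injection scheme. This is an added example, not code from the thread: the function names are hypothetical, the captures are constructed, and the junk characters are assumed not to occur in the password so the result is deterministic.

```python
# Added example: what survives when the same password is typed several times
# with different junk keys mixed in. All captures below are constructed.

SECRET = "IamApassword"  # the sample password used in the thread

# Constructed captures: same password, junk differs on every entry.
CAPTURE_1 = "I48am7A2pas19sw0ord5"
CAPTURE_2 = "!Ia#m%%Apa&ss*wo(r)d"
CAPTURE_3 = "Ia_mAp-a=ssw+or~d"

# The thread's fixed-hotkey string, typed identically every time.
SALTED = "I22qam2Apqqqasswo2q2rd"


def lcs(a: str, b: str) -> str:
    """Return one longest common subsequence of a and b (dynamic programming)."""
    rows, cols = len(a) + 1, len(b) + 1
    table = [[0] * cols for _ in range(rows)]
    for i in range(1, rows):
        for j in range(1, cols):
            if a[i - 1] == b[j - 1]:
                table[i][j] = table[i - 1][j - 1] + 1
            else:
                table[i][j] = max(table[i - 1][j], table[i][j - 1])
    # Walk back through the table to rebuild the subsequence itself.
    out, i, j = [], len(a), len(b)
    while i and j:
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1])
            i -= 1
            j -= 1
        elif table[i - 1][j] >= table[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return "".join(reversed(out))


def stable_core(captures):
    """Fold the LCS over every capture: only what was typed each time survives.

    Pairwise folding is a heuristic for more than two strings, which is
    enough to judge whether the junk keys hide anything.
    """
    core = captures[0]
    for nxt in captures[1:]:
        core = lcs(core, nxt)
    return core


if __name__ == "__main__":
    # Varying junk: the junk cancels out and the password is what remains.
    print("varying junk ->", stable_core([CAPTURE_1, CAPTURE_2, CAPTURE_3]))
    # Identical salted entries: nothing cancels, the junk stays in place.
    print("fixed salt   ->", stable_core([SALTED, SALTED]))
```

With junk that changes per entry the fold returns the bare password; with the identical salted string nothing cancels, which is why the post says the salted form would have to be typed the same way every time.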

> On the beating it with HotKey functions I was more curious if it would work rather than if it was "practically applicable".

Even from this point of view this method is questionable: success or failure all depends on how (or how well) the keylogger is programmed. If it consists of 2 parts - as well a keyboard driver as a hook procedure - then it could easily verify by which window the keys are received really and log only those landed in the password input. And by the way, any malicious keylogger would have to do something like this, otherwise it would be virtually useless for the spying party.


> Then you'd have to type _always_ the same "salted" password, or a simple filter will be able to retain the common chars in two or more entries and filter out insignificant chars.
>
> And you'll have to do that for every sensitive password or data typed in. Not very practical as I see it.
>
> Also remember that a correct input monitoring device/software will trap function keys as well, which will give additional clues to an attacker.
>
> I wonder what the actual motivation of the OP is.

The goal is not to defeat keyloggers installed by parents (even though it's possible if we discover such a solution), but rather see if it is at all possible to deter a keylogger installed by an attacker unknowingly.

As for testing I have a few keyloggers that I can set up in a virtual machine. One of which is Poison Ivy which works quite well (ignoring the antivirus part) and the rest are various software solely on this purpose.

I realized another problem. Even if we do manage to discover a solution it will not disable a MITM attack such as a packet sniffer from sniffing IM conversations. I suppose it can be remedied by using OpenSSL?

 

 


If an attacker has ever gained physical access to any machine for more than a few seconds then it should be considered compromised forever when the security standard is more than "none". Point.

Now almost anyone with cheap lab equipment can read your display in real time (recording it is only a hard disk away) at unbelievable distance.

Then the question remains: which attack do you want/need to defend (seriously) against?


The specific attack is one that is installed via a trojan so it is a software-based attack.

Is there an article that I can read about reading the keystrokes physically at a distance?

EDIT: So if a keylogger installs its own keyboard driver to monitor keystrokes wouldn't it be possible to either have a script that monitors the file and when changed it would reinstall and replace the keylogger's driver with its own driver? Or perhaps as I said before hooking a keyboard call to emulate keyboard presses. I'm fine with it not being AutoIt by the way as I see a limited possibility to achieve this using AutoIt.

Edited by DJKMan

 

 


Nice reading about tempest and tempest fonts.

Again, if a machine has been tampered with, it really should be considered compromised. In security terms: cut down into sub-millimeter chunks and burnt into a military incinerator.

A power cord can host spying hardware, got that? So security is security! Have a look at "rainbow books", "orange book", TCSEC and NSA, you'll learn a lot.

Edit: I also mean something more personal. If you actually have to defend valuable secrets against determined and powerful opponents, then you'll have a really hard time if you don't already have enough specialized knowledge and must be prepared to fund your defense with big money.

Now if you're more concerned about having your privacy and/or intimacy respected by family, relatives, neighbours then you have a _much_ better time having a peaceful and honest discussion with those people. Building walls and miradors with armed guards is probably not the smartest way to have you being respected as an individual. My 2 cents.

Edit2: software is ..., well: software! Run a secure system (needs tech) or regard your Windowed PC as possibly compromised. AutoIt won't help you so this discussion is way off topic if you ask me.

Edited by jchd


  • 2 months later...

> Nice reading about tempest and tempest fonts.
>
> Again, if a machine has been tampered with, it really should be considered compromised. In security terms: cut down into sub-millimeter chunks and burnt into a military incinerator.
>
> A power cord can host spying hardware, got that? So security is security! Have a look at "rainbow books", "orange book", TCSEC and NSA, you'll learn a lot.
>
> Edit: I also mean something more personal. If you actually have to defend valuable secrets against determined and powerful opponents, then you'll have a really hard time if you don't already have enough specialized knowledge and must be prepared to fund your defense with big money.
>
> Now if you're more concerned about having your privacy and/or intimacy respected by family, relatives, neighbours then you have a _much_ better time having a peaceful and honest discussion with those people. Building walls and miradors with armed guards is probably not the smartest way to have you being respected as an individual. My 2 cents.
>
> Edit2: software is ..., well: software! Run a secure system (needs tech) or regard your Windowed PC as possibly compromised. AutoIt won't help you so this discussion is way off topic if you ask me.

Yeah, very interesting article on tempest fonts. When I was in the AF, we were all briefed on tempest preventative procedures. One of the big ones was typing (keyboard or electric typewriter) while on a tempest *unsecure* phone. Because the EMR could be detected over the phone and possibly retranslated. I am sure there are experts out there with a database of signals from keyboards/typewriters/who-knows-what-else to detect that kind of thing.

I suppose any kind of signal with repetition can be detected with equipment that is sensitive enough, recorded, then translated. I suppose if you want to go that far, it is plausible to translate what someone is writing on a notepad by sounds the writing makes. Hahaha. We are never safe from prying eyes. Of course, if you have nothing to hide ... :mellow:

Be open minded but not gullible.A hammer sees everything as a nail ... so don't be A tool ... be many tools.

