[OT] Keylogging--How to Catch the "Listener"?

W. Watson

Suppose one detects that keylogging software is on a PC. Is there some way to
discover who is recording it, the "listener"?
--
Wayne Watson (Nevada City, CA)

Web Page: <speckledwithStars.net>
 
SingaporeWebDesign

Hello,

If I recall correctly, ZoneAlarm alerts you when an application is
attempting to monitor keystrokes.

--
Singapore Website Design
http://www.bootstrike.com/Webdesign/
Singapore Web Hosting
http://www.bootstrike.com/WinXP/faq.html
Windows XP FAQ


Scherbina Vladimir

Hello Wayne,

I suppose it's hard to do that programmatically, since the whole task might
be divided into several stages. For example, grabbed text might be stored in
some file (as plain or encoded text), and then due to some rules it might be
uploaded to a server within 1 day, or 1 week, etc. I don't think any AV is
capable of handling such behavior of malware. I suggest you find an
experienced person who is able to reverse the malware binaries and analyze
them carefully. Reversing might give you the answer to "who is hooking your
keyboard".

--
Vladimir, Windows SDK MVP

Milo (MSPSS)

Quite often these kinds of applications won't show in Task Manager, as they
are designed to evade it (especially top-end keylogging software), or as a
running process, but it would surely show itself attached to explorer.exe
(desktop) and iexplore.exe (Internet Explorer), since it's meant to capture
typo and screenshots. All applications use DLLs, and sure enough you would
see them among the list.

Open Process Explorer > locate explorer.exe in the left details pane and then
right-click on it. Following that, proceed to the Threads tab; there you would
see all DLL files attached to it. From there, isolate them one at a time and
cross-reference them against a list you may have, or browse the web for who
or what a certain DLL file is.

Use this
http://download.sysinternals.com/Files/ProcessExplorer.zip
http://www.microsoft.com/systeminternals

--
Milo
MSPSS
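
The cross-referencing step described in the post above can be scripted. The following is an added example, not part of the original post: it lists the DLLs loaded into explorer.exe and iexplore.exe and keeps only those that are unsigned or live outside the usual system directories. The trusted-directory list is an assumption to adjust for the machine being examined.

```powershell
# Added example: triage DLLs loaded into explorer.exe / iexplore.exe.
# Run from a 64-bit, elevated PowerShell so the module lists are readable.
$targets = 'explorer', 'iexplore'

# Assumption: validly signed modules under these roots are low priority.
$trustedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

$findings = foreach ($proc in Get-Process -Name $targets -ErrorAction SilentlyContinue) {
    # Reading the module list can fail (access denied, 32/64-bit mismatch).
    try { $modules = @($proc.Modules) }
    catch { Write-Warning "PID $($proc.Id): $_"; continue }

    foreach ($m in $modules) {
        if (-not $m.FileName -or -not (Test-Path -LiteralPath $m.FileName)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $inTrustedRoot = [bool]($trustedRoots | Where-Object {
            $m.FileName.StartsWith($_ + '\', [StringComparison]::OrdinalIgnoreCase)
        })

        # Report anything unsigned, badly signed, or loaded from an unusual path.
        if ($sig.Status -ne 'Valid' -or -not $inTrustedRoot) {
            [pscustomobject]@{
                Process   = "$($proc.ProcessName) ($($proc.Id))"
                Module    = $m.FileName
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -LiteralPath $m.FileName -Algorithm SHA256).Hash
                Modified  = (Get-Item -LiteralPath $m.FileName).LastWriteTime
            }
        }
    }
}

# One entry per module path; the hash and signer are what to look up next.
$findings | Sort-Object Module -Unique | Format-List
```

A module that hides itself from user-mode enumeration, or a kernel-mode keyboard filter driver, will not appear in this output, so an empty result is not proof that the machine is clean.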



Scherbina Vladimir

Using SoftICE, one is able to set a breakpoint on LowLevelKeyboardProc or
KbFilter_ServiceCallback and track all code paths. The hooker can also be
found by setting breakpoints on I/O functions; for example, one may assume
that the keyboard hooker is storing the grabbed text to a file, so it's quite
possible to track that by setting a breakpoint on ZwWriteFile (and analyzing
the text which is stored in the file).

A year ago I was analyzing a box with malware that was acting as
mentioned above. It was grabbing the text and storing it in a file. Then, at
the beginning of every day, it was sending the data to an FTP server.

--
Vladimir, Windows SDK MVP
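
For the store-then-upload pattern described in the post above, the destination only becomes visible while the upload is in progress. The following is an added example, not part of the original post: it polls the TCP connection table and records each new process-to-server pair on FTP and mail ports. The port list and polling interval are assumptions, and `Get-NetTCPConnection` requires Windows 8 / Server 2012 or later.

```powershell
# Added example: log which process connects to FTP/SMTP servers during a watch window.
param(
    [int]$Minutes = 60,          # assumption: how long to watch
    [int]$IntervalSeconds = 5    # assumption: polling interval
)

$ports    = 21, 25, 465, 587     # assumption: FTP control and SMTP ports
$seen     = @{}                  # process/endpoint pairs already reported
$deadline = (Get-Date).AddMinutes($Minutes)

while ((Get-Date) -lt $deadline) {
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $ports -contains $_.RemotePort } |
        ForEach-Object {
            $key = '{0}|{1}|{2}' -f $_.OwningProcess, $_.RemoteAddress, $_.RemotePort
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                # The owning process may already have exited; fields are then empty.
                $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Time      = (Get-Date)
                    ProcessId = $_.OwningProcess
                    Process   = $p.ProcessName
                    Path      = $p.Path
                    Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                }
            }
        }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Polling misses connections shorter than the interval, and an upload that happens once a day needs a watch window covering that time; firewall or proxy logs give the same answer without the timing dependency.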

Marc C. Dürrer

"W. Watson" <wolf_tracks@invalid.com> wrote:
> Suppose one detects that keylogging software is on a PC. Is there
> someway to discover who is recording it, the "listener"?


Chances are high that it's your wife :)

The active keylogging software, assuming the logs are not just kept
on the computer for anybody else to read, should actually hide a
server or a mail address somewhere. One would think that a
professional should be able to find this address.

Marc
 

Milo

Yes sir, it does use quite a bit of bandwidth, since sometimes it sends out a
large amount of data for the captured text and pictures. Hmm, SoftICE is not a
bad application; I use IDA Pro and OllyDbg. With the second scenario, what if
it's someone not remote who deployed that on the said system, the same person
you share it with?

"Scherbina Vladimir" <v_scherbina@online.mvps.org> wrote in message
news:OSOl7qgwHHA.4640@TK2MSFTNGP03.phx.gbl...
> Using SoftICE, one is able to set a breakpoint on LowLevelKeyboardProc or
> KbFilter_ServiceCallback and track all code paths. The hooker can also be
> found by setting breakpoints on I/O functions; for example, one may assume
> that the keyboard hooker is storing the grabbed text to a file, so it's
> quite possible to track that by setting a breakpoint on ZwWriteFile (and
> analyzing the text which is stored in the file).
>
> A year ago I was analyzing a box with malware that was acting as
> mentioned above. It was grabbing the text and storing it in a file. Then, at
> the beginning of every day, it was sending the data to an FTP server.