Guest W. Watson, Posted July 8, 2007

Suppose one detects that keylogging software is on a PC. Is there some way to discover who is recording it, the "listener"?

--
Wayne Watson (Nevada City, CA)
Web Page: <speckledwithStars.net>
Guest SingaporeWebDesign, Posted July 8, 2007

Hello,

If I recall correctly, ZoneAlarm alerts you when an application is attempting to monitor keystrokes.

--
Singapore Website Design http://www.bootstrike.com/Webdesign/
Singapore Web Hosting http://www.bootstrike.com/WinXP/faq.html Windows XP FAQ

"W. Watson" <wolf_tracks@invalid.com> wrote in message news:bw_ji.3978$rL1.2725@newssvr19.news.prodigy.net...
> Suppose one detects that keylogging software is on a PC. Is there some way to discover who is recording it, the "listener"?
> --
> Wayne Watson (Nevada City, CA)
> Web Page: <speckledwithStars.net>
Guest Scherbina Vladimir, Posted July 8, 2007

Hello Wayne,

I suppose it's hard to do that programmatically, since the whole task might be divided into several stages. For example, grabbed text might be stored in some file (as plain or encoded text), and then, according to some rules, it might be uploaded to a server within 1 day, or 1 week, etc. I don't think any AV is capable of handling such behavior of malware. I suggest you find an experienced person who is able to reverse the malware binaries and analyze them carefully. Reversing might give you the answer to "who is hooking your keyboard".

--
Vladimir, Windows SDK MVP

"W. Watson" <wolf_tracks@invalid.com> wrote in message news:bw_ji.3978$rL1.2725@newssvr19.news.prodigy.net...
> Suppose one detects that keylogging software is on a PC. Is there some way to discover who is recording it, the "listener"?
> --
> Wayne Watson (Nevada City, CA)
> Web Page: <speckledwithStars.net>
Guest David H. Lipman, Posted July 8, 2007

From: "W. Watson" <wolf_tracks@invalid.com>
| Suppose one detects that keylogging software is on a PC. Is there some way to
| discover who is recording it, the "listener"?

You would have to sniff the packets, and maybe you can discern this information, but I doubt the information would be fruitful.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Guest Milo (MSPSS), Posted July 9, 2007

Quite often these kinds of applications won't show in Task Manager, as they are designed to evade it (especially top-end keylogging software) or to hide as a running process, but they would surely show themselves attached to explorer.exe (desktop) and iexplore.exe (Internet Explorer), since they are meant to capture typing and screenshots. All applications use DLLs, and sure enough you would see them among the list.

Open Process Explorer > locate explorer.exe in the left details pane, then right-click on it; from there proceed to the Threads tab, where you would see all DLL files attached to it. From there, isolate them one at a time and cross-reference them against a list you may have, or browse the web for who or what a certain DLL file is.

Use this:
http://download.sysinternals.com/Files/ProcessExplorer.zip
http://www.microsoft.com/systeminternals

--
Milo
MSPSS

"Scherbina Vladimir" wrote:
> Hello Wayne,
>
> I suppose it's hard to do that programmatically, since the whole task might be divided into several stages. For example, grabbed text might be stored in some file (as plain or encoded text), and then, according to some rules, it might be uploaded to a server within 1 day, or 1 week, etc. I don't think any AV is capable of handling such behavior of malware. I suggest you find an experienced person who is able to reverse the malware binaries and analyze them carefully. Reversing might give you the answer to "who is hooking your keyboard".
>
> --
> Vladimir, Windows SDK MVP
> "W. Watson" <wolf_tracks@invalid.com> wrote in message news:bw_ji.3978$rL1.2725@newssvr19.news.prodigy.net...
> > Suppose one detects that keylogging software is on a PC. Is there some way to discover who is recording it, the "listener"?
> > --
> > Wayne Watson (Nevada City, CA)
> > Web Page: <speckledwithStars.net>
Guest Scherbina Vladimir, Posted July 9, 2007

Using SoftICE one is able to set a breakpoint on LowLevelKeyboardProc or KbFilter_ServiceCallback and track all code paths. The hooker can also be found by setting breakpoints on I/O functions; for example, one may assume that the keyboard hooker is storing the grabbed text to a file, so it's quite possible to track that by setting a breakpoint on ZwWriteFile (and analyzing the text which is stored in the file).

A year ago I was analyzing a box with malware that was acting as mentioned above. It was grabbing the text and storing it in a file. Then, at the beginning of every day, it was sending the data to an FTP server.

--
Vladimir, Windows SDK MVP

"Milo (MSPSS)" <v-4jpaca@mssupport.microsoft.com> wrote in message news:167164F2-FC78-41A3-B39B-B50D691F039C@microsoft.com...
> Quite often these kinds of applications won't show in Task Manager, as they are designed to evade it (especially top-end keylogging software) or to hide as a running process, but they would surely show themselves attached to explorer.exe (desktop) and iexplore.exe (Internet Explorer), since they are meant to capture typing and screenshots. All applications use DLLs, and sure enough you would see them among the list.
>
> Open Process Explorer > locate explorer.exe in the left details pane, then right-click on it; from there proceed to the Threads tab, where you would see all DLL files attached to it. From there, isolate them one at a time and cross-reference them against a list you may have, or browse the web for who or what a certain DLL file is.
>
> Use this:
> http://download.sysinternals.com/Files/ProcessExplorer.zip
> http://www.microsoft.com/systeminternals
>
> --
> Milo
> MSPSS
>
> "Scherbina Vladimir" wrote:
>
>> Hello Wayne,
>>
>> I suppose it's hard to do that programmatically, since the whole task might be divided into several stages. For example, grabbed text might be stored in some file (as plain or encoded text), and then, according to some rules, it might be uploaded to a server within 1 day, or 1 week, etc. I don't think any AV is capable of handling such behavior of malware. I suggest you find an experienced person who is able to reverse the malware binaries and analyze them carefully. Reversing might give you the answer to "who is hooking your keyboard".
>>
>> --
>> Vladimir, Windows SDK MVP
>> "W. Watson" <wolf_tracks@invalid.com> wrote in message news:bw_ji.3978$rL1.2725@newssvr19.news.prodigy.net...
>> > Suppose one detects that keylogging software is on a PC. Is there some way to discover who is recording it, the "listener"?
>> > --
>> > Wayne Watson (Nevada City, CA)
>> > Web Page: <speckledwithStars.net>
Guest Marc C. Dürrer, Posted July 9, 2007

"W. Watson" <wolf_tracks@invalid.com> wrote
> Suppose one detects that keylogging software is on a PC. Is there some way to discover who is recording it, the "listener"?

Chances are high that it's your wife :-)

The active keylogging software, assuming the logs are not just kept on the computer for anybody else to read, should actually hide a server or a mail address somewhere. One would think that a professional should be able to find this address.

Marc
Guest Milo, Posted July 9, 2007

Yes sir, it does use quite a bit of bandwidth, since sometimes it sends out large amounts of data for the captured text and pictures.

Hmmm, SoftICE, not a bad application; I use IDA Pro and OllyDbg.

With the second scenario, what if it's someone not remote who deployed that in the said system, the same person you share it with?

"Scherbina Vladimir" <v_scherbina@online.mvps.org> wrote in message news:OSOl7qgwHHA.4640@TK2MSFTNGP03.phx.gbl...
> Using SoftICE one is able to set a breakpoint on LowLevelKeyboardProc or KbFilter_ServiceCallback and track all code paths. The hooker can also be found by setting breakpoints on I/O functions; for example, one may assume that the keyboard hooker is storing the grabbed text to a file, so it's quite possible to track that by setting a breakpoint on ZwWriteFile (and analyzing the text which is stored in the file).
>
> A year ago I was analyzing a box with malware that was acting as mentioned above. It was grabbing the text and storing it in a file. Then, at the beginning of every day, it was sending the data to an FTP server.
>
> --
> Vladimir, Windows SDK MVP
> "Milo (MSPSS)" <v-4jpaca@mssupport.microsoft.com> wrote in message news:167164F2-FC78-41A3-B39B-B50D691F039C@microsoft.com...
>> Quite often these kinds of applications won't show in Task Manager, as they are designed to evade it (especially top-end keylogging software) or to hide as a running process, but they would surely show themselves attached to explorer.exe (desktop) and iexplore.exe (Internet Explorer), since they are meant to capture typing and screenshots. All applications use DLLs, and sure enough you would see them among the list.
>>
>> Open Process Explorer > locate explorer.exe in the left details pane, then right-click on it; from there proceed to the Threads tab, where you would see all DLL files attached to it. From there, isolate them one at a time and cross-reference them against a list you may have, or browse the web for who or what a certain DLL file is.
>>
>> Use this:
>> http://download.sysinternals.com/Files/ProcessExplorer.zip
>> http://www.microsoft.com/systeminternals
>>
>> --
>> Milo
>> MSPSS
>>
>> "Scherbina Vladimir" wrote:
>>
>>> Hello Wayne,
>>>
>>> I suppose it's hard to do that programmatically, since the whole task might be divided into several stages. For example, grabbed text might be stored in some file (as plain or encoded text), and then, according to some rules, it might be uploaded to a server within 1 day, or 1 week, etc. I don't think any AV is capable of handling such behavior of malware. I suggest you find an experienced person who is able to reverse the malware binaries and analyze them carefully. Reversing might give you the answer to "who is hooking your keyboard".
>>>
>>> --
>>> Vladimir, Windows SDK MVP
>>> "W. Watson" <wolf_tracks@invalid.com> wrote in message news:bw_ji.3978$rL1.2725@newssvr19.news.prodigy.net...
>>> > Suppose one detects that keylogging software is on a PC. Is there some way to discover who is recording it, the "listener"?
>>> > --
>>> > Wayne Watson (Nevada City, CA)
>>> > Web Page: <speckledwithStars.net>
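David Lipman's suggestion to sniff the packets, Vladimir's case of a logger that uploaded its file to an FTP server at the start of every day, and Milo's remark about the bandwidth it consumes all point at the same way of finding the "listener" without reversing the binary: the drop host is the one destination that receives a sizeable outbound transfer on a fixed schedule. The following is an added Python example, not code from any post in the thread. The flow records (what a sniffer or NetFlow export would give you), the IP addresses (documentation ranges) and the thresholds are constructed for illustration.

```python
"""Find a keylogger's drop point in captured traffic: a destination that gets
outbound data on a regular schedule.  Added example; not from the thread."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow summary: (session end time, destination IP, destination
# port, bytes sent by the PC).  The 192.0.2.44:21 entries mimic the nightly
# FTP upload described in the thread; the rest is ordinary browsing.
SAMPLE_FLOWS = [
    ("2007-07-01 00:05:10", "192.0.2.44", 21, 38200),
    ("2007-07-01 09:12:03", "198.51.100.9", 80, 1400),
    ("2007-07-01 13:40:55", "198.51.100.9", 80, 900),
    ("2007-07-02 00:04:58", "192.0.2.44", 21, 41500),
    ("2007-07-02 18:02:11", "203.0.113.7", 443, 2200),
    ("2007-07-03 00:05:21", "192.0.2.44", 21, 36900),
    ("2007-07-04 00:05:03", "192.0.2.44", 21, 40100),
    ("2007-07-04 11:30:00", "198.51.100.9", 80, 1100),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_scheduled_uploads(flows, min_sessions=3, max_jitter=0.10, min_bytes=10_000):
    """Group flows by (destination, port) and keep the groups whose sessions
    recur at a near-constant interval and carry real outbound volume.

    max_jitter is the allowed standard deviation of the inter-session gap as
    a fraction of the mean gap; interactive traffic fails this test because
    its gaps are all over the place, a timer-driven uploader passes it."""
    by_dest = defaultdict(list)
    for ts, dst, port, nbytes in flows:
        by_dest[(dst, port)].append((_parse(ts), nbytes))

    hits = []
    for (dst, port), sessions in by_dest.items():
        if len(sessions) < min_sessions:
            continue  # not enough repetitions to call it a schedule
        sessions.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(sessions, sessions[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        bytes_out = sum(n for _, n in sessions)
        if jitter <= max_jitter and bytes_out >= min_bytes:
            hits.append({
                "dst": dst,
                "port": port,
                "sessions": len(sessions),
                "period_hours": round(period / 3600, 2),
                "jitter": round(jitter, 3),
                "bytes_out": bytes_out,
            })
    hits.sort(key=lambda h: h["bytes_out"], reverse=True)
    return hits


if __name__ == "__main__":
    for h in find_scheduled_uploads(SAMPLE_FLOWS):
        print(f"{h['dst']}:{h['port']}  every {h['period_hours']} h  "
              f"{h['sessions']} sessions  {h['bytes_out']} bytes out  jitter {h['jitter']}")
```

The capture has to span several periods (for a daily uploader, several days) or nothing will reach min_sessions; capturing at the router or a mirror port rather than on the infected PC also avoids whatever the malware does to hide its own traffic locally. Finding the drop host tells you where the logs go, which is usually as far as traffic alone gets you: a free FTP account or a relay box does not name the person reading it, so the next step is the hosting provider's abuse contact, or the credentials and server name recovered from the binary as Vladimir describes.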