Posted by Milo on July 9, 2007, 9:44 am
Yes sir, it does use quite a bit of bandwidth, since sometimes it sends out large
amounts of data for the captured text and pictures. Hmm, SoftICE is not a bad
application; I use IDA Pro and OllyDbg. With the second scenario, what if it's
someone not remote who deployed that on the said system, the same person you
share it with?
> Using SoftICE one is able to set a breakpoint on LowLevelKeyboardProc or
> KbFilter_ServiceCallback, and track all code paths. The hooker can also be
> found by setting breakpoints on I/O functions; for example, one may assume
> that the keyboard hooker is storing the grabbed text to a file, so it's
> quite possible to track that by setting a breakpoint on ZwWriteFile (and
> analyzing the text which is stored in the file).
>
> A year ago I was analyzing a box with malware that was acting like
> mentioned above. It was grabbing the text and storing it in a file. Then, at
> the beginning of every day it was sending the data to an FTP server.
>
> --
> Vladimir, Windows SDK MVP
>> Quite often these kinds of applications won't show in the Task Manager, as
>> they are designed to evade one (esp. top-end keylogging software), or as a
>> running process, but it would sure show itself attached to explorer.exe
>> (desktop) and iexplore.exe (Internet Explorer), since it's meant to capture
>> typing and screenshots. All applications use DLLs, and sure enough you would
>> see them among the list.
>>
>> Open Process Explorer, locate explorer.exe in the left details pane and
>> then right-click on it; after that, proceed to the threads tab, where you
>> would see all DLL files attached to it. From there, isolate them one at a
>> time, cross-reference them to a list you may have, or browse the web for
>> who or what a certain DLL file is.
>>
>> Use this:
>> http://download.sysinternals.com/Files/ProcessExplorer.zip
>> http://www.microsoft.com/systeminternals
>>
>> --
>> Milo
>> MSPSS
>>
>> "Scherbina Vladimir" wrote:
>>
>>> Hello Wayne,
>>>
>>> I suppose it's hard to do that programmatically, since the whole task
>>> might be divided into several stages. For example, grabbed text might be
>>> stored in some file (as plain or encoded text), and then due to some rules
>>> it might be uploaded to a server within 1 day, or 1 week, etc. I don't
>>> think any AV is capable of handling such behavior of malware. I suggest
>>> you find an experienced person who is able to reverse the malware binaries
>>> and analyze them carefully. Reversing might give you the answer "who is
>>> hooking your keyboard".
>>>
>>> --
>>> Vladimir, Windows SDK MVP
>>> > Suppose one detects that keylogging software is on a PC. Is there
>>> > some way to discover who is recording it, the "listener"?
>>> > --
>>> > Wayne Watson (Nevada City, CA)
>>> >
>>> > Web Page: <speckledwithStars.net>
>>>
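Milo's Process Explorer walkthrough above can be scripted for triage. The following is an added example, not code from the thread or from Sysinternals: it lists the modules loaded into explorer.exe and iexplore.exe and flags those that are unsigned or not signed by Microsoft, so they can be cross-referenced against a known-good list as the post suggests. It assumes an elevated 64-bit PowerShell session on Windows; the two process names and the "Microsoft signer" heuristic are the example's own choices.

```powershell
# Added example (not from the thread). Enumerate DLLs loaded into the hosts
# named in the post and flag ones worth cross-referencing by hand.
# Assumptions: elevated 64-bit PowerShell on Windows; the heuristic below is
# a triage aid, not proof of hooking (legitimate third-party shell
# extensions will also be flagged).

$hosts  = @('explorer', 'iexplore')   # process names to inspect (assumed)
$winDir = $env:SystemRoot

$report = foreach ($proc in Get-Process -Name $hosts -ErrorAction SilentlyContinue) {
    try {
        $modules = $proc.Modules         # throws on 32/64-bit mismatch or no rights
    } catch {
        Write-Warning "Cannot read modules of $($proc.ProcessName) (PID $($proc.Id)): $_"
        continue
    }
    foreach ($mod in $modules) {
        $path   = $mod.FileName
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Flag anything without a valid signature or signed by someone other
        # than Microsoft; also record whether it lives under %SystemRoot%.
        $flagged = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
        $inWinDir = $path.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            Process   = $proc.ProcessName
            PID       = $proc.Id
            Module    = $mod.ModuleName
            Path      = $path
            SigStatus = $sig.Status
            Signer    = $signer
            InWinDir  = $inWinDir
            Flagged   = $flagged
        }
    }
}

# Flagged modules first: each is a candidate to look up or compare against a
# baseline taken from a known-clean machine.
$report | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

On current Windows versions catalog-signed system DLLs report Valid; on older systems many of them report NotSigned, so compare the output against a clean baseline rather than treating every flagged row as hostile.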