
Page 1: projectpresentation

Data Sniffing Using Keyloggers

Presentation by:

Pratik Kulkarni

[email protected]

Hariprasath Murugesan

[email protected]

Page 2

Introduction

• Keyloggers: hardware or software that clandestinely monitors and records a user's activity and sends the logs to the attacker

• Two types of Keyloggers:

i) Hardware Keyloggers

Fig. Inline PS2 (Hardware) Keylogger.

Reference: https://en.wikipedia.org/wiki/Keystroke_logging

Page 3

- A hardware keylogger consists of:

a) Microcontroller: processes the typed keystrokes and passes them to the internal memory

b) Non-volatile memory: stores the recorded data and retains it even when the power is switched off

- Memory: from a few kilobytes (KB) to several gigabytes (GB)

- Types: wireless keylogger sniffers, regular hardware keyloggers, etc.

• We will be using a software keylogger in our project

Page 4

ii) Software Keyloggers

- Computer programs that run as software on the target computer

- Types: a) Hypervisor-based: hypervisors are s/w or h/w that create and run virtual machines.

- The keylogger resides in a malicious hypervisor underneath the operating system, which effectively becomes a virtual machine, so the keylogger remains undetected (e.g. Blue Pill)

b) Packet analyser: i) HTTP POST is vulnerable to this kind of keylogger.

ii) It captures the network traffic associated with HTTP POST events like '404 Not Found'

iii) This is one of the reasons why HTTPS was invented

Page 5

c) API-based: i) A hook function from the API (Application Programming Interface) is used to intercept the function calls or events between the keyboard and the operating system

ii) The hook function passes the event data to the keylogger each time a key is pressed or released, and the keylogger simply records it

• We shall be using a hook function to implement our project

Page 6

Simulation Model

• Hook: applications can intercept events such as messages, mouse actions, and keystrokes

- A function that intercepts a particular type of event is known as a hook procedure

• Architecture: has 3 modules

- Main Module: SetWindowsHookEx supports different hook types, e.g. WH_MOUSE_LL, which enables an application to monitor mouse input events

- WH_CALLWNDPROC: enables an application to monitor the messages sent to window procedures

- The hook type we used is WH_KEYBOARD_LL: it enables an application to monitor keyboard input events

Page 7

- The Main Module will install a global WH_KEYBOARD_LL hook procedure

- A global hook function is installed in all of the running processes; it monitors messages before they reach the target window procedure

- The WH_KEYBOARD_LL hook procedure is installed by calling the SetWindowsHookEx WinAPI

- Hook Procedure Module: the hook procedure reports back to the Main Module every time a key is pressed

- The Main Module stores this data in its records via a log file

- SMTP Module: the Main Module directs the SMTP module to send the log file to the attacker once the browser is opened

- The log file will contain all the user data collected during its life cycle

Page 8

Flow Graph: Main Module and Hook Procedure Module (figure). Node labels recoverable from the diagram: 30s Timer, MyKeyboardProc, dll injector, Write to log file, Global hook, Create a thread, Load SMTP.dll, If log file exists then send mail, 30s Timer, firefox.exe, Dll_helper.dll, SMTP Module.
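The chain on the preceding slides (a DLL injector targeting firefox.exe, a helper DLL such as Dll_helper.dll loaded into the browser, and a log file mailed out via SMTP) leaves a footprint in host telemetry. The following is an added defender-side example, not code from the project: it runs three detection rules over constructed Sysmon-style events (EventID 8 CreateRemoteThread, 7 ImageLoaded, 3 NetworkConnect). The browser and mail-client name lists, the path pattern and the sample events are assumptions for illustration.

```python
"""Flag the injection-then-exfiltration chain from the slides (remote thread
into a browser, helper DLL loaded from a user-writable path, SMTP traffic from
a process that is not a mail client) in Sysmon-style event records."""
import re

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list
SMTP_PORTS = {25, 465, 587}
# Paths a standard user can write to; a hook DLL dropped there is suspicious.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Users\\[^\\]+\\Downloads)\\", re.I)


def _base(path):
    """Case-insensitive file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_keylogger_chain(events):
    """Return (rule, detail) findings; events are dicts keyed like Sysmon fields."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 8:  # CreateRemoteThread: classic DLL-injection footprint
            src, dst = _base(ev["SourceImage"]), _base(ev["TargetImage"])
            if dst in BROWSERS and src not in BROWSERS:
                findings.append(("remote_thread_into_browser", f"{src} -> {dst}"))
        elif eid == 7:  # ImageLoaded: hook DLL pulled into the browser process
            host, dll = _base(ev["Image"]), ev["ImageLoaded"]
            if host in BROWSERS and USER_WRITABLE.search(dll):
                findings.append(("browser_loads_user_writable_dll", dll))
        elif eid == 3:  # NetworkConnect: SMTP from something that is not a mail client
            proc, port = _base(ev["Image"]), int(ev["DestinationPort"])
            if port in SMTP_PORTS and proc not in MAIL_CLIENTS:
                findings.append(("smtp_from_unexpected_process", f"{proc}:{port}"))
    return findings


# Constructed sample events (not real telemetry); names follow the slides' flow graph.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\injector.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Dll_helper.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\alice\Downloads\injector.exe", "DestinationPort": 587},
]

if __name__ == "__main__":
    for rule, detail in detect_keylogger_chain(SAMPLE_EVENTS):
        print(rule, detail)
```

Each rule alone is noisy on a real fleet; the value is in the three firing for the same host within a short window, which is the correlation a SIEM rule would express.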

Page 9

• Demo: https://www.youtube.com/watch?v=F9VBiR543AI&feature=youtu.be

Page 10

Conclusion and Future Work

• Learnings:

- We were exposed to various new functions of Windows programming

- Learnt more about system vulnerabilities and how they could be exploited

• Summary:

- The hook function plays an instrumental role in our project

- The Main Module installs a WH_KEYBOARD_LL hook procedure with the help of the SetWindowsHookEx WinAPI

- The Hook Procedure Module reports to the Main Module

- The SMTP Module sends the log file to the attacker

• Future Work: we can extend this project to a kernel-based keylogger, where the keylogger hides itself at the kernel level

Page 11

References

• http://www.securityweek.com/attackers-use-keyloggers-email-steal-datanighthunter-attacks

• http://www.codeproject.com/Articles/98355/SMTP-Client-with-SSL-TLS

• https://en.wikipedia.org/wiki/Keystroke_logging

• https://en.wikipedia.org/wiki/Hardware_keylogger

• https://msdn.microsoft.com/enus/library/windows/desktop/ms644959%28v=vs.85%29.aspx#wh_cbthook

• https://en.wikipedia.org/wiki/Blue_Pill_%28software%29

• http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5246998