



Why can keylogger pose a threat?


3.1. Keylogger software
3.2. Hardware keylogger

Nowadays, information technology is evolving rapidly and increasingly makes life easier for people. The daily operations of individuals and large companies have also been greatly facilitated. Along with the many advantages that today's level of computerization offers, it should be noted that the flow of information is not fully secure. There are many ways to invade privacy and steal confidential data, and a large number of malicious programs that make this possible.
The aim of this thesis is to present keyloggers, malicious programs that pose a great threat to privacy and security by tracking the characters a user enters. Furthermore, it describes the making of a simple keylogger that implements basic functionality and methods of attack. The first chapter describes what the term "keylogger" represents. The second chapter deals with the division of keyloggers into software and hardware, as well as their subtypes. The third chapter presents the operating principles of each type of keylogger and the programming mechanisms they use. The next chapter gives a full insight into the process of making a keylogger, describing all of its functionality and the code that enables it. It also describes the working principle of a keylogger application, from the initial infection of a computer to the successful theft of confidential data.


The term 'keylogger' itself is neutral and indicates the function of a program. Most sources define a keylogger as a software program that secretly monitors and saves every keystroke on the keyboard. Such a definition is not entirely accurate, because a keylogger does not have to be a software program; it may also be a device, a hardware keylogger (as will be shown later). Although hardware keyloggers are mentioned much less frequently in discussions of computer security, it is important to point out their existence. Also, keylogging functionality can be (and often is) much more than simply storing keystrokes.
The types of keyloggers and their functionality will be described in more detail later in this thesis. Legitimate programs may have a keylogging function that is used to call some program functionality through "hotkeys" (shortcut key combinations). There is plenty of legitimate software that allows administrators to monitor employees during working hours, or users to monitor the activities of guests on their own computers. However, there is a thin line between justified monitoring and espionage. Legitimate software is often used maliciously to steal a user's secret information such as passwords, credit card numbers, etc.
Most modern keyloggers are considered legitimate software or hardware and are available for purchase on the open market. Developers and software dealers offer a long list of purposes for which it is appropriate to use keyloggers:
- Company security: monitoring whether computers are used for purposes within the job description;
- Company security: using keyloggers to monitor keywords and phrases related to business secrets whose disclosure would harm the company;
- Parental control: parents can monitor what their children are doing on the Internet and can be notified when web pages with inappropriate content are accessed;
- Jealous spouses or partners can use a keylogger to monitor the actions of their better half;
- Law enforcement: as one of the methods of collecting evidence in a criminal investigation.

The stated reasons for using keylogging are more subjective than objective, which means that all these situations can be resolved by other methods. Every legitimate keylogging program can still be used with malicious and criminal intent.
Today, keyloggers are mainly used with such intent, to steal users' secret data, mostly related to online payment. With that in mind, the creators of malicious programs are constantly writing new keyloggers.

Furthermore, many keyloggers hide in the computer system (rootkit functionality), which makes them full-fledged Trojan programs.

2.1. Why can keylogger pose a threat?

Unlike other malware, keyloggers do not pose a threat to the computer system itself. Nevertheless, they are a major threat to the users of the computer system, since they can be used to intercept passwords and other confidential information entered through the keyboard and other input devices. As a result, cyber criminals can obtain the PIN codes and account numbers of various e-payment systems, passwords, online accounts, e-mail addresses, etc. Once in possession of confidential user information, they can easily transfer money from the user's e-account to their own. Unfortunately, access to confidential data can have more serious and far-reaching consequences than losing money. Keyloggers can be used as a tool for both industrial and political espionage, and thus lead to the disclosure of classified state information, which could in turn compromise the security of state organizations (e.g., by stealing private encryption keys).



It can be said that keyloggers are software or hardware entities that perform the keylogging function (keystroke logging). Furthermore, we can define keylogging as the process of capturing and monitoring (and saving) the keys typed on a keyboard, typically in a covert manner so that the user is not aware that his actions are being monitored. There is a large number of keylogging methods, from software and hardware to electromagnetic ones and those based on sound analysis.

3.1. Keylogger Software

These are software programs designed to run on a computer. They run hidden from the user and intercept all keystrokes on the computer on which they run.
Furthermore, at certain intervals a software keylogger sends the "caught" keystrokes to the attacker (by e-mail, FTP server, etc.).
According to their technical design and mode of operation, software keyloggers can be divided into five categories:
1. Hypervisor-based
The keylogger can be placed inside a malware hypervisor, where it in principle runs "below" the operating system, which stays unchanged. It effectively becomes a virtual machine and is not inside the operating system, which makes it difficult to find.

2. Kernel-based
These keyloggers are very effective and difficult to eradicate. They reside at the kernel level, which makes them difficult to detect. They are often implemented as rootkits and so deceive the system into seeing them as an integral part of it. As part of the kernel, these programs have no barriers to accessing all hardware input. They are often implemented as keyboard drivers and can therefore access typed characters directly, even before they reach the operating system. Their complexity makes them very difficult to program, so they are rarely used.

3. API-based
These keyloggers are "hooked" onto the API (application programming interface), so the operating system informs them each time a key is pressed on the keyboard, and they simply store these characters. They use API functions such as GetAsyncKeyState and GetForegroundWindow to retrieve the state of the keyboard, and subscribe to keyboard events. These keyloggers are easier to program than the preceding types and are therefore used more often.

4. Form grabbing-based
These keyloggers are based on retrieving a copy of the form data through the browser's event functions and recording the confidential information entered into a web form. The information is recorded before it is submitted, and thus bypasses HTTPS encryption.

5. Packet analyzers
Keyloggers of this type capture and analyze network traffic associated with HTTP POST events in order to obtain unencrypted passwords.

Software keyloggers can be enhanced with additional functionality to obtain user information without relying on keystrokes from the keyboard as the only input.

Some of the additional functionality:

- Clipboard logging: the keylogger captures all the information that the user has copied into the clipboard.
- Screen logging (screenshots): saves a picture of the current state of the screen in order to obtain any graphical information. It is possible to capture the entire screen, the window of a single application, or even just the area around the mouse pointer. Images are captured periodically or as a result of user actions (e.g., a mouse click).
- Capturing text within a control: the Windows API allows the text of some controls to be retrieved, which means that passwords can be obtained even if they are hidden behind a mask (usually asterisks).
- Capturing every opened program, folder or window, as well as a screenshot of every visited web page.
- Capturing browser queries, instant messenger conversations and other Internet activities.

3.2. Hardware keylogger

Hardware keyloggers do not depend on installed software and exist as a device in the computer system. They are most commonly implemented as a device on the connection between the keyboard and the computer. They record all keyboard activity and store it in their own internal memory.


The main idea behind a keylogger is to get in between two events in the chain that runs from the moment a key is pressed on the keyboard to the display of the information on the screen. As described above, this can be achieved by video surveillance, hardware modification of the keyboard, inserting a device between the computer and the keyboard, driver modification, modification of the kernel, or, most often, requesting information from the keyboard using the standard API methods.
The most widespread methods for capturing entered characters are:

- A system hook that uses the WinAPI method SetWindowsHook to intercept the notification about the pressed key
- Cyclic polling of the keyboard (cyclical keyboard information request) for information about the pressed key. Implemented with the WinAPI methods Get(Async)KeyState or
- Using a keyboard filter driver, a type of driver that is the first to receive the information about key presses and forwards it to the drivers of the operating system
The following is an outline of the different types of keyloggers, depending on the method implemented. Recently, keyloggers that use various methods of masking their files to avoid detection have become increasingly common. One noted piece of software is Signum best keylogger.
These methods fall under the so-called rootkit methods, that is, sets of programs that can hide files and running processes from the operating system.

An example of a simple software keylogger is shown here, and the process of creating it is explained in more detail. Everything that matters is described, including the functionality and the program code that enables it.
The goal is therefore to write a keylogger application that has the basic characteristics and functionality of any keylogger. The keylogger will capture everything the user enters from the keyboard. The application will be hidden from the user and will start at each power-up. All captured data will be saved in a text file whose location can be freely selected. The resulting text file (log file) will be sent by e-mail to an e-mail address. In addition to the basic functionality, the goal is to implement some of the more advanced features that can have a
Basic keylogger features to be implemented:
- hiding its presence from the user
- catching keystrokes
- saving data to a desired location on the disk in the form of a text log file
- sending data by e-mail
- starting at each computer start-up (modification of the registry)
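The autostart feature in this list leaves a registry entry that a defender can audit. The following added example (not code from the thesis) parses `reg query` output and flags autostart values whose executable sits in a user-writable location; the per-user Run key, the path heuristics and the sample output are assumptions constructed for illustration, since the text only says "modification of the registry".

```python
import re

# Constructed sample of `reg query` output for the per-user Run key
# (assumed autostart location; entry names and paths are made up).
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Audio Helper    REG_SZ    C:\Users\alice\AppData\Roaming\audiohlp.exe
    Sync    REG_EXPAND_SZ    %TEMP%\sync.exe -q
"""

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Heuristic markers for locations a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "%temp%", "%appdata%", "\\users\\public\\")

def parse_run_values(text):
    """Extract (name, type, data) records from reg query output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append({"name": m.group(1), "type": m.group(2),
                            "data": m.group(3).strip()})
    return entries

def executable_of(data):
    """Return the program path from a command line, quoted or unquoted."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ", 1)[0]

def audit(text):
    """Return (value name, executable) pairs that deserve a manual look."""
    findings = []
    for entry in parse_run_values(text):
        exe = executable_of(entry["data"])
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            findings.append((entry["name"], exe))
    return findings

if __name__ == "__main__":
    for name, exe in audit(SAMPLE_REG_OUTPUT):
        print(f"review autostart entry {name!r}: {exe}")
```

Legitimate per-user software also installs under AppData, so a flagged entry is a prompt for review, not a verdict.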

Further, this practical implementation will demonstrate some of the additional functionality that a keylogger may have:
- hidden menu
- the possibility of detecting keywords and acting accordingly
- capturing a picture of the current state of the screen (screenshot) and sending it by e-mail
- live display of the captured text on the screen for possible optical surveillance
- detection of user presence
- unobtrusive installation

This text has shown and explained the problems of invasion of privacy and security of users of computer systems. The keylogger attack, by malicious software that secretly monitors the user's character input, has been presented both theoretically and practically. Along with a description of the types of keyloggers, the principle of their operation is described, as well as the basic software mechanism, Windows Hooks, that enables their main function: monitoring character input from the keyboard.
The problem of keylogging is not negligible, all the more so because someone with only a basic knowledge of programming can make a keylogger that is able to compromise a user's privacy and security and lead to undesirable consequences, such as the loss of money from a bank account. The practical part of this work presents a method of making a keylogger application that implements the core functionality and methods of attack.
Since more and more people rely on computers in everyday life, it is necessary to be aware of the existence of such malicious software, which can cause material and emotional damage, and it is advisable to take some of the protective measures presented in this graduate work.