Thursday, November 15, 2012

Keylogger Or Keystroker : Beginners Guide FAQ

In my previous post i written about RAT Beginners guide. Here i am going to post about the Kelogging Or Keyloggers Beginners Guide.So in this post i will cover all the concepts which in the keyloggers After reading this you dont need any guide to start keylogging again.

What is Keylogger?

A keylogger is a program that logs a keyboards keystrokes. It can be used for several purposes, both black hat and white hat. The most common use is black hat. A keylogger functions by grabbing a keystroke, triggered by when the slave presses a key on their keyboard, and saving it to a variable. This process is called "keyboard hooking". It then will take this long variable and send it via a SMTP or FTP server. You can then view these logs and use it for whatever your intention may be. Keyloggers have several different features that I will go into in a later section. The most basic ones only include keyboard hooking and a way to send the logs.

Terms You Should know in Keylogger:


Slang term for keylogger. See the "What is a keylogger" section.


Slang term for keyboard hooks. These are also explained in the "What is a keylogger section"


Section of code that is triggered when the slave types something on the keyboard.


Compilation of all the keystrokes over a period of time.


A web host that stores files that allows the user to connect and retrieve said files. Files in this case are logs.

A way that logs are sent via Simple email. Example, MSN, Gmail, Yahoo, etc.


Fully Un-Detected. This means that antiviruses will not detect your file as a virus. This will be further explained in the "What is crypting section".


Undetected. This means that some antiviruses will not detect your files as a virus, while others will.


A server is the output of your keylogger. I will take this in-depth in the"What is a server?" section.
A crypter crypts your file removing detections. I'll take this in-depth in the "What is crypting" section.
A detection is a term used when an antivirus detects, or thinks your file is a virus. You always want to have the least amount of detections possible to increase your success rate and to reduce errors.
Black hat
A black hat is someone who uses their knowledge of computers and security for malicious reasons.
White hat
A white hat is someone who uses their knowledge of computers and security for helpful reasons. They help disinfect and improve others security to combat black hat hackers.
Grey hat
A grey hat is a mixture between a black and white hat. They will infect innocent people and then help them get rid of it, for free or a price (the latter being more common).
When a file is backdoored it has a virus binded to it. This means that the file will act normally and the user will be infected without their knowledge. This has become extremely common in the keylogger section. Always be wary of new releases.

Keyloggers Common feature:

As I've said before, most keyloggers have two basic settings. Keyboard hooking and log sending (by FTP or SMTP). Most keylogger developers likes to include more settings to help ease the user experience. Below is a list of common settings you may find, and what they do:

Icon Changers

This will change your viruses icon without corrupting it like some third party programs can do.
MuteX is a unique string that you generate. It helps prevent multiple logs from being sent.
Add to Startup

This will add a registry (or other ways) that will cause your virus to start when the computer is turned on.
Antis are a feature that help keep your virus on the slaves computer for as long as possible. They disable or stop certain white hat programs such as antiviruses, sandboxie, and keyscramblers from running or removing your file.
Disable CMD/Taskmanager/Registry
This feature will change the registry value for each of these system tools to disable them.
Logging interval
This allows the user to chose how often logs are sent.
Fake Error Message
This will cause a fake error message to pop up, making it seem less suspicious.
File pumper
This will add to the size of your virus. This helps making it seem less suspicious as a game won't be a few 

Assembly Editing
This allows you to change things found in the properties menu when right clicking a file. This helps it seem more like a real file rather than a virus.
Encrypted user information
This encrtyps your information so that others cannot steal it by Decompiling your virus.
Test connection
This will test your credentials that you've entered to make sure they are correct.

How do i Use It?

Using a keylogger is a lot easier than it sounds. All you need to do is find one that you want to use, download it, and then choose your settings. Once you have entered all your information and chosen your settings, click the build button. The builder will create your server. This is what you give to people. Give them this file and when they run it they will be infected and you will start receiving logs. Pretty self explanitory. If you ever have a question contact the creator and they should be able to help you.

What is a Stub?

A stub is a separate binary that contains special code that is required for the keylogger to function. There are usually two things in a keylogger. The builder and the stub. Some keyloggers will have a stub built in. A builder takes the information and settings you've chosen and merges it with a stub. The stub contains keyhooks and the workings of each feature. These two merge to create your virus, containing all of the information. I'll cover this file in the next section.

What is Server?

A server is the output of your keylogging builder. It takes your user information (the builder) and the actual malicious code (the stub) and merges the two (via either Code DOM which I'll explain later in this section, or by file splitting, which I will also cover) to make one bad ass file. There are several ways that this is accomplished, and both ways have their ups and downs. The server is also what you distribute to infect people. It is your "virus"

CodeDom is a type of building that generates the code during run time. This allows the user to only have to download one file (just a builder). After inputting your information, the builder will take this and combine it with the malicious code (already inside the builder). This helps lower detection rates, but overall is harder to do, and is harder to reFUD (you have to re distribute the entire builder, instead of just providing another stub).

File splitting is the old school way to do things. It requires taking your information (the builder) and combining it with a separate file that contains the malicious code. While this makes it easier to detect, it's easier to update as you can simply give your users another file (same thing, just with less detections).

What is Crypting?

Crypting can be very complex, though it isn't necessary for you to know all of this information. So for this section I'll keep things to what you need to know. Crypting involves taking a stub (sometimes it's CodeDOM) and using that to FUD (or lower your detection rate) your file. The entire process can get a bit confusing, and I won't bother getting into it. What you do need to know is that crypting can easily corrupt your keylogging sever making it no longer work. A corrupt keylogger may not be detected (the crypter at least did it's job) but it will not send logs making it useless. Because of this you should chose your crypters carefully and it may take a while to find one that works (for free) with your keylogging server. If you are buying a crypter (which I recommend) then be sure to ask the seller to either test or verify your server. In short, crypting is used to lower detection rate, and raise execution rates. That's all you need to know.

Difference Between Keylogger and Stealer?

There is one major defining difference between a stealer and a keylogger. A stealers purposes is to steal passwords that have been saved in the browser/application. Ever logged into something and your browser prompted you to save the password? This is what stealers steal. They are good for massivley grabbing passwords and quickly. Once run they do not continue to steal until run again.

What is .Net Framework?

.Net Framework is a very in-depth concept from Microsoft. While you don't need to know (or should you really care) you should know that most keyloggers are written in Visual Basic .Net, giving it a dependence. Depending on who made it you may have to install a specific version (.Net 4.0). Most computers (99%) come with .Net 2.0 installed. Your output will also require a specific framework (depending on which one you use).

Can Victim detect it's presence once keylogger is installed in his/her computer?

Well it's really difficult for the victim to detect keylogger's presence as it runs in complete stealth mode, It hides it self from task manager, Startup etc

Can victim trace you back?

Once the keylogger is installed, I think it's almost impossible for the victim to trace you back

How can I protect my self from keylogger?

A simple keylogger can be detected by even a lame antivirus, but sometimes the attacker can use methods like Crypting,Binding,Hexing etc, that make it harder for the Antivirus to detect the keylogger. So to counter that you should use a piece of software called sandboxie,Sandboxie runs the choosen computer program in an Isolated space so if the file you receive is a keylogger, You need no to worry because it won't affect your other programs, Firefox users can use the free version of keyscrambler which encrypts each and every keystrokes you type, so even if a keylogger is installed in your computer, You need not to worry as the attacker will receive the encrypted keystroke

How do I find if a file is binded with a keylogger?

Keylogger can be binded with almost any file so how do you know if the file is binded?, You can use Bintext or Hex editor to find out, But Bintext and Hex editing method do not work effectively if the server is crypted so alternatively there is a great piece of software named "Resource hacker" that can tell you if the file is binded or not

i hope i explained the Most of the concepts in keylogger if any thing missing mention in comments i will explain soon.Hope this post helped you.

Happy Hacking.. :)

1 comment: