Anti-Anti-Keylogger Software

Posted: October 15, 2010 in Research

Overview:

Ever installed a keylogger on your "own" machine for research purposes, and found that the machine you're testing on has some crummy anti-keylogger software? Frustrating, right? Wrong, because I am going to show you an exploit to use if you want to keylog Internet Explorer.

The Solution:

So there are a couple of things we need to accomplish to get this working properly.

  1. Get access to the browser object.
  2. Find a means to inject some malicious code.
  3. Figure out what code to inject.

Now, anti-keylogger software tends to intercept the key events at the keyboard driver level and then fire off some random key events. These are consumed, and the legitimate keystrokes are fired inside the target window. Bear in mind that your code has no control over anything in between, and let's assume that nuking the keylogger is not possible for some reason (some keyloggers are very good at limiting uninstall capability). So how can we intercept keystrokes to IE?

OK, more tips for you. If your keylogger is in the browser window, e.g. a browser plugin, keylogger p0wn3d. But let's say that the user is fully aware of malicious browser-based plugins. Not that easy to hide, especially in IE 8 and Windows 7, both of which will spawn popup windows alerting the user to the installation of a plugin. How would we insert a keylogger now? Anyone?

Open up Visual Studio and create an Internet Explorer object. Then enter the following code:

Loop through each IE object, checking the LocationURL property, and keep the one that matches the target site:

    // Requires a project reference to the SHDocVw COM library
    // ("Microsoft Internet Controls").
    using SHDocVw;

    InternetExplorer ieToP0wn = null;

    // ShellWindows enumerates every open IE (and Explorer) window.
    foreach (InternetExplorer ie in new ShellWindows())
    {
        if (ie.LocationURL.Contains("targetSite"))
        {
            ieToP0wn = ie;
        }
    }

Cool, so now we have access to the browser object. 1 down!

Step 2, a means to inject malicious code into the page. Quite a few of these anti-keylogging systems protect the DOM and the cookie container, so you cannot just add your code into the page: it will say access denied. However, the Navigate function is not blocked. Ever seen this before: "javascript:alert(1);"? Test it by copying it out and pasting it in your URL bar. See the message box? Cool, but what does this have to do with the aforementioned code? ieToP0wn.Navigate(), that's what. So, in your C# code, add in the following:

    // Navigate() accepts a javascript: URL, so the script runs in the page context.
    ieToP0wn.Navigate("javascript:alert(1);");

Cool, a means to inject code, and if we can inject code, we can inject a keylogger. So, homework for you: google document.innerHTML and window.onkeypress. With these you can change the web page structure and add a key event listener. Awesome. Me thinks this looks like a keylogger :).
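From the defender's side, the same ShellWindows enumeration can be used to watch for exactly this injection channel. The following is an added example, not code from the original post: a small monitor that attaches to every running IE window and cancels any navigation whose target is a javascript: URL. It assumes a project reference to the SHDocVw COM interop ("Microsoft Internet Controls") and that BeforeNavigate2 is raised for Navigate("javascript:...") calls on the IE version under test, which should be verified on your own build.

```csharp
// Added example (not from the original post). Assumes a reference to the SHDocVw
// COM interop and that BeforeNavigate2 fires for javascript: navigations.
using System;
using System.Threading;
using SHDocVw;

static class JsNavigationMonitor
{
    static void Main()
    {
        // ShellWindows lists both Internet Explorer and Windows Explorer windows;
        // both expose the InternetExplorer interface, so skip file: (Explorer) ones.
        foreach (InternetExplorer ie in new ShellWindows())
        {
            string url = ie.LocationURL ?? string.Empty;
            if (url.StartsWith("file:", StringComparison.OrdinalIgnoreCase))
                continue;

            ie.BeforeNavigate2 += OnBeforeNavigate2;
            Console.WriteLine("Watching " + url);
        }

        // No [STAThread]: the process stays MTA, so COM delivers the event
        // callbacks on RPC threads without a message loop. Keep the sinks alive.
        Thread.Sleep(Timeout.Infinite);
    }

    // Matches DWebBrowserEvents2_BeforeNavigate2EventHandler; setting cancel
    // to true stops the navigation before the script: URL is evaluated.
    static void OnBeforeNavigate2(object pDisp, ref object url, ref object flags,
        ref object targetFrameName, ref object postData, ref object headers,
        ref bool cancel)
    {
        string target = url as string ?? string.Empty;
        if (IsScriptUrl(target))
        {
            Console.WriteLine("Cancelled script navigation: " + target);
            cancel = true;
        }
    }

    // Pure check, kept separate so it can be unit-tested in isolation.
    // IE also evaluates vbscript: URLs, so both schemes are treated alike.
    static bool IsScriptUrl(string url)
    {
        string s = url.TrimStart();
        return s.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase)
            || s.StartsWith("vbscript:", StringComparison.OrdinalIgnoreCase);
    }
}
```

Run it alongside an IE instance and issue the Navigate("javascript:alert(1);") call from the post: the monitor should report the cancelled navigation and no message box appears.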

Will upload some sample code at a later stage. And you can expect the release of a security tool in the near future to test your IE browser security software. Watch this space.
