Is there any way to detect keylogging software?

I want to write a program to detect malicious (or non-malicious) keylogging software (software that logs keystrokes to harvest information).

  • What tactics would be used?
    • Is there any specific code to look for?
    • Are there any specific locations I should look in?
  • I prefer Java or Perl, as I am fluent in those languages
    • Would these languages work?
    • Is there a better language to use in this case?
  • What would be used?
    • Code?
    • Algorithms?
    • Functions?
+6
2 answers

I think it depends on what you are trying to do. If you are looking for well-known keylogger programs, you can use any software that can scan the file system for file signatures. However, it sounds like you want to detect unknown programs. I do not believe that this is strictly possible. Keylogging applications can passively listen for keystrokes, so there is no active signature you could look for. It would probably be easier to understand what software is supposed to be running on your computer, and then discover any new software that starts running. That will not necessarily be keylogging software, but it will be unauthorized software (or at least unknown software).

Keystrokes are delivered to the system as events that your application can subscribe to. That is how games and other programs receive keyboard input. The whole system knows when a key was pressed and which key it was. You cannot know who is listening.

In other words, if it were possible, it would kill keyloggers, since every anti-virus and anti-spyware application would be able to detect and remove all software of this kind. They do have something like this, but it is based on known signatures of well-known keyloggers.

+3
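
The "know what should be running, then flag what is new" approach from the answer above, as an added example that is not the answer's own code. It records a baseline of the executables behind every running process (path plus SHA-256 of the on-disk file, so a renamed or patched binary still shows up) and later diffs a fresh snapshot against it. It reads Linux `/proc/<pid>/exe` through a `proc_root` parameter so the demo can run against a constructed `/proc` look-alike; the binary names, `build_fake_proc` and `demo` are constructed demonstration data, not taken from a real host.

```python
"""Baseline-and-diff detection of unexpected running software.
Added example (not code from the original answer).  Linux /proc is read
through a proc_root parameter so the logic can be exercised offline on a
constructed directory tree; run with proc_root="/proc" as root for real use."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: str) -> str:
    """Hash the on-disk executable so a renamed or patched binary still differs."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def running_executables(proc_root: str = "/proc") -> dict:
    """Map executable path -> sha256 for every process whose /proc/<pid>/exe
    link resolves.  Kernel threads and other users' processes (without root)
    raise OSError on readlink and are skipped."""
    seen = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        exe = exe.split(" (deleted)")[0]  # binary unlinked after start: keep the path
        if exe in seen:
            continue
        try:
            seen[exe] = sha256_file(exe)
        except OSError:
            seen[exe] = None              # running but gone from disk: suspicious by itself
    return seen


def save_baseline(snapshot: dict, path: str) -> None:
    Path(path).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Classify running executables relative to the known-good baseline."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"new": new, "changed": changed}


def build_fake_proc(root: str, pid_to_exe: dict) -> str:
    """Construct a /proc look-alike (constructed demo data, not a real system).
    Each exe path must exist as a regular file."""
    for pid, exe in pid_to_exe.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d, exist_ok=True)
        os.symlink(exe, os.path.join(d, "exe"))
    return root


def demo() -> dict:
    """Known-good host runs two binaries; later one is patched and an unknown
    one starts.  Returns the diff with paths reduced to basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        bins = os.path.join(tmp, "bin")
        os.makedirs(bins)
        for name in ("sshd", "bash"):
            Path(bins, name).write_bytes(b"ELF-" + name.encode())
        good = build_fake_proc(os.path.join(tmp, "proc-good"),
                               {1: f"{bins}/sshd", 2: f"{bins}/bash"})
        baseline_path = os.path.join(tmp, "baseline.json")
        save_baseline(running_executables(good), baseline_path)

        # Simulated compromise: bash replaced in place, an unknown binary running.
        Path(bins, "bash").write_bytes(b"ELF-bash-with-hook")
        Path(bins, "kbd-helper").write_bytes(b"ELF-unknown")
        later = build_fake_proc(os.path.join(tmp, "proc-later"),
                                {1: f"{bins}/sshd", 2: f"{bins}/bash", 3: f"{bins}/kbd-helper"})
        diff = diff_against_baseline(load_baseline(baseline_path), running_executables(later))
        return {k: [os.path.basename(p) for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    print(demo())  # {'new': ['kbd-helper'], 'changed': ['bash']}
```

The hash, not the name, is what matters: a keylogger dropped over an existing binary (the "changed" bucket) would pass a name-only allow-list. This only sees processes whose `/proc` entries are visible, so a kernel-level or rootkit-hidden logger still escapes it, which is the limitation the answer describes.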

For a program that simply wants to determine whether its own input is being logged: with poorly written keyloggers you could look for some timing patterns, such as periodic delays when buffers are flushed, but usually keyloggers are very well written and will be embedded in the driver chain, and therefore indistinguishable from the normal chain.

In that case, the only hope for detecting keyloggers is to inspect the driver chain for non-standard drivers (but some keyloggers can infect standard drivers), which is not so simple in Windows-land (such low-level control).

You would need to hook into the antivirus / anti-malware hooks to really get access not only to the driver chain definitions but also to the actual executable code, in order to determine whether any key capturing is being performed, and this is difficult, full of bureaucracy, and almost impossible in anything other than C / C++.

+2
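
The driver-chain inspection in the answer above is Windows-specific. As an added example (not the answer's own code), the Linux counterpart of "look at who sits in the input path" is to list the processes that hold the raw keyboard device open: every reader of `/dev/input/event*` keeps a file descriptor on it, and `/proc/<pid>/fd` exposes those descriptors to root. The allow-list `EXPECTED_READERS` is an assumption for a typical desktop and must be tuned per host; `build_fake_proc` and the three processes in `demo` are constructed data so the block runs offline.

```python
"""Which processes are reading the raw keyboard?  Added example, not code
from the original answer.  Every reader of /dev/input/event* holds an fd on
it; as root, /proc/<pid>/fd shows those fds.  proc_root is a parameter so
the check can be exercised against a constructed tree.  A kernel-level or
rootkit-hidden logger does not appear here, which is the answer's caveat."""
import os
import re
import tempfile

EVDEV_RE = re.compile(r"^/dev/input/(event\d+|by-id/.*|by-path/.*)$")

# Assumption for this example: processes that legitimately hold the keyboard
# device open on a typical desktop.  Tune for the host (tty login, compositor).
EXPECTED_READERS = {"Xorg", "systemd-logind", "gnome-shell", "sway", "weston"}


def process_name(proc_root: str, pid: str) -> str:
    try:
        with open(os.path.join(proc_root, pid, "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def input_device_readers(proc_root: str = "/proc") -> dict:
    """Map pid -> (comm, sorted list of evdev nodes the process has open)."""
    readers = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:            # another user's process, or it exited
            continue
        nodes = set()
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if EVDEV_RE.match(target):
                nodes.add(target)
        if nodes:
            readers[pid] = (process_name(proc_root, pid), sorted(nodes))
    return readers


def unexpected_readers(readers: dict, expected=EXPECTED_READERS) -> list:
    """Anything off the allow-list that holds the keyboard open deserves a look."""
    return sorted((pid, comm, nodes) for pid, (comm, nodes) in readers.items()
                  if comm not in expected)


def build_fake_proc(root: str, procs: dict) -> str:
    """Construct a /proc look-alike (constructed demo data, not a real host).
    procs: pid -> (comm, [fd link targets])"""
    for pid, (comm, targets) in procs.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, str(pid), "comm"), "w") as fh:
            fh.write(comm + "\n")
        for i, target in enumerate(targets):
            os.symlink(target, os.path.join(fd_dir, str(i)))
    return root


def demo() -> list:
    """Xorg legitimately reads two event nodes; an unknown python3 process has
    the keyboard open next to a hidden log file.  Returns [(pid, comm)]."""
    with tempfile.TemporaryDirectory() as tmp:
        proc = build_fake_proc(os.path.join(tmp, "proc"), {
            1: ("systemd", ["/dev/null", "socket:[1234]"]),
            842: ("Xorg", ["/dev/input/event3", "/dev/input/event5", "/dev/dri/card0"]),
            1337: ("python3", ["/dev/input/event3", "/home/u/.cache/.k.log"]),
        })
        return [(pid, comm) for pid, comm, _ in unexpected_readers(input_device_readers(proc))]


if __name__ == "__main__":
    print(demo())  # [('1337', 'python3')]
```

Run as root against the real `/proc`, this lists user-space loggers that read evdev directly; it says nothing about X11 `XRecord` clients, Wayland compositors that forward keys, or anything living below the device node, so it is one check among several rather than the definitive answer the question asks for.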

Source: https://habr.com/ru/post/888337/
