#keylogger

I was curious how many of the dozens of custom shortcuts I actually use. And also, yes, curious what someone who did keylog me would actually see. (Of course all my passwords are in the file—it's interesting to think of a way of obfuscating that.)

It'll take me a while to comb through (not to mention the extreme amount of sed I need to use to parse the file), but a couple fun facts:

I am a serial backspacer. Backspace is my third-favorite key to press, after the spacebar and "e".

Keylugger

A #Toontown #cog adopt for @traxxboxx.bsky.social! A "Keylogger" or in this case a "KeyLugger" lol

i have a ps/2 keyboard that could have been compromised by an implant. what can i do besides replacing the keyboard?

this keyboard is intended for an environment where USB is blocked on all ports, including for HUDs, so i cannot replace it with a USB keyboard.

i suspect that i could get a ps/2 keylogger and check periodically to confirm it isn't sending rogue commands to the device it will be attached to. a cheaper option would be to leave it connected to an open document and see if it sends any weird keystrokes without my input, but i don't know enough about the AT protocol to know if a malicious ps/2 input stream could send like, lower level commands that would never reach the OS. my primary question is if that's something that's possible. I'm also open to any additional concerns / thoughts anyone here may have.

under most circumstances i'd recommend to anyone else in my position to get rid of the keyboard, but I'm way more interested in finding ways to confirm via logging that the keyboard is or is not safe to use.

Finished the first part of my keylogger.

It’s 100% not perfect and I can imagine it not running as smoothly on keyboards of a different layout; honestly as this is just a PoC I’m pretty happy with where it is and proceeding forward with it in it’s current form.

It turned out to be more involved than expected- originally I had it working in a loop with GetAsyncKeyState (https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getasynckeystate) but this was using 20% of my CPU when investigated- while this had no negative effect on my laptop personally, it probably wouldn’t be ideal on laptops with weaker CPUs.

This is when I came across Windows hooks (https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks) To put it simply, Windows hooks are very similar to JavaScript event listeners- you know, listening for clicks on a specific button and similar? 

The code here is the first step in the process. I used 2 kinds of Win32 functions here as the Win32 API is pretty retarded as I couldn’t setup an event hook for a change in the foreground window through WindowsHookEx: while low level event hooks (denoted by _LL)  do not need to be put into a DLL and then loaded into another C program through WindowsHookEx, a majority of other event hooks do.

WinEventHook, however, doesn’t have this limitation. In order to avoid having to create a separate program just to load in the hooks from a DLL, I simply used the two different functions. This wouldn’t work if I wanted the callbacks to interact; I don’t so yeah. xD

These are the callbacks I created for the two events. I created a keyLogger class with virtual methods which provides the code for returning characters corresponding to keypresses and returning the active foreground window (literally just the window the user is currently interacting with.)

This is my returnChar method- pretty self explanatory. I decided to just use the integer value of the inputted character to determine certain punctuation that was inputted. Unfortunately, I am limited to UK keyboard testing only so I can’t say how well this works on a US keyboard layout! 

The shift key also proved to be a huge issue- for some reason I get an accented a before the shift key is registered as being pressed down. For the sake of simplicity, I simply noted this when encountered as either shift or an accented a (though this may not be needed now that I’m outputting when shift is pressed with a key!)

This is the method for returning the currently active window. Pretty self explanatory.

That’s pretty much it! I have the code in a repo here https://github.com/CourtneyJane2904/keylogger if anyone’s interested. 

My next step will be setting this up to run on startup and to run as hidden as physically possible with the permissions of the user. 

After that there’ll be a focus on sending the data to a remote server and finally looking into the obfuscation and encryption of the program if it flags up Windows Defender. 

Thinking of delivering it through a malicious word document in my PoC scenario but I honestly haven’t decided yet!