Jump to content

Keylogger for exfiltration of binaries


Recommended Posts

This is a cross post of sorts: https://forums.hak5.org/index.php?/topic/31831-super-devious-exfiltration/?hl=logger

I'm making the contention that if a keylogger had enough memory, that it could log a binary file (base64 or hex encoded first) and exfiltrate it without the network or needing a Flashdrive/Firewire (other)connection.Be it document, db etc...

It is a bit of inception, the binary to base64 script would need to be written to the computer first, then pipe the target binary (document/db...) through that script. That script could pause, or wait for the keylogger to say "go", and then using native functions perhpas (like Sendkeys) or some other KB emulation, and the keylogger would then, eventually have the converted binary. It could be a binary that gets written by the RD to the computer, we'll call it kb.exe, and it executes and lt pipes the target file/binary into base64 and then the kb.exe would "type" the converted file for the keylogger to pick up.

The RubberDucky function of getting files/scripts onto a computer is done, how about the reverse? Getting (target)files converted into keystrokes and recording those back into the RD or I suppose a second hardware keylogger if RD can't be modified to listen on the bus.

It's not a typical use case, and the network or USB drive are quick and easy for networks that aren't very locked down, but on others, this would be the way to do it. If it's been done I aplogize, I can't seem to find anyone suggesting it the way i am. I also understand that it might not be very quick way to get files out of a network, but I don't know, it could be... Memory of course being one of the most significant issues. Compression in the script (upx? 7z?) against the binary first might help.

Just throwing it out there.


Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...