What is a key(-stroke)logger?
A keystroke logger is a program that intercepts all keystrokes you make on your computer. Sysadmins use it to see what you're doing. They can see which websites you're visiting, because you have to type the URL to get there. Keystroke loggers run in the background and require a password to change the settings or to view the logfile. Keystroke loggers are also used by hackers, because they also log the victims' passwords. Logfiles can be sent by email; a lot of keyloggers have that option.
I've tried a lot of keystroke loggers to see which one is the best. Here's my list:
- Key Key 2000
- Chat nanny
- Key Interceptor
- 2SPY!
- Omniquad Desktop Surveillance
- WinWHatWhere Investigator
- AppsTraka
- SureShot Ghost Keylogger
[***********Key Key 2000*************]
- What can Key Key 2000 do?
Key Key 2000 is a very simple keystroke logger, though a lot of people are using it. The logfile is usually stored in the Key Key 2000 directory as kklog.txt:
C:\Program Files\KEYKEY\log\ <--------This is the standard directory
And it's not even encrypted. This is why a lot of sysadmins don't install Key Key with the standard installation. They place the logfile in the system folder, where it's very difficult to find. But there are other ways to crack Key Key 2000...
Changing Password
This is the dumbest thing about Key Key 2000. It's not very difficult to crack the password, because it's stored in the Windows registry as:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\vkeykeyd\AccessPassword
If you can't find the value, it means there's no password set! You can simply delete the password value to gain full access to Key Key 2000.
To access the Key Key 2000 monitor, search your computer for a file called kkmon.exe.
Lots of information is stored in the Windows registry, like the name and directory of the logfile, but that's not important, because you can already access the keystroke logger and change the password.
http://www.mikkotech.com
[***********Chat Nanny*************]
This program works a lot better than Key Key 2000. Normally Chatnanny is a program that prevents kids from seeing their mums' nasty pics on the internet, but it can also be used to prevent employees from looking at porn pics. It's difficult to find the directory and I can't find anything in the Windows registry.
Anyway, to access Chatnanny, go to Start ---> Run and enter 'nannywin'. A password form appears. The standard password is 'chatnanny', but I don't think anyone would be so stupid as to keep that password. You can give it a try though. The standard directory for Chatnanny is C:\windows\shelltray, and the program that sysadmins use to monitor is C:\windows\nannywin.exe. When you delete nannywin.exe, the sysadmin can't monitor anymore :)
Here's a little something you need to know: in C:\WINDOWS\shelltray is a file called viewfilter.dat. You can find the filter words for websites in this file. When Chatnanny finds a word on a website you are currently visiting that matches a word in the list, it'll block the website. Please edit this list ;). Almost the same, postfilter filters websites that ask for your credit card number and other personal stuff.
You'll also find a file called something like #activity.186. This file logs your keystrokes. Convert it to a text file and you'll see. You can modify or delete it, but when you delete it, Chatnanny will automatically create a new one.
[***********Key Interceptor*************]
This program is very simple; you can even stop it from logging by simply pressing Ctrl+Alt+Del. The program is called something like keyrunner. The program will start again at the next startup. To prevent this, go to Start ---> Run and type 'msconfig', click on the tab 'Startup' (or something like it) and click on Keyrunner and Keyinterceptor9x to uncheck them. Now the program will not start at startup :)
[***********2SPY!*************]
2Spy! is an application for monitoring, intercepting and logging system messages on your machine like keystrokes, mouse clicks, window activations, etc...
2SPY!'s directory is normally C:\windows\system\ssh32. Logfiles are encrypted and you can only decrypt them by entering a password. It has some extra stuff like screen capture. Normally the screen captures will be saved in the SSH32 directory, but that can be changed. The logfile is called ssh32.log and is normally saved in C:\windows\system or the SSH32 directory.
Encrypt the logfile
Here's a trick to decrypt, modify and re-encrypt the logfile, but you need to install 2SPY! on your own computer. Download it at www.zoranjuric.com and install it. Now place the (decrypted) logfile in your own SSH32 directory and open SSH32.exe. Go to Options ---> Logfile and enter the folder name where the logfile is stored. Click OK and now you're in a panel called Control Panel. Click Decrypt and after that, click View Logfile. Modify it, encrypt it again and switch the manipulated logfile with the normal logfile (when you're back at the other computer). Now the sysadmin has a manipulated logfile.
To prevent it from running on Windows startup, just open the Windows registry (regedit.exe) and delete this value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssh32
View the screen captures
These are very easy to view. Normally you need to open the *.2sp files with view2sp.exe, but that requires a password. You don't need the password; all you have to do is open the *.2sp files with Paint, and the screen captures are yours without needing a password.
Delete 2SPY!
To cause an error on startup and prevent 2SPY from running correctly, simply delete the (hidden) SSH32.dll file in C:\windows\system.
[***********Omniquad Desktop Surveillance*************]
This program looks very intelligent. It can send the logfile by email, it can take screen shots and you see a blue eye in the system tray when ODSP is working. BUT...
There are some things that make the program very weak, like the configuration program. You don't need a password to configure ODSP. Without a password you can:
- Disable/enable keylogging...
- Disable/enable screenlogging...
- View screen/key logfiles...
- Change directories of logfiles and other programs...
- Enable/disable Omniquad...
- And many, many more!
All you have to do is install ODSP on your own computer and copy ODSCFG.EXE to a disk. Then go back to the other computer and open ODSCFG.EXE from the disk.
If you can't find this program, don't worry. The logfile is called odsact.log and can be found in the ODSP folder. The logfile isn't encrypted. The screen shots can be found in C:\Program Files\ODSP\Virtual_Video and only require Paint to open...
Download ODSP at www.omniquad.com
NOTE: A stupid sysadmin could have forgotten to remove the configuration program (ODSCFG.EXE).
To prevent ODSP from running at startup, just remove from the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odsp
[***********WinWhatWhere Investigator*************]
WinWhatWhere will show an icon in the system tray, a 'W' with a green dot. WWWI will normally be installed in C:\windows\system\OBLE. The data files will also be installed there. Delete them to cause an error when the sysadmin wants to view the logfile.
Prevent it from running at startup
This was a little harder to find, because these programmers were smart and gave their program a difficult name in a different location than C:\windows\system\OBLE. Anyway:
Open the registry editor and delete these values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CMA Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\CMA Manager
Just to be sure, go to Start ---> Run and type msconfig. Uncheck all the CMA Manager values that try to run aa81232.exe.
You can also go to Start ---> Search and type aa81232.exe. It'll find two files; delete them if you like.
[***********AppsTraka*************]
This program isn't very protected. All of its information can be found in the Windows registry.
Change the password:
The password to enter the program is stored in the Windows registry. To change it, just delete this value from the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Odisoft\AppsTraka\Settings\password
When you start C:\Program Files\AppsTraka\AppsTraka.exe (it's usually stored here...), it shows an error and asks you to enter a new password.
Prevent startup
Go to Start ---> Run and type msconfig. Click the Startup tab and uncheck 'Apps traka'.
Delete AppsTraka
First the program mustn't be running. You can do that by deleting the startup value or by restarting in safe mode (hit F8 a couple of times while starting your PC). Then search for a file called AppsTraka.exe and delete it.
Change Warning Message
'This computer has monitoring software installed. All activities will be recorded.'
You can change the warning message of AppsTraka. When AppsTraka appears, it'll show a manipulated message. Here's how to do that:
You need to know that this will only work if the sysadmin has turned 'show warning msg' on.
Open the Windows registry (regedit.exe) and search for this value:
HKEY_LOCAL_MACHINE\SOFTWARE\Odisoft\AppsTraka\Settings\WarnMsg
The warning message is stored here. To change it, click on it with your right mouse button.
[***********SureShot Ghost Keylogger*************]
This program works fine; its logfile is encrypted and can be sent by email. The normal directory is C:\program files\gkl. Still, there's an easy way to get the password, change the email-to address, view the logfile and modify/delete the logfile.
gklconfig.cfg
This is the weakness of the program: gklconfig.cfg. Every configuration setting of Ghost Keylogger is stored in this file: the password, logfile name, etc. When you delete this file, the program will use the standard configuration and asks for your password. Then run the program called gklconfig.exe and enter a new password. You're in...
View logfile
OK, bad luck. The sysadmin doesn't allow people to delete files, but you still want to take a look at the logfile. There's a way:
If the sysadmin has configured Ghost Keylogger the standard way, here's where you can find the logfile: C:\Program Files\gkl\logfile.txt. This only applies to the standard configuration.
Copy it to a disk and take it home. Install Ghost Keylogger on your computer (www.keylogger.net) and paste the logfile in the Ghost Keylogger directory. Run gklconfig.exe and view the logfile.
Disable SureShot Ghost Keylogger
Delete the folder Ghost Keylogger is in. You can also change the name of the dynamic link library, usually called gkl.dll. When this is done, only your computer name and username will be logged. Or go to Start ---> Run and type msconfig, and disable GhostKeylogger.
[***********DELETE PROGRAMS*************]
Here are a few ways you could try to disable the keylogger that is running. Some options you need could be disabled by the sysadmin, so you need more ways to disable the program.
-=HTML-DOCUMENT=-
You can try this one when your computer has Microsoft Internet Explorer. Create a txt document and paste this text into the document:
<html>
<body>
<SCRIPT language=vbscript>
' Runs as soon as the page is loaded and calls the routine below
Sub Window_OnLoad()
    Call disable
End Sub
Sub disable
    ' FileSystemObject gives the script access to the local file system
    Set onstart = CreateObject("Scripting.FileSystemObject")
    Set a = onstart.GetFile("C:\put_the_folder_and_exename_of_the_keylogger_here")
    a.Delete
End Sub
</SCRIPT>
</body>
</html>
Now change the *.txt into *.html and run the HTML document. When Internet Explorer runs the document, go to Extra ---> Internet Options ---> Security and set everything to low. Run the HTML document again and now Internet Explorer asks you if it's allowed to load ActiveX controls. Click YES.
-=AUTOEXEC.BAT (MS-DOS)=-
Search for a file in C:\ called autoexec.bat. Add this line to autoexec.bat:
del C:\progra~1\keylog~1.exe
This will delete the monitoring program that the sysadmin uses to view the logfile.
IMPORTANT: when a folder or filename has more than 6 characters, MS-DOS can only read it when you replace the 7th character and everything after it with ~1. For instance:
C:\program files\keylogger.exe
becomes:
C:\progra~1\keylog~1.exe
This is only in MS-DOS; you don't have to replace the names in Windows!
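As an added example (not part of the original text), here is the 8.3 short-name rule written out as a small Python function. It goes a little beyond the text: the rule is assumed to be the general one, where a name is shortened when it is longer than 8 characters, contains spaces or other characters DOS does not allow, or has an extension longer than 3, and the ~1 suffix assumes no other entry in the same folder collides (those would get ~2, ~3, ...).

```python
import string

# Characters DOS allows in an 8.3 name component (assumed standard set)
_VALID = set(string.ascii_letters + string.digits + "!#$%&'()-@^_`{}~")


def short_component(name):
    """Return the MS-DOS 8.3 alias of one file or folder name.

    A name that already fits 8.3 and uses only valid characters is
    returned unchanged. Anything else is cut to its first 6 valid
    characters followed by ~1, and the extension is cut to 3 characters.
    """
    base, dot, ext = name.rpartition(".")
    if not dot or not base:          # no extension, or a name like ".hidden"
        base, ext = name, ""
    clean_base = "".join(c for c in base if c in _VALID)
    clean_ext = "".join(c for c in ext if c in _VALID)
    fits = (clean_base == base and clean_ext == ext
            and 1 <= len(clean_base) <= 8 and len(clean_ext) <= 3)
    if fits:
        short = clean_base
    else:
        short = clean_base[:6] + "~1"   # e.g. "program files" -> "progra~1"
        clean_ext = clean_ext[:3]
    return short + ("." + clean_ext if clean_ext else "")


def short_path(path):
    """Apply short_component to every folder and file name in a DOS path."""
    drive, *parts = path.split("\\")
    if not drive.endswith(":"):      # first piece is a name, not a drive letter
        drive = short_component(drive) if drive else drive
    return "\\".join([drive] + [short_component(p) for p in parts if p])


if __name__ == "__main__":
    print(short_path(r"C:\program files\keylogger.exe"))  # C:\progra~1\keylog~1.exe
```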
-=DOWNLOADING=-
Sometimes you can overwrite a file by downloading a file and saving it as the keylogger program. Just download a file, click Save to Disk and save it under the keylogger's name. Hopefully the keylogger will not work correctly anymore.
by Michiel Habraken
5/7/2002