Technical Inf.
PSMAntiKeyLogger

Some more about Spyware

- Nowadays there is a lot of Spy software in the world. Once installed, it can easily steal users' passwords, security and private information. So, in order to protect computer users from losing their passwords, there is also a huge number of AntiSpy software products; once installed, such a product tries to detect and remove all Spy software on the computer.
- In order to protect your PC from Spyware or KeyLoggers, you should know how they work and what their signs are, and then find the way to detect and destroy them, either by using Anti- tools or by yourself.

You can try some Spy software by searching for the word "Spy" on www.google.com. Real Spyware runs in the background; you may not even see it in the process list, and you may not be able to kill it using Task Manager. The functions often included in a Spyware are key logging, screen and active-form capturing, URL monitoring, network and email capturing, password peeking, etc.
(If you are parents wanting to monitor your children activities, you can use these products :D)

You can also try some AntiSpy software by searching for the word "AntiSpy" on the Internet. Two good examples are:
http://www.spydex.com/download.html
http://www.spychecker.com/software/antispy.html
(You can also find them by using eDonkey :)) )

I have found on the Internet that there are two kinds of AntiSpy software. The first kind, when run, scans all local hard disks to find known Spy software. This one is not good because it can only detect known and old Spy software, not all of it (my opinion). Samples:
http://www.spycop.com
http://www.detect-spyware.com
The second kind, when it runs, detects all Spy programs that try to monitor keyboard actions. The second kind seems to be better. Samples:
http://www.spydex.com
http://www.spychecker.com

KeyLogger
KeyLoggers may be included in Spyware or may be separate products.

Nowadays, there are two kinds of KeyLoggers:
The first one is the Hardware KeyLogger; this is a small device which someone puts between your keyboard and the PC. This kind of device has a flash memory which stores all keystrokes. No software can detect this kind of KeyLogger; there is only one way: from time to time, check your keyboard to see if there is any strange thing plugged into it! But people don't worry much about this kind of hardware, because whoever wants to connect a Hardware KeyLogger must be physically near you, and they assume there is no such ill-intentioned "friend" around them.
Here are some samples of Hardware KeyLoggers:
http://keystroke-loggers.staticusers.net/hardware-keykatcher/
http://www.amecisco.com/products.htm
http://www.keyghost.com/sx/
http://spycop.com/keyloggerremoval.htm

The second one is the Software KeyLogger; this is hidden software running in the background. It can capture all keystrokes, encrypt them, and then store them in a hidden file or send them to another person. This kind of software can be installed manually, by a new unknown virus, by an ActiveX control on a website, or by opening a mail attachment that someone sent to you. I have tried some KeyLogger software downloaded from the Internet and I know that there are several different kinds: almost all of them are application software which runs after Windows logon, some of them are service-type applications, and only a few of them run as a driver (Keyboard Filter Driver – this one is very difficult to detect!!!).

Some samples that run as applications are:
Ghost Keylogger (gkldemo.exe) - http://www.keylogger.net/
Family Key Logger (keylogger.zip)- http://www.spyarsenal.com/index.html?smp
KeyloggerPro (keyloggerpro-setup-sw.exe) - http://www.exploreanywhere.com/
Perfect Keylogger (i_bpk_lite.exe) - http://www.blazingtools.com/downloads.html - this one can hide its process from the process list and it has good reports.

One sample that runs as a service is Advanced KEYLOGGER (advanced_keylogger.exe): http://www.mykeylogger.com. It has the same name as the system process "svchost.exe" and it has one service named "MS Software Generic Host Process for Win32 Services".

And one sample that runs in the driver layer is Invisible Keylogger Stealth (iks2k21d.exe) - http://www.keylogger.com/iks2000.htm, using a Keyboard Filter Driver (iks.sys). It can get the Windows login password!!!
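An added triage script, not part of PSMAntiKeyLogger or of any product named above, that checks a machine for the three shapes just described: an application borrowing the svchost.exe name, a service with the imitation display name, and a keyboard filter driver such as iks.sys. The System32 location rule and the keyboard device class GUID are my assumptions about a stock Windows install.

```powershell
# Added example, not part of PSMAntiKeyLogger: a read-only triage script for the
# three keylogger shapes described above (application, service, driver).
# 'svchost.exe', the service display name and 'iks.sys' are taken from the text;
# the System32 rule and the keyboard class GUID are assumptions about a stock
# Windows install. Run elevated so every process reports its ExecutablePath.

$system32 = Join-Path $env:SystemRoot 'System32'

function Get-BinaryPath([string]$commandLine) {
    # Pull just the executable out of a service command line, quoted or not.
    if (-not $commandLine) { return $null }
    if ($commandLine -match '^"([^"]+)"') { return $Matches[1] }
    return ($commandLine -split '\s+')[0]
}

function Test-UnderSystem32([string]$path) {
    return [bool]$path -and $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
}

# 1. Application-type: a process that borrows a system name. The genuine
#    svchost.exe always runs from %SystemRoot%\System32.
$fakeSvchost = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and -not (Test-UnderSystem32 $_.ExecutablePath) }

# 2. Service-type: a Microsoft-sounding display name, or an svchost.exe binary
#    that does not live in System32.
$oddServices = Get-CimInstance Win32_Service | Where-Object {
    $bin = Get-BinaryPath $_.PathName
    ($_.DisplayName -like 'MS Software Generic Host Process*') -or
    ($bin -and (Split-Path $bin -Leaf) -eq 'svchost.exe' -and -not (Test-UnderSystem32 $bin))
}

# 3. Driver-type: a keyboard filter driver registers itself in UpperFilters on the
#    keyboard device class; on a clean system that list is just 'kbdclass'. Extra
#    entries are a triage signal (some legitimate keyboard software adds one too).
$kbdClass   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$filters    = (Get-ItemProperty -Path $kbdClass -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
$oddFilters = @($filters | Where-Object { $_ -and $_ -ne 'kbdclass' })
$iksDriver  = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match '(^|\\)iks\.sys$' }

'--- svchost.exe running outside System32 ---'
$fakeSvchost | Select-Object ProcessId, ExecutablePath | Format-Table -AutoSize | Out-Host
'--- suspicious services ---'
$oddServices | Select-Object Name, DisplayName, PathName | Format-Table -AutoSize | Out-Host
'--- keyboard UpperFilters other than kbdclass ---'
$oddFilters
'--- drivers named iks.sys ---'
$iksDriver | Select-Object Name, State, PathName | Format-Table -AutoSize | Out-Host
```

Every hit is a lead to inspect by hand (binary path, signature, install date), not a verdict; an empty report only says these particular tricks were not found.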

And more here:
http://www.astalavista.com/tools/utilities/keylogger/
http://directory.google.com/Top/Computers/Software/Shareware/Windows/Utilities/Security/Keylogger/
http://www.minihttpserver.net/spysoft.htm

For those who want to develop AntiKeylogger tools:

(Detect and Prevent, not scan)

If you develop an AntiSpy module, you must make it run in the Service or Driver layer – this is not easy. Second, you have to know deeply about API hooking and how to use it. The third difficulty is the Inter-Process Communication between the Service and our application, which cannot be done with the common Send/Receive Message routines.
Why do you need to run your module as a service? Because, in order to detect all Spy software that is running, your process must be in a lower layer (Service or Driver).
Why do you need to know about "API hooking"? In order to trap any Spy program, you have to hook two API functions, SetWindowsHookExA and SetWindowsHookExW in User32.DLL, because every Spy program calls these two functions before it can record keyboard actions. Why is "API hooking" difficult? Because in order to hook the APIs you must reach deep into the OS. First we have to inject our DLL into all processes system-wide, and second we have to modify the addresses of the API functions in the memory of those processes. The number of programmers in the world who can do this is not big – they must be experts, and some of them had to use assembly language! Microsoft also has a special research project about this: http://research.microsoft.com/sn/detours/

i. You could buy just an "API Hook for Windows Software Development Kit" (Hook Windows API SDK), then spend time studying it, adding code and making our AntiSpy program. If you follow this way, it is a little difficult and it will take a long time, because besides the time spent studying this code you have to spend more time writing the Service or Driver – which is also very difficult! But one advantage of this way is that with this library we can develop other useful programs in the future, not only AntiSpy. Here are some places where we could buy one (price list):
http://www.apihook.com/order/pricelist.html#APIHOOKSDKPrices
http://www.hookapi.com/order.html (with demo)
http://www.hallogram.com/funchook (expensive)

ii. You could find information on the Internet, buy some books, and spend time researching and coding this project from the ground up (API hooking, Service, IPC, etc.). It will take a very long time and it is very difficult. There are a lot of articles about API hooking on the Internet, but the more I read the more I think it is complex. Here are some sample links:
Microsoft Research: http://research.microsoft.com/sn/detours/
Other Links:
http://www.wheaty.net
http://www.geocities.com/SiliconValley/1741/downloads/index.html
http://gilisa.free.fr/outils/kapimon
programmersheaven.com: http://www.programmersheaven.com/search/download.asp?FileID=25915
madCollection: http://www.madshi.net
codeguru & codeproject:
http://codeguru.earthweb.com/system/apihook.html
http://www.codeproject.com/useritems/DLL_Injection_tutorial.asp?target=API%7CHOOK
http://www.codeproject.net/useritems/syswidehook9x.asp

To find more information on the Internet, you can use the keywords: API hooking, system-wide API hook, interceptor, API spying, system-wide API interceptor, API interception library, intercept a Windows API, hook API, API interception.

Please be alert about spyware!!!

Best regards,
 

(C) 2003-2004 Do Duc Truong, Truong2D@Yahoo.com - http://ddt.info.tm

http://psmantikeyloger.sourceforge.net, http://sourceforge.net/projects/psmantikeyloger