A Keylogger is software or hardware used to log keystrokes entered on a computer or mobile device keyboard, either overtly for surveillance or covertly as malware.
Scope: Endpoint Security, Malware
A keylogger is hidden software that records all keystrokes entered
. The keystrokes can be kept in a log for later use, or sent online to the hacker or intruder. The recorded information is scanned for passwords, credit card numbers, and other information used to commit identity theft.
Keyloggers can enter a computer or mobile device in different ways:
Downloaded accidently when a user browses a malicious web site.
Embedded in malware, and also in software that was originally legitimate.
Bundled with legitimate software and downloaded.
Embedded in images and music files and downloaded.
Installed intentionally by a dissonant user or intruder.
Keyboard Input Methodology for Microsoft Windows has gained acceptance with other operating systems. It is used here for illustration only.
Assigned to each key on a keyboard is a unique value called a scan code, which is a device-dependent identifier for the key on the keyboard. When the user types a key, two scan codes are generated: One scan code when the user presses the key and another when the user releases the key. When keys are pressed, the keyboard device driver receives scan codes from the keyboard.
The keyboard device driver sends the scan codes to the keyboard layout where they are translated into characters and posted to the appropriate window in the application: The keyboard device driver interprets each scan code and translates it to a virtual-key code, which is a device-independent value defined by the system to identify the purpose of a key. After translating a scan code, the keyboard driver creates a message that includes the scan code, the virtual-key code, and other information about the keystroke, and then places the message in the system message queue. The system removes the message from the system message queue and posts it to the message queue of the appropriate thread of the application. Eventually, the thread's message loop removes the message and passes it to the appropriate window procedure of the application for processing.
A keylogger can intercept keystroke at different points in the Keyboard Input Model:
The keyboard driver can be replaced with a rogue driver.
A filter can be added between the keyboard driver and the system message queue. The filter can receive keystrokes from the keyboard driver before it is sent to the application message queue and the system message queue.
Keystrokes can be intercepted by hooking into the system message queue with a callback function provided by the keylogger. When a keystroke message arrives in the message queue, the callback function associated with the keylogger is passed the keystroke information. The keylogger then stores the keystroke data in a file which is later sent to the hacker online.
In programming languages, a 'callback' is a function that is called by another function which takes the first function as a parameter.
Problem & Solution
System Message Queue