Site Options:


Keylogging Ontology

Keylogger Types

There are two main types of keyloggers:

Mobile Keyloggers:  Software-based Keyboards

Mobile devices have software-based keyboards unlike desktop computers with hardware-based keyboards. Mobile device keyboards have on-screen image maps, for which custom keyboards can be developed for specific apps.

A mobile keylogger not only records keystrokes; it must also record the x,y coordinates of the screen area and combine them with a digital image of the screen in order to calculate particular keystrokes.

Mobile keyloggers are most likely to be effective on jailbroken[1] and rooted[2] mobile devices.

General Typology

Scope: Mobile Devices, Desktop Computers, Software, Malware

Hook-Based or API-Based Keylogger

A Hook-Based or API-Based Keylogger continuously monitors the operating system to detect whether keystrokes or mouse clicks are being entered.

A Programming Hook is a coding technique that intercepts operating system or application function calls, events, or messages including keystrokes.
An API (Application Programming Interface) is a complete set of software code including subroutines, methods, functions, etc. for constructing a specific program or type of program such as an operating system. Eg., Windows API.

Form-Grabbing Keylogger

A Form-Grabbing Keylogger records keystrokes entered in web-based forms such as login screens. Login credentials are 'grabbed' from within the browser as they are being entered. The information is logged before it can be passed over the Internet. HTTPS encryption is by-passed. It does not matter whether the keystrokes are entered by hardware keyboard, virtual keyboard, auto-fill, or tapped into a mobile on-screen keyboard.

Hypervisor-Based Keylogger

A Hypervisor-Based Keylogger is theoretical.

A Hypervisor is a Virtual Machine Manager. It allows you to run multiple operating systems concurrently as 'Virtual Machines' on a single physical computer. Each Virtual Machine emulates a single computer.

Scope: Malware, Keylogging
A 'thin' Hypervisor could theoretically capture an instance of the operating system in a single computer or mobile device and virtualize all the files and devices that are contained. The operating system would still reference the files and devices.

The virtualization would allow keystrokes to be intercepted and keylogged as they are being entered. The malware would require a rootkit for installation.

For more information about Hypervisors, see Related Reference:  Hypervisor

Kernel-Level Keylogger

A Kernel-Level Keylogger is typically implemented as a rootkit (malware designed to gain hidden, administrative access to computer and mobile operating systems as well as hardware) into the kernal of the operating system.

A Kernel-Level Keylogger can act as a keyboard device driver (program that controls the keyboard) or replace some of the functions of an original driver, in order to intercept and log keystrokes from a keyboard.

Memory Injection MITB-Based Keylogger

A Memory Injection MITB-based keylogger is able to capture information including keystrokes by exploiting memory corruption in browsers and other system components.

This form of malware is sophisticated and expensive to implement and is capable of by-passing two-factor authentication. It is possibly the most serious threat to online banking security.

MITB (Man In The Browser) malware operates by modifying memory tables or injecting directly into browser memory. The technique by-passes the Windows UAC (User Account Control).

The Windows UAC is a Windows operating system security feature which helps prevent changes initiated by applications and malware that do not have administrative permission. Non-Windows operating systems have similar security features.

Context: Guardedid, MobileTrust
A MitB attack can be avoided by using an out-of-band channel of communication for entering login credentials.

For information about out-of-band channel communication, see Related Reference:  Out-Of-Band Channel

Remote Access Keylogger

Some forms of malware are able to capture data or packets remotely. A network or internet connection is required for access. This is not actual keylogging; it is 'data logging' or 'packet logging'.

For information about packets, see Related Reference:  Network Packet

Clipboard Keylogging
Some forms of malware are able to capture data copied to operating system clipboards, including passwords.  Data is logged, not keystrokes. This is not actual keylogging; it is 'data logging'

Sniffer Keylogger

A Sniffer Keylogger captures data that is stored on a web or network server. This is not actual keylogging; it is 'packet sniffing'.

Network packets of data, including unencrypted passwords can be posted on a web server by HTTP POST events, then retrieved by HTTP GET events sent by a Packet Sniffer (Packet Analyzer).

HTTP (HyperText Transfer Protocol) is a protocol or set of rules for data communication on the internet. 'HyperText' is structured text containing hyperlinks between nodes of text.

When HTTPS (HyperText Transfer Protocol Secure) connectivity is used, data including passwords is encrypted and thus protected from Sniffer Keyloggers.

Related Information:
Keylogging Ontology
Problem & Solution
MobileTrust: FAQs

Related Concepts:

Related Reference:
Keyboard Driver
Network Packet
Out-Of-Band Channel