![]() ![]() However, things get really exciting when you start talking about kernel level hooks. There are some less obvious places a keylogger could be embedded (but they'd unlikely be global ones). So that covers user-mode-obvious-keylogger-mode. These are left as an exercise to the reader (don't you just hate it when people say that!). There's a number of experiments we could perform to work out if that's the case, if we so wanted. Thanks to process explorer, we can still see what threads are executing what:Īwesome, right? Well, they could well be named to coincide with the obvious user32.dll or some such. Of the techniques described on wikipedia, the only one that I've not seen is the CreateRemoteThread variety - I'm uncertain if the outcome would be to attach a thread to the image or execute a thread with a name DllMain. They'll show up in this list for all processes. So one thing to look out for would be strange DLLs you cannot attribute to products whose purpose you know. I've been messing with python-implemented COM servers and as a result, the DLL is loaded into Windows Explorer's address space.ĭLL Injection of the keylogging variety will load its DLL into all of the target address spaces - can't capture everything if you don't. ![]() What is the topmost entry in that list? It's a pyd, or python extension, file. Most of these will result in a DLL showing up as mapped to the process's address space. What follows is a non-exhaustive few things you could do to check for keylogging modules.įirstly, the obvious easy way to build a keylogger is to use DLL Injection which can be achieved a number of ways. The problem is knowing what to look for and where. Will this be as simple as looking at the process tree or registry, or do these kinds of key loggers hide themselves better than that?ĭetecting keyloggers is as simple as looking in the right place (which may or may not be simple depending on your viewpoint). Iszi gives you some very good advice in general - chances are if they're using monitoring software, they're confident in it. This is simply given as an example of what sort of spyware tools are available to corporations. I have no affiliations with the company, nor have I used their product. * Note: This is not an endorsement of Spector Pro. Keep business on business hardware, and personal stuff on personal hardware, and you should be fine. ![]() Always presume that they are logging keystrokes, capturing screenshots (another common spyware feature), and monitoring network traffic with the possible inclusion of an SSL proxy. Further, any company worried about compliance in these matters will also have a Warning Banner on the system which reminds users at each log-in that they may be subject to monitoring on those systems.īottom line: Don't do anything on company equipment that you don't want them to see. Regardless, it's very likely that your friend has already signed (and thereby agreed to) an Acceptable Use Policy which includes a clause that relinquishes all rights to privacy on company-owned equipment. But, if you presume the former to be the case, then you should also presume there's some solid justification for their confidence. If they've given your friend full admin rights on the box, they're either really confident in their monitoring and configuration control capabilities or they're fairly ignorant to the implications of giving such privileges to an end-user. Also, as syneticon-dj notes, it's possible they may instead be using a hardware keylogger which could be implemented in a way that cannot be easily detected by software. Some enterprise-level products do include rootkits which make the keylogger nearly impossible to detect, unless you know the product in use and its configuration. This would greatly depend on the implementation of the keylogger. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |