Keystroke Loggers

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Hackers (and sometimes employers) install keystroke loggers to record keystrokes. One of the better know is Invisible Keylogger Stealth ( IKS )which is a commercial utility (more likely to be used by employers than hackers). Arne Vidstrom has released the freeware klogger utility (more likely to be used by hackers and penetration testing teams). There are any number of freeware, shareware and commercial keystroke loggers available for every operating system. They are mostly written as keyboard device drivers and as such are invisible to the user of the PC. There are also hardware versions of keystroke loggers including keyboards that have a dual function - keyboards and keystroke logging and keystroke loggers that are little boxes that plug in between the keyboard cable and the PC. See my Penetration Testing Tip #22: Keystroke loggers and spy software / hardware for more information on software and hardware keystroke loggers.

OK. Thats all well and good but why is this tip in the registry section. It turns out that IKS uses NT's registry. You can use it to find whether IKS has been installed on the PC:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\iks
Name: DisplayName
Type: REG_SZ
Value: IKS
Name: LogName
Type: REG_MULTI_SZ
Value: \%SystemRoot%\iks.dat

The IKS documentation gives instructions on how to hide this "red flag". Even with values changed and the key name iks changed, search for the key "LogName" under Services for IKS's footprint.

See Also

Featured Links