Keystroke Loggers


Hackers (and sometimes employers) install keystroke loggers to record
keystrokes. One of the better known is Invisible Keylogger Stealth (IKS), which is a commercial
utility (more likely to be used by employers than hackers). Arne Vidstrom has
released the freeware klogger utility (more likely to be used by hackers and
penetration testing teams). There are any number of freeware, shareware and
commercial keystroke loggers available for every operating system. They are
mostly written as keyboard device drivers and as such are invisible to the user
of the PC. There are also hardware versions of keystroke loggers, including
keyboards that have a dual function (keyboard and keystroke logger) and
little boxes that plug in between the keyboard cable
and the PC. See my Penetration Testing Tip #22: Keystroke loggers and spy software /
hardware for more information on software and hardware keystroke loggers.

OK. That’s all well and good, but why is this tip in the registry section? It
turns out that IKS uses NT’s registry. You can use it to find whether IKS has
been installed on the PC:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\iks

Name: DisplayName
Type: REG_SZ
Value: IKS

Name: LogName
Type: REG_MULTI_SZ
Value: \%SystemRoot%\iks.dat

The IKS documentation gives instructions on how to hide this “red flag”. Even
with the values changed and the key name iks changed, search under Services for
a value named “LogName” to find IKS’s footprint.
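The check described above can be scripted. This is an added example, not part of the original tip or of IKS: the function name Find-LogNameValue is hypothetical, and the ImagePath column is included only to help triage a hit. It assumes an elevated PowerShell session on the PC being examined.

```powershell
# Added example: enumerate every subkey of Services and report those that
# carry a value named LogName, the footprint the tip says survives a rename.
$servicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$noExpand     = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Find-LogNameValue {
    param([string]$Path = $servicesPath)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Registry value names are case-insensitive, so compare the same way.
        $name = $key.GetValueNames() |
            Where-Object { $_ -ieq 'LogName' } |
            Select-Object -First 1
        if ($name) {
            $display = $key.GetValue('DisplayName', $null, $noExpand)
            [pscustomobject]@{
                Service     = $key.PSChildName
                DisplayName = $display
                # True when the key or display name still has the defaults
                # listed in the tip (key "iks", DisplayName "IKS").
                DefaultName = ($key.PSChildName -ieq 'iks') -or ($display -ieq 'IKS')
                LogNameType = $key.GetValueKind($name)
                # REG_MULTI_SZ comes back as a string array; join for display.
                LogName     = ($key.GetValue($name, $null, $noExpand) -join '; ')
                ImagePath   = $key.GetValue('ImagePath', $null, $noExpand)
            }
        }
    }
}

$hits = @(Find-LogNameValue)
if ($hits.Count -eq 0) {
    Write-Output "No value named LogName found under $servicesPath"
} else {
    $hits | Format-List
}
```

The match is on the value name alone, so each hit still needs a look at its ImagePath and the file LogName points to before it is treated as IKS.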
