Anti-Keylogger Tester v2.5
How to use Anti-Keylogger Tester?

Last document revision date: 10/24/2007

1 - How to simulate a real keylogger:

A keylogger is a rogue application that records keystrokes typed into windows other than its own. There is no need to install a global hook, nor to use any tricky keylogger code, to receive the events sent to your own window: when you own a window, you automatically receive the events happening on it, including keystrokes.

An application is therefore considered a keylogger as soon as it uses code to spy on keystrokes globally, across all running windows and applications. Consequently, if you leave the focus on AKLT, the "intercepted" keystrokes are not really intercepted, and AKLT is not keylogging. HIPS or dedicated anti-keylogger software will not raise any alarm while AKLT's window has the focus, since watching its own keystrokes is legitimate behavior.

To use AKLT correctly, run the keylogging test you want, then either select another window to give it the focus (e.g. an empty Notepad) and/or minimize AKLT's window.


2 - Compatibility:

AKLT is a 32-bit application that has been tested on 32-bit and 64-bit OSes. Tests 1 to 4, the cyclical/hookless tests, work on both OS types without any problem. However, for tests 5 and 6, the ones using a global hook, the hook created is a 32-bit one. As a consequence, when running on a 64-bit OS, the hook should theoretically only be able to spy on 32-bit applications (as per MSDN).

However, it seems to work against 64-bit IE and 64-bit Notepad on my system. MSDN is unclear about that. I think it's due to the code not being in a DLL, perhaps.

On Windows Vista, access to the JournalRecord hook is denied, probably by UAC and its use of UIPI. It should theoretically work if UAC is disabled (reboot required), but there is no point in doing so: if your OS already natively protects you, keep that protection.


3 - Stability:

AKLT is a standalone executable; it does not use any driver. Even though that means there is no risk of a crash (BSOD) caused by AKLT itself, it is always advised to have backups before testing. That is a general statement, not linked to AKLT in particular: one of your security products using drivers/kernel hooks may crash on its own while "stressed" by testing tools.

As for the hooks, in almost all cases you won't have any trouble. Either you run the test and your HIPS does not see it (I don't think that's still possible by 2007), or your HIPS detects it and you deny it (thus killing the hook).

However, with the JournalRecord hook, if your HIPS detects it and pauses it while awaiting your answer, and you then choose "allow it", there is a great chance that all of your application windows will be frozen and unresponsive. Without diving into the details, if you encounter such a case, there is a quick and easy way to kill the JournalRecord hook (test 6): press CTRL+ALT+DEL or CTRL+ESC, and Windows will automatically kill the hook.

Other than that, I can't think of any other issues. None of the tests I have done on 4 different computers led to any issue.
