Analysis of the Fimbel Keylogger and Pace University Converter Christopher Funk, Sheryl Hanchar, and Ned Bakelman
Keyloggers Record Keystokes Not intrinsically good or evil Potential Uses Data Grabbers (Evil) Active Identification (Good) Visibility of Keyloggers Rootkit vs. Normal Process
Tools for finding Anatomy of any program Analyze it as if it was malicious software Ultimate Packer for eXecutables (UPX) Fakenet – Network Diagnostics Process Explorer – Process Information OLLYdbg – Showing Flow of Program IDA Pro – Interactive Disassembler CFF Explorer – Decompile.Net directory
Keylogger Software Pack Originally three programs Fimble Keylogger Pace Keylogger Launcher Focus of in-depth analysis Pace Converter Newer Version is two programs Combined the two Pace tools
Pace Keylogger Anatomy Opens connect to Pace Server that remains open User Agent is a.Net program
Pace Keylogger Anatomy UPX strings showing where the program is sending the data Password is blacked out
Pace Keylogger Anatomy Process Explorer showing the call to start the Fimble Keylogger
Pace Keylogger Anatomy Ollydgb showing uniquely.Net Calls
Pace Keylogger Anatomy IDA Pro showing.Net boolean variable Says if Fimble is running Very Visible Program
Pace Keylogger Anatomy CFF Explorer – only works with.Net programs Entry Point where malicious software can take control Or just inject code into other benign program
Combination Project Breakdown Goal – Combining Software Tools Keylogger Launcher Converter Issues Different Programming Languages External Program Control from Java Environment Parallel work being done by customer on code Pace University
Two Different Tools Pace University
Goal Breakdown Expanding converter to encompass launcher functions Start and Stop the keylogger Working with previous code Naming Convention Identify keylogging target application Field for name information Numbering Outputs Adding in customer revisions Pace University
Step 1: Working with Previous Code Compiling issues when exporting to Jar Netbeans Meta data Very messy code Did not follow best practices Obsoleted code that still was in use Main() issues Moving it from Login() class to converter() class Pace University
Step 2: Start and Stop Keylogger External Program Executioner Java Process Builder / Process classes Issues Unable to find the program Documentation does not specify necessary parameters Error Messages Unclear Working only on one machine Re-arranging GUI and how to identify the keylogger Pace University
`ProcessBuilder builder = new ProcessBuilder(keyloggerDirectoryField.getText() + "startkeylogger.exe"); builder.directory(new File (keyloggerDirectoryField.getText())); Process javap = builder.start();`
Step 3: Naming Convention LastName_Firstname_Application_Number.xml Identify Target Program Drop down menu Hard coded string, not filtering the output Name information Fields where there but by default were invisible even though necessary Numbering Had to find the last number with the name output name and then iterate Pace University
Step 4: Combining Customer Code Costumer has added to the code after the original version that was combined Need for communication after last step to make sure that his new changes work with new code Did not change the converting code classes Allows for change as the code as long as the function calls stay the same Pace University
Communication with Customer / Testing Constant communication Only one meeting at the last class Very easy to work with Indispensable to combining project Test it on other machines to ensure it was working Try out functions in different ways Guide my steps to ensure all necessary functions were worked on first Work with the previous code and understand what the function did Pace University
Final KeyLogger Launcher and Converter Pace University
Questions, Comments, Concerns, or well wishes