wabzsy / kbMon

Kernel mode, driver only, ring 0, remote UDP, Windows 10 keylogger (no data needs to be written to disk).


Keylog

Windows 10 compatible.
Kernel mode, driver only, ring 0, remote UDP keylogger.

Application Security

I did not implement any IOCTL handlers, in order to avoid security issues. In addition, I did not implement any receive-datagram methods, for this exact same reason. However, if you use this driver and see any security problems, please report them here as an issue.

Note: Use of this software is at your own risk.

The author will not be held responsible under any circumstances.

Tech

This project splits into two parts:
1. Keyboard hook.
2. Raw networking (datagram socket manipulation).

To monitor the keystrokes we need to get in between the keyboard device IRP and the PS/2 port.
Much of the keyboard hook implementation and code is borrowed from fdiskyou.
To implement this "kernel man in the middle", we need to mimic the IRP function passed from the physical device up to the operating system; this is done by installing a hook between the keyboard devices and passing each IRP request down to the next level of the driver stack.

Our hook (see the diagram above) sits between win32k.sys and KBDHID.sys: each request is caught by our hook, processed by our driver and passed on to the next level.
The second part of our driver's operation is to log the keystrokes and send them back to our monitoring server.
I have implemented a UDP datagram protocol, as we do not receive or handle any data coming back from the server, and this also makes the monitoring process a lot simpler on the server side.
Another advantage of a UDP implementation is that the port can be closed and opened constantly, to make the #dfir work a lot harder.
To implement that I made use of WSK (Winsock Kernel), so as to avoid any user-mode application.

Usage

Currently only the local keylogger is generic and can be used without building the driver (it simply logs the keystrokes to C:\Windows\logs). The remote UDP-based variant (which does not need to write any data to disk to run) needs to be built with your server address. As time passes I will add universal support, so you wouldn't have to build your own.

Installation:

The driver is not signed, so you will have to disable code integrity (or get me a sponsor to sign the driver). After that, open an elevated command prompt:
sc create kMon type=kernel binpath="\path\to\your\driver.sys"
sc start kMon

Uninstall:

sc stop kMon

If you encounter any problems, simply restart your computer.
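Because sc stop only stops the service and leaves its registry entry (and the driver file) in place, a defender can still find a driver installed this way by auditing kernel-mode services. The following PowerShell audit script is an added example, not part of kbMon: it lists driver services whose image is unsigned or outside the Windows directory, or whose service name matches the kMon name used in the installation steps, and reports whether test signing is enabled on the current boot entry. The suspect-name list and the path normalisation are assumptions; run it from an elevated PowerShell.

```powershell
# Added audit script (not part of the kbMon project). Flags kernel-mode driver
# services whose image is unsigned, lives outside %SystemRoot%, or whose name
# matches a known service name, and checks whether test signing is enabled.
$suspectNames = @('kMon')   # assumption: service name from the install steps above

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName may be quoted, prefixed with \??\ or
    # \SystemRoot\, or be relative to the Windows directory; normalise it.
    $p = $PathName -replace '"', ''
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverAudit {
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $inWinDir = $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
        $flags = @()
        if ($sig.Status -ne 'Valid')         { $flags += "signature:$($sig.Status)" }
        if (-not $inWinDir)                  { $flags += 'outside-SystemRoot' }
        if ($suspectNames -contains $d.Name) { $flags += 'known-name' }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Name     = $d.Name
                State    = $d.State
                Path     = $path
                Findings = ($flags -join ', ')
            }
        }
    }
}

function Test-TestSigningEnabled {
    # bcdedit prints "testsigning  Yes" when the boot entry accepts test-signed code.
    $out = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($out -match '^\s*testsigning\s+Yes')
}

Get-DriverAudit | Format-Table -AutoSize
if (Test-TestSigningEnabled) {
    Write-Warning 'Test signing is enabled on the current boot entry.'
}
```

A stopped but not deleted kMon service still appears in the output with State "Stopped", so check the findings column rather than only the running drivers.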

For any bugs, open an issue in this GitHub repo.

Enjoy!


License:MIT License
