5 replies to this topic

[RhetoricalRuvim]

An already-existing way of outsmarting a keylogger is to use the mouse to change the position of the typing cursor within the password input field and to select different parts of the text and replace them with other characters.

So I was thinking, what if I write a program that would remember the passwords for me, and when I need to enter a password, I can just set the keyboard focus on the password input field and use the appropriate keyboard shortcut for the program to set the text of that input field to the right password.

Something like this:

wait for keyboard shortcut 
get handle to (child) window in focus 
set that window's text to the password

Can this idea work? Are there any flaws to it?

[Alexander]

That sounds like the equivalent of pasting your password (ctrl-v), except with another shortcut and the ability to store passwords for other programs. I am sure some password manager out there has this sort of feature, however it seems like more of a feature for usability than keylogger defeating.

Alexander.

[RhetoricalRuvim]

Okay, I just thought of something the keylogger guys can do . They can probably remember which keyboard shortcut was used for entering the password and then when the user is not looking they can make a new window with an input element, use that keyboard shortcut, and get the value that the program enters.

Something like this:

watch which keys are pressed and record keyboard shortcuts 

wait until the computer is idle for x minutes 
make a new window 
perhaps position the window off the screen, 
  so that there are less chances of the user noticing anything 
add an edit control child window to the main window 
point 1: 
trigger a recorded keyboard shortcut 
get the edit window text and save it 
clear the edit window 
repeat point 1 for any other keyboard shortcuts recorded 

use the passwords...

So my next idea to fix this is to have the user type the password manually every time, but send a bunch of decoy keystrokes to the system as well, so that the keylogger would have a bunch of useless information.

Something like this:

record the child window in focus to a variable 

make a new window, asking the user to enter the password 
make an edit control for the user to type in 
set focus on the edit control 

do this: 
every random * x milliseconds, send a random decoy keystroke to the system; 
  record this key in the useless character variable 

and also this, at the same time: 
every time a new character gets added, do this: 
  check if the character added is equal to the character 
    in the useless character variable 
  if it is, clear (set to '\0') the useless character variable, 
    clear the edit control, 
    and continue 
  else, add the new character to the password variable, 
    clear the edit control, 
    and continue 

when the user is done entering the password (e.g. when 
  the user presses the return key), close our window, 
  and set the 
  previously-in-focus recorded (child) window's text to 
  the text in the password variable

So my question would be, can the keylogger/malware still get to the password with this idea implemented?

[Alexander]

It would have better luck doing anything other than getting around that (reading every text string in the program for example, which will have your password). You can guarentee the keylogger people won't know your exact operating system, what is installed, and care more about the people who do not have protection. They could go *forever* writing code to get around systems such as that. The question is, why? If you are concious enough about security to write these, then you probably would not enter your credit card or passwords directly for them to steal anyway.

Edit: Apologise, many edits to structure of post.

Edited by Alexander, 03 May 2012 - 06:16 PM.

[RhetoricalRuvim]

Can you clarify a bit? I didn't understand whether your post is saying that my idea is bad, good, easy-to-break, or something else.

[Alexander]

If the criminal wishes to be successful, they will try to send as many copies of their program to as many people as possible and get rich.

If they write code for every possible bypass, they will lose profit (cost of time, cost of man hours, cost of distribution) and that is not as lucrative.

If they know what you are entering (ctrl+f4 for example, to enter a password) and can push updates to your computer to utilise this, they could perform *many* more methods than that (trojans, screen capture, ...) If you are evading keyloggers, you probably will not be entering passwords and credit cards directly or in plain site anyway, and the keylogger writer is not likely even targeting you. They will sift through millions of lines of text and look for what they want. If they see "p<delete key>password" or "ctrl+f4" or ... they will ignore it and move on to the thousands of other things that look like passwords

They could, for example, poll the current active window for text strings, in your password box (or all boxes), this renders how you enter the password (changing positions, by shortcut, pasting) useless as the final password is captured because it has to be sent as-is to the program to verify anyway, right?

Your first method of changing positions is very good. A virtual keyboard, where-as you press a button and it goes in to the box you are focused on, is a tried and true method implemented in the past by various financial websites. You could do many things ranging from simple to complex - but you will have better luck removing the keylogger or not entering passwords on a computer that is so at risk and vulnerable.

Alexander.