Analysis of the Fimbel Keylogger and Pace University Converter
DESCRIPTION
Analysis of the Fimbel Keylogger and Pace University Converter. Christopher Funk, Sheryl Hanchar, and Ned Bakelman. Pace University. Keyloggers record keystrokes and are not intrinsically good or evil; potential uses are data grabbers (evil) and active identification (good).
TRANSCRIPT
Analysis of the Fimbel Keylogger and Pace University Converter
Christopher Funk, Sheryl Hanchar, and Ned Bakelman
Keyloggers record keystrokes
Not intrinsically good or evil. Potential uses:
Data grabbers (evil)
Active identification (good)
Visibility of keyloggers: rootkit vs. normal process
PACE UNIVERSITY
Tools for finding the anatomy of any program: analyze it as if it were malicious software
Ultimate Packer for eXecutables (UPX) – unpacks a UPX-packed executable so its strings and code can be examined
FakeNet – fakes the network services a program expects, so its connections can be observed without traffic leaving the machine
Process Explorer – process information (parent/child processes, handles, command lines)
OllyDbg – debugger, showing the flow of the program at run time
IDA Pro – interactive disassembler
CFF Explorer – PE editor; its .NET directory view shows the managed metadata of a .NET assembly
Keylogger software pack: originally three programs
Fimbel Keylogger
Pace Keylogger Launcher
Pace Converter (focus of the in-depth analysis)
The newer version is two programs: the two Pace tools were combined
Pace Keylogger Anatomy
Opens a connection to a Pace server that stays open for the life of the process
The HTTP User-Agent identifies the client as a .NET program
Pace Keylogger Anatomy
Strings from the executable (unpacked with UPX) showing where the program sends the data
The password is blacked out in the screenshot
Pace Keylogger Anatomy
Process Explorer showing the call that starts the Fimbel Keylogger
Pace Keylogger Anatomy
OllyDbg showing calls that are unique to .NET
Pace Keylogger Anatomy
IDA Pro showing a .NET boolean variable
It records whether Fimbel is running
A very visible program: nothing is hidden from standard tools
Pace Keylogger Anatomy
CFF Explorer – a general PE editor; the .NET directory view used here applies only to .NET assemblies
The entry point is where malicious software can take control of execution
Or it can simply inject code into another, benign program
Combination Project Breakdown
Goal – combining software tools: Keylogger Launcher and Converter
Issues:
Different programming languages
Controlling an external program from Java
Environment
Parallel work being done by the customer on the code
Two Different Tools
Goal Breakdown
Expanding the converter to encompass the launcher functions:
Start and stop the keylogger
Working with the previous code
Naming convention: identify the keylogging target application, a field for name information, numbering of outputs
Adding in customer revisions
Step 1: Working with Previous Code
Compiling issues when exporting to a Jar: NetBeans metadata
Very messy code that did not follow best practices; obsolete code that was still in use
main() issues: moved it from the Login() class to the converter() class
Step 2: Start and Stop Keylogger
External program execution: the Java ProcessBuilder / Process classes
Issues:
Unable to find the program; the documentation does not specify the necessary parameters
Error messages are unclear
Worked on only one machine
Re-arranging the GUI and deciding how to identify the keylogger
```java
import java.io.File;

File keyloggerDir = new File(keyloggerDirectoryField.getText());
// File(dir, name) inserts the path separator, so the field need not end with "\"
ProcessBuilder builder = new ProcessBuilder(new File(keyloggerDir, "startkeylogger.exe").getPath());
builder.directory(keyloggerDir);
Process keylogger = builder.start(); // throws IOException if the executable is not found
```
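As an added example, not code from the Pace project, the following launcher class does what Step 2 describes (start and stop the keylogger through ProcessBuilder) while handling the problems the slide lists: it checks that the executable exists before launching, so a wrong directory produces a clear message instead of an opaque IOException; it builds the path with File(dir, name), so the GUI field works with or without a trailing separator (one reason a launcher can work on only one machine); and it sends the child's stdout and stderr to a log file so error output is not lost. The name startkeylogger.exe comes from the slides; the class name, the log file name and the stop logic are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.concurrent.TimeUnit;

/**
 * Added example (not the project's own code): starts and stops an external
 * keylogger executable from Java. "startkeylogger.exe" is from the slides;
 * the log file name and the stop sequence are assumptions.
 */
public class KeyloggerLauncher {
    private final File keyloggerDir;
    private Process keylogger;

    public KeyloggerLauncher(String directoryFromGui) {
        this.keyloggerDir = new File(directoryFromGui);
    }

    /** Start the keylogger, failing early with a readable message if it cannot be found. */
    public void start() throws IOException {
        File exe = new File(keyloggerDir, "startkeylogger.exe"); // File(dir, name) adds the separator
        if (!exe.isFile()) {
            throw new IOException("Keylogger not found: " + exe.getAbsolutePath()
                    + " (check the directory field and that the path exists on this machine)");
        }
        if (isRunning()) {
            return; // already running; do not start a second copy
        }
        ProcessBuilder builder = new ProcessBuilder(exe.getAbsolutePath());
        builder.directory(keyloggerDir);           // child writes its output relative to this directory
        builder.redirectErrorStream(true);         // merge stderr into stdout so nothing is lost
        File log = new File(keyloggerDir, "launcher.log"); // assumed log file name
        builder.redirectOutput(ProcessBuilder.Redirect.appendTo(log));
        keylogger = builder.start();
    }

    /** Stop the keylogger: request termination, then force it if the request is ignored. */
    public void stop() throws InterruptedException {
        if (!isRunning()) {
            return;
        }
        keylogger.destroy();
        if (!keylogger.waitFor(5, TimeUnit.SECONDS)) {
            keylogger.destroyForcibly();
            keylogger.waitFor();
        }
    }

    public boolean isRunning() {
        return keylogger != null && keylogger.isAlive();
    }

    public static void main(String[] args) throws Exception {
        KeyloggerLauncher launcher = new KeyloggerLauncher(args.length > 0 ? args[0] : ".");
        launcher.start();
        System.out.println("running: " + launcher.isRunning());
        Thread.sleep(2000);
        launcher.stop();
        System.out.println("running: " + launcher.isRunning());
    }
}
```

One caveat a practitioner should check: if startkeylogger.exe only spawns the real logger and then exits, destroy() ends that wrapper and not the logger, and stop() would have to target the logger's own process, which the slides do not describe.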
Step 3: Naming Convention
LastName_Firstname_Application_Number.xml
Identify the target program: a drop-down menu, but a hard-coded string, not filtering the output
Name information: the fields were there but were invisible by default even though they were necessary
Numbering: had to find the last number used with the output name and then iterate
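As an added example (not the project's code), the Step 3 numbering logic in working form: scan the output directory for files that already match LastName_Firstname_Application_N.xml for this user and application, take the highest N, and use N+1. The convention is from the slide; the class name, the sanitising of the name fields, the case-insensitive match (Windows file systems ignore case) and the sample values in main() are assumptions.

```java
import java.io.File;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not the project's own code: picks the next output file name under the
 * LastName_Firstname_Application_Number.xml convention by finding the highest Number
 * already present in the output directory for the same user and application.
 */
public class OutputNamer {
    // Keep only letters and digits so a stray "_" or "/" in a field cannot corrupt the name.
    private static final Pattern UNSAFE = Pattern.compile("[^A-Za-z0-9]");

    static String clean(String field) {
        String s = UNSAFE.matcher(field.trim()).replaceAll("");
        if (s.isEmpty()) {
            throw new IllegalArgumentException("empty name field");
        }
        return s;
    }

    /** Highest Number already used for this prefix, or 0 if none (case-insensitive, as on Windows). */
    static int lastNumber(File dir, String prefix) {
        Pattern p = Pattern.compile("^" + Pattern.quote(prefix) + "_(\\d+)\\.xml$",
                Pattern.CASE_INSENSITIVE);
        String[] names = dir.list();
        if (names == null) {
            return 0; // directory missing or unreadable: numbering starts at 1
        }
        int max = 0;
        for (String name : names) {
            Matcher m = p.matcher(name);
            if (!m.matches()) {
                continue;
            }
            try {
                max = Math.max(max, Integer.parseInt(m.group(1)));
            } catch (NumberFormatException e) {
                // number too large for an int: ignore that file rather than crash
            }
        }
        return max;
    }

    /** Next file name, e.g. Funk_Christopher_Notepad_3.xml when _1 and _2 already exist. */
    static String nextFileName(File dir, String lastName, String firstName, String application) {
        String prefix = clean(lastName) + "_" + clean(firstName) + "_" + clean(application);
        return prefix + "_" + (lastNumber(dir, prefix) + 1) + ".xml";
    }

    public static void main(String[] args) {
        File dir = new File(args.length > 0 ? args[0] : ".");
        // "Notepad" is an assumed target application; the author name is from the slides.
        System.out.println(nextFileName(dir, "Funk", "Christopher", "Notepad"));
    }
}
```

Because the highest number is recomputed from the directory each time, the scheme survives deleted or renamed files and never reuses a number that is still present; it does not, however, protect against two launchers writing to the same directory at once.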
Step 4: Combining Customer Code
The customer has added to the code after the original version that was combined
Need for communication after the last step to make sure his new changes work with the new code
Did not change the converting code classes: this allows the code to change as long as the function calls stay the same
Communication with Customer / Testing
Constant email communication; only one meeting, at the last class
Very easy to work with; indispensable to combining the project
Tested it on other machines to ensure it was working; tried out functions in different ways
Guided my steps to ensure all necessary functions were worked on first
Worked with the previous code and understood what each function did
Final KeyLogger Launcher and Converter
Questions, Comments, Concerns, or well wishes