Keyboard Lint

Keyboard Lint is a fuzzer for detecting keystroke logging software. The idea is that by overworking a key logger it can be made to crash or otherwise makes its presence more detectable. Keyboard Lint will only work on key loggers that catch the SendKeys() function.

Download:

Use:

Fire it up, press the button. Keys are sent as fast as possible - currently to a window internal to the app. This may cause your computer extreme input lag - in order to pause output toggle your numlock key. Keyboard Lint checks the state of numlock every cycle and will bail out if it changes.

What was the point of that?:

First off - I consider this a proof of concept rather than a finished product. I have not done exhaustive testing.

Key logging software requires CPU, disk, network and memory. The idea is that by feeding a key logger an inordinate amount of data it will increase these requirements and be more easily detectable by other means.

What might happen?

• Keylogger doesn't pick our input at all:
  • Maybe there is nothing there.
  • Maybe this indicates that a key logger (if present) may be trivially defeated by using an onscreen keyboard.
• Keylogger picks up our input:
  • Logs grow without bound. This by its nature must eventually fill memory, disk or be sent away via the network. These files can be found and this traffic can be noticed.
  • Logs caps at a certain size. In this case we have either flushed the queue (old data discarded) or filled the queue (new data not retained). (a more fancy key logger might try to determine which input is more valuable as it goes - for instance identifying password fields or via user behavior)
  • Keylogger's CPU usage might spike along with the input as it handles the flood of keys. A keylogger performing heuristics to determine interesting data to capture may be more vulnerable here.

Keyboard Lint can be defeated in many ways - its far from perfect. For instance a rate-limiter on the logging code (humans don't type at 3,000 words per minute), or a semantic check (log words, don't log gibberish). Semantic check is unlikely because any good key logger would want to get your gibberish passwords successfully.