1 / 21

Analysis of the Fimbel Keylogger and Pace University Converter

Analysis of the Fimbel Keylogger and Pace University Converter. Christopher Funk, Sheryl Hanchar , and Ned Bakelman. Pace University. Keyloggers. Record Keystokes Not intrinsically good or evil Potential Uses Data Grabbers (Evil) Active Identification (Good)

clarke
Download Presentation

Analysis of the Fimbel Keylogger and Pace University Converter

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Analysis of the FimbelKeylogger and Pace University Converter Christopher Funk, Sheryl Hanchar, and Ned Bakelman

  2. Pace University Keyloggers • Record Keystokes • Not intrinsically good or evil • Potential Uses • Data Grabbers (Evil) • Active Identification (Good) • Visibility of Keyloggers • Rootkit vs. Normal Process

  3. Pace University Tools for finding Anatomy of any program • Analyze it as if it was malicious software • Ultimate Packer for eXecutables (UPX) • Fakenet – Network Diagnostics • Process Explorer – Process Information • OLLYdbg – Showing Flow of Program • IDA Pro – Interactive Disassembler • CFF Explorer – Decompile .Netdirectory

  4. Pace University Keylogger Software Pack • Originally three programs • FimbleKeylogger • Pace Keylogger Launcher • Focus of in-depth analysis • Pace Converter • Newer Version is two programs • Combined the two Pace tools

  5. Pace University Pace Keylogger Anatomy • Opens connect to Pace Server that remains open • User Agent is a .Net program

  6. Pace University Pace Keylogger Anatomy • UPX strings showing where the program is sending the data • Password is blacked out

  7. Pace University Pace Keylogger Anatomy • Process Explorer showing the call to start the FimbleKeylogger

  8. Pace University Pace Keylogger Anatomy • Ollydgb showing uniquely .Net Calls

  9. Pace University Pace Keylogger Anatomy • IDA Pro showing .Netboolean variable • Says if Fimble is running • Very Visible Program

  10. Pace University Pace Keylogger Anatomy • CFF Explorer – only works with .Net programs • Entry Point where malicious software can take control • Or just inject code into other benign program

  11. Pace University Pace University Combination Project Breakdown • Goal – Combining Software Tools • Keylogger Launcher • Converter • Issues • Different Programming Languages • External Program Control from Java Environment • Parallel work being done by customer on code

  12. Pace University Pace University Two Different Tools

  13. Pace University Pace University Goal Breakdown • Expanding converter to encompass launcher functions • Start and Stop the keylogger • Working with previous code • Naming Convention • Identify keylogging target application • Field for name information • Numbering Outputs • Adding in customer revisions

  14. Pace University Pace University Step 1: Working with Previous Code • Compiling issues when exporting to Jar • Netbeans Meta data • Very messy code • Did not follow best practices • Obsoleted code that still was in use • Main() issues • Moving it from Login() class to converter() class

  15. Pace University Pace University Step 2: Start and Stop Keylogger • External Program Executioner • Java Process Builder / Process classes • Issues • Unable to find the program • Documentation does not specify necessary parameters • Error Messages Unclear • Working only on one machine • Re-arranging GUI and how to identify the keylogger

  16. Pace University Pace University `ProcessBuilder builder = newProcessBuilder(keyloggerDirectoryField.getText() + "startkeylogger.exe"); builder.directory(new File (keyloggerDirectoryField.getText())); Process javap = builder.start();`

  17. Pace University Pace University Step 3: Naming Convention • LastName_Firstname_Application_Number.xml • Identify Target Program • Drop down menu • Hard coded string, not filtering the output • Name information • Fields where there but by default were invisible even though necessary • Numbering • Had to find the last number with the name output name and then iterate

  18. Pace University Pace University Step 4: Combining Customer Code • Costumer has added to the code after the original version that was combined • Need for communication after last step to make sure that his new changes work with new code • Did not change the converting code classes • Allows for change as the code as long as the function calls stay the same

  19. Pace University Pace University Communication with Customer / Testing • Constant email communication • Only one meeting at the last class • Very easy to work with • Indispensable to combining project • Test it on other machines to ensure it was working • Try out functions in different ways • Guide my steps to ensure all necessary functions were worked on first • Work with the previous code and understand what the function did

  20. Pace University Pace University Final KeyLogger Launcher and Converter

  21. Pace University Questions, Comments, Concerns, or well wishes

More Related