Keyboard device logger

Subversive Technologies & Countermeasures

File information
Author: Jason Todd
Version: 1.0.4
License: GNU GPL
Platforms: Windows
File size: 55KB
Download link: KDL1.0.4.zip

KDL is a kernel-space filter driver that attaches itself to kbdclass and gleans key data as it is passed up and down the device stack, storing it in a nonpaged memory cache. When the maximum cache size is reached, the cached key data is processed, formatted, and dumped to file. The rest of the driver is a standard WDM filter driver in its flow and execution, with the addition of the code that performs the logging of key data.

The loader is HEAVILY based on Ctrl2Cap (http://www.sysinternals.com) and just rams the registry settings the driver needs into the system. This was good enough, since the driver is the point of the project and the loader is only a means to that end.

This driver in no way tries to hide or disguise itself; on the contrary, it "hides" in plain sight. There are no tricks or raw bit manipulations that would lock this driver to a particular hardware, revision or patch level: it follows the WDM standards in an attempt to bend the rules rather than break them. The DDK was used to compile the driver under the W2k/XP/2003 build environments, but it has only been tested under Windows XP SP2.

The thought process behind this driver was to remain at a high level of compatibility across patches/service packs by adhering to DDK standards in the strictest interpretation.

The code itself is compartmentalized into files named for what that portion of code's purpose in life is. This should help offset the driver's (re)development cycle over time against patches and new OS versions, and support general code evolution.


Basic features

  • Source-level filter function that can be used to customize the type of key data that is logged.
  • Registry-configurable key data cache size, used to ease I/O overhead.
  • Registry-configurable log file.
  • Source-level configurable key data output format.
  • .inf file installer/uninstaller.

Unknowns

KDL has not been tested with USB keyboards, and it is unknown how it will react to the PnP calls for insertion and removal. Most likely it will react very badly. Since there is no USB keyboard lying around at the moment, this portion of the code is not planned to be implemented anytime soon.

Possible additions

  • Command line option for log file attributes
  • Implement IoInitializeRemoveLock for dynamic loading and unloading
  • Customizable key filters from user level

Changelog

[10/05/05]: Version 1.0.1

kdl.h, kdl.c - Removed the registry structure and used a single variable, gRegistryPath.

Added kdlx86.inf as another entry point for installation. Right click on the file and choose Install.

Added (kdl.h) LARGE_INTEGER theEOF; to _DEVICE_EXTENSION so key data can be appended to the end of the logfile. Also modified (kdlfile.c/CreateLogFile) the ZwCreateFile() DesiredAccess to SYNCHRONIZE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA, and (kdlfile.c/WriteDataFile) the ZwWriteFile() ByteOffset to &theDeviceExtension->theEOF. This appears to have solved the problem with appending key data to the log file.

[10/09/05]: Version 1.0.2

- Cleaning up the code a bit as I learn more about device drivers

Added the (kdl.h) macro ExFreePoolWithTag( a, b ) ExFreePool( (a) ) for cleaner Win2k compatibility. Changed (kdl.c) "for ( i=0; i < IRP_MJ_MAXIMUM_FUNCTION; i++ )" into "for ( i=0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++ )".

Added (kdl.h) #define tags for the ExAllocatePoolWithTag() calls. Changed (kdlx86.inf) "StartType = 3" into "StartType = 0" to prompt for a restart after installation.

[10/11/05]: Version 1.0.3

Renamed install.bat to loaderinstall.bat and uninstall.bat to loaderuninstall.bat. Name change only.

Created infinstall.cmd and infuninstall.cmd as alternates to using the kdl.exe loader: infinstall.cmd is an alternate to right clicking the kdlx86.inf file and choosing Install, and infuninstall.cmd is an alternate to using the kdl.exe loader to uninstall the driver.

[06/01/06]: Version 1.0.4

Added two alternate registry entries to kdlx86.inf to demonstrate the use of alternate data streams for the log file.

Added instructions for changing the registry key after installation so the log file lives in an alternate data stream.
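For the defender's side of the two techniques this page touches (a filter driver registered on the keyboard device class via the registry, as the loader section describes, and a log file kept in an NTFS alternate data stream, as this 1.0.4 entry describes), here is an offline triage script. It is an added example and not part of the KDL package: it parses a registry export (.reg text, as produced by reg export, so it also works against a hive pulled from a forensic image), decodes the REG_MULTI_SZ UpperFilters/LowerFilters values of the keyboard class, flags any filter other than kbdclass, and flags any string value whose path names an alternate data stream. The keyboard class GUID is the standard Windows one; the sample export, the service key name kdl and the value name LogFile are constructed assumptions for the demonstration, not values taken from the driver's .inf.

```python
"""Offline triage of a .reg export for unexpected keyboard-class filter
drivers and for log-file paths that point at NTFS alternate data streams."""
import re

# Standard Windows device-class GUID for keyboards (HKLM\SYSTEM\...\Control\Class\<GUID>).
KEYBOARD_CLASS_GUID = "{4D36E96B-E325-11CE-BFC1-08002BE10318}"
# On a stock system the only filter on this class is kbdclass (Ctrl2Cap-style
# tools add themselves to UpperFilters; that is what we want to spot).
EXPECTED_KEYBOARD_FILTERS = {"kbdclass"}

# Constructed sample export. The service key "kdl" and the value "LogFile" are
# assumptions made for this example; the UpperFilters hex encodes "kdl\0kbdclass\0\0"
# in UTF-16LE, which is how REG_MULTI_SZ appears in a .reg file.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
"Class"="Keyboard"
"UpperFilters"=hex(7):6b,00,64,00,6c,00,00,00,6b,00,62,00,64,00,63,00,6c,00,\
  61,00,73,00,73,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdl]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="system32\\drivers\\kdl.sys"
"LogFile"="C:\\WINDOWS\\Temp\\update.log:keys"
"""

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Drive letter, then somewhere later a colon followed by a stream name.
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*?:[^\\/:]+$")


def decode_value(data):
    """Decode one .reg value body into (type_name, python_value)."""
    if data.startswith('"') and data.endswith('"'):
        # REG_SZ: .reg escapes backslash and double quote with a backslash.
        return "REG_SZ", re.sub(r'\\(["\\])', r"\1", data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "7":
            # REG_MULTI_SZ: UTF-16LE strings separated by NUL, terminated by a double NUL.
            return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\0") if s]
        return "REG_BINARY", raw
    return "UNKNOWN", data


def parse_reg_export(text):
    """Return {key_path: {value_name: (type, value)}} from .reg text.
    Long hex values are split over lines with a trailing backslash; join them first."""
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:  # the "@=" default value is not needed here
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def find_unexpected_keyboard_filters(keys, expected=EXPECTED_KEYBOARD_FILTERS):
    """(value_name, driver_name) for every keyboard-class filter not in the expected set."""
    suffix = ("\\CONTROL\\CLASS\\" + KEYBOARD_CLASS_GUID).upper()
    findings = []
    for path, values in keys.items():
        if not path.upper().endswith(suffix):
            continue
        for vname in ("UpperFilters", "LowerFilters"):
            vtype, names = values.get(vname, (None, []))
            if vtype == "REG_MULTI_SZ":
                findings.extend((vname, n) for n in names if n.lower() not in expected)
    return findings


def find_ads_paths(keys):
    """(key_path, value_name, path) for every REG_SZ whose path names an alternate data stream."""
    return [(path, vname, val)
            for path, values in keys.items()
            for vname, (vtype, val) in values.items()
            if vtype == "REG_SZ" and ADS_PATH.match(val)]


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for vname, name in find_unexpected_keyboard_filters(parsed):
        print(f"[!] unexpected keyboard-class filter in {vname}: {name}")
    for path, vname, val in find_ads_paths(parsed):
        print(f"[!] {path}\\{vname} points at an alternate data stream: {val}")
```

Run it against the sample and it reports kdl as an unexpected UpperFilters entry and the LogFile value as an alternate-data-stream path. The same two checks are the ones worth baselining on a live host, since a class filter has to be named in that registry value to be loaded, and a stream-suffixed path is invisible to a plain directory listing.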

Appendix

Download KDL1.0.4.zip.
