mouse underlaying: global key and mouse listener based on ...nbn:de:gbv:7… · keyloggers are...

Mouse Underlaying: Global Key and Mouse ListenerBased on an Almost Invisible Window with LocalListeners and Sophisticated FocusTim Niklas Witte

Institute of Computer Science, Osnabrück University, Germany

Abstract

Keyloggers are serious threats for computer users both private and commercial. If an attacker is capable ofinstalling this malware on the victim’s machine then he or she is able to monitor keystrokes of a user. Thiskeylog contains login information. As a consequence, protection and detection techniques against keyloggersbecome increasingly better. This article presents the method of Mouse Underlaying for creating a new kindof software based keyloggers. This method is implemented in Java for testing countermeasures concerningkeylogger protection, virtual keyboard, signatures and behavior detection by anti-virus programs. Productsof various manufacturers are used for demonstration purposes. All of them failed without an exception.In addition, the reasons why these products failed are analyzed, and moreover, measures against MouseUnderlaying are developed based on the demonstration results.

Received on 02 July 2018; accepted on 09 October 2018; published on 15 October 2018Keywords: Computer security, Information security, Keylogger, Malware, Security, Spyware

Copyright © 2018 Tim Niklas Witte et al., licensed to EAI. This is an open access article distributed under the terms of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.

doi:10.4108/eai.15-10-2018.155740

implementation of Mouse Underlaying is explained indetail. In the following, countermeasures are testedwith the keylogger applying Mouse Underlaying.Subsequently, the result of this evaluation basedon keylogger protection techniques and differencesbetween Mouse Underlaying and other keyloggingmethods is analyzed. In the end, the results aresummarized to develop effective countermeasuresagainst Mouse Underlaying.

2. Software Based KeyloggersSoftware keyloggers are applications for monitoringuser keystrokes, without the awareness of the user, inorder to retrieve information such as login details [24].Frequently, keyloggers have capabilities that extendbeyond this keylogging function: screen scrapers takeperiodic screenshots, advanced keyloggers are similarto backdoor viruses because they allow remote control.For this reason, the attacker tracks anything onthe victim’s computer, for instance, file operations(executing, printouts, copy and paste operationsetc.) [26]. In most cases, this information is stored ina log file hidden in the file system. Hence, this log file

1

Research ArticleEAI Endorsed Transactions on Security and Safety

EAI Endorsed Transactions on Security and Safety

05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

∗Corresponding author. Email: [email protected]

1. IntroductionKeyloggers are software and hardware components (devices between keyboard and I/O port mostly plugged into the end of the keyboard cable) for monitoring keystrokes [16]. They are powerful spying tools because an attacker is able to reconstruct user activities on the compromised system. For this reason, special police forces, intelligence services and similar organizations use these tools frequently [8]. In many cases it is easier to reconstruct an encrypted email via keylogging than decrypt this email. In addition, keyloggers are simple to install. The installation process is comparable to a virus installation: the target needs to open an infected file. I n m ost c ases, a n attacker applies social engineering such as opening an image [4]. However, criminals (black hat hackers) often employ keyloggers for obtaining login information about bank accounts of users. Protection techniques exist for protecting users against keyloggers. However, Mouse Underlaying is capable of bypassing any of them easily.

This article is structured as follows: Both known methods for keylogging and protection techniques against them are introduced. Hereafter, the total

http://creativecommons.org/licenses/by/3.0/

T. N. Witte

is difficult to distinguish from regular operating systemfiles [5]. Typically, these files are encrypted [14]. For thisreason, it is impossible for the user to notice this attack.A keylogger application sends the collected informationback to the spying person using an email or uploadsit directly to a server (e.g. FTP) [23]. Keyloggers aredifferent from other types of malware because they donot damage the system or propagate to other systems.Keylogger applications are designed for running instealth mode. Therefore, they have both a low CPU andmemory usage. In addition, they do not show in theprocess list (e.g. Task Manager) [26]. As a consequence,it is a challenge to distinguish them from legitimateprograms.

2.1. General processing of keystrokesMethods for software keyloggers mustbe specified for each operating system:this article is focused on WindowsTM.As depicted in Figure 1 Windows employs an eventmechanism: if a key is pressed, then the keyboarddriver translates this keystroke into a WM_KEYDOWN

Windows Message. Subsequently, this message isforwarded to the Windows System Message Queue(WSMQ). Ensuing, Windows conveys this messageto the Thread Message Queue (TMQ) of the focusedwindow. In the end, a thread of this window pollsthis queue (Thread Message Loop) and processes thisWindows Message [21, 26].

There is a minimum time between two keystrokes. Ifthe time span between these two keystrokes is shorterthan this minimum time, then the second keystrokewill be ignored. This should prevent the WSMQ fromoverloading [4].

2.2. Kernel-based Keyboard Filter Driver MethodFigure 1 depicts how the the keylogger is installing aKeyboard Filter Driver before the system’s keyboarddevice driver takes effect [12]. In order to install thisfilter driver administrator privileges are required [17].In the following, this filter driver captures keystrokesof the user and relays them by cloning. However,keystrokes are monitored at the kernel level. In otherwords, keystrokes will be monitored even before theoperating system takes effect [8]. As a consequence, thiskeylogger is invisible for detection techniques.

2.3. Windows Keyboard Hook MethodA hook is an interface for allowing the programto execute extension code. Often these functionsare provided by the operating system. Normally,keyboard hooks are applied to recognize shortcuts andreact to them [13]. However, a hook-based keyloggerexploits this functionality to monitor keystrokes: The

Keystroke

Keyboard Device Driver

Windows System Message Queue

Thread Message Loop

Translate keystroke into WM_KEYDOWN

Window

Keyboard State Table Method

Local Hook

Windows Keyboard Hook Method

Kernel-Based Keyboard Filter Driver

Thread Message Queue

Kernel-Based Keyboard Filter Driver Method

Global Hook

Keylogger Thread

AttachThreadInput API

Keyboard State Table

GetKeyboardState

Figure 1. Processing keystrokes in Windows with keyloggingmethods.

keylogging process registers itself into this keyboardhook. For this reason, every WM_KEYDOWN WindowsMessage reaches the keylogger process before enteringthe window that receives this message [20, 21].

Keyboard hooks can be classified into two distincttypes:

1. Global (system-wide) keyboard hook: This hook islinked between the WSMQ and TMQ. Therefore,this hook is able to capture global key events of asystem [26].

2. Local (thread-specific) keyboard hook: This kindof hook is linked between the TMQ and theThread Message Loop of a specific window. Forthis reason, a local hook is only capable of moni-toring keystrokes for this specific application [26].

2.4. Keyboard State Table MethodEvery application using a window refers to a KeyboardState Table. This table contains the status of 256 virtualkeys. Typically, this table is used by programs fordetecting more then one key state at the same time [18].This is in most cases implementing shortcuts in aprogram (e.g. [CTRL] + [C] for copying text).

As presented in Figure 1, the keylogger adds its ownthread into the Thread Message Loop by applying the

2 EAI Endorsed Transactions on Security and Safety

05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

Mouse Underlaying: Global Key and Mouse Listener Based on an Almost Invisible Window with Local Listeners and Sophisticated Focus

AttachThreadInput API. Then the keylogger employsthe GetKeyboardState API function to determineinformation about the Keyboard State Table [4].Generally this thread contains an infinite loop withanother loop inside, which requests every key state byapplying this function: if a key is pressed, then it islogged [32].

3. Countermeasures

3.1. Key Event Encryption

An encryption unit is linked between the Key-board Device Driver and the WSMQ. All incom-ing WM_KEYDOWN Windows Messages by the KeyboardDevice Driver will be encrypted prior to entering theWSMQ. The encryption of a WM_KEYDOWN WindowsMessage does not change the type of this message.This message is still a WM_KEYDOWN Windows Messagebut the information which key is pressed is changed.However, a decryption unit is linked between TMQ andthe window. For this reason, all incoming encryptedWM_KEYDOWN Windows Messages will be decryptedbefore entering the window for processing [2, 6].

As a consequence, keyloggers which apply theWindows Keyboard Hook Method or Keyboard StateTable Method monitor encrypted keystrokes. In otherwords, these keyloggers record wrong keystrokes. TheKey Event Encryption can not prevent keylogging bythe Kernel-based Filter Driver Method because thekeystrokes are monitored even before these reach theencryption unit.

3.2. Anti-Hook Technique

This technique is based on the fact that somekeyloggers apply API functions for hooking. Thedetection mechanism works as follows: firstly, thetotal system will be scanned for enumerating eachprocess. In the following, every process will beenumerated by all DLLs (Dynamic Link Libraries). Forinstalling a hook the command SetWindowHookEx isnecessary [20]. This command resides under the bannerof USER32.LIB. Consequently, if a process is using thisAPI, then this process will be marked. At the end,all marked processes will be listed, and the user hasto decide whether this process has rights for hookingkeystrokes [7, 28].

As a result, keyloggers which apply the WindowsKeyboard Hook Method will be detected. Although theAnti-Hook Technique can not prevent keylogging bythe Keyboard State Table Method and Kernel-basedKeyboard Filter Driver Method, these methods do notapply an API for hooking keystrokes.

3.3. Fool a keylogger: conceal sensitive data

This simple scheme is based on the fact that a keyloggeris capable of monitoring every keystroke but it is notable to understand them. In other words, a keyloggerfails to recognize which application is employingkeystrokes and which are used [26].

Typically, an operating element (e.g. the passwordfield in the window) reacts to keystrokes if thisoperating element has focus. If no operating elementis in focus, then only the layout is able to react tokeystrokes by a local key listener [10].

The user types a part of his or her password then heor she clicks elsewhere, e.g. in a other text field. Nowthe password field is out of focus. Yet, the user typesrandom characters. In the next step, the user clicksagain on the password field, and so on [28].

As a consequence, the attacker is unable toreconstruct the login information from the keylog(recorded keystrokes). The attacker does not knowwhich characters of login information belong togetherin a row. Between the characters of the real logininformation are the random characters typed by theuser. Regardless, the attacker could use brute-force todetermine the real login information by trying eachpossible combination of monitored keystrokes in a row.However, this process takes a long time [10].

Generally, this scheme is capable of confusingall keylogging methods previously mentioned. Thisscheme fails if the keylogger monitors the mouse’sactions too because the attacker recognizes in the keylogthe changed focus.

3.4. HoneyID

Based on generating keystrokes this technique baitskeyloggers. This mechanism consists of three modules:trap manager, bogus event generator and spywaredetector. The trap manager gathers the CPU usageof each process. While the bogus event generator isimitating keystrokes, the spyware detector comparesthe CPU usage of each process before and while bogusevent generator evokes the keystroke imitation. If theCPU usage of a process is increasing, then this processreacts upon the imitated keystrokes. In other words,this process monitors keystrokes [28, 33].

For this reason, the keyloggers which apply the Win-dows Keyboard Hook Method or the Keyboard StateTable Method will be detected. However, a detectionof keyloggers based on Kernel-based Keyboard FilterDriver Method fails, because the applied Kernel-BasedKeyboard Filter Driver is not a process. Therefore, itsCPU usage will not be listed.


05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

T. N. Witte

3.5. Random Multiple LayoutsEvery key has a unique value, called a scan code. If akey is pressed then the keyboard controller generatesa corresponding scan code for this keystroke. In thefollowing, the keyboard driver translates this scan codebased on the current keyboard layout into a virtual-key code. Afterwards, the keyboard driver generatesa WM_KEYDOWN Windows Message which contains thisvirtual-key code information. This Windows Message ispushed into the WSMQ [22].

This keylogger protection technique applies multi-ple keyboard layouts to mislead keyloggers: For eachkeystroke the current keyboard layout is randomlyreplaced with another layout. Therefore, the gener-ated WM_KEYDOWN Windows Message contains translatedvirtual-key code information based on this randomlyreplaced layout keyboard. In other words, this Win-dows Message contains an incorrect virtual-key code.This virtual-key code information of the Windows Mes-sage will be corrected by converting back into the orig-inal keyboard layout before entering the window [6].

Keyloggers applying the Windows Keyboard HookMethod or Keyboard State Table Method recordkeystrokes based on the Windows Message, which con-tains incorrect virtual-key code information. In otherwords, these keylogging methods monitor incorrectkeystrokes. However, Random Multiple Layouts cannot prevent keylogging by the Kernel-based KeyboardFilter Driver Method because the keystroke (scan code)is recorded even before it is translated based on thekeyboard layout.

3.6. Detection by Support Vector MachineA Support Vector Machine (SVM) is a machine learningalgorithm. A SVM determines the best separating lineinto a dataset by maximizing the distance betweeneach data point and this line. In other words, a SVMclassifies the given datasets into two classes. Every datapoint before the line belongs to the same class. As aconsequence, every data point behind the line belongsto the other class [30].

The applied data points of the dataset for keyloggerdetection have the following form:

DDDUUDUURT

• Down-Down (DD): time difference between when

a key is pressed and when the next key ispressed [22].

• Down-Up (DU): time difference between when thesame key is pressed and when it is released [22].

• Up-Down (UD): time difference between whena key is released and when the next key ispressed [22].

• Up-Up (UU): time difference between when a keyis released and when the next key is released [22].

• Reaction Time (RT): time difference betweenwhen a key is pressed and when it is received bythe process [22].

This training dataset is generated by typingkeystrokes while:

1. a keylogger is active.

2. no keylogger is active.

Meanwhile, a global keyboard hook is applied tomeasure the time of a key press and its release tocalculate DD, DU, UD, and UU values. To calculatethe corresponding RT value, the time when the targetwindow receives this keystroke is logged. This targetwindow displays the reception of this keystroke in atext box. Afterwards, the SVM is applied to determinethe best separating line into this training dataset. Now,the data points can be classified into keylogger activeor no keylogger active based on this separating lineas presented in Figure 2. This figure is a simplifieddata representation, because only two dimensions arerepresented instead of five. To check the system for theexistence of a keylogger, a keystroke is typed and thecorresponding DD, DU, UD, UU, and RT values will bedetermined. If this data point lies in the keylogger activesection, then a keylogger is monitoring keystrokes [22].

Data point classified as “keylogger active” (training dataset)

Data point classified as“no keylogger active” (training dataset)

Best separating line

Data point to classify

Data point classified as “keylogger active”

Data point classified as “no keylogger active”

DD

DU

Figure 2. Keylogger detection by Support Vector Machine.

Generally, this technique is based on the fact that akeylogger delays the arrival of the Windows Messageto the target window by monitoring keystrokes. The


05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

keystroke information of this message will be copiedand stored such as in a log file. This technique isable to detect keyloggers which apply the WindowsKeyboard Hook Method. Recorded time differences(DD, DU, UD, UU, and RT value) are longer thannormal because the Windows Message must enterthis hook (additional element) before entering thewindow (target). Detection of keyloggers based onthe Keyboard State Table Method is difficult, becausethere is no entering of the Windows Message into itsadditional thread. This thread is only monitoring theKeyboard State Table concurrent (multithreading) withthe keystroke processing. For this reason, monitoredtime differences are minimally higher than normal.Besides, this technique is unable to detect keyloggersapplying the Kernel-based Keyboard Filter DriverMethod due to keystrokes that are logged even beforethe time differences are determined.

4. Mouse Underlaying4.1. General ApproachThe keylogger generates a small transparent windowwhich is always under the mouse pointer requestingfocus. Hence, local listeners are capable of capturingthe entire user input (keystrokes and mouse clicks). Inthe following, this keylogger window closes while thecaptured user input is imitated. The intra-system focushanding for windows secures that the actual windowreceives the imitated user input.

The overall implementation of Mouse Underlayingis presented in Figure 3. The keylogger window hasthe following properties: undecorated, visible, sameposition as mouse pointer, size of 1x1 pixel, opacity of 1%, focusable and always on top 1 . If the opacity valueis lower then 1 %, then there is an incompatibility withthe used key and mouse listener.

The moveWindow_thread contains an infinite loopsetting the keylogger window position equal tothe mouse pointer position 2 . In addition, therequestFocus_thread is always checking which windowis in focus: if the keylogger window is not infocus, then this window receives focus 3 . Overall,it is impossible for the keylogger window to losefocus, e.g. if another window is opening. Moreover,the closedWindow_thread is constant checking if thekeylogger window is closed then there is a shortcutfor closing a window imitated after the keyloggerwindow opens again 4 . This mechanism closes anotherweakness of this technique (see #2 in the listing below).

If a key is pressed 5 , then all applied threadswill be paused 6 . Afterwards, the keystroke will berecorded 7 . Subsequently, the keylogger window isclosing 8 . After a brief waiting time, this keystrokewill be imitated: there is a key pressure imitationafter a waiting time, followed by a key release

Window properties:- Undecorated- Visible- Same position as mouse pointer- Size of 1x1 pixel- Opacity of 1 %- Focusable- Always on top

If mouse pressedIf key pressedexcept special keys

Record keystroke

Close window

Imitate keystroke

Wait

Wait

Open the window again

1

2

5

7

8

9

10

12

Press key

Release key

Wait

Set window unfocusable14

Move window to a different position

Wait

17

Imitate mouse release15

Imitate mouse press18

Pause: moveWindow_thread requestFocus_thread

closedWindow_thread

6

If mouse is pressed more than 5s

23If mouse released (if mouse entered)

Set window focusable21

20

Set window focusable25

Imitate mouse release24

11

Start moveWindow_thread:

Set window under mouse pointer

Infinite loop

Start closedWindow_thread:

If this window is closed then imitate a shortcut for closing a window then open this window again

Infinite loop

Start requestFocus_thread:

If this window is not on focus then this window requests focus

Infinite loop3

4

Resume: moveWindow_thread requestFocus_thread

closedWindow_thread

Pause: requestFocus_thread13

Wait

Pause: moveWindow_thread16

Resume: moveWindow_thread19

22 Resume: requestFocus_thread26 Resume: requestFocus_thread

Wait

Figure 3. Implementation of Mouse Underlaying.

5



05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

T. N. Witte

imitation 9 . However, an exception exists for thefollowing keys: [CTRL], [SHIFT], [CAPS LOCK], [ALT]and [ALT GRAPH]. This is a requirement for imitatingcapitals and special characters, moreover applyingkey combinations. Without this exception there is animitation of key release directly after the imitation ofkey pressure. Hence, the operating system does notlonger recognize this key pressed, although the userstill holds the key down. After a brief waiting time, thekeylogger window opens again 10 . Finally, all appliedthreads will be resumed 11 .

If a mouse button is pressed 12 , then the requestFo-cus_thread will be paused 13 . Subsequently, the keylog-ger window changes to an unfocusable state 14 . Aftera short waiting time, the released mouse button willbe imitated 15 . Afterwards, the moveWindow_threadwill be paused 16 . Now the keylogger window movesto a different position in the vicinity of the mousepointer 17 . After a short waiting time, the pressedmouse button state will be imitated 18 . Accordingto an again waiting time, the moveWindow_threadwill be resumed 19 . Due to this resumed thread, thekeylogger window is always set directly under themouse pointer. If the mouse is released (perceivedwith a MouseEntered-Event) 20 , then the keyloggerwindow changes to focusable 21 . Finally, the request-Focus_thread will be resumed 22 .

This mechanism enables the user to move windows,tabs, etc. with the mouse while recording the mouseevents. The mouse press by the user is intercepted bythe focusable keylogger window. The imitated mouserelease while the keylogger window is under themouse pointer is only for resetting the mouse state.Though, this MouseReleased-Event will be relayed bythe operating system to the actual window becausethe keylogger window is unfocusable. The move ofthe keylogger window to a different position followedby an imitated mouse press leads to a MouseEntered-Event for the actual window and leads to a MouseExit-Event for the keylogger window. In addition, thereis a MousePressed-Event for the actual window.The moveWindow_thread sets always this keyloggerwindow under the mouse pointer. However, thismovements do not lead to a MouseEntered-Event forkeylogger window and do not lead to a MouseExit-Event for the actual window due to the unfocusablestate of the keylogger window. Overall, the keyloggerwindow is under the mouse pointer while the mouseis pressed in the actual window. However, if the mouseis released by the user then a MouseEntered-Event forkeylogger window and MouseExit-Event for the actualwindow will be created. Moreover, this MouseReleased-Event will be also relayed to the actual window due tothe unfocusable keylogger window. If there is only amouse click (mouse button pressed after fast releasing)then 21 will be immediately triggered. Hence, mouse

clicks will be relayed to the actual window. In total, aMousePressed-Event and a MouseReleased-Event reachthe actual window.

1px

1px

32px

32px

Application window Mouse pointer

Keylogger window

x

Key pressed

Keylogger process

Imitate key press

Keylogger process

Application windowNormal

Key event

Imitation

Recording

Keyboard

Keyboard

Keyboard

x

Application window

x

Application window

x

Keylogger process

Figure 4. Overview of Mouse Underlaying.

As presented in Figure 4, by closing the keyloggerwindow, the actual window in the background regainsfocus. Hence, the imitation of key and mouse eventscan be transmitted to the actual window. The imitationis required because the focusable keylogger windowintercepts all key and mouse events by the user.Without this imitation, all of these events would onlybe recorded, but there would be no relaying of them tothe actual window. As a consequence, the user wouldnot be able to interact with the actual window.


05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

However, Mouse Underlaying has two vulnerabilities:

1. While the user is pressing his or her mousebutton, the keylogger window is unfocusable.Therefore the local key listener is disabled. Hence,keystrokes are not recorded. However, this isuntypical user behavior. Although, there is amechanism: if the mouse is pressed more thanfive seconds 23 , then the released mouse statewill be imitated for resetting the mouse state 24 .Subsequently, the keylogger window changes tofocusable 25 . Finally, the requestFocus_threadwill be resumed 26 .

2. Various key combinations are able to closethe focused window, such as [ALT] + [F4]

in Windows. If the user applies this shortcut,then he or she will close the keylogger windowand no keylogging will be possible. Therefore,the closedWindow_thread employs an infiniteloop checking whether the keylogger window isclosed 4 . In this case, the shortcut for closing awindow will be imitated. Afterwards, the closedkeylogger window opens again. An exceptionexists for this mechanism while the keyloggerprocess is relaying the keystroke to the actualwindow. This exception is realized by pausing 6

and resuming 11 the closedWindow_thread. Withthis mechanism the Mouse Underlaying is ableto relay the effect of this shortcut to the actualwindow.

Windows pushes in regular intervals (system updatetime) the Windows Message of the WSMQ to the TMQof a current focused window [26]. As a consequence, thewaiting time must be higher than the duration of theseregular intervals for securing a registration of:

• A changed window focus.

• Imitated key and mouse events.

• A switch between of a focusable and unfocusablestate of a window.

• An opening and closing of a window.

4.2. Protocol And Relay KeystrokesFigure 5 shows the manipulation of keystroke process-ing in Windows by Mouse Underlaying: Ultimately,Windows employs a WSMQ for managing which TMQof a window receives information about keystrokes [4].The keylogger window is always on focus. For thisreason, the TMQ of this window obtains WSMQ infor-mation about keystrokes. If a key is pressed, then thekeylogger window is closing and subsequently removedfrom the WSMQ. Simultaneously, the actual window

is on focus, and its TMQ receives WSMQ informa-tion about keystrokes. While imitating the keystroke aWM_KEYDOWN Windows Message is created by the keylog-ger process and automatically pushed to the WSMQ. Inthe following, the TMQ of the actual window is receiv-ing information about this keystroke. In other words,with this function the keylogger window is capable ofrelaying logged keystrokes to the actual window. Thereis no difference in generating keystrokes between akeyboard device driver and a process. Hence, the actualwindow is able to react upon any kind of generatedkeystroke. The same applies to mouse events: insteadof a WM_KEYDOWN there is a WM_MOUSEDOWN, WM_MOUSEUPetc. Windows Message.

Normal

Imitation

Keystroke

Keyboard Device Driver

Windows System Message Queue Thread Message Loop

Translate keystroke into WM_KEYDOWN

Keylogger window

Actual window


Thread Message Queue Thread Message Loop

Thread Message Loop

Keylogger process

Imitating keystroke by generating WM_KEYDOWN

Actual window Windows System Message Queue


If keystroke

Figure 5. Manipulation of keystroke processing in Windows byMouse Underlaying.

4.3. Change Window FocusFigure 6 presents the changing of window focus whileMouse Underlaying is active: The keylogger window isin focus, and its TMQ comes first in the WSMQ. If thereis a mouse click, then the keylogger window interceptsit. In addition, the keylogger window is closing, and its

7



05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

T. N. Witte

TMQ is removed from the WSMQ. The actual window(window no.1 in Figure 6) has focus. Therefore its TMQis now first listed in the WSMQ. The imitated mouseclick (same position as the intercepted mouse click)in a window not focused (window no.3 in Figure 6)sets this window in focus and puts its TMQ on thefirst place in the WSMQ. If this mouse click resideson an operating element, then this element is focus inthe window. However, if this window is in focus again,then this element is automatically in focus too. Thereopening of the keylogger window sets this window infocus and assigns its TMQ to first listed in the WSMQ.

Window no.3

Window no.2

Keylogger window

Window no.1

Window no.2


Normal

Keylogger window

Mouse click on window no. 3

Mouse click

Keylogger window is closing

Imitation of mouse click

Imitated mouse click

Changing focus

Window no.3

Window no.1

Window no.3

Window no.2

Keylogger window

Window no.1

Window no.2

Keylogger windowWindow no.3

Window no.1

Window no.3

Window no.2

Window no.1

Window no.2

Window no.3

Window no.1

Window no.3

Window no.2

Window no.1

Window no.2

Window no.3

Window no.1

Window no.2

Window no.1

Window no.3

Window no.1

Window no.2

Window no.3

Window no.2

Window no.1

Keylogger window

Window no.3

Window no.1

Keylogger window

Window no.2

Window no.3

Reopen of keylogger window






Figure 6. Changing window focus while Mouse Underlaying isactive.

5. EvaluationA sample.jar file (programming language: Java) isgenerated applying Mouse Underlaying. This windowis a JFrame. A key and mouse listener is employed formonitoring key and mouse events of the user. Mouseand key events are imitated by a robot. The programcontains a kill switch: if [ESC] is pressed, then theprogram will stop. However, the program sample.jardisplays captured keystrokes in a console. Furthermore,no admin rights, only standard user privileges areapplied to the following operating systems: Windows(Version: XP - 10), OS X (Version: 10.8 - 10.13), Linux(Ubuntu and Debian), Solaris, Android and Qubes OS.

5.1. Operating System CompatibilityMouse Underlaying works perfectly under Windows,Linux and Solaris. However, there is a minor issue withOS X as described in the following paragraph.

Table 1. Compatibility of Mouse Underlaying with operatingsystems.

Name Version Vulnerable

Windows XP 3

Vista 3

7 3

8 3

8.1 3

10 3

OS X 10.8 (Mountain Lion) 3

10.9 (Mavericks) 3

10.10 (Yosemite) 3

10.11 (El Capitan) 3

10.12 (Sierra) 3

10.13 (High Sierra) 3

Linux Ubuntu 16.04.3 3

Debian 9.3 3

Solaris 11.3 3

Android 8.1.0 7

Qubes OS 3.2 7

Before sample.jar is being launched on OS X, awindow appears indicating that this program is usingaccessibility features (imitation of keystrokes andmouse clicks) as shown in Figure 7.

As usual in OS X, the keylogger process generatesWindow Messages (in Windows: Windows Messages)for imitating key and mouse events and tries to pushthese Messages into the Event Queue (in Windows:WSMQ). However, OS X prevents pushing WindowMessages into the Event Queue by processes. Normally,only the corresponding device driver to this eventhas privileges to push Window Messages into thisEvent Queue. However, the user is able to define


05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

Figure 7. Message of OS X before launching sample.jar.

exceptions [15]. After the user confirms this message bydefining an exception for this keylogger process, MouseUnderlaying will work perfectly. Social Engineering isan effective method to convince the user to confirm thismessage.

Android is not vulnerable for Mouse Underlayingbecause it does not provide software-induced focusrequest. Moreover, the graphical user interface ofAndroid is not a typical desktop. Only one window canbe opened exclusively. The other windows are stored ina queue [29]. The following sequence of activities canbe observed:

1. if the current window closes;

2. then the next window in this queue will openimmediately;

3. if the keylogger window is open;

4. then the user can see the background image,which is suspisious;

5. (again) mouse or keystroke by the user;

6. keylogger window closes;

7. evoking next window in the queue;

8. keylogger imitates mouse or keystroke;

9. keylogger window opens again;

10. the user can see the background image againwhich is suspisious, and so on.

However, Mouse Underlaying does not work onQubes OS. For testing purposes, the keylogger wasstarted in a VM while trying to monitor keystrokes inanother VM. Qubes OS employs a compartmentaliza-tion. For this reason, there is an instantiation of eachVM [25]. On this basis, the keylogger window receivesonly focus in one VM but not in other VMs. Hence, thekeylogger window is not able to get the overall focuson the desktop. Therefore, local key and mouse listenerare not effective. Basically, Mouse Underlaying works onQubes OS only if one VM is used. In order to achievethat the the attacker has two effective methods to applythe keylogger:

1. sending an HTTP link file to the user openinga website with a bound keylogger. From thismoment on the attacker is capable of monitoringall keystrokes in the browser because this browserand the keylogger run in the same VM.

2. a modification of Mouse Underlaying can par-tially bypass the compartmentalization of QubesOS: the keylogger window is open, then it closesbriefly in order to open again. As a result, the key-logger window has obtained the total focus on thedesktop including all VMs. Local key and mouselistener are now able to monitor user activities inone VM but no imitation of user activities in otherVMs is possible because of the compartmentaliza-tion.

Some operating systems such as Linux and Solairsemploy multiple desktops. For testing purposes thekeylogger was started in the first desktop instance whiletrying to log keystrokes in the second desktop instance.Mouse Underlaying is not able to record keystrokesin the second desktop instance because the keyloggerwindow exists only in first desktop instance. However,the modification of Mouse Underlaying applied inQubes OS transfers the keylogger window to the seconddesktop instance (currently used). In addition, thiswindow is on focus. As a consequence, keystrokes willbe recorded.

For ensuring a platform independence of MouseUnderlaying there are different waiting times foreach operating system based on the system updatetime for window focus. For example, in Windowsthe update time is determined the WSMQ. However,this does not apply to operating systems based oncompartmentalization. The system update time isinfluenced by the hardware performance and currentCPU usage. Moreover, Mouse Underlaying requiresa desktop allowing more than one window openedconcurrently.

5.2. Minor LimitationsNormally, every window in Windows 8 (or higher)which is not on focus has a gray layout. The focusedwindow has its normal layout as presented in Figure 8(a).

While Mouse Underlaying is running on a Windows-type operating system, every window appears as notfocused. In other words, each window has a gray layoutas depicted in Figure 8 (b). The focused window is thekeylogger window (size of 1x1 pixel therefore almostinvisible for the user).

In addition, during the relaying process of useractivities the focus changes twice. This relaying processis extremely fast. For this reason, the window layoutchanges similarely fast: the active layout of the actual

9



05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

T. N. Witte

(a) inactive (b) active

Figure 8. Changed window focus behaviour due to MouseUnderlaying.

window displays only a few milliseconds before itturns into gray again. For example in the case ofword processing, the user does not notice this changebecause he or she focuses on the text and not on thewindow frame while writing. However, there is no textcursor in text fields because this operating element isnot on focus. While relaying user activities this textcursor is appearing for milliseconds. Furthermore, ifthe user is typing faster than the waiting time (thetime elapsed between to keystrokes is shorter than thewaiting time), then this keystroke will not be recordedand imitated because the user is writing while thekeylogger window is closed. This usually happens whenthe user constantly presses a key. The same applies tomouse events but this is an unusual user behavior.

Besides, there is a minimal delay (barely noticeable)between typing keystroke and see result on thescreen. Moreover, while Mouse Underlaying is active,automatic completion such as in browsers is disableddue to the browser not being in focus.

5.3. Countermeasures

Antivirus software. This sample.jar file was uploaded tothe website www.virustotal.com which uses signaturesof a lot of anti-virus software for detecting malware [3,31]. The results of this analysis is demonstrated inFigure 9: none of 60 used anti-virus programs were ableto recognize sample.jar as malware (keylogger).

Figure 9. Analysis by virustotal.com.

In addition, for testing purposes the followingbehavior controls of anti-virus software are applied: GDATA, Symantac, Kaspersky, Avira and Trend Micro.None of them was able to recognize sample.jar asmalware (keylogger).

Keylogger protection software. A whole variety of key-logger protection software by different manufacturershas been tested. None of them was able to preventmonitoring keystrokes by sample.jar as illustrated inTable 2.

Table 2. Keylogger protection software attempting to preventkeylogging.

Name Attack Prevented

Elite Anti Keylogger 7

G DATA 7

Ghostpress 7

GuardedID 7

Kaspersky 7

KeyScrambler 7

SpyShelter 7

Zemana 7

Virtual keyboards. Virtual keyboards are applied fortesting their capability to prevent capturing keystrokesby sample.jar. As displayed in Table 3 none of them wasable to prevent keylogging by Mouse Underlaying.

Table 3. Virtual keyboards attempting to prevent keylogging byMouse Underlaying.

Name Attack Prevented

Free Virtual Keyboard 7

Kaspersky Virtual Keyboard 7

Windows On-Screen Keyboard 7

6. Analysis6.1. CountermeasuresA detection of Mouse Underlaying by signatures andbehavior controls of anti-virus programs failed. MouseUnderlaying is based on actions which are often appliedby usual programs such as moving, opening andclosing of its window, and requesting focus. Theseactions are benign because there is no system damageor serious system change caused by them. Moreover,Mouse Underlaying was virtually unknown at this time.

Keylogger protection techniques presented in TableII employ the Key Event Encryption [2]: WM_KEYDOWNWindows Messages will be encrypted by the encryptionunit of the Key Event Encryption and pushed to theWSMQ. At the end of the keystroke handling processthere is a decryption of this Windows Message by thedecryption unit before entering the keylogger window.However, each keystroke by the user will be recordedin a decrypted state. As usual, there is an imitation ofthese keystrokes. The generated WM_KEYDOWN WindowsMessage of the keylogger process will be encrypted


05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

by the encryption unit and pushed to the WSMQ.The same applies for this generated Windows Messageby entering the actual window. In other words, thisgenerated Windows Message will reach the actualwindow in a decrypted state. As a consequence, the KeyEvent Encryption does not prevent Mouse Underlaying:The keystroke (of the user) will be recorded in adecrypted state and the imitated keystroke reaches theactual window in a decrypted state.

Moreover, keylogger protection techniques andbehavior controls of anti-virus software often addition-ally apply the Anti-Hook Technique [9]: Mouse Under-laying does not use an API for hooking keys becauseit applies a sophisticated window focus in combinationwith a local key listener. For this reason, Mouse Under-laying is undetectable for the Anti-Hook Technique.

Basically, Mouse Underlaying can be overreachedsuch as other keyloggers with changing focus while typ-ing. By modifying the local mouse listener into record-ing mouse clicks in the keylog, Mouse Underlaying isable to recognize a changing focus.

Generated keystrokes by HoneyID are kernel basedkeystrokes because these do not originate from akeyboard driver. By imitation of a keystroke aWM_KEYDOWN Windows Message is created and pushedinto the WSMQ by a process instead of a keyboarddriver. However, there is no difference between aWM_KEYDOWN Windows Message generated by a keyboarddriver or a process [28]. For this reason, a local keylistener reacts to generated keystrokes by HoneyID.As a consequence, the CPU usage of the keyloggerincreases while HoneyID is imitating keystrokes.However, this increasing is limited by a low CPU usagevalue based on a maximum count of imitation dueto using waiting times. Therefore, it is a challenge todistinguish a keylogger applying Mouse Underlayingfrom other processes based on the fact that otherprocesses do not have a constant CPU usage.

However, Random Multiple Layouts can not preventkeylogging by Mouse Underlaying because this incor-rect virtual-key code information of the Windows Mes-sage will be converted back into the original keyboardlayout before entering the keylogger window. For thisreason, the keylogger window receives the WindowsMessage containing the correct virtual-key code infor-mation.

Moreover, the detection technique based on theSVM is able to detect Mouse Underlaying. WhileMouse Underlaying is active, a Windows Message hasdouble the normal distance to reach the target (actualwindow): Reaching the keylogger window, monitoringand imitating it, then reaching the target. Therefore, themeasured time differences are approximately twice ashigh as normal.

The window of a virtual keyboard application isunfocusable: if this window is focusable, then it blocks

the generated key events independently. As mentionedabove, there is no difference in generating keystrokesbetween a keyboard device driver and a process. Hence,the local key listener is able to react to them. However,virtual keyboards only prevent keylogging by theKernel-based Keyboard Filter Driver Method becausethe generated Windows Messages are pushed into theWSMQ by the process of a virtual keyboard. Hence,these messages do not enter the Kernel-Based KeyboardFilter Driver.

6.2. Differences between Mouse Underlaying andconventional keylogging methodsMouse Underlaying does not install an additionalelement (thread, hook, or driver) to the keystrokeprocessing of the operating system like conventionallyapplied keylogger methods [4]. These methods getthe keystroke information illegally because thereis no focused window. Mouse Underlaying recordskeystrokes in accordance with the operating systempolicy (legal) by using a sophisticated window focus.The operating system sets its window, residing at theend of the keystroke handling process due to its focusedstate. For each key press the keylogger window closesand relays this keystroke to the actual window byimitation.

For this reason, Mouse Underlaying substantiallychanges the flow of the Windows Messages: The keylog-ger window intercepts all incoming Windows Messagesby logging. Afterwards, the keylogger window closes.Subsequently, a clone of these messages will be gener-ated by imitating the same keystroke. Now this gener-ated Windows Message will be pushed into the WSMQ.Afterwards, this message reaches the actual window(target). In other words, while Mouse Underlaying isactive, a Windows Message has double the normaldistance to reach the target: Reaching the keyloggerwindow, monitoring and imitating it, then reachingthe target. Unlike Kernel-based Keyboard Filter DriverMethod and Windows Keyboard Hook Method, there isno interception of all incoming Windows Messages bylogging them [26]. Hence, there is no recreation of thismessage by imitation required. As a consequence, theoriginal Windows Message reaches the window (target)in one way. There is a further entering of the additionalelement. Unlike the Keyboard State Table Method, thereis no entering of the Windows Message into its addi-tional thread [4]. This thread is only monitoring theKeyboard State Table concurrent (multithreading) withthe keystroke processing. The table indirectly repre-sents a WM_KEYDOWN Windows Message: If this messageis generated then its information about the keystrokeexists in this table.

Mouse Underlaying applies a 1x1 pixel-sized andvery transparent window. Hence, the user does not

11



05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

T. N. Witte

notice this window as focused. The user is mistakenlyconvinced that the actual window (in the background)has focus. Conventional keylogging methods operatedirectly on the operating system or kernel level. Hence,these methods are not applied on the graphical userinterface. As a consequence, the user is not visuallyfooled.

For installing an additional element applied byconventional keylogging methods, kernel modification(driver installation) or changes in the configuration fileof the operation system (hook registration and threadattaching) are required [17]. As a consequence, anti-virus programs will report this action to the user. Theseactions also require administrator privileges.

Mouse Underlaying operates directly on the graphicaluser interface (desktop) by applying:

• Imitation of key and mouse events.

• Information about the mouse pointer position.

• Local key and mouse listener.

• Moving, opening and closing of its window.

• Switching between a focusable and unfocusablestate.

• Requesting focus.

Thus, only standard user privileges are required.Moreover, these actions are often applied by usualprograms. As mentioned above, these actions are alsobenign. As a result, Mouse Underlaying will notbe identified as suspicious (malware) by anti-virusprograms.

Moreover, if the attacker applies one of theconventional keylogging methods, he or she often triesto cover their tracks by uninstalling the additionalelement after the attack. However, operating systemsand other tools log when an additional driver (Kernel-based Keyboard Filter Driver Method) is installed,hooks are applied (Windows Keyboard Hook Method)etc. [27]. Therefore, conventional keylogging methodsare traceable after the attack. An attacker who appliesMouse Underlaying needs only to terminate thisprocess. For this reason, it is a challenge to prove MouseUnderlaying after the attack.

7. Outlook and further research7.1. Disabling keyboard and mouseIf there is no local key listener, then Mouse Underlayingis capable of disabling the keyboard instead ofkeylogging. The same applies to the mouse by removingthe used mouse listener. However, other techniquesrequire administrator privileges for disabling bothkeyboard and mouse due to kernel modifications [27].

For this reason, there is a detection by behaviorcontrols of an anti-virus program. In addition, MouseUnderlaying with cumulative modifications (see above)can be applied in Qubes OS to disable the entirety ofkeyboard and mouse functions (also in other VMs).

7.2. OptimizationAppearance of focus layout. While Mouse Underlayingis active in Windows 8 (or higher) each windowhas a grey layout. Generally, regular users are notable to recognize this layout modification. Thoughthere are computer-experts and highly attentive usersnoticing this modification enabling them to reactappropriately. On that account, Mouse Underlayingshould disable this layout modification. A registry keymodification is a way to do that [11]. However, if thekeylogger implements this directly via command, thenthe keylogger will be detected by behavior control of ananti-virus program.

Instead of manipulating a registry key there isanother way to solve this layout problem by modifyingMouse Underlaying: the program takes a screenshot.The window size is identical with the screen size andrequesting focus. This window contains the screenshottaken. If there is a key or mouse event (noticed by locallisteners), then the window will close. After imitatingthis event there is another screenshot activity. At thispoint, the window opens with the updated screenshot.However, this modification causes a still image on thedesktop. In general, the user does not notice this attackwhile, for instance, watching a video or playing a game.Moreover, a number of operating systems such as Linuxnoticed a white contour for a few seconds during theopening process.

Imitation of keystrokes. For imitating keystrokes MouseUnderlaying forges pressure and release of a particularkey. Between pressure and release there is a waitingtime based on the system update time. This waitingtime is identical for each imitation. For this reason,it is possible to develop specific detection techniques.These techniques analyze the elapsed time of a pressedkey. If this time is always the same or too short forhuman activites, then Mouse Underlaying is active. Asa consequence, the length of the waiting time must bewithin particular interval boundaries. The length of thewaiting time is determined by a random value withinthese boundaries. The interval range is determined byan analysis of human keystrokes.

8. ConclusionsThis paper has described a new software-basedkeylogger method: Mouse Underlaying does not installan additional element (thread, hook, or driver) tothe keystroke processing of the operating system like


05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

conventional applied keylogger methods. For each keypress the keylogger window closes and relays thiskeystroke to the actual window by imitation. Thiskeylogger window is almost invisible. For this reason,the user is mistakenly convinced that the actual windowis on focus and there exists no focused keyloggerwindow. In other words, Mouse Underlaying visuallyspoofs the user.

Besides, Mouse Underlaying has the following advan-tages compared with conventional applied keyloggingmethods:

• No modification of kernel or configuration file forinstalling an additional element to the keystrokeprocessing of the operating system.

• No administrator privileges are required, onlystandard user privileges.

• Obtains keystroke information legally by employ-ing a focused window.

• Indirect manipulation of Windows Messagesflow (keystroke processing): keylogger protectiontechniques based on encryption can not preventthis attack.

• No identification as suspicious by anti-virusprograms based on benign operations such asmoving, open and closing of its window (oftenapplied by usual programs).

• Difficult to prove after the attack.

Although, Mouse Underlaying has the followingdisadvantages:

• Requires a desktop which allows several windowsopen at the same time.

• Operating systems chart the focus by layoutof the window and the operating element.There is no focused window and no focusedoperating element represented. Besides, whiletyping keystrokes there are two focus changes(also represented in the layout). Overall, the usercould become suspicious.

• The employed waiting time is different for eachoperating system.

Conventional keylogger protection techniques aredesigned to prevent keylogging by methods whichinstall an additional element in the keystroke process-ing of the operating system. However, these protec-tion techniques are not designed to prevent an almostinvisible window to receive keystroke information andrelay it to the actual window (manipulation of WindowsMessages flow). Overall, Mouse Underlaying is a seriousthreat. However, there are various countermeasures anddetection techniques for Mouse Underlaying:

• The behavior control of an anti-virus programmust analyze the WSMQ on irregularities: if awindow appears frequently on the first place(focused window) even directly after its interme-diate disappearance, then this application shouldbe identified as suspicious. The MessageQueue-Class in C# and C++ is capable of analysing theWSMQ [19]. This method is able to detect themain part of Mouse Underlaying, a window fre-quently opening and closing and always on focus.

• Besides, the behavior control of an anti-virus pro-gram shall identify an application as suspicious ifits position changes often.

• Moreover, there should be a limited protected areawithin the mouse pointer: operating systems andanti-virus programs shall prevent the movementof applications in this area.

• However, a complete disabling or ignoring ofimitating both key and mouse events is not usefulbecause physically incapacitated people use toolssuch as voice control. In this way it may beseen as a discrimination. Over and above, remotemaintenance tools use this functionality too.

• Furthermore, if a program is imitating mouse andkey events, then the operating system and therelated anti-virus program must report this actionto the user in form of a message box. However, OSX is the only operating system capable of this typereporting.

• In addition, an 1x1 pixel-sized window issuspecious because this is untypical for a usefulprogram. Hence, the window manager mustrecognize the suitable window. Therefore, it mustprovide a minimum window size. If a windowis smaller than the minimum size, then thewindow manager is terminating the process of theundersized window.

• Moreover, based on the fact that the keyloggerwindow is always under the mouse pointer,Mouse Underlaying can be detected with amodification of HoneyID: there is a determentof CPU usage of each process. Instead ofimitating keystrokes there is an imitation ofmouse movement. Meanwhile the CPU usage ofeach process is determined again and comparedduring this imitation. If there is an increase ofCPU usage of a process, then this process will useMouse Underlaying.

• Another method to detect Mouse Underlayinggenerates a window with both a local key andmouse listener. The process of this window

13



05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

T. N. Witte

imitates both mouse and key events at a highfrequency. If events are recorded with a delay(elapsed time between imitation and recording)by the local listeners, then Mouse Underlaying isactive.

• In addition, an analysis of the keylog is able todetect Mouse Underlaying: if there are always thesame two characters in a row such as tteesstt thenMouse Underlaying is active. Of the two samecharacters the first is user induced and the secondis the result of a keylogger imitation.

• An effective measure against Mouse Underlayingis compartmentalization such as in Qubes OS.There is a instantiation of each process. In otherwords, every process is isolated from the others.Microsoft operating systems can be protectedagainst Mouse Underlaying with Bromium SecurePlatform. This is a security software which runsevery application in a micro VM [1].

AnnotationThis paper was accepted to The 17th IEEE InternationalConference On Trust, Security And Privacy In ComputingAnd Communications (IEEE TrustCom-18) in New York.Unfortunately, there was not financial support to payconference fee etc. therefore I must withdraw thispaper.

Acknowledgements. I would like to thank the DistributedSystems Group from the Osnabrück University for valuablefeedback, discussions, and work. I would also like to thankJörg Krywkow who did an extended proofreading of my firstpaper. Moreover, I would like to thank the Cyber Analysis andDefense Group from the Fraunhofer FKIE for value feedbackand good suggestions for the evaluation.

References[1] (2016) Bromium- Redefining Endpoint Security. Tech. rep.,

Bromium.[2] (2017) GuardedID. Tech. rep., StrikeForce Technologies.[3] Abrams, R. (2017) Virustotal tips, tricks and myths. In

VB2017.[4] Abukar, Y., Maarof, M., Hassan, F. and Muse Abshir, M.

(2014) Survey of keylogger technologies 5: 25–31.[5] Akhil S, Neeraja M Nair, A.P.A.R. (2014) Detection and

prevention of keylogger spyware attacks. InternationalJournal of Computer Engineering & Technology (IJET) .

[6] Ali, T.O.M., Awadelseed, O.S.A. and Eldewahi,

A.E.W. (2016) Random multiple layouts: Keyloggerprevention technique. In 2016 Conference of BasicSciences and Engineering Studies (SGCAC): 1–5.doi:10.1109/SGCAC.2016.7457997.

[7] Aslam, M., Muzammil Baig, M. and Asif Arshad, M.

(2004) Anti-hook shield against the software key loggers.CiteSeerX .

[8] Creutzburg, R. (2017) The strange world of keyloggers -an overview, part I 2017: 139–148.

[9] Dadkhah, M., Davarpanah Jazi, M., Ciobotaru, A.M.

and Barati, E. (2014) An introduction to undetectablekeyloggers with experimental testing 4: 1–5.

[10] Florencio, D. and Herley, C. (2006) How to login froman internet cafe without worrying about keyloggers .

[11] Honeycutt, J. (2005) Microsoft Windows Registry Guide,Second Edition (Redmond, WA, USA: Microsoft Press).

[12] Howard, A. and Hu, Y. (2012) An approach fordetecting malicious keyloggers. In Proceedings of the 2012Information Security Curriculum Development Conference,InfoSecCD ’12 (New York, NY, USA: ACM): 53–56.doi:10.1145/2390317.2390326, URL http://doi.acm.

org/10.1145/2390317.2390326.[13] Kishore Subramanyam, Charles E. Frank, D.F.G. (2007)

Keyloggers: The Overlooked Threat to Computer Security.[14] Lee, R. (2004) Keystroke logging investigation. SANS

Security Essentials (GSEC) .[15] Miller, B.P., Cooksey, G. and Moore, F. (2006) An empir-

ical study of the robustness of MacOS applications usingrandom testing. In Proceedings of the 1st InternationalWorkshop on Random Testing, RT ’06 (New York, NY,USA: ACM): 46–54. doi:10.1145/1145735.1145743, URLhttp://doi.acm.org/10.1145/1145735.1145743.

[16] NameHemita Pathak, Apurva Pawar, B.P. (2015) Asurvey on keylogger: A malicious attack. InternationalJournal of Advanced Research in Computer Engineering &Technology (IJARCET) 4.

[17] Navarro, J., Naudon, E. and Oliveira, D. (2012)Bridging the semantic gap to mitigate kernel-levelkeyloggers. In 2012 IEEE Symposium on Security andPrivacy Workshops: 97–103. doi:10.1109/SPW.2012.22.

[18] Olzak, T. (2008) Keystroke logging (keylogging) .[19] Oney, W. (2002) Programming the Microsoft Windows

Driver Model, Second Edition (Redmond, WA, USA:Microsoft Press), 2nd ed.

[20] Ortolani, S., Giuffrida, C. and Crispo, B. (2013)Unprivileged black-box detection of user-space keylog-gers. IEEE Transactions on Dependable and Secure Com-puting 10(1): 40–52. doi:10.1109/TDSC.2012.76.

[21] Peter Schartner, M.F. (2011) System-manipulationusing windows-messaging-hooks. Semantic Scholar .

[22] Pillai, D. and Siddavatam, I. (2018) A modifiedframework to detect keyloggers using machine learningalgorithm : 1–6.

[23] Preeti Tuli, P.S. (2013) System monitoring and securityusing keylogger. International Journal of Computer Scienceand Mobile Computing 2.

[24] Rahim, R., Nurdiyanto, H., Ahmar, A., Abdullah, D.,Hartama, D. and Napitupulu, D. (2018) Keyloggerapplication to monitoring users activity with exact stringmatching algorithm 954: 012008.

[25] Rutkowska, J. and Wojtczuk, R. (2010) Qubes OSArchitecture. Tech. rep., Invisible Things Lab.

[26] Sagiroglu, S. and Canbek, G. (2009) Keyloggers:Increasing threats to computer security and privacy.IEEE Technology and Society Magazine 28(3): 10–17.doi:10.1109/MTS.2009.934159.

[27] Silberschatz, A., Galvin, P.B. and Gagne, G. (2008)Operating System Concepts (Wiley Publishing), 8th ed.


05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

http://dx.doi.org/10.1109/SGCAC.2016.7457997

http://dx.doi.org/10.1145/2390317.2390326

http://doi.acm.org/10.1145/2390317.2390326

http://doi.acm.org/10.1145/2390317.2390326

http://dx.doi.org/10.1145/1145735.1145743

http://doi.acm.org/10.1145/1145735.1145743

http://dx.doi.org/10.1109/SPW.2012.22

http://dx.doi.org/10.1109/TDSC.2012.76

http://dx.doi.org/10.1109/MTS.2009.934159

[28] Solairaj, A., Prabanand, S.C., Mathalairaj, J., Prathap,C. and Vignesh, L.S. (2016) Keyloggers software detec-tion techniques. In 2016 10th International Confer-ence on Intelligent Systems and Control (ISCO): 1–6.doi:10.1109/ISCO.2016.7726880.

[29] Song, M., Song, H. and Fu, X. (2011) Methodologyof user interfaces design based on android. In 2011International Conference on Multimedia Technology: 408–411. doi:10.1109/ICMT.2011.6002076.

[30] Tharwat, A., Hassanien, A.E. and Elnaghi, B.E. (2017)A ba-based algorithm for parameter optimization ofsupport vector machine. Pattern Recognition Letters 93:13–22. doi:10.1016/j.patrec.2016.10.007, URL https://

doi.org/10.1016/j.patrec.2016.10.007.

[31] Verma, A., Rao, M., Gupta, A., Jeberson, W. and Singh,

V. (2013) A literature review on malware and its analysis5.

[32] Wazid, M., Katal, A., Goudar, R.H., Singh, D.P.,Tyagi, A., Sharma, R. and Bhakuni, P. (2013) Aframework for detection and prevention of novelkeylogger spyware attacks. In 2013 7th InternationalConference on Intelligent Systems and Control (ISCO): 433–438. doi:10.1109/ISCO.2013.6481194.

[33] Ysterud, S.A. (2014) Keylogging of user interaction inphysical and virtual environments and its implications forhoneypot analysis. Master’s thesis, University Of Oslo.

15



05 2018 - 10 2018 | Volume 5 | Issue 15 | e5

http://dx.doi.org/10.1109/ISCO.2016.7726880

http://dx.doi.org/10.1109/ICMT.2011.6002076

http://dx.doi.org/10.1016/j.patrec.2016.10.007

https://doi.org/10.1016/j.patrec.2016.10.007

https://doi.org/10.1016/j.patrec.2016.10.007

http://dx.doi.org/10.1109/ISCO.2013.6481194

mouse underlaying: global key and mouse listener based on ...nbn:de:gbv:7… · keyloggers are...

Documents