Build a better Keylogger

i.r:  <excited> Ooooh! Oooh! I.R hack NASA!
i.m:  Whaaaaaaa? No! Foolish baboon, they will trace you for sure!
i.r:  Naahhhhh! I.R upload in-memory rootkit! I.R real stealthy, you bet!
i.m:  And what insane scheme do you plan to implement while you are in there?
i.r:  I.R install key sniffer! <sniffs finger> I.R sniffed NASA admin's password!  <dances about and jumps up and down beating chest> I.R GREAT HACKER!
i.m:  Well, we can but hope. Hadn't you better disconnect before they find you?
i.r:  Uhhhhhhh... ahhhhhhh... <scratches head> OK!  I.R unload rootkit! <pokes at keyboard>  Huh?  <taps more keys> EEEeeeeeee!!! <pounds keyboard in rage>
i.m:  What! What? What what what WHAT?!
i.r:  Rootkit no unload! Why rootkit no unload? IR issue net stop command but it still there!
i.m:  Oh, pitiful baboon, they have you now! <Sobs> Your doom is certain, and all because a keyboard IRP lies waiting at the bottom of the stack. <Cheers up> Yet NO! I shall save you! It is my noble duty and I shall not fail, for I AM WEASEL!

i.m.weasle takes us down a technical overview of fixing the common problem most keyloggers have, unloading after installing a filter driver in the keyboard device stackPosted on


Author: Xavier Ashe

Entrepreneur, Infosec Executive, CISSP, CISM, Ironman triathlete, traveler, UU, paleo, father of 8, goyishe, gamer, & geek.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s