analysis of the fimbel keylogger and pace university converter

Analysis of the Fimbel Keylogger and Pace University ConverterChristopher Funk, Sheryl Hanchar, and Ned Bakelman

Keyloggers Record Keystokes

Not intrinsically good or evil Potential Uses

Data Grabbers (Evil) Active Identification (Good)

Visibility of Keyloggers Rootkit vs. Normal Process

PACE UNIVERSITY

Tools for finding Anatomy of any program Analyze it as if it was malicious software

Ultimate Packer for eXecutables (UPX) Fakenet – Network Diagnostics Process Explorer – Process Information OLLYdbg – Showing Flow of Program IDA Pro – Interactive Disassembler CFF Explorer – Decompile .Net directory

PACE UNIVERSITY

Keylogger Software Pack Originally three programs

Fimble Keylogger Pace Keylogger Launcher

Focus of in-depth analysis Pace Converter

Newer Version is two programs Combined the two Pace tools

PACE UNIVERSITY

Pace Keylogger Anatomy

Opens connect to Pace Server that remains open

User Agent is a .Net program

PACE UNIVERSITY


UPX strings showing where the program is sending the data

Password is blacked out

PACE UNIVERSITY


Process Explorer showing the call to start the Fimble Keylogger

PACE UNIVERSITY


Ollydgb showing uniquely .Net Calls

PACE UNIVERSITY


IDA Pro showing .Net boolean variable

Says if Fimble is running

Very Visible Program

PACE UNIVERSITY


CFF Explorer – only works with .Net programs

Entry Point where malicious software can take control

Or just inject code into other benign program

PACE UNIVERSITY

Combination Project Breakdown Goal – Combining Software Tools

Keylogger Launcher Converter

Issues Different Programming Languages External Program Control from Java

Environment Parallel work being done by customer on

code

Pace UniversityPACE UNIVERSITY

Two Different Tools


Goal Breakdown Expanding converter to encompass

launcher functions Start and Stop the keylogger Working with previous code Naming Convention

Identify keylogging target application Field for name information Numbering Outputs

Adding in customer revisions


Step 1: Working with Previous Code Compiling issues when exporting to Jar

Netbeans Meta data Very messy code

Did not follow best practices Obsoleted code that still was in use

Main() issues Moving it from Login() class to converter()

class


Step 2: Start and Stop Keylogger External Program Executioner

Java Process Builder / Process classes Issues

Unable to find the program Documentation does not specify necessary

parameters Error Messages Unclear

Working only on one machine Re-arranging GUI and how to identify the

keylogger


Pace University

`ProcessBuilder builder = new ProcessBuilder(keyloggerDirectoryField.getText() + "startkeylogger.exe"); builder.directory(new File (keyloggerDirectoryField.getText()));Process javap = builder.start();`

PACE UNIVERSITY

Step 3: Naming Convention LastName_Firstname_Application_Number.xml Identify Target Program

Drop down menu Hard coded string, not filtering the output

Name information Fields where there but by default were invisible

even though necessary Numbering

Had to find the last number with the name output name and then iterate


Step 4: Combining Customer Code Costumer has added to the code after

the original version that was combined Need for communication after last step to

make sure that his new changes work with new code

Did not change the converting code classes Allows for change as the code as long as

the function calls stay the same


Communication with Customer / Testing Constant email communication

Only one meeting at the last class Very easy to work with Indispensable to combining project

Test it on other machines to ensure it was working Try out functions in different ways Guide my steps to ensure all necessary functions

were worked on first Work with the previous code and understand what

the function did


Final KeyLogger Launcher and Converter


Questions, Comments, Concerns, or well wishes

PACE UNIVERSITY

analysis of the fimbel keylogger and pace university converter

Documents