Messenger Keystrokes mouse logging

Networking/Security Forums -> Computer Forensics and Incident Response

Author: securitymeans PostPosted: Sat Oct 25, 2008 7:48 pm    Post subject: Messenger Keystrokes mouse logging
    ----
Hi everyone, I have a slightly unusual question here.
I have just done a reinstallation of windows and installed zonealarm latest most expensive edition with full support.
I keep getting a pop up message warning and it says

"Windows messenger is attempting to monitor user activities on this computer. If allowed it may try to track or log keystrokes (User Input), mouse movements/clicks, web sites visited, and other behaviours"

The file involved is msmgs.exe so it is windows messenger.

What i want to do is to let it do some of this logging and monitoring and recording and find out where it is keeping it on my computer then watch for any access from external networks then track where it has gone or goes to.

Is this possible?

Thanks

Tom

Author: capiLocation: Portugal PostPosted: Sat Oct 25, 2008 9:45 pm    Post subject:
    ----
MSN hooks the keystroke and mouse messages that Windows sends to other programs. Like Zonealarm warned you, this allows it to see every key you press on other programs, and every mouse movement or click.

Yahoo Messenger, at least in previous versions a few years ago, did this (don't know about current versions, I presume it's still doing the same). I haven't analyzed what MSN does with the keystroke and mouse information, but I did analyze what Yahoo Messenger did. Yahoo Messenger hooked the keystroke and mouse messages by registering a DLL called idle.dll as a message listener for all processes (injecting the DLL into other processes). It used this information to keep track of how long you go without pressing a key or moving the mouse. Presumably, this was to implement the "automatically change my status to Idle/Away if I'm inactive for X minutes" feature. In particular, Yahoo Messenger did not record the actual keys you pressed, or where you were clicking. Only how long you went without pressing a key or moving the mouse.

I cannot speak for current versions of Yahoo Messenger, or for any version of MSN.

It is indeed possible to trace what MSN is doing, through several different ways. One rather verbose possibility is to debug the program while it runs with a debugger (e.g. a Windows port of GDB, or the Visual Studio debugger, etc). Another possibility is to trace filesystem activity while the program runs, so you see which files are being written to (using something like FileMon, by SysInternals). You may also want to monitor the process's activities, using something like Process Monitor, again by SysInternals.

If you identify the DLL which is being used to monitor the keystroke and mouse messages (in case they're using a DLL in the first place, which is likely) then you could disassemble the DLL (if that is legal in your country, I am not a lawyer).

You could also try to find a Windows equivalent of strace (there seems to be a Cygwin port of the utility).



Networking/Security Forums -> Computer Forensics and Incident Response


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group