Some months ago i’ve written a post about keyloggers (because “during a malware analysis process is useful to know how a keylogger works”), where I’ve shared a simple Windows keylogger written in Python.
Today I want to share another example, this time written in Powershell: I think it may be a useful knowlege during malware analysis activities.
This kind of code may be found often in simple powershell malwares (obviously obfuscated).
The concept is always the same: import from user32.dll some keyboard related methods (GetAsyncKeyState, GetKeyboardState) and using them in order to monitor activities on keyboard and sniffing pressed keys (the code is commented and pretty self-describing).
When executed, the script starts an endless loop that continously reads keyboard state, and wait a CTRL+C.
When users stops loop, the recorded keys will shown in notepad.
- GetAsyncKeyState function | Microsoft Docs
- GetKeyboardState function | Microsoft Docs
- MapVirtualKeyA function | Microsoft Docs