How a keylogger works: a simple Powershell example

Some months ago I wrote a post about keyloggers (because "during a malware analysis process it is useful to know how a keylogger works"), where I shared a simple Windows keylogger written in Python.

Today I want to share another example, this time written in PowerShell: I think it may be useful knowledge during malware analysis activities.

This kind of code is often found in simple PowerShell malware (obviously obfuscated).

The concept is always the same: import some keyboard-related functions from user32.dll (GetAsyncKeyState, GetKeyboardState) and use them to monitor keyboard activity and sniff the pressed keys (the code is commented and pretty self-describing).

When executed, the script starts an endless loop that continuously reads the keyboard state and waits for CTRL+C.
When the user stops the loop, the recorded keys are shown in Notepad.
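From the analyst's side, the same three ingredients described above (a P/Invoke import from user32.dll, GetAsyncKeyState and GetKeyboardState) are what you look for when triaging a suspicious PowerShell script. The following Python script is an added example, not code from the post or from its author: it scores a script's text against those indicators, and, as an assumption about how such samples are usually packaged, it also expands `-EncodedCommand` base64 payloads (UTF-16LE, as PowerShell expects) and collapses the `'Get' + 'Async'` string-concatenation trick before matching. The weights, the threshold and the sample scripts are constructed for this example.

```python
import base64
import re

# Indicators taken from the post: the keyboard-state APIs and the DLL they live in.
# Add-Type / DllImport are the usual PowerShell way to P/Invoke them (assumption:
# a generic pattern, not a claim about any specific sample). Weights are arbitrary.
KEYLOGGER_INDICATORS = {
    "user32.dll": 1,
    "GetAsyncKeyState": 3,
    "GetKeyboardState": 3,
    "DllImport": 1,
    "Add-Type": 1,
}
SUSPICIOUS_THRESHOLD = 5  # constructed threshold for this example

# Matches "-EncodedCommand <b64>", "-enc <b64>", "-ec <b64>", "-e <b64>".
ENCODED_CMD_RE = re.compile(r"-e(?:ncodedCommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Matches the quote-plus-quote seam of 'Get' + 'Async' style concatenation.
CONCAT_SEAM_RE = re.compile(r"['\"]\s*\+\s*['\"]")


def decode_encoded_commands(script: str) -> str:
    """Append the decoded body of every -EncodedCommand payload to the script text.
    PowerShell encodes these as base64 over UTF-16LE; undecodable blobs are skipped."""
    expanded = script
    for match in ENCODED_CMD_RE.finditer(script):
        try:
            expanded += "\n" + base64.b64decode(match.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return expanded


def normalize(script: str) -> str:
    """Undo the string-concatenation split so 'GetAsync' + 'KeyState' matches as one token."""
    return CONCAT_SEAM_RE.sub("", decode_encoded_commands(script))


def score_script(script: str) -> dict:
    """Count indicator hits (case-insensitive) and return a small triage verdict."""
    text = normalize(script)
    hits = {}
    for indicator in KEYLOGGER_INDICATORS:
        count = len(re.findall(re.escape(indicator), text, flags=re.IGNORECASE))
        if count:
            hits[indicator] = count
    score = sum(KEYLOGGER_INDICATORS[name] for name in hits)
    return {"score": score, "indicators": hits, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# --- constructed sample inputs (fragments only, not runnable keylogger code) ---
SUSPECT_SCRIPT = '''
$sig = @"
[DllImport("user32.dll")] public static extern short GetAsyncKeyState(int vKey);
[DllImport("user32.dll")] public static extern int GetKeyboardState(byte[] keyState);
"@
Add-Type -MemberDefinition $sig -Name Kbd -Namespace W32
'''

BENIGN_SCRIPT = '''
Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id
Add-Type -AssemblyName System.Windows.Forms
'''

# Same import, split across concatenated string literals.
OBFUSCATED_SCRIPT = '''
$d = 'user' + '32.dll'
$n = 'GetAsync' + 'KeyState'
$sig = '[DllImport("' + $d + '")] public static extern short ' + $n + '(int k);'
Add-Type -MemberDefinition $sig -Name K -Namespace N
'''

# Same import hidden behind -EncodedCommand (base64 over UTF-16LE).
_INNER = '[DllImport("user32.dll")] public static extern int GetKeyboardState(byte[] s)'
ENCODED_SCRIPT = "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode(
    _INNER.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    for name, sample in [("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT),
                         ("obfuscated", OBFUSCATED_SCRIPT), ("encoded", ENCODED_SCRIPT)]:
        print(name, score_script(sample))
```

The benign sample shows why `Add-Type` alone is not enough to flag a script: plenty of legitimate automation loads .NET assemblies. It is the combination with the user32.dll import and the keyboard-state APIs that makes the pattern worth a closer look, and the decoding step matters because in the wild the import is rarely visible in clear text.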
