Keystroke logging: Difference between revisions

Rescuing 2 sources and tagging 0 as dead. #IABot (v1.6.1) (Balon Greyjoy)
Rescuing 1 sources and tagging 0 as dead. #IABot (v1.6.1)
Line 21:
* '''[[Kernel (computing)|Kernel]]-based''': A program on the machine obtains [[Superuser|root access]] to hide itself in the OS and intercepts keystrokes that pass through the kernel. This method is difficult both to write and to combat. Such keyloggers reside at the [[Ring (computer security)|kernel level]], which makes them difficult to detect, especially for user-mode applications that don't have root access. They are frequently implemented as [[rootkit]]s that subvert the operating system kernel to gain unauthorized access to the hardware. This makes them very powerful. A keylogger using this method can act as a keyboard [[device driver]], for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.
* '''API-based''': These keyloggers [[Hooking|hook]] keyboard [[Application programming interface|APIs]] inside a running application. The keylogger registers keystroke events, as if it was a normal piece of the application instead of malware. The keylogger receives an event each time the user presses or releases a key. The keylogger simply records it.
** Windows APIs such as <code>GetAsyncKeyState()</code>, <code>GetForegroundWindow()</code>, etc. are used to poll the state of the keyboard or to subscribe to keyboard events.<ref>{{cite journal|url=http://www.symantec.com/avcenter/reference/the.evolution.of.malicious.irc.bots.pdf|publisher=[[Symantec]]|date=2005-11-26|title=The Evolution of Malicious IRC Bots|accessdate=2011-03-25|pages=23–24}}</ref> A more recent example simply polls the [[BIOS]] for pre-boot authentication [[Personal identification number|PIN]]s that have not been cleared from memory.<ref>{{cite journal|url=http://www.ivizsecurity.com/research/preboot/preboot_whitepaper.pdf|format=PDF|title=Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer (practical low level attacks against x86 pre-boot authentication software)|date=2008-09-03|accessdate=2008-09-23|author=Jonathan Brossard|publisher=[http://www.ivizsecurity.com/ Iviz Technosolutions]}}</ref>
* '''Form grabbing based''': [[Form grabbing]]-based keyloggers log [[Form (web)|web form]] submissions by recording the web browsing on submit events. This happens when the user completes a form and submits it, usually by clicking a button or hitting enter. This type of keylogger records form data before it is passed over the Internet.
* '''Javascript-based:''' A malicious script tag is injected into a targeted web page, and listens for key events such as <code>onKeyUp()</code>. Scripts can be injected via a variety of methods, including [[cross-site scripting]], [[man-in-the-browser]], [[Man-in-the-middle attack|man-in-the-middle]], or a compromise of the remote web site.<ref>{{Cite news|url=https://threatpost.com/web-based-keylogger-used-to-steal-credit-card-data-from-popular-sites/121141/|title=Web-Based Keylogger Used to Steal Credit Card Data from Popular Sites|date=2016-10-06|newspaper=Threatpost {{!}} The first stop for security news|language=en-US|access-date=2017-01-24}}</ref>
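Review bot: in the sub-bullet under the API-based item, the sentence "A more recent example simply polls the [[BIOS]] for pre-boot authentication ..." is filed under "Windows APIs such as ...", but polling the BIOS for pre-boot PINs is not a Windows API technique; it should move to its own sub-bullet so the classification stays accurate. In the last item the colon sits inside the bold markup ('''Javascript-based:''') while the sibling items place it outside ('''API-based''':), and "Javascript" should read "JavaScript". The two references on the Windows APIs line use {{cite journal}} for PDF whitepapers with no journal parameter; {{cite web}} would describe them more accurately.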