Original: Http://www.codeproject.com/Articles/529676/How-to-make-keyloggers-life-difficult
Download Source antikeylogger.zip-16.5 KB Introduction
If you are usually typing a password in a desktop application, it may is that a keylogger spies out your. This is obviously not good. Screen keyboards might is a good solution, but again, there could is a screen captureprogram which watches effortlessly yo ur passwords. Furthermore, screen keyboards are relative unhandily.
The following article presents a relatively simple principle, which prevents the keylogger to write down passwords entered . Basically, the used system is surprisingly easy and can therefore being transferred to other programming/operating /platforms, although under a small limitation. Background
The question Is:how can a program hide keystrokes? Perhaps there are some difficult ways to doing this, but most the this isn't probable. We Create an assumption:entered characters necessarily mean the keylogger sees. And that ' s what we use against the keylogger.
The second question Is:how can a program generate keystrokes? This is normally possible. For example, we use in C # the class SendKeys, which provides methods for sending keystrokes. By the way, there can is the mentioned limitation because a website has to the authorization.
The third question Is:how can we combine these two statements? At every time is the user types a character, the program generates some keytrokes. The keylogger write down all characters both to the user and program know the entire pass Word. Unauthorized third parties you can not they the main decrypt the "only" letter salad and password.
The fourth question Is:is this main system% secure? Surprisingly and unfortunately no. The prinziple has many weak points but, there are also many, solutions to close are these gaps. I advise every developer to the it before they add this concept to their code. Let me explain the vulnerabilities and the solutions:
Creating random keystrokes after every, character allows attackers to reproduce the typed. Therefore the program must create identical keystrokes. Then again the produced keystrokes should the not is identical for all passwords. In summary, we need a algorithm, which produces for every character the always same. In addition to this, the length of the generated keystrokes should vary.
For this, an attacker can create a table with all characters and their hash result either by reverse engineering or by Testing. Using This table, he can decrypt the password relatively easy. To prevent this, the generated keystrokes should depend in a password identity, such as account name, account number, E-ma Il or computer specification. Unfortunately, this is a obstacle, but no blockage for attackers. Using The Code
At the "Create a new component Securetextbox with some properties:collapse | Copy Code
public class Securetextbox:textbox
{
///<summary>
///Gets the typed password.
</summary> public
string Password
{get
;
private set;
}
<summary>
///Sets or gets the password ID.
</summary> public
string ID
{get
;
Set;
}
}
The next is to implement a constructor for initializing important Events:collapse | Copy Code
Public Securetextbox ()
{this
. TextChanged + = new EventHandler (securetextbox_textchanged);
This. KeyDown + = new Keyeventhandler (securetextbox_keydown);
This. KeyUp + + new Keyeventhandler (Securetextbox_keyup);
}
The methods Securetextbox_keydown and securetextbox_keyup should ensure, no key is pressed, Otherwis E characters are inserted incorrectly or even not. The Boolean variable istriggering declares if the user entered a character while it is holding another key. Collapse | Copy Code
private int keyspressed = 0;
private bool istriggering = false;
void Securetextbox_keydown (object sender, KeyEventArgs e)
{
keyspressed++;
}
void Securetextbox_keyup (object sender, KeyEventArgs e)
{
keyspressed--;
if (keyspressed = = 0 & istriggering) this
. Securetextbox_textchanged (null, NULL);
Now consider the random functions. For this example, I used Random combined with a given seed. The "seed is created" from "ID" and "" last entered character from user. Collapse | Copy Code
random _nextsaltlength, _nextsaltchar;
Todo:extend the charcontent with all important characters!
String charcontent = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
private int nextsaltlength (bool CreateNew) {//Todo:replace this code with your own function! if (CreateNew) _nextsaltlength = new Random (ID. GetHashCode ()-password[password.length-1].
GetHashCode ());
Return _nextsaltlength.next (1, 4);
} private String Nextsaltchar (bool CreateNew) {//Todo:replace this code with your own function! if (CreateNew) _nextsaltchar = new Random (ID. GetHashCode () + password[password.length-1].
GetHashCode ()); Return Charcontent[_nextsaltchar.next (Charcontent.length)].
ToString (); }
Finally, we can create the main method which manage the generation of the keystrokes: collapse | Cop Y Code
private int remainingsaltchars = 0;
private int lasttextlength = 0; void Securetextbox_textchanged (object sender, EventArgs e) {if (keyspressed > 0) {istriggering =
True
Return
} istriggering = false; if (Lasttextlength < this. TextLength) {lasttextlength = this.
TextLength; if (Remainingsaltchars > 0) {if (Remainingsaltchars > 1) sendkeys.send (This.
Nextsaltchar (false));
remainingsaltchars--; } else {this. Password = this. Text[this.
TEXTLENGTH-1]; Remainingsaltchars = this.
Nextsaltlength (TRUE); Sendkeys.send (this.
Nextsaltchar (true)); }} else {this.
Resettext ();
lasttextlength = 0; }
}
Here's a short description of the Implementation:if no keys are pressed and the user entered a character in THETEXTB Ox, the char is saved, the quantity of the next generated characters are randomly calculated nd through sendkeys.send (). Now the program was in a complicated loop a