Ghostpress - Free AntiKeylogger

Okay, re whitelist exe.
Okay, I'll re-check KeePass master key dialog (not secure desktop) w sample keylogger.
Edit: wo elevate, caps locks numbers and special characters show, alphanumeric eaten.
caps locks + numbers = [Capital][D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]
shift + numbers = [D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]

 

Sidenote: not even HMP.A can see the keystrokes within Keepass if Ghostpress is running (no keystroke encryption indicator). Ghostpress is correctly eating them.

 

Okay, appears now (my setup) w/wo elevate GP, KeePass master key dialog (not secure desktop), sample keylogger >
caps locks + numbers = [Capital][D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]
shift + numbers = [D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]

I had intermittent no orange keystroke bar, Alert 565 + KeePass (before Ghostpress).

 

I switched to a different keylogger and now i can see keystrokes too, if Ghostpress is not running with admin-rights.
This means, elevating GP is needed for a better protection.

 

> now with Ghostpress and KeePass elevated = sample keylogger appears to eat keystrokes #103.
I'll run KeePass secure desktop so, not a GP deal breaker, albeit a curiosity.
Maybe, sample keylogger anomaly. Over-my-pay-grade. Thanks

Edit: Ghostpress elevated + keystrokes to login fields on sensitive site (Firefox sandbox).
caps locks + numbers = [Capital][D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]
shift + numbers = [D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]

Up/Lo case letters and numbers in Wilders message are eaten (Firefox sandbox).

 

#7313

 

> what are temp files created by Ghostpress http://s13.postimg.org/s48stj67b/screenshot.png
hmplert keyboard logger
alpha renders [E7]
numeric renders [E7]
caps numeric renders [14]1234567890
shift numeric renders [A0]1234567890

 

After looking at the temporary files in the memory (with Processhacker) i see:

Code:

Microsoft.Win32.TaskScheduler.TaskService
powershell.exe
Reflection.Assembly]::LoadFile('{0}');
https://taskscheduler.codeplex.com/

With older versions (Ghostpress.exe: ~400-500 kbyte) there were no temporary files created.
These temporary files can be seen with newer versions (Ghostpress.exe: ~1100 kbyte)

This may be only a helper-program that is executed after the user clicks on "Start with Windows" within Ghostpress (and a task is created).
But the developer definitely know it better.
------
I executed an old version of Ghostpress (0.9.300), closed it and after executing the newest version (1.2.407) all settings were lost

 

@mood
do you see same codes with hmplert keyboard logger as #107

what keylogger

 

Spoiler: Testresults

Keystrokes typed in application: notepad.exe (normal + sandboxed)

Ghostpress elevated, hmpalert logger elevated:
in all cases = [E7]
(protected)

Ghostpress elevated, hmpalert logger not elevated:
in all cases = [E7]
(protected)

Ghostpress not elevated, hmpalert logger elevated:
[0-9] = [0-9]+[E7]
CapsLock/Shift + [0-9] = [0-9]+[E7]
[a-Z]= [a-Z]+[E7]
keystrokes can be seen (with an added [E7]) (not protected)

Ghostpress not elevated, hmpalert logger not elevated:
in all cases = [E7]
(protected)

Sidenote: Zemana Keylogger Simulation Test doesn't see keystrokes even if it's elevated (Ghostpress is not elevated)

Ghostpress elevated = keystrokes are protected
But as soon as the keylogger has more user-rights than Ghostpress, keystrokes can be seen.
(Sandboxed / unsandboxed application = no difference in logged keystrokes)
------
If a malicious addon is installed in the browser, it is able to read all keystrokes.
The Keystroke Encryption of HMP.A / Ghostpress,... they can't prevent it.

I used "Zemana Keylogger Simulation Test"

 

Ahha, << as soon as the keylogger has more user-rights than Ghostpress, keystrokes can be seen. If a malicious addon is installed in the browser, it is able to read all keystrokes.>> Geewhiz........Not as expected .......Thanks!

 

@mood Your test is correct. This is a Windows limitation, since it cannot prevent keylogger using a higher privileged system hook than Ghostpress. This exception does not cover all keyloggers due the method of keyboard data gathering.

@bjm_
That is why we switched to https://taskscheduler.codeplex.com/ if supported. This can skip your UAC dialogue on your Windows start up after allowing once with UAC dialogue. This makes sure it will always run with highest privileges and covers the full protection. Otherwise it will

We added a new language for the upcoming update(Romanian). This will contain an updated help file as well where we describe this behavior in detail.

 

W10 Home, Admin user with UAC off. Does 'Run as admin' elevate Ghostpress..?
Comment re #107 ...?
BTW https://safeweb.norton.com/report/show?url=www.hendrik-schiffer.com = WARNING
http://s13.postimg.org/mwae382ef/screenshot.png
BTW ScreenWings.exe = VT 3/56
update: ScreenWings #1

 

There is a box for process protection in Ghostpress that can be ticked, what does that mean? Exactly!
Anyone knows or where i can find that info. The homesite is a dead end.

 

have you seen Help.
Process protection prevents basic attacks on Ghostpress such as non-administrators closing Ghostpress.
http://www.hendrik-schiffer.com/software/doc/Ghostpress_Help.pdf

 

Isn't it better to put the "Sample keylogger" in a password-protected zip-file to get rid of these warning messages/threat reports?

 

SafeWeb
URL: http: //hendrik-schiffer. com/
Detection ratio: 0 / 68
Analysis date: 2016-10-16

 

That is a good point, so we removed this compiled code.

 

BTW, you didn't respond to this:

https://www.wilderssecurity.com/threads/ghostpress-free-antikeylogger.385972/page-4#post-2623636

 

So, 'Run as admin' Ghostpress...is best practice...?

 

@hsdev You can work with the Windows Task Scheduler to have the software auto-executed at start-up (for example) with administrator privileges (elevated) whilst avoiding any UAC prompt being displayed to the user - however to create the new task you'll require administrator privileges, so it could be done from the software installation (which will be running as admin anyway). This is how most other standard apps bypass the UAC prompt whilst allowing them to become elevated.

You don't need to work with the managed wrapper to do this, you can create the task using even CMD commands (e.g. Run CMD and pass the parameters for the commands to create the task).

 

@Rasheed187
Ghostpress catches every key press and then sends it to the current process. Other processes cannot access this key press information.

@bjm_
Yes. That is why we were using the auto start via Windows tasks, to skip your UAC dialogue and still run it with highest privilegs.

@mWave That is what we already were doing, but there are still some smaller problems to a small range of users.

Anyway we are still working on a huge update with new protection mechanism.

Settings files will work in the future even after updating encryption internals.

 

I'm UAC Off so, I wouldn't know GP was skipping my UAC.
So, rt click 'Run as administrator' does nothing nor is needed....

 

It's the same as with CCleaner.
It can create such a task too (Task: "CCleanerSkipUAC") with the following setting: (CCleaner - Settings, Advanced - "Skip User Account Control warning")
The result is, if you login as administrator and start CCleaner you see no UAC prompt.

 

Okay, IIRC testing GP results varied w/wo Run as administrator. Probably, just my faulty testing.
I'm always administrator user account.
What happens to GP in browser sandbox w Drop rights.