Anti Keylogger Tester V2.0

Discussion in 'other security issues & news' started by LoneWolf, Oct 23, 2007.

Thread Status:
Not open for further replies.
  1. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Cool, thanks for info!:D :thumb:
     
  3. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello LoneWolf,

    Using one of DefenseWall's latest driver builds (not v2.05) against AKLT v2.0, it was able to detect and give me the option to terminate "GetKeyState", "GetAsyncKeyState" and "DirectX" keylogging attempts on the spot and "Screenshot1" and "Screenshot2" were not able to capture anything of consequence. Unfortunately, it was not able to detect the new test ("GetKeyBoardstate").


    Peace & Love,

    CogitoErgoSum
     
  4. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those of you who are interested, Ilya has informed me that DefenseWall v2.06, which is expected to be released late Oct./early Nov., will detect the new test ("GetKeyBoardstate").


    Peace & Love,

    CogitoErgoSum
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Very nice tool. Thanks for it and more thanks to the author.

    GW- passed all keylogging attempts and first screen read, just failed on 2nd screen read. :thumb: :D

    EQS- Failed on GetKeyBoardState. I was expecting it to detect it. :oops:

    Who will test GetKeyBoardState keylogging against these:

    PS, SSM, TF, OA- any users? Thanks

    Thanks

    PS: very nice GUI this time, colorful!:thumb:
     


  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Anyone tried it on Vista? I wonder how the results will be on Vista? Isn't it that the user now runs as limited user by default in Vista? Can anyone please try it on Vista?

    Thanks
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    All of the AKLT's tests work on Vista 64bits, under a restricted account with UAC fully enabled.

    While I'm here, there is an update to AKLT v2.5, with two tests added (global hook) :
    http://www.firewallleaktester.com/news.htm

    Every sensible security software should pass these well known hook tests :)

    Regards,
    gkweb.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks a lot. Very nice utility by you.

    I tried NG, EQS and GW against keylogging tests 1 to 5 (not screen reading).

    EQSecure- all passed except GetKeyBoardState
    NeoavaGuard- failed directX method (Arman has promised to implement its detection) and GetKeyBoardState method. :oops:
    GesWall- all passed :thumb:

    Guys, pls try ur HIPS and share the results and don't forget the screen shots. Thanks
     


    Last edited: Oct 25, 2007
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It doesn't. :D

    See my posts and pics above.
     
  10. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    Here it fails this KL test and the last screen reader test o_O
     


  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am using 2.7 beta. U?
    Let's wait until others test their versions of GW too!

    It fails 2nd screen reading, that's obvious as GW doesn't protect against it. I have written to Brian and according to him it might give rise to some problems with some applications, especially skinned applications, but they will try it as an internal beta and see how it goes. Of course it will take time.
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    2.6 Free here.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So 2.7 has something better to offer. :thumb: I have been using it for a few months.

    But it's a bit raw sometimes.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Just a quick thought, are u trying to type inside AKLT windows? Click outside of its window and then type- what r the results?
     


  15. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello LoneWolf,

    As I see in your screenshot AKLT has the focus, and it tells you that nothing is intercepted. As explained in the link below, you have to give the focus to another window and/or minimize AKLT's window in order to be flagged and seen as a keylogger by your HIPS :
    http://www.firewallleaktester.com/how_to_use_aklt.htm

    Regards,
    gkweb.
     
  16. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Using one of DefenseWall's latest driver builds (not v2.05) against AKLT v2.5, it was able to detect and give me the option to terminate "GetKeyState", "GetAsyncKeyState" and "DirectX" keylogging attempts on the spot and "Screenshot1" and "Screenshot2" were not able to capture anything of consequence. It was not able to detect "GetKeyBoardstate". Lastly, DW was able to silently block both "LowLevel Hook" and "JournalRecord Hook".


    Peace & Love,

    CogitoErgoSum
     
  17. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    Thank you gkweb, yes I was incorrect when testing GeSWall against AKLT.
    GeSWall passes all but the last screenshot read test here. :D


    You are correct also, I was not testing AKLT properly.
    Thank you. :thumb:
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    incroyable aka incredible :eek: :eek: :eek:
     
  19. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Yeah, go Vista. :p

    On my box in one of my FD-ISR snaps:
    PrevX build 112 in "expert" mode identifies the "AKLT.exe" as 'unknown : run, block etc'...

    PrevX then fails 7/8 tests ( one seemed not to work )
    (NAV: no responses to any of the tests)
    (BOClean: no responses)
    I feel queasy...

    :p
    Still, I'm not sure that just manually executing these tests means any app has truly failed?
    I recall KMcA previously stated "tests" would not be detected by BOClean ?
    The .exe has to be dl'd, opened, run itself, then call out: that would be a better test?
    However I would like to see at least Prevx be able to catch a keylogger in action
    :p
    I'm certainly open to being corrected.
     
    Last edited: Oct 25, 2007
  20. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    Comodo Firewall Pro Beta 3.0.9.229

    All tests were successfully blocked.

    Al
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Anyone tried KAV PDMs?
     
  22. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I will try this too.
     
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  24. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello Longboard,

    Keylogging is a behavior, there is point to test AKLT against signature-based software (anti-trojan scanner, antivirus scanner, etc...). AKLT is not a malware, it is a friendly test tool, and should not be flagged as virus by your antivirus. Imagine AKLT as a real malware, for which your signature-based security software does not yet have a signature.

    AKLT is meant to test your behavioral monitoring software, that I call HIPS or dedicated anti-keylogger. For instance System Safety Monitor, KAV's PDM, DefenseWall, OnlineArmor, GesWall, etc... Some of them have keylogger detection features, but not all really detect every keylogging method, as you can see from this thread.

    I hope AKLT will lead to more secure HIPS and more effective keylogger detection :)

    Regards,
    gkweb.
     
  25. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi

    I've just been giving Geswall a spin and am really quite liking it.

    These tests are now giving me a warm fuzzy feeling :D

    My congrats to Firewallleaktester for supplying them :thumb:
     