Ghostpress - Free AntiKeylogger

Discussion in 'other anti-malware software' started by Tyrizian, May 19, 2016.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    Okay, re whitelisting the exe.
    Okay, I'll re-check the KeePass master key dialog (not secure desktop) with the sample keylogger.
    Edit: without elevation, caps lock numbers and special characters show; alphanumeric eaten.
    caps locks + numbers = [Capital][D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]
    shift + numbers = [D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]
     
    Last edited: Oct 11, 2016
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,735
    Sidenote: not even HMP.A can see the keystrokes within Keepass if Ghostpress is running (no keystroke encryption indicator). Ghostpress is correctly eating them.
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    Okay, it appears now (my setup), with/without elevating GP, KeePass master key dialog (not secure desktop), sample keylogger >
    caps locks + numbers = [Capital][D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]
    shift + numbers = [D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]
    I had an intermittent missing orange keystroke bar with Alert 565 + KeePass (before Ghostpress).
     
    Last edited: Oct 11, 2016
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,735
    I switched to a different keylogger and now I can see keystrokes too, if Ghostpress is not running with admin rights.
    This means, elevating GP is needed for a better protection.
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    > now with Ghostpress and KeePass elevated = sample keylogger appears to eat keystrokes #103.
    I'll run KeePass secure desktop, so not a GP deal breaker, albeit a curiosity.
    Maybe a sample keylogger anomaly. Over my pay grade. Thanks.

    Edit: Ghostpress elevated + keystrokes to login fields on sensitive site (Firefox sandbox).
    caps locks + numbers = [Capital][D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]
    shift + numbers = [D1][D2][D3][D4][D5][D6][D7][D8][D9][D0]

    Up/Lo case letters and numbers in Wilders message are eaten (Firefox sandbox).
     
    Last edited: Oct 11, 2016
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    #7313
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    Last edited: Oct 14, 2016
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,735
    :eek:
    After looking at the temporary files in memory (with Process Hacker) I see:
    Code:
    Microsoft.Win32.TaskScheduler.TaskService
    powershell.exe
    Reflection.Assembly]::LoadFile('{0}');
    https://taskscheduler.codeplex.com/
    With older versions (Ghostpress.exe: ~400-500 kbyte) there were no temporary files created.
    These temporary files can be seen with newer versions (Ghostpress.exe: ~1100 kbyte)

    This may be only a helper program that is executed after the user clicks on "Start with Windows" within Ghostpress (and a task is created).
    But the developer definitely knows better.
    ------
    I executed an old version of Ghostpress (0.9.300), closed it and after executing the newest version (1.2.407) all settings were lost o_O
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    @mood
    Do you see the same codes with the hmpalert keyboard logger as in #107?
    Which keylogger?
     
    Last edited: Oct 14, 2016
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,735
    Keystrokes typed in application: notepad.exe (normal + sandboxed)

    Ghostpress elevated, hmpalert logger elevated:
    in all cases = [E7]
    (protected)


    Ghostpress elevated, hmpalert logger not elevated:
    in all cases = [E7]
    (protected)


    Ghostpress not elevated, hmpalert logger elevated:
    [0-9] = [0-9]+[E7]
    CapsLock/Shift + [0-9] = [0-9]+[E7]
    [a-Z]= [a-Z]+[E7]
    keystrokes can be seen (with an added [E7]) (not protected)

    Ghostpress not elevated, hmpalert logger not elevated:
    in all cases = [E7]
    (protected)


    Sidenote: Zemana Keylogger Simulation Test doesn't see keystrokes even if it's elevated (Ghostpress is not elevated)
    Ghostpress elevated = keystrokes are protected
    But as soon as the keylogger has more user rights than Ghostpress, keystrokes can be seen.
    (Sandboxed / unsandboxed application = no difference in logged keystrokes)
    ------
    If a malicious addon is installed in the browser, it is able to read all keystrokes.
    The Keystroke Encryption of HMP.A / Ghostpress,... they can't prevent it.
    I used "Zemana Keylogger Simulation Test"
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    Ahha, << as soon as the keylogger has more user-rights than Ghostpress, keystrokes can be seen. If a malicious addon is installed in the browser, it is able to read all keystrokes.>> Geewhiz........Not as expected :(.......Thanks!
     
    Last edited: Oct 15, 2016
  12. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    @mood Your test is correct. This is a Windows limitation, since it cannot prevent a keylogger using a higher-privileged system hook than Ghostpress. This exception does not cover all keyloggers, due to the method of keyboard data gathering.

    @bjm_
    That is why we switched to https://taskscheduler.codeplex.com/ if supported. This can skip your UAC dialogue on your Windows start up after allowing once with UAC dialogue. This makes sure it will always run with highest privileges and covers the full protection. Otherwise it will

    We added a new language for the upcoming update(Romanian). This will contain an updated help file as well where we describe this behavior in detail.
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    W10 Home, Admin user with UAC off. Does 'Run as admin' elevate Ghostpress..?
    Comment re #107 ...?
    BTW https://safeweb.norton.com/report/show?url=www.hendrik-schiffer.com = WARNING
    http://s13.postimg.org/mwae382ef/screenshot.png
    BTW ScreenWings.exe = VT 3/56
    update: ScreenWings #1
     
    Last edited: Oct 17, 2016
  14. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    786
    Location:
    sweden
    There is a box for process protection in Ghostpress that can be ticked; what does that mean, exactly?
    Does anyone know, or where can I find that info? The home site is a dead end.
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    Have you seen the Help?
    Process protection prevents basic attacks on Ghostpress such as non-administrators closing Ghostpress.
    http://www.hendrik-schiffer.com/software/doc/Ghostpress_Help.pdf
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,735
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    SafeWeb :thumbd:
    URL: http: //hendrik-schiffer. com/
    Detection ratio: 0 / 68
    Analysis date: 2016-10-16
     
  18. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    That is a good point, so we removed this compiled code.
     
    Last edited: Oct 16, 2016
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    So, 'Run as admin' Ghostpress...is best practice...?
     
    Last edited: Oct 18, 2016
  21. mWave

    mWave Guest

    @hsdev You can work with the Windows Task Scheduler to have the software auto-executed at start-up (for example) with administrator privileges (elevated) whilst avoiding any UAC prompt being displayed to the user - however to create the new task you'll require administrator privileges, so it could be done from the software installation (which will be running as admin anyway). This is how most other standard apps bypass the UAC prompt whilst allowing them to become elevated.

    You don't need to work with the managed wrapper to do this, you can create the task using even CMD commands (e.g. Run CMD and pass the parameters for the commands to create the task).
     
    Last edited by a moderator: Oct 30, 2016
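The mechanism hsdev describes in #12 and mWave spells out here (a Scheduled Task with "run with highest privileges" so the program starts elevated at logon without a UAC prompt) looks like this in practice. This is an added example written for this thread, not Ghostpress's own installer code, and the task name and executable path are assumptions; it also includes the audit query a defender would use to find every task on a box that silently launches something at high integrity, since that is the same trick an attacker uses to persist elevated.

```powershell
# Added example, not code from Ghostpress. Registers an at-logon task that runs an
# executable with the highest available privileges, then lists all such tasks.
# ASSUMPTIONS: $TaskName and $ExePath are placeholders chosen for this example.
$TaskName = 'Ghostpress'
$ExePath  = 'C:\Program Files\Ghostpress\Ghostpress.exe'

function Test-IsElevated {
    # True when the current token already holds the Administrators role (an
    # elevated session, or any admin user on a machine with UAC switched off).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = [Security.Principal.WindowsPrincipal]$id
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Register-ElevatedLogonTask {
    param([string]$Name, [string]$Path)
    # Creating a RunLevel=Highest task itself requires an elevated caller,
    # which is why an installer (already running as admin) is the natural place.
    if (-not (Test-IsElevated)) {
        throw 'An elevated session is required to register a RunLevel=Highest task.'
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Executable not found: $Path"
    }
    $user      = "$env:USERDOMAIN\$env:USERNAME"
    $action    = New-ScheduledTaskAction -Execute $Path
    $trigger   = New-ScheduledTaskTrigger -AtLogOn -User $user
    # RunLevel Highest: the task gets the full admin token, so no UAC prompt at logon.
    $principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
}

# The same task from a plain command prompt, as mWave suggests:
#   schtasks /Create /TN "Ghostpress" /TR "\"C:\Program Files\Ghostpress\Ghostpress.exe\"" /SC ONLOGON /RL HIGHEST /F

function Get-HighestRunLevelTasks {
    # Audit side: every task that will run elevated, with the binary it launches.
    # Anything here you did not install yourself deserves a look; this is exactly
    # the mechanism that keeps a program at high integrity without a UAC prompt.
    Get-ScheduledTask | Where-Object { $_.Principal.RunLevel -eq 'Highest' } |
        ForEach-Object {
            [pscustomobject]@{
                Task    = $_.TaskName
                Path    = $_.TaskPath
                User    = $_.Principal.UserId
                Execute = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
            }
        }
}

if (Test-Path -LiteralPath $ExePath) {
    Register-ElevatedLogonTask -Name $TaskName -Path $ExePath
} else {
    Write-Warning "Skipping registration: $ExePath does not exist on this machine."
}
Get-HighestRunLevelTasks | Format-Table -AutoSize
```

Two caveats that follow from mood's test matrix in #10: the task only lifts Ghostpress to the elevated admin token, so a keylogger that runs at the same or a higher level (SYSTEM, or a kernel driver) still sits above it and sees the keystrokes; and a malicious browser add-on reads the text inside the page, where no keystroke hook of any privilege level is involved, so neither this task nor keystroke encryption addresses that case.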
  22. hsdev

    hsdev Developer

    Joined:
    May 20, 2016
    Posts:
    101
    @Rasheed187
    Ghostpress catches every key press and then sends it to the current process. Other processes cannot access this key press information.

    @bjm_
    Yes. That is why we were using the auto start via Windows tasks, to skip your UAC dialogue and still run it with the highest privileges.

    @mWave That is what we were already doing, but there are still some smaller problems for a small range of users.

    Anyway we are still working on a huge update with new protection mechanism.

    Settings files will work in the future even after updating encryption internals.
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    I'm UAC Off so, I wouldn't know GP was skipping my UAC.
    So, rt click 'Run as administrator' does nothing nor is needed....
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,735
    It's the same as with CCleaner.
    It can create such a task too (Task: "CCleanerSkipUAC") with the following setting: (CCleaner - Settings, Advanced - "Skip User Account Control warning")
    The result is, if you login as administrator and start CCleaner you see no UAC prompt.
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    Okay, IIRC testing GP results varied w/wo Run as administrator. Probably, just my faulty testing.
    I'm always administrator user account.
    What happens to GP in a browser sandbox with Drop rights?
     