Centrum elektronickeho obchodovania na SLOVENSKU

KeyLogger - HARDVER - popis

The PC keyboard protocol The background

If you were to cut a PC keyboard cable through, you would probably find 6 wires within. Only 4 of these are meaningful. Two of these are power lines : ground (GND) and +5 volt from the computer power supply (Vcc). The other two wires are synchronous transmission lines: the data line (DATA) and the clock line (CLK). You can see how these lines correspond to DIN (a) and PS/2 (b) connector pins on the figure to the right. Transmission is bi-directional, however the keyboard is superior. The keyboard sends information about keys which have been pressed and released. The data chunk consists of only one byte, preceded with a starting bit, and followed by a parity and stop bit. The keyboard puts successive bits on the DATA line, and clocks them with negative impulses on the CLK line. Clock frequency is 10...30kHz. This would be a very nice serial protocol if it wasn't for the computer, which occasionally wants to send information to the keyboard. In such cases, the PC pulls the CLK line low for some time and waits for the keyboard to start generating impulses. When these impulses start, it clocks it's own character in on the DATA line. You can see state diagrams of keyboard to host (a) and host to keyboard (b) transmission on the figure below. This protocol has of course a few exceptions, like interrupting a transmission, character repeat etc. However, these are very rare cases.

Data

So what is actually transmitted through the keyboard lines? On startup both the keyboard and the computer send initialization data, informing that they are OK. When the computer is running normally, only the keyboard sends data. This is data about every event that took place. An event is considered a key being pressed or released. If a standard key is pressed, its so called "scancode" is sent. Every key has exactly one scancode, creating a map of scancodes. If a key is released, first the special byte 240 is sent (0xf0 in hex), then the keys scancode is sent. So a standard keystroke causes 3 characters to be sent down the line. If a key is held down for some time, it's scancode will be generated constantly with the set repetition delay. When it's finally released, the 240 character will be sent, followed by the scancode.
This would still be a nice protocol if it wasn't for some special keys present on the standard PC keyboard, like Home, End, the arrows and so on. I really don't know, why the designers of this protocol did it this way. Over 250 characters can be generated using one byte, and the keyboard has slightly over 100 keys. This leaves plenty of "free" characters to use for additional keys. So what is the sense of introducing special keys? Whoever created this system must have had a bad day. Nevertheless, when a special key is pressed, the byte 224 (0xe0 in hex) is generated, then goes the scancode. When a special key is released, the sequence 224, 240 is fired (0xe0, 0xf0), followed by the scancode. All special keys are drawn on the map of scancodes with their 0xe0 characters beside them. OK, so this might still be easy. But there are also two super-special keys, Print Screen and Pause, which cause a whole bunch of data to be transmitted. For a keyboard interfacer, it's best to pretend these keys do not exist.

Logging

So how do the keyboard loggers work? Actually it's quite simple. A small microcontroller monitors the DATA and CLK lines all the time, acquiring all data. For the KeyLogger Pro in enhanced mode, data is logged to non-volatile EEPROM memory as it goes down the line. Thanks to this, the user can later find out about every event on the keyboard. This helps reconstructing the sequence in which a combination of keys was pressed and released. The standard KeyLogger does some interpretation of data going to the computer. The KeyLogger logs only key-presses for normal characters, and a few special characters, like Shift, Delete etc. This is to save memory and download time, as a lot of data is redundant.
When the user decides recording is over and types in the special password, the keyboard logger switches to playback mode. The keyboard gets switched off and the logger starts simulating key strokes from internal memory. The KeeLog Downloader application has to be active, to process the flow of data from the logger. Normal keys are simulated as they were written in memory, and special keys are transmitted using a two-byte hex code.

DIY hardware keylogger

We present the prototype version of the KeyLogger with full documentation, electrical schematics, and program. Operation of this device is similar to the KeyLogger Pro version, although download is initiated by a special button. Also the DIY keylogger version logs all data on the PS/2 keyboard line, so memory isn't used as efficiently as in the commercial version. Nevertheless, this is a 100% operational and checked hardware keyboard logger. We provide a special software application with full source code for analysis of the memorized data. You may use data here provided as you wish, although we do not take any responsibility for the way you use this keylogger device.

What you need

Before you start, go down this list and see if you have all the basic stuff needed to do this project on your own:

a little bit of experience in electronics
a soldering iron
a microcontroller programmer supporting the Atmel 89C20XX family

The biggest problem will probably be the programmer. This will be needed only once, to program the AT89C2051 chip. Therefore you can ask someone who does have this type of programmer to program your chip. Once you are ready, buy the following components from your electronics dealer:

an Atmel AT89C2051 microcontroller (AT89C1051 or AT89C4051 will do as well)
a 24C512 serial EEPROM chip
a 12MHz crystal (as small as possible)
two 33pF capacitors
one 10uF capacitor (as small as possible)
one 10kiloohm resistor
a small push-button

Put it togethe

rThe first thing to do is program the microcontroller. Start your programmer software, pick the AT89C2051, and burn the flash with the binary file or the hex version (make sure your browser downloads these files in binary mode!). You can also compile the program on your own using the source code and a 8051 compiler.
Now comes the soldering. This is probably the most difficult part in the whole project, as the keyboard logger should be made as small as possible. The electrical schematics below shows how connections should be made between components.

Solder the components together starting from the microcontroller and the EEPROM. Unused pins can be removed. Make sure the push button is accessible. When mounting the 10uF capacitor, make sure it is biased correctly (minus should be connected to pin 1).

Now it is time to solder the PS/2 connectors. A good idea is to cut the PS/2 extension cable into two pieces and solder each part separately. Make sure you put the heat shrink tubing on one part of the cable. Be sure to connect all four used PS/2 pins (CLK, DATA, VCC, and GND) on both plugs (at the keyboard and at the computer). Before pulling the thermal tubing on, a good idea is to let some glue or resin in between the components, to make the device more rigid. Finally pull the thermal tubing on, heat it until it wraps around the soldered components, and cut a small hole out so the button is accessible.

Recording mode

The keyboard logger starts recording key-strokes once plugged between the keyboard and the computer. Only PC keyboards of PS/2 standard are supported. The logger is completely transparent for computer operation and cannot be detected by software in recording mode. All data sent by the keyboard will be logged in internal non-volatile EEPROM memory (up to 65536 bytes). Recording mode is completely independent from the operating system installed on the computer.

Find the PS/2 connector at the computer. Disconnect the keyboard. Connect the keyboard logger in place of the keyboard. Connect the keyboard to the logger. On computer power-up data will start being recorded.

Playback mode

Once data has been recorded into the keyboard logger, it can be retrieved to a PC running Windows 9X/Me/XP/2000. The keyboard logger does this by simulating the keyboard. The transmitted characters are acquired by a special application called KeyGrab. You can download this application in the download section at the end of this page. Once data has been transmitted to the computer, it can be processed by software and analyzed. Follow the instructions for initiating data download.

Run the KeyGrab application. Connect the keyboard logger instead of the keyboard. Do not connect the keyboard! Click on the KeyGrab title bar to make it the active application. Press the button on the keyboard logger to initiate data download. During transmission do not do anything with the computer! You can press the button again to finish the transmission. Do this when the desired data has been downloaded to the computer. Plug your keyboard back in.

Data analysis

When data when been downloaded into the KeyGrab main table, it has been preprocessed automatically to show what keys have been pressed during recording. As you have probably noticed, data was transmitted in descending order. This is to show keys pressed recently first. Keystrokes that occurred a long time ago are transmitted later. You can analyze the table on your own, or you can use some of the program options to search for some particular strings.

The position in the keyboard loggers memory used by a keyboard event (hex form).

The key pressed or released - the thing that interests us the most.
The event that took place - a key press or release.
The character that the keyboard generated.
The last memory position that was written during recording.
The memory size in kilobits (hex form).

The only column that is of any interest to the user is Key and Action. These columns code what keys have been pressed and released. You can scroll the bar to see the history of key-strokes during recording. You have to remember that the data is retransmitted in reverse chronological order, so to get the keys pressed a long time ago, you have to let the transmission last a while (up to 20 minutes). See the next section for some details about the keyboard logger operation.

Download
This version has a special data download and analysis application for Windows 9X/ME/2000/XP called KeyGrab:

KeyGrab.zip (664kB)

The full source code for the AT89C2051 microcontroller is available:

diy.asm

The precompiled AT89C2051 program is also available (be sure to download these in binary mode!):
binary file
hex version

Things you should know

We encourage you to read this section to avoid problems that might occur using the keyboard recorder.

The laws

Countries have different laws about logging keyboard data. Not knowing the law does not allow you not to obey it. Please read the our user agreement.
We do not take any responsibility for any damage caused by the use of this device.
Use the keyboard logger only when necessary. Discovering a device like this will not do you any good.
When installing the logger, make sure you didn't disrupt computer operation. Test the computer after installation.

Memory

The keyboard logger has 64kbytes of non-volatile EEPROM memory. When this memory is full, writing will start over again from the first memory location. The oldest data will be lost.
On power-up writing starts from the last used memory location. The first 80 bytes of memory are reserved for this purpose. The last write address is updated approximately every 10 seconds.
Do not leave the logger connected in record mode when unnecessary. This will use memory and cause old, sometimes important, data to be overwritten.

Data transmission

For data transmission you will need at least a 100MHz Pentium class computer with Windows 9X/Me/XP/2000 installed.
The keyboard logger transmits data back to the computer simulating the keyboard. The real keyboard has to be disconnected during transmission (otherwise the computer will hang).
The active application must be KeyGrab (otherwise Windows will start interpreting the simulated keystrokes).
Data is transmitted in reverse chronological order. This is to provide recent data first. You have to wait a while to get very old keyboard data. The whole transmission process can last up to 20 minutes.
You have to end the transmission manually by pressing the button on the logger again. Do this when the data starts getting duplicated.

The PC keyboard protocol

The PC keyboard is a bit more complicated than you might think. You can notice this analyzing raw data logged by the device. The PC keyboard generates one character each time a key is pressed. When the key is released, the character is generated again with a preceding F0 character. There are also extended keys using the E0 character. You can read about this in the short PC keyboard documentation.
Although the keyboard logger has 64kbytes of memory, this doesn't mean 64 thousand keystrokes can be memorized. One key-press-release sequence requires 3 bytes for a standard key and 5 bytes for an extended key. Logging has been improved in the commercial versions.

Software

Read the help file in the KeyGrab application for instructions on using special features. You will need an WWW browser for this.

Špión počítačovej klávesnice What is it ?

The KeyLogger is a hardware keyboard recorder capable of memorizing over
260 000 keys pressed on a PC keyboard. KeyLogger is in fact a small electronic device plugged in between a standard PS/2 type keyboard and a Personal Computer. It's main function is to log all keys pressed on the keyboard to internal non-volatile memory. Stored data can be later recalled and analyzed by special software on any other computer.

	Where do you use it? The KeyLogger has a few basic applications: children monitoring employee monitoring data intercepting data backuping Features small and discrete completely undetectable for software transparent for computer operation over 260 000 character memory capacity (256kB version) independent from operating system in recording mode special KeeLog software for data retrieve and analysis national keyboard layout support data retention without power for over 100 years Requirements record mode - a PC class computer with a PS/2 keyboard playback mode - Pentium class PC with Windows 9X/ME/XP/2000



	Record mode - quick install Installing the hardware keylogger in record mode is fairly simple - just plug it in between the keyboard and the PS/2 connector on the PC rear panel. On power-up the keylogger will start recording all data typed on the keyboard. Previous data will not be overwritten because recording will continue from the last used memory location. 1. Find the PS/2 connector at the computer rear panel. 2. Disconnect the keyboard. 3. Connect the keyboard logger in place of the keyboard. 4. Connect the keyboard to the logger. On computer power-up data will start being recorded. You can find more details about installing the KeyLogger in record mode in the section Install Guide.


	Playback mode Once data has been acquired in record mode, you can transmit it to any other computer running Windows 9X/ME/XP/2000. Install the provided KeeLog Downloader 3.0 or KeeLog Downloader Lite application first. You may obtain these applications for trial purposes in the download section. The keyboard logger should be connected in the same way as in record mode. Typing in a special password provided with the keyboard logger will initiate data transmission to the computer. Do not disturb the computer while transmitting. Connect the keyboard logger in the same as in record mode on any computer running Windows 9X/ME/XP/2000.
	Run the one of the provided applications: KeeLog Downloader Lite (for quick and easy, text-based playback) or the KeeLog Downloader 3.0 (table and text analysis features).
	Type in the password supplied with the device and press Enter. Data download from the keyboard logger will occur automatically. Transmission can be stopped at any time by pressing a key.
	Data can now be analyzed. You can use the applications automatic search options and save the log file.


	Quick data analysis Data transmission from the keyboard logger to the computer can take up to 20 minutes. However, you don't have to wait this long, as download can be finished at any time by pressing any key. This is usually the case, as the most recent data (usually the most interesting data too) is transmitted first. The longer you wait during transmission, the older the retrieved memory locations will be. When download is finished, you will be able to see raw data in the KeeLog Downloader main table. This table will contain single character text data and special keys pressed during recording. The data may be analyzed manually by scrolling the table. However, an easier way for analyzing captured data is to view it in text mode (Tools->View as Text). This will show all typed and downloaded data as text, discarding special keys. You can save this data to a text file in form of a table or in text form with File->Save as Table... and File->Save as Text... Another useful option is phrase search (Search->Find text...). This option will scan through downloaded data discarding special characters. This option is often used to quickly find out if any 'forbidden' phrases were entered in record mode. KeeLog Downloader also allows to quickly move through the downloaded data. This includes jumping to the first and last memory location, and the first and last downloaded character. Use the options in the search menu (Search->Jump to...). For more detailed information, see the software section Hardware installation - KeyLogger, KeyLogger Pro, KeeVirus Installing the KeyLoggers and KeeVirus is fairly simple - just plug the device in between the keyboard and the PS/2 connector. On power-up the device will self-activate. 1. Find the PS/2 connector at the computer rear panel. 2. Disconnect the keyboard. 3. Connect the KeyLogger, KeyLogger Pro, or KeeVirus in place of the keyboard. 4. Connect the keyboard to the KeyLogger, KeyLogger Pro, or KeeVirus. On computer power-up the device will self-activate. You can find more details about installing and using these devices in the User Guides, available in the download section.

Dodávatel

Programy na editáciu a čítanie záznamov sa nachádzajú:
Verzia P R O F I
Verzia L I T E

Ak zadáte správne heslo (vsnlpbtj, gxnfrpds ...) do kolónky daného programu ( alebo aj napr. STAR/spustit, alebo v aplikacii word) a stlačíte ENTER začnú sa postupne vypisovať špeciálne znaky, ak sú nečitateľné použite funkciu na dekódovanie ( pre ver. PRO.)
POZOR kopírovanie – výpis údajov môže trvať aj 3 minúty. Po danú dobu sa nesnažte nič robiť z PC, lebo sa údaje z logu budú vypisovať jednoducho tam kde je kurzor, alebo do neznáma. Ukončenie výpisu zistite že v programe sa prestal pohybovať ukazovateľ zaplnenia v kB, alebo sa už nevypisujú znaky do koloniek.

• Schéma + protokol
• Software

- Konkurencia I

- Konkurencia II

Programy na editáciu a čítanie záznamov sa nachádzajú:
Verzia P R O F I
Verzia L I T E

Ak zadáte správne heslo do kolónky daného programu ( alebo aj napr. STAR/spustit, alebo v aplikacii word) a stlačíte ENTER začnú sa postupne vypisovať špeciálne znaky, ak sú nečitateľné použite funkciu na dekódovanie ( pre ver. PRO.)
POZOR kopírovanie – výpis údajov môže trvať aj 3 minúty. Po danú dobu sa nesnažte nič robiť z PC, lebo sa údaje z logu budú vypisovať jednoducho tam kde je kurzor, alebo do neznáma. Ukončenie výpisu zistite že v programe sa prestal pohybovať ukazovateľ zaplnenia v kB, alebo sa už nevypisujú znaky do koloniek.

Frequently Asked Questions (F.A.Q.)

Can I retrieve logged data on a different computer than it was recorded? :Of course! This is the whole sense of it.

Do you give personal data of previous clients?: No. We do not even keep track of our clients after sending the product.

KeeLog Downloader 3.0 or KeeLog Downloader Lite?: Depends on you. You can install both applications and use the one you like more. See the software section.

Why is data downloaded backwards in the KeyLoggers?: This is because the most interesting data is usually the most recent data. The keyboard loggers start the download from the current memory location and proceed in reverse chronological order. Thanks to this, recent data is transmitted first. When the interesting things have been transmitted, you don't have to wait for the download to finish. Press any key to stop the transmission.

Why shouldn't I change the active application during data transmission from the KeyLogger?: This applies only to the KeyLogger, KeyLogger Pro, and Modules. If you change the active application during data download, the new active application or Windows will start interpreting the data flow from the KeyLogger. This usually leads to a system hang, as applications other than KeeLog Downloader are not programmed to take large amounts of data through the keyboard line.

Can you connect and disconnect the keylogger when power is up?: For PS2 keyloggers theoretically not (however we haven't heard about any damage so far). For the USB keylogger it's OK to hot-plug the keyboard and logger.

What happens when the keylogger's memory is full? : The PS2 keylogger's memory works in a 'circular' way, it will start filling up from the first memory location. This means the oldest data will be lost. The USB keylogger has a flash disk with huge memory capacity (years worth of typing). If it eventually fills up, the user has to delete or crop the log file manually.

Sponzorované miesto pre neziskovú organizáciu
Budte prvý, a doprajte si sen "web reklami" na prestýžnej dómene
www.market.sk

Reklama v časopise marketSK

Inzerujte v novinach ktoré zdarma dostavajú Vśetky velké firmy na Slovensku.

Ponuka

Ponuka do vypredania slov !!! Máte záujem o doménu III rádu www.firma.market.sk ???

Nedajte sa predbehnúť ! Nutné zaslanie kópie živno-listu a doména zhodná z Vašou firmou je Vaša.

Píšte na mail@market.sk

www.Mercury.Market.sk
www.tessco.Market.sk
www.nieco.Market.sk

alebo preferovane:

www.Super.Market.sk
www.Shop.Market.sk
www.Wan.Market.sk
www.Art.Market.sk
www.Drogeria.Market.sk