This project, developed within the scope of a Cyber Security internship and it is a group project, serves as a proof-of-concept (PoC) for endpoint surveillance malware. While popularly known as a "keylogger," the technical classification is Keystroke Logging Spyware.

The primary objective extends beyond simple data capture; it aims to dissect the lifecycle of an attack vector. By engineering a functional keylogger, we analyze how malicious actors interact with the Operating System (OS) Application Programming Interfaces (APIs), specifically focusing on how input events are intercepted before they reach the intended application.

My Contribution: Forensic Documentation: Generated the "Output" repository by capturing execution logs and taking screenshots of registry changes to demonstrate the artifacts left behind by the malware.

Report Synthesis: Led the compilation of the final project report, integrating technical code explanations with theoretical security concepts to create a cohesive document.

Bug Fixing: Identified and resolved critical issues during the testing phase, such as character encoding errors (handling special characters and capitalization) in the log output.

Key Research Questions:

• How does malware achieve persistence (surviving reboots)?
• How can user-mode applications hook into system-level input streams?
• What is the "time-to-detection" for signature-based antivirus solutions against custom-written loggers?

The C++ implementation in this project likely relies on specific Windows API mechanisms. Understanding these is crucial for the security impact study.

Most user-mode keyloggers utilize a technique called API Hooking.

• The Chain: The OS maintains a "hook chain" for system events (mouse clicks, keystrokes).
• The Interception: The malware injects a hook procedure into this chain. When a user presses a key, the OS passes the message to the malware before (or simultaneously with) the active window.
• The Translation: The raw virtual key codes are captured and translated into human-readable ASCII/Unicode characters based on the system locale.

A critical part of the analysis involves how the software hides itself.

• Process Masquerading: Renaming the executable to resemble system processes (e.g., svchost-service.exe or update_helper.exe).
• Registry Manipulation: Modifying the Windows Registry (Run keys) to ensure the malware launches automatically when the user logs in.
• Window Hiding: Programmatically hiding the console window so the process runs strictly in the background.

The study analyzes how captured data is handled, which determines the severity of the privacy breach.

• Local Logging: Keystrokes are buffered in memory and flushed to a hidden text or encrypted file on the local disk.
• Log Formatting: Sophisticated loggers categorize input by the "Active Window Title." (e.g., Identifying that "Password123" was typed into "Chrome - Facebook Login" vs. "Notepad").
• Transmission Vectors: The project analyzes how attackers extract this data, such as:
• SMTP: Sending logs via automated emails.
• FTP/HTTP: Uploading logs to a remote Command & Control (C2) server.

This section details the catastrophic potential of a successful keylogger infection.

Keyloggers bypass complex passwords. Even if a password is 50 characters long and hashed in the database, the keylogger captures it in plaintext as it is typed.

• Impact: Unauthorized access to email, social media, and enterprise VPNs.

Banking Trojans often include keylogging modules.

• Impact: Capturing credit card numbers, CVV codes, and banking PINs immediately leads to financial theft.

• Impact: Capturing intellectual property, internal memos, and proprietary code as it is written by employees.

As this is a security study, outlining defenses is mandatory.

• Signature-based: Traditional AV looks for known file hashes. Custom C++ keyloggers (like this project) often bypass this because their hash is unique.
• Heuristic/Behavioral: Modern EDR (Endpoint Detection and Response) looks for behavior, such as a program trying to set a global hook (SetWindowsHookEx) or writing to the System32 folder.

• Virtual Keyboards: On-screen keyboards can sometimes bypass hardware or hook-based loggers (though screen scrapers can defeat this).
• MFA (Multi-Factor Authentication): This is the strongest defense. Even if the keylogger captures the password, the attacker cannot replicate the Time-based One-Time Password (TOTP) or biometric prompt.
• Network Monitoring: Inspecting outbound traffic for suspicious encrypted packets leaving the network (exfiltration).

Warning: The creation, distribution, and usage of keyloggers are governed by strict legal frameworks.

Installing monitoring software on a device without the owner's explicit knowledge and consent is a violation of privacy. In a corporate environment, this must be covered by employment contracts and Acceptable Use Policies.

• USA: Computer Fraud and Abuse Act (CFAA) - Unauthorized access or interception of communications is a federal crime.
• India: Information Technology Act, 2000 (Section 66) - Hacking and data theft are punishable offenses.
• Europe: GDPR - Secretly recording user behavior violates data processing rights and rights to privacy.

This source code is strictly for White Hat (Ethical) Research. It is intended to help security professionals recognize the artifacts created by such malware (e.g., specific DLL injections, registry changes) to improve forensic analysis and incident response.

⚠️ Ethical Disclaimer