Statement: In consideration of all possible negative effects this software will bring, this software is developed only for academic usage. Any malicious usage of this software is forbidden and unrelated to the author.
Keylogger is consisted with an application and a server. The application listens events on keyboard and changes of clipboard, then send them to the target server.
The keylogger application is programmed to record keyboard events, clipboard, and the current running process title. When there is no operation in the recent 10 seconds, it will serialise to JSON and send to the keylogger server via TCP. Every time the application runs, it checks, copies and registers autostart.
The application is suggested to be compiled to executable files then run. Make sure Go and GCC has been installed in your device.
Execute go build -ldflags "-H windowsgui" -o keylogger.exe. The ldflags of -H windowsgui hides the command line
window when the application is running. Then double-click the generated keylogger.exe file to run it. In the view of
users, it looks like nothing has happened, but in the Desktop Window Manager, a process named keylogger.exe will be in
the list.
To compile the keylogger application, other support libraries are required to be installed.
- GCC for compiling.
xcb,xkb,libxkbcommonfor listening keyboard events.xsel,xclipfor listening clipboards.
To install them using apt:
# Update sudo apt update # gcc sudo apt install gcc libc6-dev # x11 sudo apt install libx11-dev xorg-dev libxtst-dev # Hook sudo apt install xcb libxcb-xkb-dev x11-xkb-utils libx11-xcb-dev libxkbcommon-x11-dev libxkbcommon-dev # Clipboard sudo apt install xsel xcli
When all the necessary libraries are installed, execute go build -o keylogger to compile and sudo ./keylogger to run
the application. sudo is necessary here because the directories of /usr/local/bin/ and /usr/lib/systemd/system/
requires root privileges to modify.
So far, the application cannot run silently in the background or as a daemon process. And the service cannot start ( result by core-dump).
After running the Keylogger application, it will copy the file to the current user directory and set up autostart. Thus, even though the compiled application has been deleted, it still exists in other places.
- Go to the current user directory, e.g.,
C:\Users\CurrentUserName\, show all the hidden files. Delete the hidden file namedkeylogger.exe. - Press
WindowsandRkeys at the same time, then typeregeditto open the Registry Editor. - Go to the
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Rundirectory. - Delete the key-value pair named
keylogger.
- Delete
/usr/local/bin/.keyloggerby executingsudo rm /usr/local/bin/.keylogger. It deletes the binary copy in the system. - Delete
/usr/lib/systemd/system/keylogger.serviceby executingsudo rm /usr/lib/systemd/system/keylogger.service. This step removes keylogger service from the system.
The server is programmed to receive key event logs via TCP. It initialises a TCP listener which binds port 8722, then
continuously wait for the logs. Every time the server received logs, it will unmarshal the JSON data and try to update
log files. The server uses .log text file or SQLite database to record logs. In the current stage, the server will not
write the KeyLog.Title field data to texts.
Execute go build to compile the server. Using go run server.go to run is also acceptable. The following arguments
are available:
-db: Use SQLite database to store logs.-both: Use both SQLite database and.logtext file to store logs.- No extra argument or other arguments will use
.logtext file to store logs.
- Windows (passed test on Windows 10 and 11)
- Linux (passed partial functions on Ubuntu 20.4)
- Darwin (have not tested)