Keylogger

Posted on 08/02/2025

Word count: 600

Project Repository

To better understand how malware is constructed and distributed, I've developed my own piece of rudimentary malware: a simple keylogger written in Python. Deploy and run this script on a target machine to capture a user's keystrokes!

This script utilises Python's keyboard library to detect keystrokes. Once a key is pressed, the event triggers a function that creates a log file and writes the keypress to it. The script continues until either the specified timer runs out or the exit key (#) is pressed.

Most of the heavy lifting is done by the keyboard library, with its on_press() function being able to capture each keystroke. The wait() function is then used to prevent the script from exiting once the user has interacted with the keyboard, allowing it to capture subsequent keystrokes. In its simplest form, the entire keylogger can be written in just a handful of lines:

import keyboard

file = open("output.txt", "w")  # create/truncate the log file and keep the handle open

def press_key(event):
    file.write(event.name)  # event.name is the key's name, e.g. "a" or "space"
    file.flush()            # push each keystroke to disk rather than leaving it buffered

keyboard.on_press(press_key)
keyboard.wait()  # block so the hook keeps running

Before running the script, users have the option to pass specific flags on the command line. In total there are five options: help, format, timer, encrypt, and decrypt.

The -h flag displays a help menu with a short description of the script and a breakdown of all the flags that can be used.

The formatting of the log file can be changed with -f. If this flag is present, each keystroke is written to a new line; otherwise everything is written onto the same line.

A timer can be set for the keylogger with the -t flag by providing an integer, which is used as the number of seconds the script will run for.

Users are able to encrypt the contents of the log file with the -e flag by providing a string, which is used as the encryption key. Encryption is triggered once the last keystroke has been captured, signified by either the provided timer running out or the exit key being pressed.

Equally, users can use the -d flag to decrypt the contents of the log file, but only if they provide the same key that was used to encrypt it.

The log file is named ".process.log" in an attempt to mask it as a generic system file that wouldn't be flagged as anything out of the ordinary. The file is also hidden from the file explorer view to further reduce the possibility of it being discovered by the targeted user.

Improvements

An obvious improvement to this project is to configure continuous encryption of the log file, rather than encrypting it towards the end of the script once the timer has stopped or the exit key is pressed. This would better conceal the captured keystrokes, protecting them against being intercepted or read prematurely. Currently, when the script is run with encryption mode on but is then stopped in an unexpected way (e.g. a forced interruption), the captured keystrokes are still recorded but are not encrypted, since the script exited before the encryption function could be reached.

Although the log file is hidden, disguised as a generic system file, and can be encrypted, its location hasn't been optimised. At the moment, it is created within the same directory that houses the keylogger script. An improvement to further conceal it would be to place it in a non-obvious, deeper directory that is closer to root yet can still be modified without higher than standard user privileges.

Here are some examples of locations the log file could be written to that a standard user is able to write to:

Windows - C:\ProgramData

Linux - /usr/share

Mac - /var/tmp
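From the defender's side, the details above (a hidden file named .process.log, written as plaintext until the script finishes, and the candidate drop directories) are enough to build a simple hunt. The following is an added example, not part of the project's own code: it walks the listed directories (plus any roots you pass), flags hidden files with that name, and scores their contents by counting the special-key names the keyboard library emits (assumed token list), which a plaintext keystroke log will contain between ordinary characters.

```python
import os
import stat
import tempfile
from pathlib import Path

# Drop locations named in the post; non-existent roots are skipped at scan time.
DEFAULT_ROOTS = [r"C:\ProgramData", "/usr/share", "/var/tmp"]

# Names the keyboard library uses for non-printable keys (assumed list). A plaintext
# log built from event.name contains these tokens between ordinary characters.
KEY_TOKENS = ("space", "enter", "backspace", "shift", "ctrl", "tab")

def is_hidden(path: Path) -> bool:
    """Leading-dot name (POSIX convention) or the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))

def keystroke_token_count(text: str) -> int:
    """Count special-key names; a high count suggests an unencrypted keystroke log."""
    return sum(text.count(tok) for tok in KEY_TOKENS)

def find_suspect_logs(roots, name=".process.log", max_depth=3):
    """Walk each root to max_depth; return (path, size, token_count) for hidden files matching name."""
    hits = []
    for root in roots:
        base = Path(root)
        if not base.is_dir():
            continue
        for dirpath, dirnames, filenames in os.walk(base):
            if len(Path(dirpath).relative_to(base).parts) >= max_depth:
                dirnames[:] = []  # stop descending past max_depth
            for fn in filenames:
                p = Path(dirpath) / fn
                if fn == name and is_hidden(p):
                    try:
                        text = p.read_text(errors="replace")
                    except OSError:
                        text = ""
                    hits.append((str(p), p.stat().st_size, keystroke_token_count(text)))
    return hits

def demo():
    """Constructed sample: a hidden plaintext log in a temp dir, then a scan of that dir."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "sub" / ".process.log"
        log.parent.mkdir()
        log.write_text("hellospaceworldenterpasswordshiftenter")  # constructed content
        return find_suspect_logs([tmp])
```

Run find_suspect_logs(DEFAULT_ROOTS + [str(Path.home())]) on a real host to scan the directories the post names; a hit with a non-zero token count is worth opening by hand.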