Keylog and KeylogRead

Start or Read from Keylogger

Amnesiac provides keylogger functionality that allows you to capture keystrokes on a target system.

While this feature can be valuable for certain purposes, it comes with important considerations and limitations that you should be aware of.

Effective Keylogging

The effectiveness of the keylogger heavily depends on the parent process from which it is initiated. This concept is rooted in how keyloggers operate and interact with the target system. When you launch the keylogger, it essentially becomes a sub-process of the parent process you choose. This means that the keylogger inherits certain characteristics and permissions from its parent.

Now, consider the primary function of a keylogger: to capture and log keystrokes. To do this successfully, it needs to be associated with a parent process that has the capability to intercept and record user keystrokes, such as the "explorer" process. The "explorer" process, being an integral part of the Windows user interface, actively interacts with user inputs, including keyboard inputs.

Conversely, if you were to initiate the keylogger from a parent process that does not inherently handle user keystrokes, the keylogger may not receive any keyboard input to log. In such cases, no keystrokes would be recorded, rendering the keylogging operation ineffective.

In essence, selecting the right parent process is akin to ensuring that the keylogger is positioned in an environment where it can successfully intercept and log the target's keystrokes.

No Built-in Keylogger Termination

Amnesiac's keylogger does not include a built-in command to terminate or stop the keylogger process once it's running. Once initiated, the keylogger continues to capture keystrokes until its process is manually terminated or the session it runs in ends (see Self-Termination Mechanism below).

Manual Termination Required

To stop the keylogger, you must manually terminate the process associated with it. Amnesiac provides you with the Process ID (PID) of the keylogger process when it's started. You can use this PID to kill the process using the provided command.

Keystrokes Saved to Disk

The keylogger saves the captured keystrokes to a file on the target system's disk. The file is not removed when you kill the keylogger process yourself, so you will need to take additional steps to remove it manually if desired.

Self-Termination Mechanism

Amnesiac includes a security feature that ensures the keylogger process is terminated in certain scenarios. Specifically, if you terminate the session where the keylogger is running, the keylogger will also terminate itself. This self-termination feature helps prevent unintentional keylogging and ensures that the captured keystrokes are deleted from the disk when the associated session ends.

However, it's important to note that when you manually terminate the keylogger process, the associated keystroke file on the target system's disk will not be automatically deleted.
