Asp Forum - Can Ruby be a keylogger on Win/Mac?

Jay Levitt

12/29/2007 8:24:00 PM

I know the subject's vague; that's because I don't know what I'm talking
about.

Is it possible to write an Ruby program that will intercept keystrokes on
Windows XP? I'm on Windows at the moment, but I'm switching to Mac soon.
(Then again, I'm not sure if a Mac keylogger would be low-level enough to
get keystrokes destined for a Parallels virtual machine running Windows, so
both may be important.)

No, I'm not doing anything nefarious. In fact, here are the specs for what
I want to write, and I'd probably give a small bounty to someone who did
this SMOP:

- Measure the average percentage of keystrokes that are either delete,
backspace, or cursor keys
- If that percentage is significantly higher than normal (for some value of
"significantly"), pop up a modal alert
- Don't be a CPU hog; maybe even self-disable when the computer is idle

And if you know me, or dig a little, you'll know exactly why I want that.
:)

If it can hide from the process list or otherwise make itself difficult to
close, all the better, but that's not strictly necessary. It's fine if it
needs Administrator/root permissions to run.

--
Jay Levitt |
Boston, MA | My character doesn't like it when they
Faster: jay at jay dot fm | cry or shout or hit.
http://... | - Kristoffer

9 Answers

Jeremy McAnally

12/29/2007 9:10:00 PM

You can hook WMI if you want to and I bet you could somehow figure out
keyboard events from there.

I don't have a clue about OS X...

--Jeremy

On Dec 29, 2007 3:25 PM, Jay Levitt <jay+news@jay.fm> wrote:
> I know the subject's vague; that's because I don't know what I'm talking
> about.
>
> Is it possible to write an Ruby program that will intercept keystrokes on
> Windows XP? I'm on Windows at the moment, but I'm switching to Mac soon.
> (Then again, I'm not sure if a Mac keylogger would be low-level enough to
> get keystrokes destined for a Parallels virtual machine running Windows, so
> both may be important.)
>
> No, I'm not doing anything nefarious. In fact, here are the specs for what
> I want to write, and I'd probably give a small bounty to someone who did
> this SMOP:
>
> - Measure the average percentage of keystrokes that are either delete,
> backspace, or cursor keys
> - If that percentage is significantly higher than normal (for some value of
> "significantly"), pop up a modal alert
> - Don't be a CPU hog; maybe even self-disable when the computer is idle
>
> And if you know me, or dig a little, you'll know exactly why I want that.
> :)
>
> If it can hide from the process list or otherwise make itself difficult to
> close, all the better, but that's not strictly necessary. It's fine if it
> needs Administrator/root permissions to run.
>
> --
> Jay Levitt |
> Boston, MA | My character doesn't like it when they
> Faster: jay at jay dot fm | cry or shout or hit.
> http://... | - Kristoffer
>
>

--
http://www.jeremymca...

My books:
Ruby in Practice
http://www.manning.com...

My free Ruby e-book
http://www.humblelittlerub...

My blogs:
http://www.mrneigh...
http://www.rubyinpra...

John Joyce

12/29/2007 10:42:00 PM

You're going to have a hell of a time building a keylogger for OS X.
You'll want to look into the input managers. The same thing for
building an Input Method for another language.
With that part of Cocoa, you could definitely monitor input.
Beware though, the docs are dense, and there is big learning curve.
Also, input methods tend to cross the gap between Cocoa and Carbon
(basically between Obj-C and C frameworks)

You might try an AppleScript layer that intercepts and then passes
the same keystrokes... (System Events)

James Tucker

12/29/2007 11:50:00 PM

For windows:

http://msdn2.microsoft.com/en-us/library/ms9...

I don't know about OS X, from what I understand, it's hotkeys only,
but keep looking...

On 29 Dec 2007, at 20:25, Jay Levitt wrote:

> I know the subject's vague; that's because I don't know what I'm
> talking
> about.
>
> Is it possible to write an Ruby program that will intercept
> keystrokes on
> Windows XP? I'm on Windows at the moment, but I'm switching to Mac
> soon.
> (Then again, I'm not sure if a Mac keylogger would be low-level
> enough to
> get keystrokes destined for a Parallels virtual machine running
> Windows, so
> both may be important.)
>
> No, I'm not doing anything nefarious. In fact, here are the specs
> for what
> I want to write, and I'd probably give a small bounty to someone who
> did
> this SMOP:
>
> - Measure the average percentage of keystrokes that are either delete,
> backspace, or cursor keys
> - If that percentage is significantly higher than normal (for some
> value of
> "significantly"), pop up a modal alert
> - Don't be a CPU hog; maybe even self-disable when the computer is
> idle
>
> And if you know me, or dig a little, you'll know exactly why I want
> that.
> :)
>
> If it can hide from the process list or otherwise make itself
> difficult to
> close, all the better, but that's not strictly necessary. It's fine
> if it
> needs Administrator/root permissions to run.
>
> --
> Jay Levitt |
> Boston, MA | My character doesn't like it when they
> Faster: jay at jay dot fm | cry or shout or hit.
> http://... | - Kristoffer
>

Frederick Cheung

12/29/2007 11:53:00 PM

On 29 Dec 2007, at 22:42, John Joyce wrote:

> You're going to have a hell of a time building a keylogger for OS X.
> You'll want to look into the input managers. The same thing for
> building an Input Method for another language.
> With that part of Cocoa, you could definitely monitor input.
> Beware though, the docs are dense, and there is big learning curve.
> Also, input methods tend to cross the gap between Cocoa and Carbon
> (basically between Obj-C and C frameworks)
>
> You might try an AppleScript layer that intercepts and then passes
> the same keystrokes... (System Events)
>
InputManagers are only loaded into applications that load the cocoa
runtime and are sort of on their way out. The lowlevel functionality I
would look at would be a CGEventTap (see CGEvent.h)

Fred

John Joyce

12/30/2007 12:18:00 AM

On Dec 29, 2007, at 5:53 PM, Frederick Cheung wrote:

>
> On 29 Dec 2007, at 22:42, John Joyce wrote:
>
>> You're going to have a hell of a time building a keylogger for OS X.
>> You'll want to look into the input managers. The same thing for
>> building an Input Method for another language.
>> With that part of Cocoa, you could definitely monitor input.
>> Beware though, the docs are dense, and there is big learning curve.
>> Also, input methods tend to cross the gap between Cocoa and Carbon
>> (basically between Obj-C and C frameworks)
>>
>> You might try an AppleScript layer that intercepts and then passes
>> the same keystrokes... (System Events)
>>
> InputManagers are only loaded into applications that load the cocoa
> runtime and are sort of on their way out. The lowlevel
> functionality I would look at would be a CGEventTap (see CGEvent.h)
>
> Fred
>
>
Shows how much I (don't) know... :)
I was reading the (still terse docs) on the newer input manager
system, but it was pretty heady.
In abstracting it further for Cocoa, it seems they've also given it a
steeper learning curve, which sophisticated input should have, since
it is intended for handling complex language input really.

It is interesting that the Core Graphics things hold many keys to
input, supposedly geared toward game development?

Perhaps there are some RubyCocoa CGxxxx wrappers?

Jay Levitt

12/30/2007 12:31:00 AM

On Sat, 29 Dec 2007 19:18:03 -0500, John Joyce wrote:

> I was reading the (still terse docs) on the newer input manager
> system, but it was pretty heady.

Isn't there also something about them being deprecated/hard to use/insecure
in Leopard? Or is that the old system that the CGEventTap replaces?

--
Jay Levitt |
Boston, MA | My character doesn't like it when they
Faster: jay at jay dot fm | cry or shout or hit.
http://... | - Kristoffer

Frederick Cheung

12/30/2007 7:50:00 AM

On 30 Dec 2007, at 00:35, Jay Levitt wrote:

> On Sat, 29 Dec 2007 19:18:03 -0500, John Joyce wrote:
>
>> I was reading the (still terse docs) on the newer input manager
>> system, but it was pretty heady.
>
> Isn't there also something about them being deprecated/hard to use/
> insecure
> in Leopard? Or is that the old system that the CGEventTap replaces?
>
InputManagers are now officially deprecated. They also have to be
installed in /Library, owned by root which they didn't used to.

Fred
> --
> Jay Levitt |
> Boston, MA | My character doesn't like it when they
> Faster: jay at jay dot fm | cry or shout or hit.
> http://... | - Kristoffer
>

John Joyce

12/30/2007 12:11:00 PM

On Dec 30, 2007, at 1:49 AM, Frederick Cheung wrote:

>
> On 30 Dec 2007, at 00:35, Jay Levitt wrote:
>
>> On Sat, 29 Dec 2007 19:18:03 -0500, John Joyce wrote:
>>
>>> I was reading the (still terse docs) on the newer input manager
>>> system, but it was pretty heady.
>>
>> Isn't there also something about them being deprecated/hard to use/
>> insecure
>> in Leopard? Or is that the old system that the CGEventTap replaces?
>>
> InputManagers are now officially deprecated. They also have to be
> installed in /Library, owned by root which they didn't used to.
>
> Fred
>> --
>> Jay Levitt |
>> Boston, MA | My character doesn't like it when they
>> Faster: jay at jay dot fm | cry or shout or hit.
>> http://... | - Kristoffer
>>
>
>
are they?
NSInputManager and NSInputServer don't seem to be deprecated in the
docs...

Piyush Ranjan

12/31/2007 9:25:00 AM

[Note: parts of this message were removed to make it a legal post.]

is there anyway to do this on linux machines with root access ?

On Dec 30, 2007 5:40 PM, John Joyce <dangerwillrobinsondanger@gmail.com>
wrote:

>
> On Dec 30, 2007, at 1:49 AM, Frederick Cheung wrote:
>
> >
> > On 30 Dec 2007, at 00:35, Jay Levitt wrote:
> >
> >> On Sat, 29 Dec 2007 19:18:03 -0500, John Joyce wrote:
> >>
> >>> I was reading the (still terse docs) on the newer input manager
> >>> system, but it was pretty heady.
> >>
> >> Isn't there also something about them being deprecated/hard to use/
> >> insecure
> >> in Leopard? Or is that the old system that the CGEventTap replaces?
> >>
> > InputManagers are now officially deprecated. They also have to be
> > installed in /Library, owned by root which they didn't used to.
> >
> > Fred
> >> --
> >> Jay Levitt |
> >> Boston, MA | My character doesn't like it when they
> >> Faster: jay at jay dot fm | cry or shout or hit.
> >> http://... | - Kristoffer
> >>
> >
> >
> are they?
> NSInputManager and NSInputServer don't seem to be deprecated in the
> docs...
>
>

comp.lang.ruby

Can Ruby be a keylogger on Win/Mac?

Jay Levitt

Jeremy McAnally

John Joyce

James Tucker

Frederick Cheung

John Joyce

Jay Levitt

Frederick Cheung

John Joyce

Piyush Ranjan

x Login to ForumsZone