Some months ago i’ve written a post about keyloggers (because “during a malware analysis process is useful to know how a keylogger works”), where I’ve shared a simple Windows keylogger written in Python.

Today I want to share another example, this time written in Powershell: I think it may be a useful knowlege during malware analysis activities.

This kind of code may be found often in simple powershell malwares (obviously obfuscated).

The concept is always the same: import from user32.dll some keyboard related methods (GetAsyncKeyState, GetKeyboardState) and using them in order to monitor activities on keyboard and sniffing pressed keys (the code is commented and pretty self-describing).

When executed, the script starts an endless loop that continously reads keyboard state, and wait a CTRL+C.

When users stops loop, the recorded keys will shown in notepad.

References