Keylogger project, 2

19.10.2005 11:03

I want my key logger to work in the same basic way as the KeyKatcher. This means that it must operate in two distinct modes: In the logging mode, it must only monitor the communication between the keyboard and the computer. In the ideal case it should not modify or affect the communication in any way. In the control mode, it should appear as a computer to the keyboard and as a keyboard to the computer. It receives commands from the keyboard interface and prints information (menu choices, stored data, etc.) to the computer interface.

The problem here is that PS/2 is a pretty complicated two-way two-wire protocol that is not very easy to emulate with a 801 microcontroller. The biggest problem that appeared so far is how to implement the transparent logging mode. I'm currently considering three approaches:

 <-- to keyboard          to computer -->
                 _______
 CLK  ---o------|       |------o---- CLK
         |      |switch |      |
 DATA ---+---o--|_______|--o---+---- DATA
         |   |      |      |   |
         |   |      |      |   |
         |   |   _______   |   |
         |   +--|       |--+   |
         |      | 8051  |      |
         +------|       |------+
                |_______|

This is the hardware approach. When the key logger is in logging mode, the electronic switch directly connects keyboard to the computer and the 8051 is only pasively monitoring the communication. In control mode, 8051 turns the switch off and communicates with keyboard and computer separately. Good sides: key logger is undetectable in logging mode. Low processing and code memory requirements for the 8051 in logging mode, since we are only monitoring the bus. Simple 8051 code (no hard real-time code required). Bad sides: requires an additional chip which means a bigger device.

 <-- to keyboard          to computer -->
                 _______
 CLK -----------|       |------------ CLK
                | 8051  |       
 DATA ----------|       |------------ DATA
                |_______|

This is the first software approach. When the key logger is in logging mode, the 8051 software mirrors signals from the keyboard to the computer side and signals from the computer to the keyboard side. Because the PS/2 bus heavily exploits the properties of the open-collector outputs (the bus line works as a wired-or), the coupling code needs to be pretty complicated (as far as I see, a state machine with 3 states) and must use polling instead of hardware interrupts. Good sides: Low code memory and RAM requirements for the 8051 in logging mode, since we do not need to decode the protocol and/or buffer data on the fly but are only mirroring the bus. Bad sides: Hard real-time code required. CPU intensive in logging mode (not sure if even feasible with 24 MHz CPU clock and 10kHz PS/2 bus clock). Detectable in logging mode since software bus coupling introduces delays and glitches.

The second software approach. The key logger always emulates the computer on the keyboard side and keyboard on the computer side. In logging mode it, for example, receives data from the keyboard, decodes it, puts it into buffer and (when possible) transmits the data on the computer side. The receiving and transmitting code can work from interrupt service routines. Good sides: Low processing requirements for the 8051 in logging mode, since we do not need polling of inputs and state machine emulation. Real-time code contained in interrupt service routines. Undetectable if the computer side fully implements the PS/2 protocol. Bad sides: Large RAM requirement because of buffering. Large code memory requirement because of all decoding and buffering logic.

Basically, the first software approach hits the processing limit of the 8051 and the second approach hits the code memory limit.

Posted by Tomaž | Categories: Digital

Add a new comment


(No HTML tags allowed. Separate paragraphs with a blank line.)