2

I was thinking of creating an on-screen keyboard to protect against keyloggers. The main problem is that I have found that there is a category of keyloggers, called screenshot keyloggers, which are able to take screenshots of the screen every time the mouse button is clicked.

For this reason, I feel that my approach of creating an on-screen keyboard does not protect against this category of keyloggers. Is there a way of coding the application which does not allow screenshots to be taken, or else alerts the user if these are being taken without his permission?

I am assuming that only the user is present in the room. Therefore, I am not trying to protect against other users taking photos with their digital cameras. I only want to protect against screenshot keyloggers.

Adi
Matthew
  • One workaround is making the virtual keys "pressable" with mouse hover. If the user hovers the mouse over the key for 1000-1500ms then the key is "pressed". Of course that wouldn't protect against those that are constantly taking screenshots (I don't think that those are common). – Adi Mar 21 '13 at 16:55
  • @Adnan: they are not common... yet. But if people begin to use mouse hovering as equivalent to mouse clicks, be sure that keyloggers will soon learn to track "hovering events". Also, you cannot hover your mouse when using an iPad, if only for lack of a mouse to hover. – Thomas Pornin Mar 21 '13 at 17:14
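
The hover-to-press idea from the comments above, sketched as an added example (not code from the question or from either commenter). The class name, the `[timestamp, key]` sample format and the 1200 ms threshold are assumptions; the trace is constructed. As the second comment points out, this only changes which event a keylogger has to watch.

```javascript
// Added example: dwell-to-press logic for an on-screen keyboard.
// DWELL_MS and the [t, key] sample shape are assumptions for illustration.
const DWELL_MS = 1200; // inside the 1000-1500 ms range suggested in the comment

class DwellKeyboard {
  constructor(dwellMs = DWELL_MS) {
    this.dwellMs = dwellMs;
    this.current = null; // key currently under the pointer, or null
    this.enteredAt = 0;  // timestamp (ms) when the pointer entered that key
    this.fired = false;  // true once this hover has already produced a press
    this.typed = [];     // keys pressed so far
  }

  // Feed one pointer sample: t in ms, key = key under the pointer or null.
  onPointer(t, key) {
    if (key !== this.current) {
      // Pointer moved to another key or off the keyboard: restart the timer.
      this.current = key;
      this.enteredAt = t;
      this.fired = false;
      return null;
    }
    if (key !== null && !this.fired && t - this.enteredAt >= this.dwellMs) {
      this.fired = true; // one press per hover; leave and re-enter to repeat
      this.typed.push(key);
      return key;
    }
    return null;
  }
}

// Replay a list of [t, key] samples and return the typed string.
function replay(samples, dwellMs = DWELL_MS) {
  const kb = new DwellKeyboard(dwellMs);
  for (const [t, key] of samples) kb.onPointer(t, key);
  return kb.typed.join("");
}

// Constructed pointer trace (not captured from a real session).
const SAMPLE_TRACE = [
  [0, "p"], [600, "p"], [1200, "p"], [2500, "p"], // "p" fires once at 1200 ms
  [2600, "a"], [3000, "a"],                       // 400 ms on "a": no press
  [3100, null],
  [3200, "s"], [4400, "s"],                       // "s" fires after 1200 ms
  [4500, null], [4600, "s"], [5900, "s"],         // re-entered: "s" fires again
];
console.log(replay(SAMPLE_TRACE));
```
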

2 Answers

5

A key logger can log keys, or take screenshots, only by virtue of having extensive access to the operating system, allowing the malware to do basically whatever it wishes to. As such, there cannot be a failsafe way to prevent or even detect screenshots, since the malware would perfectly be able to simply deactivate that check.

At best, you could implement a partial protection against existing key loggers, which will be efficient until keylogger authors adapt their code, which should take about one week. See this answer for some more treatment on the subject.

When hostile code runs on your machine, then it no longer is your machine. This is why payment terminals have their own screen and keyboard: to be immune to attacks on the cash register.

Thomas Pornin
2

A key logger does not log what keys you press typically, but rather what characters are requested to be entered by the OS. An on screen keyboard would still generate the same input as a physical keyboard and would be just as vulnerable. The only exception to this would be hardware key loggers that are physically placed between the keyboard and the computer, but those are exceedingly rare and there are far simpler ways to counter them (like superglue).

AJ Henderson