An educational keystroke logging project built in Python and Rust, demonstrating offensive security concepts for penetration testing research.
⚠️ Legal Disclaimer: This tool is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have explicit written permission to test is illegal and may violate computer fraud laws (CFAA, CMA, etc.). The author assumes no liability for misuse.
keylogger/
├── head.py # Python implementation (Phase 3)
├── rust_logger/ # Rust implementation (Phase 4)
│ ├── Cargo.toml
│ └── src/main.rs
└── README.md
A hardened keylogger using raw OS APIs instead of commonly-flagged libraries.
- Raw Input Capture —
ctypesand/dev/inputinstead ofpynput/pyHook - AES-256-GCM Encryption — Hardware-derived keys via HKDF (no key stored on disk)
- Clipboard Monitoring — Via
xclip/xsel(nopyperclip) - Screenshot Capture — Via
scrot/import(noPIL) - Active Window Tracking — Logs application context per keystroke
- Multi-Channel Exfiltration — HTTPS POST and SMTP with proper TLS
- Persistence — systemd user service (Linux), COM hijack (Windows)
pip install cryptography requestspython3 head.pyA compiled native binary that addresses behavioral detection vectors.
| Problem | Solution |
|---|---|
| Python runtime is suspicious | 626KB stripped native ELF |
/dev/input requires root |
X11 XRecord — userland, no privileges |
| Library signatures flagged by EDR | Zero third-party runtime dependencies |
| Predictable network beaconing | Random payload padding + jittered timing |
- X11 XRecord — Protocol-level keyboard capture without root
- AES-256-GCM — Hardware-derived keys via
ringHKDF - Double-fork Daemonization — Breaks parent-child process chain
- Process Blending —
prctl(PR_SET_NAME)masquerades asdbus-daemon - Anti-Correlation — Random 64–512 byte padding on every payload
- Stripped Binary — No symbols, no debug info, LTO optimized
cd rust_logger
cargo build --releaseBinary output: target/release/shadow_logger
| Crate | Purpose |
|---|---|
x11-dl |
X11/XRecord keyboard capture |
ring |
AES-256-GCM + HKDF key derivation |
ureq |
HTTPS client with native TLS |
flate2 |
Gzip compression |
rand |
Jitter and random padding |
libc |
prctl, fork, setsid |
This project explores several offensive security topics:
- Multi-layer input capture — OS-level hooks + application context awareness
- Process blending — Making malicious processes look legitimate
- Resilient persistence — Multiple fallback mechanisms with self-healing
- Covert exfiltration — Traffic that resists pattern analysis
- Cryptographic key management — Hardware-derived keys with no disk artifacts
- MITRE ATT&CK — Input Capture
- MITRE ATT&CK — Boot/Logon Persistence
- OffSec OSCP Certification
- HackTheBox — Practice in legal environments
This project is for educational purposes. Use responsibly and legally.