mailing list archives
Trusteer Rapport and anti-keylogging
From: Neil Kettle <neil () digit-labs org>
Date: Wed, 21 Sep 2011 11:31:58 +0100
All - It has been a few weeks now since I demonstrated the following at
44con (http://www.44con.com) and thus time to just dump the details here.
The following are what can only be described as 'design flaws' in
Trusteer Rapport's anti-keylogger protections, that is Rapport provides
the functionality to decrypt keys to *everyone* along with the ability
to 'switch-off' anti-keylogger protections all together. However, I
should say that in the latter case, Trusteer aren't the only ones to
provide such functionality, KeyScrambler does also.
This is somewhat documented in the following post,
The following are for OSX *only*, but you can extend these to Windows
trivially (the ioctl obfuscation layer is easily bypassed by using
Trusteer's own code),
- switches off anti-keylogger protections on OSX allowing your already
existing keylogger to function correctly once again.
- uses Trusteer's own functionality to 'decrypt' keys directly.
(neil () digit-labs org)
"Only a few people will follow the proof. Whoever does will
spend the rest of his life convincing people it is correct."
- Anonymous, "P ?= NP"
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/