Trusteer Rapport and anti-keylogging

From: mu-b <>
All - It has been a few weeks now since I demonstrated the following at
44con ( and thus time to just dump the details here.

The following are what can only be described as 'design flaws' in
Trusteer Rapport's anti-keylogger protections, that is, Rapport provides
the functionality to decrypt keys to *everyone* along with the ability
to 'switch off' anti-keylogger protections altogether. However, I
should say that in the latter case, Trusteer aren't the only ones to
provide such functionality; KeyScrambler does also.

This is somewhat documented in the following post,

The following are for OSX *only*, but you can extend these to Windows
trivially (the ioctl obfuscation layer is easily bypassed by using
Trusteer's own code):
- switches off anti-keylogger protections on OSX allowing your already
existing keylogger to function correctly once again.
- uses Trusteer's own functionality to 'decrypt' keys directly.


  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"

