Building a keylogger with Python

How long does it take to write a keylogger in Python?

7 lines (if you count jump lines)!

What is a keylogger?

“Keylogger” is short for “Keystroke logger”, as it records what you type on the keyboard. Such scripts are not necessarily evil, but threat actors use them all the time.

The most common approach is to record user inputs and send data to a remote server (e.g., C2). It’s highly efficient and can reveal very sensitive data such as credentials, emails, visited URLS, and many other details.

Keyloggers are a massive threat to security and privacy.

Here, we’ll see a quick example with the keyboard, but it can also log clipboard, screens (some prefer the term “screenloggers”), instant messages, or internet activities.

It’s also possible to embed keyloggers directly in the hardware, for example, between the CPU and the mouse/keyboard. In this case, the analysis requires a physical access, but the detection rate by anti-malware solutions would be significantly lower, perhaps null.

However, even software-based keyloggers can be pretty hard to detect.

Practical example in Python

from pynput import keyboard

def display_keys(key):

with keyboard.Listener(on_press=display_keys) as l:

It uses the pynput package. You can definitely improve the code by adding more information like timestamps or store the results in a text file. The pynput package allows monitoring the mouse as well.

However, with the basic example above, you can get the following:

As long as it runs on the machine, it can collect inputs.

How to run the code

Install the package and start the script:

pip install pynput
python3 &

The & is to run the script in the background. If you need more “persistence,” you can combine it with the nohup command to complete the process even if the user logs out from the terminal:

nohup python3 &

How to detect keyloggers

Our script would be detected at the speed of light:

ps aux | grep python

In real-world conditions and if it’s a Linux machine, you can try automated tools such as rkhunter or chkrootkit to detect known rootkits and malware. These tools cannot spot advanced keyloggers written by experienced hackers to evade detection, but script kiddies often use popular kits.

Keyloggers can bypass security measures

Such sneaky spywares will keep recording data even after some security measures. Updating credentials and hardening configurations is still necessary but not sufficient.

Password managers are convenient but many solutions only copy-paste data from the manager to the browser. Technically speaking, malware could still intercept the data by sniffing all the network traffic, for example.

In any case, password managers are not designed to block keyloggers.

Wrap up

No system is immune to keyloggers. You can’t assume there’s no keylogger on a machine, especially if it has been attacked.

Monitoring outgoing traffic, behaviors and processes can help detect these annoying snitches. However, some situations require destructive analysis, perhaps complete reformat and fresh install, so ensure you backup critical files regularly.