Advanced Remote Keylogger
with Self-Destruct Mechanism
This project is developed exclusively for academic, educational, and authorized research purposes under faculty supervision at NIELIT Chennai. Any unauthorized deployment or use of this software on any system without explicit written consent is strictly illegal and a criminal offence under the IT Act, 2000 (India) and other applicable laws.
Introduction
In today's digital age, cybersecurity is one of the most critical areas of study. One of the most powerful tools used by cybercriminals is a Keylogger — a program that silently records every keystroke typed on a computer.
This project, developed as part of the Internship Program in Cyber Security at NIELIT Chennai, demonstrates how such tools work in real-world scenarios so that we can better defend against them. The system includes real-time keystroke logging, screenshot capture, webcam monitoring, clipboard tracking, Chrome password stealing, anti-VM detection, and a remote self-destruct mechanism — all controlled via a web-based dashboard.
The project serves dual purposes: a technical demonstration of offensive security tools, and an educational platform to spread awareness about digital threats and the importance of cybersecurity hygiene.
Objectives
- Design and develop a fully functional remote keylogger using Python operating stealthily in the background.
- Implement real-time keystroke logging, automatic screenshot capture, webcam monitoring, and clipboard tracking.
- Integrate a Chrome password stealer module to demonstrate credential theft risks.
- Develop an Anti-VM detection system to prevent execution in analysis environments.
- Create a reliable remote self-destruct mechanism for complete removal via web command.
- Build a web-based control panel (dashboard) for remote monitoring and management.
- Implement persistence techniques for automatic startup after system reboot.
- Analyze technical challenges in stealth malware and develop defensive awareness against such threats.
Key Features
Core Features
Advanced Monitoring
Security & Evasion
Remote Control
Tools & Technologies
Keylogger (Backend)
- Python 3.10+
- pynput — Keyboard listener
- pywin32 — Windows API
- OpenCV (cv2) — Webcam capture
- Pillow (PIL) — Screenshots
- pyperclip — Clipboard monitor
- requests — Data exfiltration
- winreg — Registry operations
Web Dashboard
- PHP — Backend processing
- SQLite — Lightweight database
- Bootstrap 5 — Responsive UI
- JavaScript — Dynamic interactions
Environment
- Windows 10 / Windows 11
- Visual Studio Code
- XAMPP (Local Web Server)
System Architecture
The project follows a Client–Server Model. The keylogger (client) runs silently on the target Windows machine and communicates with the web-based control panel (server).
Data Flow
- Keylogger starts → Installs itself in C:\ProgramData\WindowsHelper\ → Adds registry persistence.
- Captures keystrokes, screenshots, webcam images, and clipboard data.
- Sends data to web server via HTTP POST requests at regular intervals.
- User views data in real-time on the web dashboard.
- User sends "uninstall" command → Keylogger performs multi-layer cleanup and deletes itself.
Advanced Modules
| Module | Description |
|---|---|
| Persistence Module | Copies to C:\ProgramData\WindowsHelper\ and adds Windows Registry Run key for auto-startup. |
| Anti-VM Module | Detects VMware, VirtualBox, Hyper-V via process names, registry entries, and MAC address patterns. Exits silently if detected. |
| Credential Stealer | Extracts saved passwords from Google Chrome using Windows DPAPI decryption. |
| Screenshot Module | Captures full screen at regular intervals using Pillow (PIL). |
| Webcam Module | Captures webcam images periodically using OpenCV. |
| Clipboard Monitor | Records everything copied to clipboard — passwords, UPI IDs, links, etc. |
| Self-Destruct Module | On receiving remote command: removes registry entry, deletes files from C Drive, cleans temp files, schedules final deletion via batch file. |
Defensive Cybersecurity Perspective
Understanding how this keylogger works provides direct insight into effective defenses:
| Attack Technique | Defensive Counter-Measure |
|---|---|
| Registry Run Key Persistence | Audit Registry Run keys using Autoruns (Sysinternals). Block unauthorized registry writes via Group Policy. |
| Hiding in C:\ProgramData\ | Deploy endpoint monitoring (Sysmon, CrowdStrike) to alert on new executables in system folders. |
| HTTP POST Data Exfiltration | Use IDS/IPS and network monitoring (Wireshark, Zeek) to detect unusual outbound HTTP traffic. |
| Keystroke Capture (pynput) | EDR solutions can flag abnormal keyboard hook registrations at OS level. |
| Anti-VM Evasion | Use bare-metal analysis environments or advanced sandboxes (Any.run, Cuckoo) configured to mimic real systems. |
| Chrome DPAPI Password Theft | Use password managers (Bitwarden, 1Password) instead of browser-stored passwords. Enable 2FA on all accounts. |
| Clipboard Monitoring | Banking apps and password managers restrict clipboard access on sensitive fields. |
| Webcam/Screenshot Capture | Cover webcam when not in use. EDR solutions detect unauthorized access to camera APIs. |
Prevention Best Practices
- Keep OS and all software updated to patch known vulnerabilities.
- Use reputable Endpoint Protection / Antivirus with real-time monitoring.
- Never open executable files from unknown or untrusted sources.
- Use a password manager — never save passwords in browsers.
- Enable Two-Factor Authentication (2FA) on all critical accounts.
- Regularly check Startup programs and Windows Registry Run keys for unknown entries.
- Implement the Principle of Least Privilege (PoLP) in organizational environments.
- Conduct regular Security Awareness Training for employees.
Testing & Results
Tested on multiple Windows 10 and Windows 11 systems over 15+ days of continuous testing.
| Test Case | Result | Remarks |
|---|---|---|
| Keystroke Logging | ✓ Pass | All keys captured accurately |
| Active Window Tracking | ✓ Pass | Window title logged correctly |
| Screenshot Capture | ✓ Pass | Clear screenshots every 25–30 sec |
| Webcam Capture | ✓ Pass | Working on devices with webcam |
| Clipboard Monitoring | ✓ Pass | Copied content captured |
| Chrome Password Stealer | ✓ Pass | Extracted saved passwords |
| Anti-VM Detection | ✓ Pass | Exited in VMware & VirtualBox |
| Persistence after Reboot | ✓ Pass | Auto starts from C Drive |
| Remote Uninstall Command | ✓ Pass | Complete removal on command |
| Web Dashboard | ✓ Pass | Real-time logs and alerts working |
| Stealth (No Console) | ✓ Pass | Runs silently in background |
Limitations
- Platform: Works only on Windows — no Linux or macOS support currently.
- AV Detection: Modern antivirus (especially Windows Defender) may detect and quarantine the executable.
- Browser: Password stealer supports only Google Chrome currently.
- Network: Requires active internet connection to send data and receive commands.
- No Encryption: Data sent to server is not encrypted (simplified for academic purposes).
- Self-Destruct: In rare cases, file deletion may not complete if locked by the OS.
Future Scope
- End-to-end encryption for all data transmission.
- Multi-browser support (Firefox, Edge, Brave).
- Voice recording and microphone access module.
- File exfiltration module (documents, images, etc.).
- Cross-platform support (Linux and macOS).
- Mobile application for remote monitoring.
- AI-based anomaly detection in captured logs.
- Improved code obfuscation and anti-detection techniques.
Conclusion
This project has been successfully developed and tested as part of the Internship Program in Cyber Security at NIELIT Chennai. The primary objective — understanding real-world offensive security tools and their technical implementation — has been achieved.
Through this project, hands-on experience was gained in Python programming, system-level operations, networking, evasion techniques, and ethical hacking concepts. It also strengthened understanding of the defensive side — how antivirus software detects such tools and the importance of continuous user awareness.
This project has been developed solely for academic and educational purposes under faculty supervision at NIELIT Chennai. I do not endorse, encourage, or support any malicious, illegal, or unauthorized use of this software or the techniques demonstrated herein.