Notes on Keylogging via ETW
Since our first post announcing our ETW USB Keylogger from our Ruxcon talk, we've been getting a lot of questions about our work (which we greatly appreciate!). One of the questions we've been asked is how to extract keystrokes from USB data using ETW so we wanted to share some of our notes and disclose some of the "lessons learned" during our analysis and development.
USB Keyboard Basics
If you are new to the USB protocol (like us) the first thing you'll likely notice is USB keyboards (and USB devices in general) are VERBOSE. There will be a huge number of USB "packets" or URBs (USB Request Blocks: https://msdn.microsoft.com/en-us/library/windows/hardware/ff537056(v=vs.85).aspx) coming from a keyboard at a rate defined by the device. This is known as the keyboard's polling rate. It's important to remember that USB keyboards are not interrupt-based but rather they poll for data. Polling frequencies in USB keyboards vary but are usually somewhere around 125Hz which means that every 8ms or so, depending on the device, the keyboard will transmit the keyboard state which equates to 300-400 bytes (when using ETW).
We're happy to announce our ETW keylogger POC code from our talk at Ruxcon 2016 (slides here: 
As a follow-up to our talk at 
It's a system that houses Dockerized containers of some of the most popular open source honeypots such as Suricata, Honeytrap, Cowrie, Glastopf, and Dionaea. While there are plenty of other open source honeypots out there, this list makes for a solid foundation for a new honeypot setup (or a great addition to an existing one). 
It was the best of timelines (the other was the worst of timelines…) Greg Linares of CyberPoint's 
It was the best of timelines (the other was the worst of timelines…) Greg Linares of CyberPoint's