All - It has been a few weeks now since I demonstrated the following at 44con (http://www.44con.com) and thus time to just dump the details here. The following are what can only be described as 'design flaws' in Trusteer Rapport's anti-keylogger protections, that is Rapport provides the functionality to decrypt keys to *everyone* along with the ability to 'switch-off' anti-keylogger protections all together. However, I should say that in the latter case, Trusteer aren't the only ones to provide such functionality, KeyScrambler does also. This is somewhat documented in the following post, http://www.digit-security.com/blog/?p=47 The following are for OSX *only*, but you can extend these to Windows trivially (the ioctl obfuscation layer is easily bypassed by using Trusteer's own code), http://wwww.digit-security.com/files/exploits/rapport-switchoff.c - switches off anti-keylogger protections on OSX allowing your already existing keylogger to function correctly once again. http://wwww.digit-security.com/files/exploits/rapport-listen.c - uses Trusteer's own functionality to 'decrypt' keys directly. -- mu-b (mu-b@xxxxxxxxxxxxxx) "Only a few people will follow the proof. Whoever does will spend the rest of his life convincing people it is correct." - Anonymous, "P ?= NP"
