Firefox plugins and multiplatform keyboard hooks

I’ve been asked to make a user-logger for several systems. The requirements are

– Multiplatform (XP, Vista, Windows 7, BSD, Linux and all for 32&64bits)
– It should grab web form credentials and be expandable to grab the mouse in places where the login is done using clicks.
– It should be expandable by unskilled programmers.
– It should not trigger the Antivirus or other common automated monitoring programs.
– It has to be a software only solution.
– It has to be doable with limited local user credentials (no admin rights)
– It has to upload the contents to a web server.
– A keylogger proof of concept in less than 24h

The fastest solution is not to make several system wide hooks (hard to mantain) but to make a simple navigator plugin using only Javascript and with less than a thousand lines of code. The web is the platform.

There are articles at least 2 year old that suggest the same
https://phuu.net/2012/09/24/how-id-steal-your-passwords.html so I have no problems to do it and explain the recipe:

Some official firefox keylogger add-ons:
Xenotix keylogger
Nifty keylogger
Keylogger 1.6 by lipo-codes

In firefox <4 it was common to change the file nLoginManagerPrompter.js like this:
(but a complete keylogger is needed now, not only a login grabber. Note:
Firefox 4+ uses omni.ja[r] for preferences now and I didn’t bother looking at it.

/* trick to save login credentials allways without user notification
*
* _showSaveLoginNotification
*
* Displays a notification bar (rather than a popup), to allow the user to
* save the specified login. This allows the user to see the results of
* their login, and only save a login which they know worked.
*
*/
_showSaveLoginNotification : function (aNotifyBox, aLogin) {

var pwmgr = this._pwmgr;
pwmgr.addLogin(aLogin);
},

/*
* _removeLoginNotifications
*
*/

More info about the old aproach:

http://inpursuitoflaziness.blogspot.com.es/2014/01/editing-files-from-omnija-in-firefox-20.html

http://www.werockyourweb.com/force-firefox-save-password/

It seems someone has done it before and it is quite well documented. It is a bit old and has some minor mistakes so I’ll comment about it later.

http://resources.infosecinstitute.com/keylogger/#comment-1211039

Edit: I decided not to update the post, a developer could change it easily and I don’t want to help script kiddies.