Hi, tonight I have modified Iczelion's Tutorial #24 program to make a rudimentary (system-wide) keystroke logger. I use the keyboard hook, just like he used the mouse hook. This works great, it gets all system-wide keystrokes, except it doesn't get text typed into DOS boxes. Has anyone else run into this same problem? Also, as an exercise, I incorporated some of the stealth theories that have already been discussed around here. What about getting Windows to start my keylogger in a stealthy fashion, any ideas? Instead of posting my source in this message, I made the KeyLog.zip available at my web page www.umich.edu/~thyg/asm.html It contains all the .EXE, .DLL, and source code. Thanks Iczelion for your tutorials and downloadable packages, and thanks everyone who contributes on this message board. --Bill
So, you want it to be stealthy? I have just what you need. Your file copies itself to the Windows or System directory, right? How about making the file info point to another file... a file that comes with Windows. A file every Windows user has by default (like Notepad.exe). That way, if the user suspects foul play and they check the file date to see when it was introduced to the system, they will see that the file is dated back years ago (whenever Windows was installed), throwing them off and probably relieving their suspicion of that file. If you want to know more about my technique... e-mail me and I'll write you the source code snippet to use. happy coding, Nokturnal
Add an entry to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There is also RunServices on 9x. It's the way most trojans load! Anyone who knows what they're doing will find it, but anyone who knows what they are doing will probably find it anyway! The other way is adding it to win.ini; I'm not sure if it is available on NT. A lot of people forget about it, as it's the old Win 3.x way of doing things! Mirno
Nok, thanks, that is a great idea! Windows keeps track of creation date, last modification, and last access date within the long filename format. Like you say, I should copycat some standard file within the Windows directory. The last access shouldn't be too old though, because there are some "dead file" utilities that discover anything that hasn't been accessed within a certain timeframe. Notepad.exe seems to be an ideal file to copycat, since most everyone uses that from time to time. Or maybe explorer.exe, since that is guaranteed to be accessed. Mirno, thanks too; like you say, the registry method isn't perfect, but personally I think it is preferable to the win.ini method. Of course, in that case the executable better not be named keylog.exe!
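For the defender's side of the two ideas above (Mirno's autostart locations and Nokturnal's timestamp copycat), here is an added audit script that is not from anyone in this thread. It is PowerShell for a modern Windows, not the 9x-era code the posters are writing: it lists every command registered under the Run/RunOnce/RunServices keys and under the win.ini [windows] load=/run= lines, resolves each to a file, and flags any file whose creation and last-write times exactly equal those of notepad.exe, or whose Authenticode signature is missing or invalid. The reference file, the key list and the flag names are this example's own choices; RunServices only exists on 9x and will simply be absent on NT-based systems.

```powershell
# Added example (not from the thread): audit the autostart locations named above and
# flag binaries whose timestamps were cloned from a Windows-shipped file.
# Assumes PowerShell 5.1+ on a modern Windows; run from an elevated prompt for HKLM.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',   # 9x only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# The file a copycat would imitate (notepad.exe, as proposed in the thread).
$Reference = Get-Item -LiteralPath (Join-Path $env:SystemRoot 'System32\notepad.exe')

function Resolve-CommandPath {
    # Turn a Run value or win.ini command into an existing executable path, or $null.
    # Caveat: an unquoted path containing spaces is cut at the first space.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($expanded -split '\s+')[0] }
    if (Test-Path -LiteralPath $exe -PathType Leaf) { return (Get-Item -LiteralPath $exe).FullName }
    # A bare name such as keylog.exe is searched in the Windows and System32 directories.
    foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
        $candidate = Join-Path $dir $exe
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Get-WinIniAutostart {
    # Parse the [windows] section of win.ini for load= and run= (the Win 3.x mechanism).
    param([string[]]$Lines)
    $inWindows = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]') { $inWindows = ($Matches[1] -ieq 'windows'); continue }
        if ($inWindows -and $line -match '^\s*(load|run)\s*=\s*(.+)$') {
            $keyword = $Matches[1]
            foreach ($cmd in ($Matches[2] -split '[ ,]+' | Where-Object { $_ })) {
                [pscustomobject]@{ Source = 'win.ini'; Name = $keyword; Command = $cmd }
            }
        }
    }
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    $ini = Join-Path $env:SystemRoot 'win.ini'
    if (Test-Path -LiteralPath $ini) { Get-WinIniAutostart -Lines (Get-Content -LiteralPath $ini) }
}

function Test-AutostartEntry {
    param([pscustomobject]$Entry)
    $path  = Resolve-CommandPath $Entry.Command
    $flags = @()
    if (-not $path) {
        $flags += 'target-not-found'
    } else {
        $file = Get-Item -LiteralPath $path
        # Creation and last-write times identical to notepad.exe is the copycat pattern
        # discussed above (last access is left out because reading the file changes it).
        if ($file.FullName -ne $Reference.FullName -and
            $file.CreationTimeUtc -eq $Reference.CreationTimeUtc -and
            $file.LastWriteTimeUtc -eq $Reference.LastWriteTimeUtc) {
            $flags += 'timestamps-match-notepad'
        }
        # Cloned dates do not survive a signature check: a binary posing as an OS file
        # without a valid Authenticode signature stands out.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') { $flags += "signature-$($sig.Status)" }
    }
    [pscustomobject]@{ Source = $Entry.Source; Name = $Entry.Name; Path = $path; Flags = ($flags -join ',') }
}

Get-AutostartEntries | ForEach-Object { Test-AutostartEntry $_ } | Format-Table -AutoSize
```

Expect some noise from the timestamp check alone: Windows setup writes many files in one pass, so a few legitimate binaries can share notepad.exe's times to the tick, which is why the signature result is reported alongside it rather than either flag being treated as proof by itself.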
I would think a way to build a better key logger would be to just make a VxD, stick it in the \windows\system\iosubsys\ directory, because then it is much harder to track down, and with a couple of Ring0 hooks, you've got a winner.
You can download my keylogger from my site: SaFc0n's world of assembler. But don't use it for hacking/cracking or other things like that. It's just for educational purposes!