#win32

Finished the first part of my keylogger.

It’s 100% not perfect and I can imagine it not running as smoothly on keyboards of a different layout; honestly as this is just a PoC I’m pretty happy with where it is and proceeding forward with it in it’s current form.

It turned out to be more involved than expected- originally I had it working in a loop with GetAsyncKeyState (https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getasynckeystate) but this was using 20% of my CPU when investigated- while this had no negative effect on my laptop personally, it probably wouldn’t be ideal on laptops with weaker CPUs.

This is when I came across Windows hooks (https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks) To put it simply, Windows hooks are very similar to JavaScript event listeners- you know, listening for clicks on a specific button and similar? 

The code here is the first step in the process. I used 2 kinds of Win32 functions here as the Win32 API is pretty retarded as I couldn’t setup an event hook for a change in the foreground window through WindowsHookEx: while low level event hooks (denoted by _LL)  do not need to be put into a DLL and then loaded into another C program through WindowsHookEx, a majority of other event hooks do.

WinEventHook, however, doesn’t have this limitation. In order to avoid having to create a separate program just to load in the hooks from a DLL, I simply used the two different functions. This wouldn’t work if I wanted the callbacks to interact; I don’t so yeah. xD

These are the callbacks I created for the two events. I created a keyLogger class with virtual methods which provides the code for returning characters corresponding to keypresses and returning the active foreground window (literally just the window the user is currently interacting with.)

This is my returnChar method- pretty self explanatory. I decided to just use the integer value of the inputted character to determine certain punctuation that was inputted. Unfortunately, I am limited to UK keyboard testing only so I can’t say how well this works on a US keyboard layout! 

The shift key also proved to be a huge issue- for some reason I get an accented a before the shift key is registered as being pressed down. For the sake of simplicity, I simply noted this when encountered as either shift or an accented a (though this may not be needed now that I’m outputting when shift is pressed with a key!)

This is the method for returning the currently active window. Pretty self explanatory.

That’s pretty much it! I have the code in a repo here https://github.com/CourtneyJane2904/keylogger if anyone’s interested. 

My next step will be setting this up to run on startup and to run as hidden as physically possible with the permissions of the user. 

After that there’ll be a focus on sending the data to a remote server and finally looking into the obfuscation and encryption of the program if it flags up Windows Defender. 

Thinking of delivering it through a malicious word document in my PoC scenario but I honestly haven’t decided yet! 

https://github.com/nixawk/labs/blob/master/CVE-2017-8464/wp-cpl-malware.pdf 

https://github.com/nixawk/labs/blob/master/CVE-2017-8464/%5BMS-SHLLINK%5D-160714.pdf

powershell minus powershell

IT'S BEEN SEVERAL MONTHS AND I'VE MADE ZERO PROGRESS

IT'S NOT EVEN GIVING ME AN ERROR CODE WHAT THE HELL AM I SUPPOSED TO DO.

WHAT AM I DOING WRONG?