Sign in to follow this  
Followers 0
DeltaRocked

Anti-KeyLogger - Virtual Keyboard

16 posts in this topic

Hello All,

A few days ago I had commented on

The code for this Anti-Keylogger based virtual keyboard is

; for lower-case
Send("{ASC " & AscW($_Key) & "}") 
;for upper case
Send("{ASC " & AscW(StringUpper($_Key)) & "}")

I have tested this against all the known keyloggers commercial - non-commercial and even wrote a few using different methods just to test the viability of this code.

The only problem which I had faced when testing was that some of the unicode keyloggers (kernel based) logged the keystrokes as Alt 097 for 'a' . while some were pathetic even in this, anyway its not my concern .

My Concern is, instead of sending keystrokes as a unicode, is there any other method available which will mask the keystrokes?

Regards

Delta Rocked.

Share this post


Link to post
Share on other sites



I imagine getting the control handle and using ControlSend or (even better) ControlSetText. That way there will be no way they can log it.

Share this post


Link to post
Share on other sites

#3 ·  Posted (edited)

I imagine getting the control handle and using ControlSend or (even better) ControlSetText. That way there will be no way they can log it.

Hi Mat,

It works... now finding a way to send the keystrokes using the virtual keyboard.... cause I might end up having problems with Shift keys , Alt Key Ctrl keys... so need to segregate them and then use only the character keys.

I think i have already segregated the keys ... so the task is to grab the current window (that also is integrated) and do extensive testing...

regards

Delta Rocked.

PS: this code has not been entirely written by me, all I am doing is modifying, so that the compiled application functions the way it should function.

Edited by deltarocked

Share this post


Link to post
Share on other sites

#4 ·  Posted (edited)

Done.

Tested with some of the best known keyloggers :) thanks Mat.

Global $keyStroke_Array[68] = ['{SPACE}', '{ENTER}', '{ALT}', '{BS}', '{BACKSPACE}', '{DEL}', '{UP}', '{DOWN}', _
        '{LEFT}', '{RIGHT}', '{HOME}', '{END}', '{ESC}', '{INS}', '{PGUP}', '{PGDN}', '{F1}', '{F2}', '{F3}', _
        '{F4}', '{F5}', '{F6}', '{F7}', '{F8}', '{F9}', '{F10}', '{F11}', '{F12}', '{TAB}', '{PRINTSCREEN}', '{LWIN}', _
        '{RWIN}', '{BREAK}', '{PAUSE}', '{NUMPADMULT}', '{NUMPADADD}', '{NUMPADSUB}', '{NUMPADDIV}', '{NUMPADDOT}', _
        '{NUMPADENTER}', '{APPSKEY}', '{LALT}', '{RALT}', '{LCTRL}', '{RCTRL}', '{LSHIFT}', '{RSHIFT}', '{SLEEP}', _
        '{NUMPAD0}', '{NUMPAD1}', '{NUMPAD2}', '{NUMPAD3}', '{NUMPAD4}', '{NUMPAD5}', '{NUMPAD6}', '{NUMPAD7}', _
        '{NUMPAD8}', '{NUMPAD9}', '{ALTDOWN}', '{SHIFTDOWN}', '{CTRLDOWN}', '{ALTUP}', '{CTRLUP}', '{SHIFTUP}', '{CAPSLOCK}', _
        '{INSERT}', '{DELETE}', '{Escape}']

_ArraySort($keyStroke_Array)

;;;;;;;;;;;
;;Some code...
;;;;;;;;;;
Func PressButton($_Key, $_HoldNeeded)
    Local $ctrl
    $ReplacedString = StringReplace(WinGetTitle($Form1), "Virtual Keyboard v0.1 - ", "")
    WinActivate($ReplacedString)
    $ctrl = ControlGetFocus($ReplacedString)
    If WinActivate($ReplacedString) Then
        If _ArrayBinarySearch($keyStroke_Array, $_Key) <> -1 And $_Key <> "{TAB}" Then
            Select
                Case $_Key == '{SHIFTDOWN}'
                    $shiftstatus = 1
                Case $_Key == '{SHIFTUP}'
                    $shiftstatus = 0
                Case $_Key == '{CTRLDOWN}'
                    $ctrlstatus = 1
                Case $_Key == '{CTRLUP}'
                    $ctrlstatus = 0
                Case $_Key == '{ALTUP}'
                    $altstatus = 0
                Case $_Key == '{ALTDOWN}'
                    $altstatus = 1
                Case StringLower($_Key) == StringLower('{BS}')
                    ControlFocus($ReplacedString, "", $ctrl)
                    ControlSend($ReplacedString, "", $ctrl, "{ASC 008}")
                Case StringLower($_Key) == StringLower('{BACKSPACE}')
                    ControlFocus($ReplacedString, "", $ctrl)
                    ControlSend($ReplacedString, "", $ctrl, "{ASC 008}")
                Case Else
                    Send($_Key)
            EndSelect
        Else
            If $shiftstatus == 1 And $CapsLockOn == False And $ctrlstatus == 0 And $altstatus == 0 And $_Key <> "{TAB}" Then
                ControlFocus($ReplacedString, "", $ctrl)
                ControlSend($ReplacedString, "", $ctrl, "{ASC " & AscW(StringUpper($_Key)) & "}") ; uppercase
            ElseIf $shiftstatus == 0 And $CapsLockOn == True And $ctrlstatus == 0 And $altstatus == 0 And $_Key <> "{TAB}" Then
                ControlFocus($ReplacedString, "", $ctrl)
                ControlSend($ReplacedString, "", $ctrl, "{ASC " & AscW(StringUpper($_Key)) & "}") ;uppercase
            ElseIf $shiftstatus == 1 And $CapsLockOn == True And $ctrlstatus == 0 And $altstatus == 0 And $_Key <> "{TAB}" Then
                ControlFocus($ReplacedString, "", $ctrl)
                ControlSend($ReplacedString, "", $ctrl, "{ASC " & AscW($_Key) & "}") ;lowercase
            ElseIf $shiftstatus == 0 And $CapsLockOn == False And $ctrlstatus == 0 And $altstatus == 0 And $_Key <> "{TAB}" Then
                ControlFocus($ReplacedString, "", $ctrl)
                ControlSend($ReplacedString, "", $ctrl, "{ASC " & AscW($_Key) & "}") ; lowercase
            ElseIf $ctrlstatus == 1 And $altstatus == 0 Then
                ControlFocus($ReplacedString, "", $ctrl)
                ControlSend($ReplacedString, "", $ctrl, '^' & $_Key)
            ElseIf $ctrlstatus == 0 And $altstatus == 1 Then
                ControlFocus($ReplacedString, "", $ctrl)
                ControlSend($ReplacedString, "", $ctrl, '!' & $_Key)
            Else
                ControlFocus($ReplacedString, "", $ctrl)
                ControlSend($ReplacedString, "", $ctrl, "{ASC 0x09}")
            EndIf
        EndIf
    EndIf
    If $_HoldNeeded = 1 Then
        SoundPlay("Hold.wav")
    Else
        SoundPlay("Type.wav")
        SoundSetWaveVolume(10);Set volume for both Hold.wav and Type.wav
    EndIf
EndFunc   ;==>PressButton
Edited by deltarocked

Share this post


Link to post
Share on other sites

Using Spy++ reveals :

<00001> 001B0338 P WM_KEYDOWN nVirtKey:'G' cRepeat:1 ScanCode:22 fExtended:0 fAltDown:0 fRepeat:0 fUp:0

<00002> 001B0338 P WM_CHAR chCharCode:'g' (103) cRepeat:1 ScanCode:22 fExtended:0 fAltDown:0 fRepeat:0 fUp:0

But on the other hand when did the same against another virtual keyboard the result was

First a 0 is sent then a backspace then the WM_Char is empty. but still the character appears on the notepad.

damn.... i am frustrated...

Share this post


Link to post
Share on other sites

Where can I get your program? I'm interested in testing it against my own keylogger.

Share this post


Link to post
Share on other sites

I don't like the way this thread is headed at the moment... It seems we are gradually slipping down to a dark subject that this forum isn't interested in. If I were you Coulihan I would be very careful.

Share this post


Link to post
Share on other sites

I don't like the way this thread is headed at the moment... It seems we are gradually slipping down to a dark subject that this forum isn't interested in. If I were you Coulihan I would be very careful.

Don't worry, my own software will not be distributed or shared here in any way. As the OP was allowed to take the thread this far, I figured he would be allowed to share his program with me as well. I have no problem with it if not.

Share this post


Link to post
Share on other sites

Then why did you feel the need to mention it? You could have said: "Where can I get your program? I'm interested in testing it.". It's unneccesary as maybe you have legit reasons but the next person won't, and if you are allowed to talk about a keylogger you made, why can't he? Thats why there's a line, your toes are on the edge at the moment, step back.

Share this post


Link to post
Share on other sites

Then why did you feel the need to mention it? You could have said: "Where can I get your program? I'm interested in testing it.". It's unneccesary as maybe you have legit reasons but the next person won't, and if you are allowed to talk about a keylogger you made, why can't he? Thats why there's a line, your toes are on the edge at the moment, step back.

Unnecessary nit-picking.

I already said I'm not going to share anything, this should be enough. Especially since the OP started the mentioning of keyloggers in a thread that you have not reacted to thus far. It would be like telling him that he can't use the phrase "anti-keylogger" because it might arouse someone else to mention this awful word or ask him where he got any of the programs he was testing against.

I hate this kind of thread-filling silly argument garbage that you have started for no good reason. Now if you feel like you need to take it out on me because you have something to prove, go right ahead. I don't care, no damage will be done for me at all.

Share this post


Link to post
Share on other sites

I think the point Mat is trying to make is something along these lines.

The OP was asking about an anti-keylogger.

You asked for that code to test your keylogger against.

If that were to happen it would enable you to modify your keylogger to overcome whatever protection he managed to put in thus in fact making your request an appeal to help make your keylogger better and therefore against the rules.


George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.***

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"

Share this post


Link to post
Share on other sites

#12 ·  Posted (edited)

Not that I would help but by that same logic:

modified quote:

If that were to happen it would enable you to modify the Anti-keylogger to overcome whatever protection the Keylogger managed to put in thus in fact making your request an appeal to help make the Anti-keylogger better and therefore adheres the rules.

I like the All or Nothing stance towards botting, seems the same should apply for logging.

Edited by iamtheky

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

We don't have rules against anti-keyloggers as you are well aware. We do on the otherhand have ne desire to see people getting help with a keylogger as you are also well aware.


George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.***

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"

Share this post


Link to post
Share on other sites

Quite, my only point being (feeling quite the antagonist today).

How do you know your Anti-Keylogger code implementation works? And once you have that test, how do you make that test non-beneficial to someone developing a Keylogger?

So you cant define the enemy, explain its behaviors, or attempt to mimic its attacks....but you are welcome to try and thwart it (but please do so in a manner that does not reveal anything of substance).


,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

wait a sec...

Key-loggers = Bad

Anti-Key-Loggers = good

Anti-Key Logger testing vs. a Keylogger = bad

Do I have that right?


Everseeker

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0