The following is a stealthy keylogger I wrote in C a few years ago called LogThatShit (LTS). It was written on and for Windows XP, and probably works on Vista, but User Account Control (UAC) might prompt the user for a password. It began as a complete Remote Administration Tool (RAT) named Overdose. I realized that the keylogger is the most important part of the RAT and decided to branch that off into a separate project.
As of 09/09/08, LTS remains undetectable by anti-virus software. It bypassed the heuristic analysis engines of its time, but the more advanced ones today might pick it up.
I am releasing the source code under the GPL license, with no warranty whatsoever, for educational purposes only. I don’t use it, and I don’t suggest you use it. Usage might be illegal where you live, if not just unethical. I will not compile/send out any binaries. I don’t even know if it’ll compile out of the box.
Feature set (this list was written long before the app was complete and was never updated):
A key stroke logger for Windows 9X/NT/2K/XP
- Hijacks a process, meaning it will not show up on the task manager.
- Bypasses heuristics engines.
- Starts up automatically on boot. Does not show up in msconfig.
- Logs OS, timestamp, Windows username, and the title and path of the window that currently has focus.
- Can be updated or removed from the victim’s computer remotely.
- Ability to download and launch an executable silently from an FTP site.
- Does not show up on the task manager on both 9X and NT platforms.
- CPU and memory usage do not increase. No noticeable performance or memory hit.
- Written in ANSI C89
- Developed on XP SP1. Tested on Windows 2000 and XP SP2. The code includes some Windows 9X handling, but it was winged and never tested.
- Uses a system-wide hook (WH_KEYBOARD).
- Editor used was gvim (win32) with no plugins and mappings, but with some custom commands added to Windows’ right click context menus, and a bunch of batch (.bat) and Makefiles.
- Compiled using GNU make and other ported utilities.
The following was somewhat of a list of things I never got around to doing:
- TODO: Need thorough testing on 9X
- TODO: Restart feature
- TODO: Change INFINITE to 1000ms
- TODO: Don’t use general permissions on mappings / mutex.
- TODO: Load self into memory and poll for presence, rewrite files if not available (persistence mode).
The following is written off the top of my head. When executed, the keylogger may display a customized error message to fool the victim into thinking the program is simply broken or outdated. This is to deter suspicion that the program is malicious, which is the reaction most people have when nothing happens as they sit there trying to open an application.
The logger then copies itself to the SYSTEM32 folder (the name is set in the ini config file) and adds itself to system startup. It uses several methods to do this, depending on the OS, but the preferred method is to register itself as an ActiveX object. This hides it deep in the registry, under a unique key, and keeps it out of the msconfig -> Startup tab. It also keeps it out of most apps that display programs that launch on system startup, or at least it did at the time. I think HijackThis and its ilk have caught up now.
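Since the post describes a startup registration that deliberately stays out of msconfig, the defender-side counterpart is to enumerate autostart locations directly rather than through a GUI. The following PowerShell is an added example written for this page; it is not part of LTS and does not come from its author. It assumes that the "ActiveX object" registration the post mentions lives under the Active Setup "Installed Components" key (a common location for that technique, but the post does not name the key), walks that key together with the usual Run/RunOnce keys, resolves each command line to its executable, and reports the Authenticode status of every target so that an unsigned binary launched from SYSTEM32 stands out.

```powershell
# Added example (not LTS code): list autostart entries from the registry and
# show the signature status of the binary each one launches.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # Assumption: the ActiveX-style registration described in the post is an
    # Active Setup component; each subkey carries its command in StubPath.
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)

# Properties that Get-ItemProperty adds to every result and that are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandImage {
    # Extract the executable path from a registry command line ("C:\x y\a.exe" /q  or  a.exe /q).
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Get-AutostartEntries {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        if ($key -like '*Active Setup*') {
            # One subkey per component; the launch command is the StubPath value.
            foreach ($sub in Get-ChildItem -LiteralPath $key) {
                $stub = (Get-ItemProperty -LiteralPath $sub.PSPath).StubPath
                if ($stub) {
                    [pscustomobject]@{ Location = $key; Name = $sub.PSChildName; Command = [string]$stub }
                }
            }
        } else {
            # Run/RunOnce: every value under the key is a command line.
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $providerProps) { continue }
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

Get-AutostartEntries | ForEach-Object {
    $image  = Get-CommandImage $_.Command
    $status = 'target missing'
    if ($image -and (Test-Path -LiteralPath $image)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $image
        $status = if ($sig.Status -eq 'Valid') {
            "signed by $($sig.SignerCertificate.Subject)"
        } else {
            "NOT trusted ($($sig.Status))"
        }
    }
    [pscustomobject]@{ Name = $_.Name; Image = $image; Status = $status; Location = $_.Location }
} | Sort-Object Status | Format-Table -AutoSize
```

Run it in an elevated Windows PowerShell session so the HKLM keys are readable. Entries whose Status is "target missing" or "NOT trusted" and whose Image sits under the Windows directory deserve a closer look; a legitimate OS component there is almost always signed, and the post's own description (an unsigned copy of the stub dropped into SYSTEM32 and registered under a unique key) is exactly the pattern this listing surfaces.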
When configured, the 'Stub' (EXE file) is appended with two DLL files: Hook and Injection. At this point, the stub injects a DLL (injection.dll) into explorer.exe (it also looks for the default browser to use as a backup). This is called DLL injection, and is used to bypass firewalls that only allow trusted programs access to the Internet; otherwise the firewall will give a "notepad2.exe wants to access the Internet. Are you sure you want to allow this?" warning.
Nowadays, firewalls will prompt the user that a program has been altered or has loaded new DLLs (especially if they aren't in the same folder as the application), but nearly every user will just click "ALLOW" without caring, especially when the application in question is Explorer.exe or Firefox.exe. This also means the user will not notice much in the process manager (Ctrl+Alt+Delete).
The stub remains open but idle; closing it will unload the DLLs. Most of the work is now done inside Hook.dll. Keys are intercepted at a low level, logged, and then passed on to where they were supposed to go. This is better than other loggers that just poll for keys, since it is very efficient and will not cause a memory/performance hit.
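The two paragraphs above point at the detection angle that survives even when the firewall prompt is clicked away: a foreign DLL is now resident inside explorer.exe, and the process manager shows nothing because no new process was created. The PowerShell below is an added example for this page, not LTS code, and demonstrates module baselining: record the DLLs loaded into explorer.exe once on a known-clean machine, then compare later snapshots against that list. The baseline file path and the set of trusted directories are assumptions of the example; a module is reported when it is absent from the baseline, lives outside the trusted directories, or carries no valid Authenticode signature.

```powershell
# Added example (not LTS code): baseline the modules loaded into explorer.exe
# and flag anything new, out-of-place or unsigned in later snapshots.

$BaselinePath = Join-Path $env:ProgramData 'explorer-modules-baseline.txt'   # assumed location
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }   # drop ProgramFiles(x86) on 32-bit Windows

function Get-LoadedModules {
    # Full paths of every module mapped into the named process (all instances).
    # Must run at the same bitness as the target process to read its module list.
    param([string]$ProcessName = 'explorer')
    Get-Process -Name $ProcessName -ErrorAction Stop |
        ForEach-Object { $_.Modules } |
        Select-Object -ExpandProperty FileName -Unique
}

function Save-ModuleBaseline {
    # Run once on a machine you trust; everything loaded now is treated as expected later.
    Get-LoadedModules | Sort-Object | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
}

function Test-ModuleBaseline {
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        throw "No baseline found; run Save-ModuleBaseline on a clean system first."
    }
    $baseline = @(Get-Content -LiteralPath $BaselinePath)

    foreach ($module in Get-LoadedModules) {
        $reasons = @()

        if ($baseline -notcontains $module) { $reasons += 'not in baseline' }

        $inTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($module.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $reasons += 'outside trusted directories' }

        # Catalog-signed OS files report Valid on Windows 8 and later; on older
        # systems many of them show NotSigned, so rely on the baseline diff there.
        $sig = Get-AuthenticodeSignature -LiteralPath $module
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Module = $module; Flags = ($reasons -join '; ') }
        }
    }
}

# Usage: Save-ModuleBaseline once, then Test-ModuleBaseline | Format-Table -AutoSize
# on each check. An empty result means nothing changed since the baseline.
Test-ModuleBaseline | Format-Table -AutoSize
```

The baseline diff is the robust signal: a DLL copied into SYSTEM32, as the post describes, passes the directory check, and on XP-era systems the signature check is noisy, but a module that was not present when the baseline was taken is always worth explaining. The same functions work for the default browser by passing its process name to Get-LoadedModules, which matters because the post names the browser as the injection fallback.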
The logfile will store the title and file path of the application that has focus, and every keyboard key sent to that application. Caps Lock, Backspace, Enter, Tab, Shift, "special keys" and so forth are also logged and labeled. For example, Shift might be [LSHIFT] or [RSHIFT]. All entries are timestamped.
An example would be:
Biodegradable Geek > Login – WordPress – Firefox (c:\programs\firefox\firefox.exe)
There are a few more features and technical details. View the source below:
// This software file (the "File") is distributed under the terms of the
// GNU General Public License Version 3, (the "License"). You may use,
// redistribute and/or modify this File in accordance with the terms and
// conditions of the License, a copy of which is available along with the
// File in the license.txt file or by writing to
// Free Software Foundation, Inc.,
// 59 Temple Place,
// Suite 330, Boston, MA, 02111-1307
//
// or on the Internet at http://www.gnu.org/licenses/gpl.txt.
// THE FILE IS DISTRIBUTED AS-IS, WITHOUT WARRANTY OF ANY KIND. THE AUTHOR
// DOES NOT TAKE ANY RESPONSIBILITY FOR ANY DAMAGE OR LEGAL ISSUES YOU MAY
// FACE WHEN USING THIS APPLICATION. PLEASE NOTE THAT LTS WAS WRITTEN AND
// RELEASED FOR *EDUCATIONAL* PURPOSES ONLY AND IS NOT INTENDED TO BE USED
// FOR ANYTHING THAT MAY BE AGAINST THE LAW WHERE YOU LIVE. IF YOU DO NOT
// WANT THAT RESPONSIBILITY, PLEASE DONT COMPILE OR USE THIS APPLICATION.

View the source here: http://code.biodegradablegeek.com/LogThatShit/